From 0ce6c97e4fe0e36786b78c273833b8f1dfbc12b4 Mon Sep 17 00:00:00 2001 From: Matthew Harmsen Date: Tue, 3 Jul 2012 17:52:33 -0700 Subject: PKI Deployment Scriptlets * Integration of Tomcat 7 * Introduction of dependency upon tomcatjss 7.0 * Removal of http filtering configuration mechanisms * Introduction of additional slot substitution to support revised filesystem layout * Addition of 'pkiuser' uid:gid creation methods * Inclusion of per instance '*.profile' files * Introduction of configurable 'configurationRoot' parameter * Introduction of default configuration of 'log4j' mechanism (alee) * Modify web.xml to use new Application classes to bootstrap servers (alee) * Introduction of "Wrapper" logic to support Tomcat 6 --> Tomcat 7 API change (jmagne) * Added jython helper function to allow attaching a remote java debugger (e. g. - eclipse) --- base/deploy/src/scriptlets/pkiparser.py | 1251 +++++++++++++++++++++++++++++-- 1 file changed, 1205 insertions(+), 46 deletions(-) (limited to 'base/deploy/src/scriptlets/pkiparser.py') diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py index 0add192f7..5abfdc064 100644 --- a/base/deploy/src/scriptlets/pkiparser.py +++ b/base/deploy/src/scriptlets/pkiparser.py @@ -53,22 +53,18 @@ def process_command_line_arguments(argv): required=True, metavar='', help='where is ' 'CA, KRA, OCSP, RA, TKS, or TPS') + if os.path.basename(argv[0]) == 'pkispawn': + mandatory.add_argument('-f', + dest='pkideployment_cfg', action='store', + nargs=1, required=True, metavar='', + help='specifies configuration filename') optional = parser.add_argument_group('optional arguments') optional.add_argument('--dry_run', dest='pki_dry_run_flag', action='store_true', help='do not actually perform any actions') - optional.add_argument('-f', - dest='pkideployment_cfg', action='store', - nargs=1, metavar='', - help='overrides default configuration filename') optional.add_argument('-h', '--help', dest='help', action='help', help='show this help message and exit') - optional.add_argument('-p', - dest='pki_root_prefix', action='store', - nargs=1, metavar='', - help='directory prefix to specify local directory ' - '[TEST ONLY]') if os.path.basename(argv[0]) == 'pkispawn': optional.add_argument('-u', dest='pki_update_flag', action='store_true', @@ -98,6 +94,12 @@ def process_command_line_arguments(argv): dest='custom_pki_ajp_port', action='store', nargs=1, metavar='', help='AJP port (CA, KRA, OCSP, TKS)') + test = parser.add_argument_group('test arguments') + test.add_argument('-p', + dest='pki_root_prefix', action='store', + nargs=1, metavar='', + help='directory prefix to specify local directory ' + '[TEST ONLY]') args = parser.parse_args() config.pki_subsystem = str(args.pki_subsystem).strip('[\']') @@ -187,7 +189,7 @@ def process_command_line_arguments(argv): print parser.print_help() parser.exit(-1); - if not args.pkideployment_cfg is None: + if os.path.basename(argv[0]) == 'pkispawn': config.pkideployment_cfg = str(args.pkideployment_cfg).strip('[\']') elif os.path.basename(argv[0]) == 'pkidestroy': # NOTE: When performing 'pkidestroy', a configuration file must be @@ -258,6 +260,9 @@ def read_pki_configuration_file(): # Make keys case-sensitive! parser.optionxform = str parser.read(config.pkideployment_cfg) + config.pki_sensitive_dict = dict(parser._sections['Sensitive']) + config.pki_mandatory_dict = dict(parser._sections['Mandatory']) + config.pki_optional_dict = dict(parser._sections['Optional']) config.pki_common_dict = dict(parser._sections['Common']) if config.pki_subsystem == "CA": config.pki_web_server_dict = dict(parser._sections['Tomcat']) @@ -278,6 +283,9 @@ def read_pki_configuration_file(): config.pki_web_server_dict = dict(parser._sections['Apache']) config.pki_subsystem_dict = dict(parser._sections['TPS']) # Insert empty record into dictionaries for "pretty print" statements + # NEVER print "sensitive" key value pairs!!! + config.pki_mandatory_dict[0] = None + config.pki_optional_dict[0] = None config.pki_common_dict[0] = None config.pki_web_server_dict[0] = None config.pki_subsystem_dict[0] = None @@ -297,13 +305,19 @@ def compose_pki_master_dictionary(): config.pki_certificate_timestamp config.pki_master_dict['pki_architecture'] = config.pki_architecture config.pki_master_dict['pki_hostname'] = config.pki_hostname + config.pki_master_dict['pki_dns_domainname'] =\ + config.pki_dns_domainname config.pki_master_dict['pki_pin'] = config.pki_pin config.pki_master_dict['pki_client_pin'] = config.pki_client_pin config.pki_master_dict['pki_one_time_pin'] = config.pki_one_time_pin config.pki_master_dict['pki_dry_run_flag'] = config.pki_dry_run_flag config.pki_master_dict['pki_jython_log_level'] =\ config.pki_jython_log_level + config.pki_master_dict['pki_deployment_cfg'] = config.pkideployment_cfg # Configuration file name/value pairs + # NEVER add "sensitive" key value pairs to the master dictionary!!! + config.pki_master_dict.update(config.pki_mandatory_dict) + config.pki_master_dict.update(config.pki_optional_dict) config.pki_master_dict.update(config.pki_common_dict) config.pki_master_dict.update(config.pki_web_server_dict) config.pki_master_dict.update(config.pki_subsystem_dict) @@ -357,8 +371,7 @@ def compose_pki_master_dictionary(): # (e. g. Tomcat: "tomcat", "example.com-tomcat") # (e. g. Apache: "apache", "example.com-apache") # - if not config.pki_master_dict['pki_admin_domain_name'] is None and\ - not config.pki_master_dict['pki_admin_domain_name'] is '': + if len(config.pki_master_dict['pki_admin_domain_name']): config.pki_master_dict['pki_instance_id'] =\ config.pki_master_dict['pki_admin_domain_name'] +\ "-" + config.pki_master_dict['pki_instance_name'] @@ -458,6 +471,9 @@ def compose_pki_master_dictionary(): os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT, "ca", "emails") + config.pki_master_dict['pki_source_flatfile_txt'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "flatfile.txt") config.pki_master_dict['pki_source_profiles'] =\ os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT, "ca", @@ -465,6 +481,43 @@ def compose_pki_master_dictionary(): config.pki_master_dict['pki_source_proxy_conf'] =\ os.path.join(config.pki_master_dict['pki_source_conf_path'], "proxy.conf") + config.pki_master_dict['pki_source_registry_cfg'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "registry.cfg") + # '*.profile' + config.pki_master_dict['pki_source_admincert_profile'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "adminCert.profile") + config.pki_master_dict['pki_source_caauditsigningcert_profile']\ + = os.path.join( + config.pki_master_dict['pki_source_conf_path'], + "caAuditSigningCert.profile") + config.pki_master_dict['pki_source_cacert_profile'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "caCert.profile") + config.pki_master_dict['pki_source_caocspcert_profile'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "caOCSPCert.profile") + config.pki_master_dict['pki_source_servercert_profile'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "serverCert.profile") + config.pki_master_dict['pki_source_subsystemcert_profile'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "subsystemCert.profile") + elif config.pki_master_dict['pki_subsystem'] == "KRA": + # '*.profile' + config.pki_master_dict['pki_source_servercert_profile'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "serverCert.profile") + config.pki_master_dict['pki_source_storagecert_profile'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "storageCert.profile") + config.pki_master_dict['pki_source_subsystemcert_profile'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "subsystemCert.profile") + config.pki_master_dict['pki_source_transportcert_profile'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "transportCert.profile") # PKI top-level file system layout name/value pairs # NOTE: Never use 'os.path.join()' whenever 'pki_root_prefix' # is being prepended!!! @@ -498,12 +551,14 @@ def compose_pki_master_dictionary(): if config.pki_master_dict['pki_subsystem'] in\ config.PKI_APACHE_SUBSYSTEMS: # Apache instance base name/value pairs + config.pki_master_dict['pki_instance_type'] = "Apache" # Apache instance log name/value pairs # Apache instance configuration name/value pairs # Apache instance registry name/value pairs config.pki_master_dict['pki_instance_type_registry_path'] =\ - os.path.join(config.pki_master_dict['pki_registry_path'], - "apache") + os.path.join( + config.pki_master_dict['pki_registry_path'], + config.pki_master_dict['pki_instance_type'].lower()) config.pki_master_dict['pki_instance_registry_path'] =\ os.path.join( config.pki_master_dict['pki_instance_type_registry_path'], @@ -513,12 +568,16 @@ def compose_pki_master_dictionary(): elif config.pki_master_dict['pki_subsystem'] in\ config.PKI_TOMCAT_SUBSYSTEMS: # Tomcat instance base name/value pairs + config.pki_master_dict['pki_instance_type'] = "Tomcat" config.pki_master_dict['pki_tomcat_common_path'] =\ os.path.join(config.pki_master_dict['pki_instance_path'], "common") config.pki_master_dict['pki_tomcat_common_lib_path'] =\ os.path.join(config.pki_master_dict['pki_tomcat_common_path'], "lib") + config.pki_master_dict['pki_tomcat_tmpdir_path'] =\ + os.path.join(config.pki_master_dict['pki_instance_path'], + "temp") config.pki_master_dict['pki_tomcat_webapps_path'] =\ os.path.join(config.pki_master_dict['pki_instance_path'], "webapps") @@ -529,28 +588,43 @@ def compose_pki_master_dictionary(): os.path.join( config.pki_master_dict['pki_tomcat_webapps_root_path'], "WEB-INF") - config.pki_master_dict['pki_tomcat_webapps_webinf_path'] =\ - os.path.join(config.pki_master_dict['pki_tomcat_webapps_path'], - "WEB-INF") - config.pki_master_dict['pki_tomcat_webapps_webinf_classes_path'] =\ - os.path.join( - config.pki_master_dict['pki_tomcat_webapps_webinf_path'], - "classes") - config.pki_master_dict['pki_tomcat_webapps_webinf_lib_path'] =\ - os.path.join( - config.pki_master_dict['pki_tomcat_webapps_webinf_path'], - "lib") config.pki_master_dict['pki_tomcat_webapps_root_webinf_web_xml'] =\ os.path.join( config.pki_master_dict\ ['pki_tomcat_webapps_root_webinf_path'], "web.xml") + config.pki_master_dict['pki_tomcat_work_path'] =\ + os.path.join(config.pki_master_dict['pki_instance_path'], + "work") + config.pki_master_dict['pki_tomcat_work_catalina_path'] =\ + os.path.join(config.pki_master_dict['pki_tomcat_work_path'], + "Catalina") + config.pki_master_dict['pki_tomcat_work_catalina_host_path'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_work_catalina_path'], + "localhost") + config.pki_master_dict['pki_tomcat_work_catalina_host_run_path'] =\ + os.path.join( + config.pki_master_dict\ + ['pki_tomcat_work_catalina_host_path'], + "_") + config.pki_master_dict\ + ['pki_tomcat_work_catalina_host_subsystem_path'] =\ + os.path.join( + config.pki_master_dict\ + ['pki_tomcat_work_catalina_host_path'], + config.pki_master_dict['pki_subsystem'].lower()) # Tomcat instance log name/value pairs # Tomcat instance configuration name/value pairs + config.pki_master_dict['pki_instance_log4j_properties'] =\ + os.path.join( + config.pki_master_dict['pki_instance_configuration_path'], + "log4j.properties") # Tomcat instance registry name/value pairs config.pki_master_dict['pki_instance_type_registry_path'] =\ - os.path.join(config.pki_master_dict['pki_registry_path'], - "tomcat") + os.path.join( + config.pki_master_dict['pki_registry_path'], + config.pki_master_dict['pki_instance_type'].lower()) config.pki_master_dict['pki_instance_registry_path'] =\ os.path.join( config.pki_master_dict['pki_instance_type_registry_path'], @@ -562,9 +636,205 @@ def compose_pki_master_dictionary(): config.pki_master_dict['pki_tomcat_lib_link'] =\ os.path.join(config.pki_master_dict['pki_instance_path'], "lib") + config.pki_master_dict['pki_tomcat_lib_log4j_properties_link'] =\ + os.path.join(config.pki_master_dict['pki_tomcat_lib_path'], + "log4j.properties") config.pki_master_dict['pki_instance_systemd_link'] =\ os.path.join(config.pki_master_dict['pki_instance_path'], config.pki_master_dict['pki_instance_id']) + # Tomcat instance common lib jars + if config.pki_master_dict['pki_architecture'] == 64: + config.pki_master_dict['pki_jss_jar'] =\ + os.path.join("/usr/lib64/java", + "jss4.jar") + config.pki_master_dict['pki_symkey_jar'] =\ + os.path.join("/usr/lib64/java", + "symkey.jar") + else: + config.pki_master_dict['pki_jss_jar'] =\ + os.path.join("/usr/lib/java", + "jss4.jar") + config.pki_master_dict['pki_symkey_jar'] =\ + os.path.join("/usr/lib/java", + "symkey.jar") + config.pki_master_dict['pki_apache_commons_collections_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "apache-commons-collections.jar") + config.pki_master_dict['pki_apache_commons_lang_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "apache-commons-lang.jar") + config.pki_master_dict['pki_apache_commons_logging_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "apache-commons-logging.jar") + config.pki_master_dict['pki_commons_codec_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "commons-codec.jar") + config.pki_master_dict['pki_httpclient_jar'] =\ + os.path.join( + config.PKI_DEPLOYMENT_HTTPCOMPONENTS_JAR_SOURCE_ROOT, + "httpclient.jar") + config.pki_master_dict['pki_javassist_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "javassist.jar") + config.pki_master_dict['pki_resteasy_jaxrs_api_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT, + "jaxrs-api.jar") + config.pki_master_dict['pki_jettison_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "jettison.jar") + config.pki_master_dict['pki_ldapjdk_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "ldapjdk.jar") + config.pki_master_dict['pki_certsrv_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, + "pki-certsrv.jar") + config.pki_master_dict['pki_cmsbundle'] =\ + os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, + "pki-cmsbundle.jar") + config.pki_master_dict['pki_cmscore'] =\ + os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, + "pki-cmscore.jar") + config.pki_master_dict['pki_cms'] =\ + os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, + "pki-cms.jar") + config.pki_master_dict['pki_cmsutil'] =\ + os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, + "pki-cmsutil.jar") + config.pki_master_dict['pki_nsutil'] =\ + os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, + "pki-nsutil.jar") + config.pki_master_dict['pki_resteasy_jaxb_provider_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT, + "resteasy-jaxb-provider.jar") + config.pki_master_dict['pki_resteasy_jaxrs_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT, + "resteasy-jaxrs.jar") + config.pki_master_dict['pki_resteasy_jettison_provider_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT, + "resteasy-jettison-provider.jar") + config.pki_master_dict['pki_scannotation_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "scannotation.jar") + config.pki_master_dict['pki_tomcatjss_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "tomcatjss.jar") + config.pki_master_dict['pki_velocity_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "velocity.jar") + config.pki_master_dict['pki_xerces_j2_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "xerces-j2.jar") + config.pki_master_dict['pki_xml_commons_apis_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "xml-commons-apis.jar") + config.pki_master_dict['pki_xml_commons_resolver_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_JAR_SOURCE_ROOT, + "xml-commons-resolver.jar") + # Tomcat instance common lib jar symbolic links + config.pki_master_dict['pki_jss_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "jss4.jar") + config.pki_master_dict['pki_symkey_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "symkey.jar") + config.pki_master_dict['pki_apache_commons_collections_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "apache-commons-collections.jar") + config.pki_master_dict['pki_apache_commons_lang_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "apache-commons-lang.jar") + config.pki_master_dict['pki_apache_commons_logging_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "apache-commons-logging.jar") + config.pki_master_dict['pki_commons_codec_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "apache-commons-codec.jar") + config.pki_master_dict['pki_httpclient_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "httpclient.jar") + config.pki_master_dict['pki_javassist_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "javassist.jar") + config.pki_master_dict['pki_resteasy_jaxrs_api_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "jaxrs-api.jar") + config.pki_master_dict['pki_jettison_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "jettison.jar") + config.pki_master_dict['pki_ldapjdk_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "ldapjdk.jar") + config.pki_master_dict['pki_certsrv_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "pki-certsrv.jar") + config.pki_master_dict['pki_cmsbundle_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "pki-cmsbundle.jar") + config.pki_master_dict['pki_cmscore_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "pki-cmscore.jar") + config.pki_master_dict['pki_cms_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "pki-cms.jar") + config.pki_master_dict['pki_cmsutil_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "pki-cmsutil.jar") + config.pki_master_dict['pki_nsutil_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "pki-nsutil.jar") + config.pki_master_dict['pki_resteasy_jaxb_provider_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "resteasy-jaxb-provider.jar") + config.pki_master_dict['pki_resteasy_jaxrs_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "resteasy-jaxrs.jar") + config.pki_master_dict['pki_resteasy_jettison_provider_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "resteasy-jettison-provider.jar") + config.pki_master_dict['pki_scannotation_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "scannotation.jar") + config.pki_master_dict['pki_tomcatjss_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "tomcatjss.jar") + config.pki_master_dict['pki_velocity_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "velocity.jar") + config.pki_master_dict['pki_xerces_j2_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "xerces-j2.jar") + config.pki_master_dict['pki_xml_commons_apis_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "xml-commons-apis.jar") + config.pki_master_dict['pki_xml_commons_resolver_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "xml-commons-resolver.jar") # Instance layout NSS security database name/value pairs config.pki_master_dict['pki_database_path'] =\ os.path.join( @@ -612,9 +882,6 @@ def compose_pki_master_dictionary(): elif config.pki_master_dict['pki_subsystem'] in\ config.PKI_TOMCAT_SUBSYSTEMS: # Instance-based Tomcat PKI subsystem base name/value pairs - config.pki_master_dict['pki_tomcat_webapps_subsystem_path'] =\ - os.path.join(config.pki_master_dict['pki_tomcat_webapps_path'], - config.pki_master_dict['pki_subsystem'].lower()) if config.pki_master_dict['pki_subsystem'] == "CA": config.pki_master_dict['pki_subsystem_emails_path'] =\ os.path.join(config.pki_master_dict['pki_subsystem_path'], @@ -632,18 +899,6 @@ def compose_pki_master_dictionary(): config.pki_master_dict['pki_subsystem_tomcat_webapps_link'] =\ os.path.join(config.pki_master_dict['pki_subsystem_path'], "webapps") - config.pki_master_dict\ - ['pki_tomcat_webapps_subsystem_webinf_classes_link'] =\ - os.path.join( - config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], - "WEB-INF", - "classes") - config.pki_master_dict\ - ['pki_tomcat_webapps_subsystem_webinf_lib_link'] =\ - os.path.join( - config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], - "WEB-INF", - "lib") # Instance-based Apache/Tomcat PKI subsystem convenience symbolic links config.pki_master_dict['pki_subsystem_database_link'] =\ os.path.join(config.pki_master_dict['pki_subsystem_path'], @@ -654,6 +909,78 @@ def compose_pki_master_dictionary(): config.pki_master_dict['pki_subsystem_logs_link'] =\ os.path.join(config.pki_master_dict['pki_subsystem_path'], "logs") + # PKI Target (war file) name/value pairs + if config.pki_master_dict['pki_subsystem'] in\ + config.PKI_TOMCAT_SUBSYSTEMS: + # Tomcat PKI subsystem war file base name/value pairs + config.pki_master_dict['pki_tomcat_webapps_subsystem_path'] =\ + os.path.join(config.pki_master_dict['pki_tomcat_webapps_path'], + config.pki_master_dict['pki_subsystem'].lower()) + config.pki_master_dict\ + ['pki_tomcat_webapps_subsystem_webinf_classes_path'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], + "WEB-INF", + "classes") + config.pki_master_dict\ + ['pki_tomcat_webapps_subsystem_webinf_lib_path'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], + "WEB-INF", + "lib") + # Tomcat PKI subsystem war file convenience symbolic links + if config.pki_master_dict['pki_subsystem'] == "CA": + config.pki_master_dict['pki_ca_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, + "pki-ca.jar") + # config.pki_master_dict['pki_ca_jar_link'] =\ + # os.path.join( + # config.pki_master_dict\ + # ['pki_tomcat_webapps_subsystem_webinf_lib_path'], + # "pki-ca.jar") + config.pki_master_dict['pki_ca_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "pki-ca.jar") + elif config.pki_master_dict['pki_subsystem'] == "KRA": + config.pki_master_dict['pki_kra_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, + "pki-kra.jar") + # config.pki_master_dict['pki_kra_jar_link'] =\ + # os.path.join( + # config.pki_master_dict\ + # ['pki_tomcat_webapps_subsystem_webinf_lib_path'], + # "pki-kra.jar") + config.pki_master_dict['pki_kra_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "pki-kra.jar") + elif config.pki_master_dict['pki_subsystem'] == "OCSP": + config.pki_master_dict['pki_ocsp_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, + "pki-ocsp.jar") + # config.pki_master_dict['pki_ocsp_jar_link'] =\ + # os.path.join( + # config.pki_master_dict\ + # ['pki_tomcat_webapps_subsystem_webinf_lib_path'], + # "pki-ocsp.jar") + config.pki_master_dict['pki_ocsp_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "pki-ocsp.jar") + elif config.pki_master_dict['pki_subsystem'] == "TKS": + config.pki_master_dict['pki_tks_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, + "pki-tks.jar") + # config.pki_master_dict['pki_tks_jar_link'] =\ + # os.path.join( + # config.pki_master_dict\ + # ['pki_tomcat_webapps_subsystem_webinf_lib_path'], + # "pki-tks.jar") + config.pki_master_dict['pki_tks_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "pki-tks.jar") # PKI Target (slot substitution) name/value pairs config.pki_master_dict['pki_target_cs_cfg'] =\ os.path.join( @@ -699,12 +1026,50 @@ def compose_pki_master_dictionary(): config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], "WEB-INF", "web.xml") + config.pki_master_dict['pki_target_subsystem_web_xml_orig'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], + "WEB-INF", + "web.xml.orig") # subystem-specific slot substitution name/value pairs if config.pki_master_dict['pki_subsystem'] == "CA": + config.pki_master_dict['pki_target_flatfile_txt'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "flatfile.txt") config.pki_master_dict['pki_target_proxy_conf'] =\ os.path.join(config.pki_master_dict\ ['pki_subsystem_configuration_path'], "proxy.conf") + config.pki_master_dict['pki_target_registry_cfg'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "registry.cfg") + # '*.profile' + config.pki_master_dict['pki_target_admincert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "adminCert.profile") + config.pki_master_dict['pki_target_caauditsigningcert_profile']\ + = os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "caAuditSigningCert.profile") + config.pki_master_dict['pki_target_cacert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "caCert.profile") + config.pki_master_dict['pki_target_caocspcert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "caOCSPCert.profile") + config.pki_master_dict['pki_target_servercert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "serverCert.profile") + config.pki_master_dict['pki_target_subsystemcert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "subsystemCert.profile") # in-place slot substitution name/value pairs config.pki_master_dict['pki_target_profileselect_template'] =\ os.path.join( @@ -713,6 +1078,24 @@ def compose_pki_master_dictionary(): "ee", config.pki_master_dict['pki_subsystem'].lower(), "ProfileSelect.template") + elif config.pki_master_dict['pki_subsystem'] == "KRA": + # '*.profile' + config.pki_master_dict['pki_target_servercert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "serverCert.profile") + config.pki_master_dict['pki_target_storagecert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "storageCert.profile") + config.pki_master_dict['pki_target_subsystemcert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "subsystemCert.profile") + config.pki_master_dict['pki_target_transportcert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "transportCert.profile") # Slot assignment name/value pairs # NOTE: Master key == Slots key; Master value ==> Slots value config.pki_master_dict['PKI_INSTANCE_ID_SLOT'] =\ @@ -830,6 +1213,8 @@ def compose_pki_master_dictionary(): "tomcat") config.pki_master_dict['PKI_PROXY_SECURE_PORT_SLOT'] =\ config.pki_master_dict['pki_proxy_https_port'] + config.pki_master_dict['PKI_TMPDIR_SLOT'] =\ + config.pki_master_dict['pki_tomcat_tmpdir_path'] config.pki_master_dict['PKI_PROXY_UNSECURE_PORT_SLOT'] =\ config.pki_master_dict['pki_proxy_http_port'] config.pki_master_dict['PKI_RANDOM_NUMBER_SLOT'] =\ @@ -846,6 +1231,8 @@ def compose_pki_master_dictionary(): config.pki_master_dict['pki_security_manager'] config.pki_master_dict['PKI_SERVER_XML_CONF_SLOT'] =\ config.pki_master_dict['pki_target_server_xml'] + config.pki_master_dict['PKI_SUBSYSTEM_DIR_SLOT'] =\ + config.pki_master_dict['pki_subsystem'].lower() + "/" config.pki_master_dict['PKI_SUBSYSTEM_TYPE_SLOT'] =\ config.pki_master_dict['pki_subsystem'].lower() config.pki_master_dict['PKI_SYSTEMD_SERVICENAME_SLOT'] =\ @@ -924,6 +1311,10 @@ def compose_pki_master_dictionary(): "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," +\ "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA" # Shared Apache/Tomcat NSS security database name/value pairs + config.pki_master_dict['pki_shared_pfile'] =\ + os.path.join( + config.pki_master_dict['pki_instance_configuration_path'], + "pfile") config.pki_master_dict['pki_shared_password_conf'] =\ os.path.join( config.pki_master_dict['pki_instance_configuration_path'], @@ -941,13 +1332,13 @@ def compose_pki_master_dictionary(): config.pki_master_dict['pki_self_signed_nickname'] =\ "Server-Cert cert-" + config.pki_master_dict['pki_instance_id'] config.pki_master_dict['pki_self_signed_subject'] =\ - "CN=" + config.pki_master_dict['pki_hostname'] + "," +\ - "O=" + config.pki_master_dict['pki_certificate_timestamp'] + "cn=" + config.pki_master_dict['pki_hostname'] + "," +\ + "o=" + config.pki_master_dict['pki_certificate_timestamp'] config.pki_master_dict['pki_self_signed_serial_number'] = 0 config.pki_master_dict['pki_self_signed_validity_period'] = 12 config.pki_master_dict['pki_self_signed_issuer_name'] =\ - "CN=" + config.pki_master_dict['pki_hostname'] + "," +\ - "O=" + config.pki_master_dict['pki_certificate_timestamp'] + "cn=" + config.pki_master_dict['pki_hostname'] + "," +\ + "o=" + config.pki_master_dict['pki_certificate_timestamp'] config.pki_master_dict['pki_self_signed_trustargs'] = "CTu,CTu,CTu" config.pki_master_dict['pki_self_signed_noise_file'] =\ os.path.join( @@ -992,10 +1383,778 @@ def compose_pki_master_dictionary(): "pki", "deployment", "configuration.jy") + config.pki_master_dict['pki_jython_base_uri'] =\ + "https" + "://" + config.pki_master_dict['pki_hostname'] + ":" +\ + config.pki_master_dict['pki_https_port'] + "/" +\ + config.pki_master_dict['pki_subsystem'].lower() + "/" + "pki" + # Jython scriptlet + # 'Security Domain' Configuration name/value pairs + # + # Apache - [RA], [TPS] + # Tomcat - [CA], [KRA], [OCSP], [TKS] + # - [CA Clone], [KRA Clone], [OCSP Clone], [TKS Clone] + # - [External CA] + # - [Subordinate CA] + # + # The following variables are defined below: + # + # config.pki_master_dict['pki_security_domain_type'] + # config.pki_master_dict['pki_security_domain_uri'] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_security_domain_https_port'] + # config.pki_master_dict['pki_security_domain_password'] + # config.pki_master_dict['pki_security_domain_user'] + # + # The following variables are established via the specified PKI + # deployment configuration file and potentially overridden below: + # + # config.pki_master_dict['pki_security_domain_hostname'] + # config.pki_master_dict['pki_security_domain_name'] + # + if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + if config.pki_subsystem == "CA": + if config.str2bool(config.pki_master_dict['pki_external']): + # External CA + config.pki_master_dict['pki_security_domain_type'] = "new" + if not len(config.pki_master_dict\ + ['pki_security_domain_name']): + config.pki_master_dict['pki_security_domain_name'] =\ + "External CA Security Domain" + elif not config.str2bool(config.pki_master_dict['pki_clone'])\ + and not\ + config.str2bool(config.pki_master_dict['pki_subordinate']): + # PKI CA + config.pki_master_dict['pki_security_domain_type'] = "new" + if not len(config.pki_master_dict\ + ['pki_security_domain_name']): + config.pki_master_dict['pki_security_domain_name'] =\ + config.pki_master_dict['pki_dns_domainname'] +\ + " " + "Security Domain" + else: + # PKI Cloned or Subordinate CA + config.pki_master_dict['pki_security_domain_type'] =\ + "existing" + if not len(config.pki_master_dict\ + ['pki_security_domain_hostname']): + # Guess that it is the local host + config.pki_master_dict['pki_security_domain_hostname']\ + = config.pki_master_dict['pki_hostname'] + config.pki_master_dict['pki_security_domain_uri'] =\ + "https" + "://" +\ + config.pki_master_dict['pki_security_domain_hostname']\ + + ":" + config.pki_security_domain_https_port + else: + # PKI KRA, OCSP, or TKS + config.pki_master_dict['pki_security_domain_type'] = "existing" + if not len(config.pki_master_dict\ + ['pki_security_domain_hostname']): + # Guess that it is the local host + config.pki_master_dict['pki_security_domain_hostname'] =\ + config.pki_master_dict['pki_hostname'] + config.pki_master_dict['pki_security_domain_uri'] =\ + "https" + "://" +\ + config.pki_master_dict['pki_security_domain_hostname'] +\ + ":" +\ + config.pki_master_dict['pki_security_domain_https_port'] + # Jython scriptlet + # 'Directory Server' Configuration name/value pairs + # + # Apache - [TPS] + # Tomcat - [CA], [KRA], [OCSP], [TKS] + # - [CA Clone], [KRA Clone], [OCSP Clone], [TKS Clone] + # - [External CA] + # - [Subordinate CA] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_ds_bind_dn'] + # config.pki_master_dict['pki_ds_http_port'] + # config.pki_master_dict['pki_ds_https_port'] + # config.pki_master_dict['pki_ds_password'] + # config.pki_master_dict['pki_ds_remove_data'] + # config.pki_master_dict['pki_ds_secure_connection'] + # + # The following variables are established via the specified PKI + # deployment configuration file and potentially overridden below: + # + # config.pki_master_dict['pki_ds_base_dn'] + # config.pki_master_dict['pki_ds_database'] + # config.pki_master_dict['pki_ds_hostname'] + # + if not len(config.pki_master_dict['pki_ds_base_dn']): + config.pki_master_dict['pki_ds_base_dn'] =\ + "o=" + config.pki_master_dict['pki_instance_id'] + if not len(config.pki_master_dict['pki_ds_database']): + config.pki_master_dict['pki_ds_database'] =\ + "o=" + config.pki_master_dict['pki_instance_id'] + if not len(config.pki_master_dict['pki_ds_hostname']): + # Guess that the Directory Server resides on the local host + config.pki_master_dict['pki_ds_hostname'] =\ + config.pki_master_dict['pki_hostname'] + # Jython scriptlet + # 'Backup' Configuration name/value pairs + # + # Apache - [RA], [TPS] + # Tomcat - [CA], [KRA], [OCSP], [TKS] + # - [External CA] + # - [Subordinate CA] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_backup_keys'] + # config.pki_master_dict['pki_backup_password'] + # + # The following variables are established via the specified PKI + # deployment configuration file and potentially overridden below: + # + # config.pki_master_dict['pki_backup_file'] + # + if config.str2bool(config.pki_master_dict['pki_backup_keys']): + if not len(config.pki_master_dict['pki_backup_file']): + if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + if not config.str2bool(config.pki_master_dict['pki_clone']): + if config.pki_master_dict['pki_subsystem'] == "CA": + if config.str2bool( + config.pki_master_dict['pki_external']): + # External CA + config.pki_master_dict['pki_backup_file'] =\ + "/tmp" + "/" + "externalca.p12" + "." +\ + config.pki_master_dict['pki_timestamp'] + elif config.str2bool( + config.pki_master_dict['pki_subordinate']): + # Subordinate CA + config.pki_master_dict['pki_backup_file'] =\ + "/tmp" + "/" + "subca.p12" + "." +\ + config.pki_master_dict['pki_timestamp'] + else: + # PKI CA + config.pki_master_dict['pki_backup_file'] =\ + "/tmp" + "/" + "ca.p12" + "." +\ + config.pki_master_dict['pki_timestamp'] + elif config.pki_master_dict['pki_subsystem'] == "KRA": + # PKI KRA + config.pki_master_dict['pki_backup_file'] =\ + "/tmp" + "/" + "kra.p12" + "." +\ + config.pki_master_dict['pki_timestamp'] + elif config.pki_master_dict['pki_subsystem'] == "OCSP": + # PKI OCSP + config.pki_master_dict['pki_backup_file'] =\ + "/tmp" + "/" + "ocsp.p12" + "." +\ + config.pki_master_dict['pki_timestamp'] + elif config.pki_master_dict['pki_subsystem'] == "TKS": + # PKI TKS + config.pki_master_dict['pki_backup_file'] =\ + "/tmp" + "/" + "tks.p12" + "." +\ + config.pki_master_dict['pki_timestamp'] + # Jython scriptlet + # 'Admin Certificate' Configuration name/value pairs + # + # Apache - [RA], [TPS] + # Tomcat - [CA], [KRA], [OCSP], [TKS] + # - [External CA] + # - [Subordinate CA] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_admin_cert_request_type'] + # config.pki_master_dict['pki_admin_dualkey'] + # config.pki_master_dict['pki_admin_keysize'] + # config.pki_master_dict['pki_admin_name'] + # config.pki_master_dict['pki_admin_password'] + # config.pki_master_dict['pki_admin_uid'] + # + # The following variables are established via the specified PKI + # deployment configuration file and potentially overridden below: + # + # config.pki_master_dict['pki_admin_email'] + # config.pki_master_dict['pki_admin_subject_dn'] + # + config.pki_master_dict['pki_admin_profile_id'] = "caAdminCert" + if not len(config.pki_master_dict['pki_admin_email']): + config.pki_master_dict['pki_admin_email'] =\ + config.pki_master_dict['pki_admin_name'] + "@" +\ + config.pki_master_dict['pki_dns_domainname'] + if not len(config.pki_master_dict['pki_admin_subject_dn']): + if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS: + if config.pki_master_dict['pki_subsystem'] == "RA": + # PKI RA + config.pki_master_dict['pki_admin_subject_dn'] =\ + "cn=" + "RA Administrator" + "," +\ + "uid=" + config.pki_master_dict['pki_admin_uid'] +\ + "," + "e=" +\ + config.pki_master_dict['pki_admin_email'] +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + elif config.pki_master_dict['pki_subsystem'] == "TPS": + # PKI TPS + config.pki_master_dict['pki_admin_subject_dn'] =\ + "cn=" + "TPS Administrator" + "," +\ + "uid=" + config.pki_master_dict['pki_admin_uid'] +\ + "," + "e=" +\ + config.pki_master_dict['pki_admin_email'] +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + if not config.str2bool(config.pki_master_dict['pki_clone']): + if config.pki_master_dict['pki_subsystem'] == "CA": + # PKI CA, Subordinate CA, or External CA + config.pki_master_dict['pki_admin_subject_dn'] =\ + "cn=" + "CA Administrator of Instance" + " " +\ + config.pki_master_dict['pki_instance_id'] + "," +\ + "uid=" + config.pki_master_dict['pki_admin_uid'] +\ + "," + "e=" +\ + config.pki_master_dict['pki_admin_email'] +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + elif config.pki_master_dict['pki_subsystem'] == "KRA": + # PKI KRA + config.pki_master_dict['pki_admin_subject_dn'] =\ + "cn=" + "KRA Administrator of Instance" + " " +\ + config.pki_master_dict['pki_instance_id'] + "," +\ + "uid=" + config.pki_master_dict['pki_admin_uid'] +\ + "," + "e=" +\ + config.pki_master_dict['pki_admin_email'] +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + elif config.pki_master_dict['pki_subsystem'] == "OCSP": + # PKI OCSP + config.pki_master_dict['pki_admin_subject_dn'] =\ + "cn=" + "OCSP Administrator of Instance" + " " +\ + config.pki_master_dict['pki_instance_id'] + "," +\ + "uid=" + config.pki_master_dict['pki_admin_uid'] +\ + "," + "e=" +\ + config.pki_master_dict['pki_admin_email'] +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + elif config.pki_master_dict['pki_subsystem'] == "TKS": + # PKI TKS + config.pki_master_dict['pki_admin_subject_dn'] =\ + "cn=" + "TKS Administrator of Instance" + " " +\ + config.pki_master_dict['pki_instance_id'] + "," +\ + "uid=" + config.pki_master_dict['pki_admin_uid'] +\ + "," + "e=" +\ + config.pki_master_dict['pki_admin_email'] +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + # Jython scriptlet + # 'CA Signing Certificate' Configuration name/value pairs + # + # Tomcat - [CA] + # - [External CA] + # - [Subordinate CA] + # + # The following variables are defined below: + # + # config.pki_master_dict['pki_ca_signing_tag'] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_ca_signing_key_algorithm'] + # config.pki_master_dict['pki_ca_signing_key_size'] + # config.pki_master_dict['pki_ca_signing_key_type'] + # config.pki_master_dict['pki_ca_signing_signing_algorithm'] + # + # The following variables are established via the specified PKI + # deployment configuration file and potentially overridden below: + # + # config.pki_master_dict['pki_ca_signing_nickname'] + # config.pki_master_dict['pki_ca_signing_subject_dn'] + # config.pki_master_dict['pki_ca_signing_token'] + # + if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + if not config.str2bool(config.pki_master_dict['pki_clone']): + if config.pki_master_dict['pki_subsystem'] == "CA": + # config.pki_master_dict['pki_ca_signing_nickname'] + if not len(config.pki_master_dict\ + ['pki_ca_signing_nickname']): + config.pki_master_dict['pki_ca_signing_nickname'] =\ + "caSigningCert" + " " + "cert-" +\ + config.pki_master_dict['pki_instance_id'] + # config.pki_master_dict['pki_ca_signing_subject_dn'] + if config.str2bool(config.pki_master_dict['pki_external']): + # External CA + if not len(config.pki_master_dict\ + ['pki_ca_signing_subject_dn']): + config.pki_master_dict['pki_ca_signing_subject_dn']\ + = "cn=" + "External CA Signing Certificate" +\ + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + elif config.str2bool( + config.pki_master_dict['pki_subordinate']): + # Subordinate CA + if not len(config.pki_master_dict\ + ['pki_ca_signing_subject_dn']): + config.pki_master_dict['pki_ca_signing_subject_dn']\ + = "cn=" + "SubCA Signing Certificate" +\ + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + else: + # PKI CA + if not len(config.pki_master_dict\ + ['pki_ca_signing_subject_dn']): + config.pki_master_dict['pki_ca_signing_subject_dn']\ + = "cn=" + "CA Signing Certificate" +\ + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + # config.pki_master_dict['pki_ca_signing_tag'] + config.pki_master_dict['pki_ca_signing_tag'] =\ + "signing" + # config.pki_master_dict['pki_ca_signing_token'] + if not len(config.pki_master_dict['pki_ca_signing_token']): + config.pki_master_dict['pki_ca_signing_token'] =\ + "Internal Key Storage Token" + # Jython scriptlet + # 'OCSP Signing Certificate' Configuration name/value pairs + # + # Tomcat - [CA], [OCSP] + # - [External CA] + # - [Subordinate CA] + # + # The following variables are defined below: + # + # config.pki_master_dict['pki_ocsp_signing_tag'] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_ocsp_signing_key_algorithm'] + # config.pki_master_dict['pki_ocsp_signing_key_size'] + # config.pki_master_dict['pki_ocsp_signing_key_type'] + # config.pki_master_dict['pki_ocsp_signing_signing_algorithm'] + # + # The following variables are established via the specified PKI + # deployment configuration file and potentially overridden below: + # + # config.pki_master_dict['pki_ocsp_signing_nickname'] + # config.pki_master_dict['pki_ocsp_signing_subject_dn'] + # config.pki_master_dict['pki_ocsp_signing_token'] + # + if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + if not config.str2bool(config.pki_master_dict['pki_clone']): + if config.pki_master_dict['pki_subsystem'] == "CA": + if not len(config.pki_master_dict\ + ['pki_ocsp_signing_nickname']): + config.pki_master_dict['pki_ocsp_signing_nickname'] =\ + "ocspSigningCert" + " " + "cert-" +\ + config.pki_master_dict['pki_instance_id'] + if config.str2bool(config.pki_master_dict['pki_external']): + # External CA + if not len(config.pki_master_dict\ + ['pki_ocsp_signing_subject_dn']): + config.pki_master_dict\ + ['pki_ocsp_signing_subject_dn'] =\ + "cn=" + "External CA OCSP Signing Certificate"\ + + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + elif config.str2bool( + config.pki_master_dict['pki_subordinate']): + # Subordinate CA + if not len(config.pki_master_dict\ + ['pki_ocsp_signing_subject_dn']): + config.pki_master_dict\ + ['pki_ocsp_signing_subject_dn'] =\ + "cn=" + "SubCA OCSP Signing Certificate"\ + + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + else: + # PKI CA + if not len(config.pki_master_dict\ + ['pki_ocsp_signing_subject_dn']): + config.pki_master_dict\ + ['pki_ocsp_signing_subject_dn'] =\ + "cn=" + "CA OCSP Signing Certificate"\ + + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + config.pki_master_dict['pki_ocsp_signing_tag'] =\ + "ocsp_signing" + if not len(config.pki_master_dict\ + ['pki_ocsp_signing_token']): + config.pki_master_dict['pki_ocsp_signing_token'] =\ + "Internal Key Storage Token" + elif config.pki_master_dict['pki_subsystem'] == "OCSP": + # PKI OCSP + if not len(config.pki_master_dict\ + ['pki_ocsp_signing_nickname']): + config.pki_master_dict['pki_ocsp_signing_nickname'] =\ + "ocspSigningCert" + " " + "cert-" +\ + config.pki_master_dict['pki_instance_id'] + if not len(config.pki_master_dict\ + ['pki_ocsp_signing_subject_dn']): + config.pki_master_dict['pki_ocsp_signing_subject_dn'] =\ + "cn=" + "OCSP Signing Certificate" + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + config.pki_master_dict['pki_ocsp_signing_tag'] =\ + "signing" + if not len(config.pki_master_dict\ + ['pki_ocsp_signing_token']): + config.pki_master_dict['pki_ocsp_signing_token'] =\ + "Internal Key Storage Token" + # Jython scriptlet + # 'SSL Server Certificate' Configuration name/value pairs + # + # Apache - [RA], [TPS] + # Tomcat - [CA], [KRA], [OCSP], [TKS] + # - [CA Clone], [KRA Clone], [OCSP Clone], [TKS Clone] + # - [External CA] + # - [Subordinate CA] + # + # The following variables are defined below: + # + # config.pki_master_dict['pki_ssl_server_tag'] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_ssl_server_key_algorithm'] + # config.pki_master_dict['pki_ssl_server_key_size'] + # config.pki_master_dict['pki_ssl_server_key_type'] + # + # The following variables are established via the specified PKI + # deployment configuration file and potentially overridden below: + # + # config.pki_master_dict['pki_ssl_server_nickname'] + # config.pki_master_dict['pki_ssl_server_subject_dn'] + # config.pki_master_dict['pki_ssl_server_token'] + # + if not len(config.pki_master_dict['pki_ssl_server_nickname']): + config.pki_master_dict['pki_ssl_server_nickname'] =\ + "Server-Cert" + " " + "cert-" +\ + config.pki_master_dict['pki_instance_id'] + if not len(config.pki_master_dict['pki_ssl_server_subject_dn']): + if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS: + config.pki_master_dict['pki_ssl_server_subject_dn'] =\ + "cn=" + config.pki_master_dict['pki_hostname'] +\ + "," + "ou=" + config.pki_master_dict['pki_instance_id'] +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + config.pki_master_dict['pki_ssl_server_subject_dn'] =\ + "cn=" + config.pki_master_dict['pki_hostname'] +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + config.pki_master_dict['pki_ssl_server_tag'] = "sslserver" + if not len(config.pki_master_dict['pki_ssl_server_token']): + config.pki_master_dict['pki_ssl_server_token'] =\ + "Internal Key Storage Token" + # Jython scriptlet + # 'Subsystem Certificate' Configuration name/value pairs + # + # Apache - [RA], [TPS] + # Tomcat - [CA], [KRA], [OCSP], [TKS] + # - [External CA] + # - [Subordinate CA] + # + # The following variables are defined below: + # + # config.pki_master_dict['pki_subsystem_tag'] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_subsystem_key_algorithm'] + # config.pki_master_dict['pki_subsystem_key_size'] + # config.pki_master_dict['pki_subsystem_key_type'] + # + # The following variables are established via the specified PKI + # deployment configuration file and potentially overridden below: + # + # config.pki_master_dict['pki_subsystem_nickname'] + # config.pki_master_dict['pki_subsystem_subject_dn'] + # config.pki_master_dict['pki_subsystem_token'] + # + if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS: + if not len(config.pki_master_dict['pki_subsystem_nickname']): + config.pki_master_dict['pki_subsystem_nickname'] =\ + "subsystemCert" + " " + "cert-" +\ + config.pki_master_dict['pki_instance_id'] + if not len(config.pki_master_dict['pki_subsystem_subject_dn']): + if config.pki_master_dict['pki_subsystem'] == "RA": + # PKI RA + config.pki_master_dict['pki_subsystem_subject_dn'] =\ + "cn=" + "RA Subsystem Certificate" +\ + "," + "ou=" + config.pki_master_dict['pki_instance_id']\ + + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + elif config.pki_master_dict['pki_subsystem'] == "TPS": + # PKI TPS + config.pki_master_dict['pki_subsystem_subject_dn'] =\ + "cn=" + "TPS Subsystem Certificate" +\ + "," + "ou=" + config.pki_master_dict['pki_instance_id']\ + + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + config.pki_master_dict['pki_subsystem_tag'] = "subsystem" + if not len(config.pki_master_dict['pki_subsystem_token']): + config.pki_master_dict['pki_subsystem_token'] =\ + "Internal Key Storage Token" + elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + if not config.str2bool(config.pki_master_dict['pki_clone']): + if not len(config.pki_master_dict['pki_subsystem_nickname']): + config.pki_master_dict['pki_subsystem_nickname'] =\ + "subsystemCert" + " " + "cert-" +\ + config.pki_master_dict['pki_instance_id'] + if not len(config.pki_master_dict['pki_subsystem_subject_dn']): + if config.pki_master_dict['pki_subsystem'] == "CA": + if config.str2bool( + config.pki_master_dict['pki_external']): + # External CA + config.pki_master_dict['pki_subsystem_subject_dn']\ + = "cn=" + "External CA Subsystem Certificate" +\ + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + elif config.str2bool( + config.pki_master_dict['pki_subordinate']): + # Subordinate CA + config.pki_master_dict['pki_subsystem_subject_dn']\ + = "cn=" + "SubCA Subsystem Certificate" +\ + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + else: + # PKI CA + config.pki_master_dict['pki_subsystem_subject_dn']\ + = "cn=" + "CA Subsystem Certificate" +\ + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + elif config.pki_master_dict['pki_subsystem'] == "KRA": + # PKI KRA + config.pki_master_dict['pki_subsystem_subject_dn'] =\ + "cn=" + "DRM Subsystem Certificate" +\ + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + elif config.pki_master_dict['pki_subsystem'] == "OCSP": + # PKI OCSP + config.pki_master_dict['pki_subsystem_subject_dn'] =\ + "cn=" + "OCSP Subsystem Certificate" +\ + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + elif config.pki_master_dict['pki_subsystem'] == "TKS": + # PKI TKS + config.pki_master_dict['pki_subsystem_subject_dn'] =\ + "cn=" + "TKS Subsystem Certificate" +\ + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + config.pki_master_dict['pki_subsystem_tag'] = "subsystem" + if not len(config.pki_master_dict['pki_subsystem_token']): + config.pki_master_dict['pki_subsystem_token'] =\ + "Internal Key Storage Token" + # Jython scriptlet + # 'Audit Signing Certificate' Configuration name/value pairs + # + # Apache - [TPS] + # Tomcat - [CA], [KRA], [OCSP], [TKS] + # - [External CA] + # - [Subordinate CA] + # + # The following variables are defined below: + # + # config.pki_master_dict['pki_audit_signing_tag'] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_audit_signing_key_algorithm'] + # config.pki_master_dict['pki_audit_signing_key_size'] + # config.pki_master_dict['pki_audit_signing_key_type'] + # config.pki_master_dict['pki_audit_signing_signing_algorithm'] + # + # The following variables are established via the specified PKI + # deployment configuration file and potentially overridden below: + # + # config.pki_master_dict['pki_audit_signing_nickname'] + # config.pki_master_dict['pki_audit_signing_subject_dn'] + # config.pki_master_dict['pki_audit_signing_token'] + # + if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS: + if config.pki_master_dict['pki_subsystem'] != "RA": + if not len(config.pki_master_dict\ + ['pki_audit_signing_nickname']): + config.pki_master_dict['pki_audit_signing_nickname'] =\ + "auditSigningCert" + " " + "cert-" +\ + config.pki_master_dict['pki_instance_id'] + if not len(config.pki_master_dict\ + ['pki_audit_signing_subject_dn']): + config.pki_master_dict['pki_audit_signing_subject_dn'] =\ + "cn=" + "TPS Audit Signing Certificate" +\ + "," + "ou=" + config.pki_master_dict['pki_instance_id']\ + + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + config.pki_master_dict['pki_audit_signing_tag'] =\ + "audit_signing" + if not len(config.pki_master_dict['pki_audit_signing_token']): + config.pki_master_dict['pki_audit_signing_token'] =\ + "Internal Key Storage Token" + elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + if not config.str2bool(config.pki_master_dict['pki_clone']): + if not len(config.pki_master_dict\ + ['pki_audit_signing_nickname']): + config.pki_master_dict['pki_audit_signing_nickname'] =\ + "auditSigningCert" + " " + "cert-" +\ + config.pki_master_dict['pki_instance_id'] + if not len(config.pki_master_dict\ + ['pki_audit_signing_subject_dn']): + if config.pki_master_dict['pki_subsystem'] == "CA": + if config.str2bool( + config.pki_master_dict['pki_external']): + # External CA + config.pki_master_dict\ + ['pki_audit_signing_subject_dn'] =\ + "cn=" + "External CA Audit Signing Certificate"\ + + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + elif config.str2bool( + config.pki_master_dict['pki_subordinate']): + # Subordinate CA + config.pki_master_dict\ + ['pki_audit_signing_subject_dn'] =\ + "cn=" + "SubCA Audit Signing Certificate" +\ + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + else: + # PKI CA + config.pki_master_dict\ + ['pki_audit_signing_subject_dn'] =\ + "cn=" + "CA Audit Signing Certificate" +\ + "," + "o=" +\ + config.pki_master_dict\ + ['pki_security_domain_name'] + elif config.pki_master_dict['pki_subsystem'] == "KRA": + # PKI KRA + config.pki_master_dict['pki_audit_signing_subject_dn']\ + = "cn=" + "DRM Audit Signing Certificate" +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + elif config.pki_master_dict['pki_subsystem'] == "OCSP": + # PKI OCSP + config.pki_master_dict['pki_audit_signing_subject_dn']\ + = "cn=" + "OCSP Audit Signing Certificate" +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + elif config.pki_master_dict['pki_subsystem'] == "TKS": + # PKI TKS + config.pki_master_dict['pki_audit_signing_subject_dn']\ + = "cn=" + "TKS Audit Signing Certificate" +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + config.pki_master_dict['pki_audit_signing_tag'] =\ + "audit_signing" + if not len(config.pki_master_dict['pki_audit_signing_token']): + config.pki_master_dict['pki_audit_signing_token'] =\ + "Internal Key Storage Token" + # Jython scriptlet + # 'DRM Transport Certificate' Configuration name/value pairs + # + # Tomcat - [KRA] + # + # The following variables are defined below: + # + # config.pki_master_dict['pki_transport_tag'] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_transport_key_algorithm'] + # config.pki_master_dict['pki_transport_key_size'] + # config.pki_master_dict['pki_transport_key_type'] + # config.pki_master_dict['pki_transport_signing_algorithm'] + # + # The following variables are established via the specified PKI + # deployment configuration file and potentially overridden below: + # + # config.pki_master_dict['pki_transport_nickname'] + # config.pki_master_dict['pki_transport_subject_dn'] + # config.pki_master_dict['pki_transport_token'] + # + if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + if not config.str2bool(config.pki_master_dict['pki_clone']): + if config.pki_master_dict['pki_subsystem'] == "KRA": + # PKI KRA + if not len(config.pki_master_dict\ + ['pki_transport_nickname']): + config.pki_master_dict['pki_transport_nickname'] =\ + "transportCert" + " " + "cert-" +\ + config.pki_master_dict['pki_instance_id'] + if not len(config.pki_master_dict\ + ['pki_transport_subject_dn']): + config.pki_master_dict['pki_transport_subject_dn']\ + = "cn=" + "DRM Transport Certificate" +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + config.pki_master_dict['pki_transport_tag'] =\ + "transport" + if not len(config.pki_master_dict['pki_transport_token']): + config.pki_master_dict['pki_transport_token'] =\ + "Internal Key Storage Token" + # Jython scriptlet + # 'DRM Storage Certificate' Configuration name/value pairs + # + # Tomcat - [KRA] + # + # The following variables are defined below: + # + # config.pki_master_dict['pki_storage_tag'] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_storage_key_algorithm'] + # config.pki_master_dict['pki_storage_key_size'] + # config.pki_master_dict['pki_storage_key_type'] + # config.pki_master_dict['pki_storage_signing_algorithm'] + # + # The following variables are established via the specified PKI + # deployment configuration file and potentially overridden below: + # + # config.pki_master_dict['pki_storage_nickname'] + # config.pki_master_dict['pki_storage_subject_dn'] + # config.pki_master_dict['pki_storage_token'] + # + if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + if not config.str2bool(config.pki_master_dict['pki_clone']): + if config.pki_master_dict['pki_subsystem'] == "KRA": + # PKI KRA + if not len(config.pki_master_dict['pki_storage_nickname']): + config.pki_master_dict['pki_storage_nickname'] =\ + "storageCert" + " " + "cert-" +\ + config.pki_master_dict['pki_instance_id'] + if not len(config.pki_master_dict\ + ['pki_storage_subject_dn']): + config.pki_master_dict['pki_storage_subject_dn']\ + = "cn=" + "DRM Storage Certificate" +\ + "," + "o=" +\ + config.pki_master_dict['pki_security_domain_name'] + config.pki_master_dict['pki_storage_tag'] =\ + "storage" + if not len(config.pki_master_dict['pki_storage_token']): + config.pki_master_dict['pki_storage_token'] =\ + "Internal Key Storage Token" except OSError as exc: config.pki_log.error(log.PKI_OSERROR_1, exc, extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) + except KeyError as err: + config.pki_log.error(log.PKIHELPER_DICTIONARY_MASTER_MISSING_KEY_1, + err, extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) return -- cgit