From 391d345b5a6a1a905e3db4105a65dd4fdd0d19a9 Mon Sep 17 00:00:00 2001
From: Matthew Harmsen
Date: Fri, 4 May 2012 20:29:35 -0700
Subject: PKI Deployment Scriptlets

* Re-aligned code to account for revised layout documented at http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment
* Massaged logic to comply with PKI subsystem running within a shared instance
* Developed code to take advantage of a single shared NSS security database model
* Completed the following two 'scriptlets':
  * Dogtag 10: Python 'slot_assignment.py' Installation Scriptlet (https://fedorahosted.org/pki/ticket/146)
  * Dogtag 10: Python 'security_databases.py' Installation Scriptlet (https://fedorahosted.org/pki/ticket/136)
* Created several additional PKI deployment helper utilities.
---
 base/deploy/src/scriptlets/pkiparser.py | 777 ++++++++++++++++++++++++++------
 1 file changed, 641 insertions(+), 136 deletions(-)

(limited to 'base/deploy/src/scriptlets/pkiparser.py')

diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py
index bff405955..19c9119a6 100644
--- a/base/deploy/src/scriptlets/pkiparser.py
+++ b/base/deploy/src/scriptlets/pkiparser.py
@@ -24,6 +24,7 @@
 import ConfigParser
 import argparse
 import logging
 import os
+import time
 
 # PKI Deployment Imports
@@ -171,9 +172,14 @@ def process_command_line_arguments(argv):
         # NOTE: When performing 'pkidestroy', a configuration file must be
         #       explicitly specified if it does not use the default location
         #       and/or default configuration file name.
+        if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
+            pki_web_server = "Apache"
+        elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+            pki_web_server = "Tomcat"
         config.pkideployment_cfg = config.pki_root_prefix +\
             config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\
             config.PKI_DEPLOYMENT_DEFAULT_INSTANCE_NAME + "/" +\
+            pki_web_server.lower() +"/" +\
             config.pki_subsystem.lower() +"/" +\
             config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE
         if not os.path.exists(config.pkideployment_cfg) or\
@@ -192,6 +198,8 @@ def read_pki_configuration_file():
     rv = 0
     try:
         parser = ConfigParser.ConfigParser()
+        # Make keys case-sensitive!
+        parser.optionxform = str
         parser.read(config.pkideployment_cfg)
         config.pki_common_dict = dict(parser._sections['Common'])
         if config.pki_subsystem == "CA":
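Review bot: In the first hunk `pki_web_server` is bound only inside the `if`/`elif`, so a `pki_subsystem` value that is in neither `PKI_APACHE_SUBSYSTEMS` nor `PKI_TOMCAT_SUBSYSTEMS` reaches `pki_web_server.lower()` unbound and fails with an `UnboundLocalError` instead of a clear configuration error, and because this value also becomes a path component of `pkideployment_cfg` an unrecognised subsystem should be rejected before the default path is built. Add an `else:` branch that reports the unsupported subsystem and exits, e.g. `else:` / `    config.pki_log.error("unsupported subsystem '%s'", config.pki_subsystem)` / `    sys.exit(1)` (using whatever logging constant and exit helper this file already employs for argument errors). The enclosing `process_command_line_arguments` starts before this hunk, and the second hunk's `read_pki_configuration_file` continues past it; note that `parser.read()` there silently returns on a missing file, so the later `parser._sections['Common']` lookup would raise `KeyError` outside the visible `try`.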
@@ -223,140 +231,637 @@ def read_pki_configuration_file(): def compose_pki_master_dictionary(): "Create a single master PKI dictionary from the sectional dictionaries" - config.pki_master_dict = dict() - # 'pkispawn'/'pkirespawn'/'pkidestroy' name/value pairs - config.pki_master_dict['pki_timestamp'] = config.pki_timestamp - # Configuration file name/value pairs - config.pki_master_dict.update(config.pki_common_dict) - config.pki_master_dict.update(config.pki_web_server_dict) - config.pki_master_dict.update(config.pki_subsystem_dict) - config.pki_master_dict.update(__name__="PKI Master Dictionary") - config.pki_master_dict['pki_source_conf'] =\ - config.pki_master_dict['pki_source_root'] + "/" +\ - config.pki_master_dict['pki_subsystem'].lower() + "/" + "conf" - if config.pki_master_dict['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: - config.pki_master_dict['pki_war'] =\ - config.pki_master_dict['pki_source_root'] + "/" +\ - config.pki_master_dict['pki_subsystem'].lower() + "/" +\ - "war" + "/" + config.pki_master_dict['pki_war_name'] - config.pki_master_dict['pki_tomcat_bin_path'] =\ - config.pki_master_dict['pki_tomcat_root'] + "/" + "bin" - config.pki_master_dict['pki_tomcat_lib_path'] =\ - config.pki_master_dict['pki_tomcat_root'] + "/" + "lib" - if config.pki_master_dict['pki_subsystem'] == "CA": - config.pki_master_dict['pki_source_emails'] =\ - config.pki_master_dict['pki_source_root'] + "/" +\ - "ca" + "/" + "emails" - config.pki_master_dict['pki_source_profiles'] =\ - config.pki_master_dict['pki_source_root'] + "/" +\ - "ca" + "/" + "profiles" - # Instance layout base name/value pairs - config.pki_master_dict['pki_root_prefix'] = config.pki_root_prefix - config.pki_master_dict['pki_path'] =\ - config.pki_master_dict['pki_root_prefix'] +\ - config.pki_master_dict['pki_instance_root'] - config.pki_master_dict['pki_instance_path'] =\ - config.pki_master_dict['pki_path'] + "/" +\ - config.pki_master_dict['pki_instance_name'] - 
config.pki_master_dict['pki_instance_database_link'] =\ - config.pki_master_dict['pki_instance_path'] + "/" + "alias" - # Instance layout log name/value pairs - config.pki_master_dict['pki_log_path'] =\ - config.pki_master_dict['pki_root_prefix'] +\ - config.pki_master_dict['pki_instance_log_root'] - config.pki_master_dict['pki_instance_log_path'] =\ - config.pki_master_dict['pki_log_path'] + "/" +\ - config.pki_master_dict['pki_instance_name'] - # Instance layout configuration name/value pairs - config.pki_master_dict['pki_configuration_path'] =\ - config.pki_master_dict['pki_root_prefix'] +\ - config.pki_master_dict['pki_instance_configuration_root'] - config.pki_master_dict['pki_instance_configuration_path'] =\ - config.pki_master_dict['pki_configuration_path'] + "/" +\ - config.pki_master_dict['pki_instance_name'] - # Instance layout registry name/value pairs - config.pki_master_dict['pki_registry_path'] =\ - config.pki_master_dict['pki_root_prefix'] +\ - config.PKI_DEPLOYMENT_REGISTRY_ROOT - config.pki_master_dict['pki_instance_registry_path'] =\ - config.pki_master_dict['pki_registry_path'] + "/" +\ - config.pki_master_dict['pki_instance_name'] - # Instance-based webserver Apache base name/value pairs - if config.pki_master_dict['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS: - config.pki_master_dict['pki_apache_path'] =\ - config.pki_master_dict['pki_instance_path'] + "/apache" - # Instance-based webserver Tomcat base name/value pairs - if config.pki_master_dict['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: - config.pki_master_dict['pki_tomcat_path'] =\ - config.pki_master_dict['pki_instance_path'] + "/" + "tomcat" - config.pki_master_dict['pki_tomcat_bin_link'] =\ - config.pki_master_dict['pki_tomcat_path'] + "/" + "bin" - config.pki_master_dict['pki_common_path'] =\ - config.pki_master_dict['pki_tomcat_path'] + "/" + "common" - config.pki_master_dict['pki_common_lib_path'] =\ - config.pki_master_dict['pki_common_path'] + "/" + "lib" - 
config.pki_master_dict['pki_conf_path'] =\ - config.pki_master_dict['pki_tomcat_path'] + "/" + "conf" - config.pki_master_dict['pki_tomcat_lib_link'] =\ - config.pki_master_dict['pki_tomcat_path'] + "/" + "lib" - config.pki_master_dict['pki_tomcat_logs_link'] =\ - config.pki_master_dict['pki_tomcat_path'] + "/" + "logs" - config.pki_master_dict['pki_webapps_path'] =\ - config.pki_master_dict['pki_tomcat_path'] + "/" + "webapps" - config.pki_master_dict['pki_webapps_root_path'] =\ - config.pki_master_dict['pki_webapps_path'] + "/" + "ROOT" - config.pki_master_dict['pki_webapps_root_webinf_path'] =\ - config.pki_master_dict['pki_webapps_root_path'] + "/" + "WEB-INF" - config.pki_master_dict['pki_webapps_webinf_path'] =\ - config.pki_master_dict['pki_webapps_path'] + "/" + "WEB-INF" - config.pki_master_dict['pki_webapps_webinf_classes_path'] =\ - config.pki_master_dict['pki_webapps_webinf_path'] + "/" + "classes" - config.pki_master_dict['pki_webapps_webinf_lib_path'] =\ - config.pki_master_dict['pki_webapps_webinf_path'] + "/" + "lib" - config.pki_master_dict['pki_webapps_subsystem_path'] =\ - config.pki_master_dict['pki_webapps_path'] + "/" +\ - config.pki_master_dict['pki_subsystem'].lower() - config.pki_master_dict['pki_webapps_subsystem_webinf_classes_link'] =\ - config.pki_master_dict['pki_webapps_subsystem_path'] + "/" +\ - "WEB-INF" + "/" + "classes" - config.pki_master_dict['pki_webapps_subsystem_webinf_lib_link'] =\ - config.pki_master_dict['pki_webapps_subsystem_path'] + "/" +\ - "WEB-INF" + "/" + "lib" - # Instance-based webserver Apache/Tomcat configuration name/value pairs - config.pki_master_dict['pki_database_path'] =\ - config.pki_master_dict['pki_instance_configuration_path'] + "/" +\ - "alias" - # Instance-based subsystem base name/value pairs - config.pki_master_dict['pki_subsystem_path'] =\ - config.pki_master_dict['pki_instance_path'] + "/" +\ - config.pki_master_dict['pki_subsystem'].lower() - 
config.pki_master_dict['pki_subsystem_database_link'] =\ - config.pki_master_dict['pki_subsystem_path'] + "/" + "alias" - config.pki_master_dict['pki_subsystem_configuration_link'] =\ - config.pki_master_dict['pki_subsystem_path'] + "/" + "conf" - config.pki_master_dict['pki_subsystem_logs_link'] =\ - config.pki_master_dict['pki_subsystem_path'] + "/" + "logs" - if config.pki_master_dict['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: - if config.pki_master_dict['pki_subsystem'] == "CA": - config.pki_master_dict['pki_subsystem_emails_path'] =\ - config.pki_master_dict['pki_subsystem_path'] + "/" + "emails" - config.pki_master_dict['pki_subsystem_profiles_path'] =\ - config.pki_master_dict['pki_subsystem_path'] + "/" + "profiles" - config.pki_master_dict['pki_subsystem_webapps_link'] =\ - config.pki_master_dict['pki_subsystem_path'] + "/" + "webapps" - # Instance-based subsystem log name/value pairs - config.pki_master_dict['pki_subsystem_log_path'] =\ - config.pki_master_dict['pki_instance_log_path'] + "/" +\ - config.pki_master_dict['pki_subsystem'].lower() - config.pki_master_dict['pki_subsystem_signed_audit_log_path'] =\ - config.pki_master_dict['pki_subsystem_log_path'] + "/" +\ - "signedAudit" - # Instance-based subsystem configuration name/value pairs - config.pki_master_dict['pki_subsystem_configuration_path'] =\ - config.pki_master_dict['pki_instance_configuration_path'] + "/" +\ - config.pki_master_dict['pki_subsystem'].lower() - # Instance-based subsystem registry name/value pairs - config.pki_master_dict['pki_subsystem_registry_path'] =\ - config.pki_master_dict['pki_instance_registry_path'] + "/" +\ - config.pki_master_dict['pki_subsystem'].lower() + try: + config.pki_master_dict = dict() + # 'pkispawn'/'pkirespawn'/'pkidestroy' name/value pairs + config.pki_master_dict['pki_install_time'] = config.pki_install_time + config.pki_master_dict['pki_timestamp'] = config.pki_timestamp + config.pki_master_dict['pki_certificate_timestamp'] =\ + 
config.pki_certificate_timestamp + config.pki_master_dict['pki_hostname'] = config.pki_hostname + config.pki_master_dict['pki_pin'] = config.pki_pin + config.pki_master_dict['pki_one_time_pin'] = config.pki_one_time_pin + # Configuration file name/value pairs + config.pki_master_dict.update(config.pki_common_dict) + config.pki_master_dict.update(config.pki_web_server_dict) + config.pki_master_dict.update(config.pki_subsystem_dict) + config.pki_master_dict.update(__name__="PKI Master Dictionary") + # IMPORTANT: A "PKI instance" no longer corresponds to a single + # pki subystem, but rather to zero or one unique + # "Tomcat web instance" AND/OR zero or one unique + # "Apache web instance". Obviously, each + # "PKI instance" must contain at least one of these + # two web instances. The name of the default + # "PKI instance" is called "default" and may be + # changed in the PKI deployment configuration file, + # and/or overridden via the command-line interface. + # + # A "Tomcat instance" consists of a single process + # which may itself contain zero or one unique + # "CA" and/or "KRA" and/or "OCSP" and/or "TKS" + # pki subystems. Obviously, the "Tomcat instance" must + # contain at least one of these four pki subystems. + # + # Similarly, an "Apache instance" consists of a single + # process which may itself contain zero or one unique + # "RA" and/or "TPS" pki subsystems. Obviously, the + # "Apache instance" must contain at least one of these + # two pki subystems. + # + # To emulate the original behavior of having a CA and + # KRA be unique PKI instances, each must be located + # within a separately named "PKI instance" if residing + # on the same host machine, or may be located within + # an identically named "PKI instance" when residing on + # two separate host machines. + # + # PKI INSTANCE NAMING CONVENTION: + # + # OLD: "pki-${pki_subsystem}" + # (e. g. Tomcat - "pki-ca", "pki-kra", "pki-ocsp", "pki-tks") + # (e. g. 
Apache - "pki-ra", "pki-tps") + # NEW: "pki-${pki_instance_name}-${pki_web_server}" + # (e. g. Tomcat: "pki-default-tomcat") + # (e. g. Apache: "pki-default-apache") + # + config.pki_master_dict['pki_instance_id'] =\ + "pki" + "-" + config.pki_master_dict['pki_instance_name'] + "-" +\ + config.pki_master_dict['pki_web_server'].lower() + # PKI Source name/value pairs + config.pki_master_dict['pki_source_conf_path'] =\ + os.path.join(config.pki_master_dict['pki_source_root'], + config.pki_master_dict['pki_subsystem'].lower(), + "conf") + config.pki_master_dict['pki_source_setup_path'] =\ + os.path.join(config.pki_master_dict['pki_source_root'], + config.pki_master_dict['pki_subsystem'].lower(), + "setup") + config.pki_master_dict['pki_source_cs_cfg'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "CS.cfg") + config.pki_master_dict['pki_source_registry'] =\ + os.path.join(config.pki_master_dict['pki_source_setup_path'], + "registry_instance") + if config.pki_master_dict['pki_subsystem'] in\ + config.PKI_TOMCAT_SUBSYSTEMS: + config.pki_master_dict['pki_tomcat_bin_path'] =\ + os.path.join(config.pki_master_dict['pki_tomcat_root'], + "bin") + config.pki_master_dict['pki_tomcat_lib_path'] =\ + os.path.join(config.pki_master_dict['pki_tomcat_root'], + "lib") + config.pki_master_dict['pki_war_path'] =\ + os.path.join(config.pki_master_dict['pki_source_root'], + config.pki_master_dict['pki_subsystem'].lower(), + "war") + config.pki_master_dict['pki_source_webapps_path'] =\ + os.path.join(config.pki_master_dict['pki_source_root'], + config.pki_master_dict['pki_subsystem'].lower(), + "webapps") + config.pki_master_dict['pki_war'] =\ + os.path.join(config.pki_master_dict['pki_war_path'], + config.pki_master_dict['pki_war_name']) + config.pki_master_dict['pki_source_catalina_properties'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "catalina.properties") + config.pki_master_dict['pki_source_servercertnick_conf'] =\ + 
os.path.join(config.pki_master_dict['pki_source_conf_path'], + "serverCertNick.conf") + config.pki_master_dict['pki_source_server_xml'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "server.xml") + config.pki_master_dict['pki_source_tomcat_conf'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "tomcat.conf") + config.pki_master_dict['pki_source_index_jsp'] =\ + os.path.join(config.pki_master_dict['pki_source_webapps_path'], + "ROOT", + "index.jsp") + config.pki_master_dict['pki_source_webapps_root_web_xml'] =\ + os.path.join(config.pki_master_dict['pki_source_webapps_path'], + "ROOT", + "WEB-INF", + "web.xml") + if config.pki_master_dict['pki_subsystem'] == "CA": + config.pki_master_dict['pki_source_emails'] =\ + os.path.join(config.pki_master_dict['pki_source_root'], + "ca", + "emails") + config.pki_master_dict['pki_source_profiles'] =\ + os.path.join(config.pki_master_dict['pki_source_root'], + "ca", + "profiles") + config.pki_master_dict['pki_source_proxy_conf'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "proxy.conf") + # Instance layout base name/value pairs + # NOTE: Never use 'os.path.join()' whenever 'pki_root_prefix' + # is being prepended!!! 
+ config.pki_master_dict['pki_root_prefix'] = config.pki_root_prefix + config.pki_master_dict['pki_path'] =\ + config.pki_master_dict['pki_root_prefix'] +\ + config.pki_master_dict['pki_instance_root'] + config.pki_master_dict['pki_instance_path'] =\ + os.path.join(config.pki_master_dict['pki_path'], + config.pki_master_dict['pki_instance_name']) + # Instance layout log name/value pairs + config.pki_master_dict['pki_log_path'] =\ + config.pki_master_dict['pki_root_prefix'] +\ + config.pki_master_dict['pki_instance_log_root'] + config.pki_master_dict['pki_instance_log_path'] =\ + os.path.join(config.pki_master_dict['pki_log_path'], + config.pki_master_dict['pki_instance_name']) + # Instance layout configuration name/value pairs + config.pki_master_dict['pki_configuration_path'] =\ + config.pki_master_dict['pki_root_prefix'] +\ + config.pki_master_dict['pki_instance_configuration_root'] + config.pki_master_dict['pki_instance_configuration_path'] =\ + os.path.join(config.pki_master_dict['pki_configuration_path'], + config.pki_master_dict['pki_instance_name']) + # Instance layout registry name/value pairs + config.pki_master_dict['pki_registry_path'] =\ + config.pki_master_dict['pki_root_prefix'] +\ + config.PKI_DEPLOYMENT_REGISTRY_ROOT + config.pki_master_dict['pki_instance_registry_path'] =\ + os.path.join(config.pki_master_dict['pki_registry_path'], + config.pki_master_dict['pki_instance_name']) + # Instance layout NSS security database name/value pairs + config.pki_master_dict['pki_database_path'] =\ + os.path.join( + config.pki_master_dict['pki_instance_configuration_path'], + "alias") + # Instance layout convenience symbolic links + config.pki_master_dict['pki_instance_database_link'] =\ + os.path.join(config.pki_master_dict['pki_instance_path'], + "alias") + # Instance-based Apache/Tomcat webserver base name/value pairs + config.pki_master_dict['pki_webserver_path'] =\ + os.path.join(config.pki_master_dict['pki_instance_path'], + 
config.pki_master_dict['pki_web_server'].lower()) + # Instance-based Apache/Tomcat webserver log name/value pairs + config.pki_master_dict['pki_webserver_log_path'] =\ + os.path.join(config.pki_master_dict['pki_instance_log_path'], + config.pki_master_dict['pki_web_server'].lower()) + # Instance-based Apache/Tomcat webserver configuration name/value pairs + config.pki_master_dict['pki_webserver_configuration_path'] =\ + os.path.join( + config.pki_master_dict['pki_instance_configuration_path'], + config.pki_master_dict['pki_web_server'].lower()) + # Instance-based Apache/Tomcat webserver registry name/value pairs + config.pki_master_dict['pki_webserver_registry_path'] =\ + os.path.join(config.pki_master_dict['pki_instance_registry_path'], + config.pki_master_dict['pki_web_server'].lower()) + # Instance-based Tomcat-specific webserver name/value pairs + if config.pki_master_dict['pki_subsystem'] in\ + config.PKI_TOMCAT_SUBSYSTEMS: + # Instance-based Tomcat webserver base name/value pairs + config.pki_master_dict['pki_tomcat_common_path'] =\ + os.path.join(config.pki_master_dict['pki_webserver_path'], + "common") + config.pki_master_dict['pki_tomcat_common_lib_path'] =\ + os.path.join(config.pki_master_dict['pki_tomcat_common_path'], + "lib") + config.pki_master_dict['pki_tomcat_webapps_path'] =\ + os.path.join(config.pki_master_dict['pki_webserver_path'], + "webapps") + config.pki_master_dict['pki_tomcat_webapps_root_path'] =\ + os.path.join(config.pki_master_dict['pki_tomcat_webapps_path'], + "ROOT") + config.pki_master_dict['pki_tomcat_webapps_root_webinf_path'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_root_path'], + "WEB-INF") + config.pki_master_dict['pki_tomcat_webapps_webinf_path'] =\ + os.path.join(config.pki_master_dict['pki_tomcat_webapps_path'], + "WEB-INF") + config.pki_master_dict['pki_tomcat_webapps_webinf_classes_path'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_webinf_path'], + "classes") + 
config.pki_master_dict['pki_tomcat_webapps_webinf_lib_path'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_webinf_path'], + "lib") + config.pki_master_dict['pki_tomcat_webapps_root_webinf_web_xml'] =\ + os.path.join( + config.pki_master_dict\ + ['pki_tomcat_webapps_root_webinf_path'], + "web.xml") + # Instance-based Tomcat webserver log name/value pairs + # Instance-based Tomcat webserver configuration name/value pairs + # Instance-based Tomcat webserver registry name/value pairs + # Instance-based Tomcat webserver convenience symbolic links + config.pki_master_dict['pki_tomcat_bin_link'] =\ + os.path.join(config.pki_master_dict['pki_webserver_path'], + "bin") + config.pki_master_dict['pki_tomcat_lib_link'] =\ + os.path.join(config.pki_master_dict['pki_webserver_path'], + "lib") + config.pki_master_dict['pki_webserver_systemd_link'] =\ + os.path.join(config.pki_master_dict['pki_webserver_path'], + config.pki_master_dict['pki_instance_id']) + # Instance-based Apache/Tomcat webserver convenience symbolic links + config.pki_master_dict['pki_webserver_database_link'] =\ + os.path.join(config.pki_master_dict['pki_webserver_path'], + "alias") + config.pki_master_dict['pki_webserver_conf_link'] =\ + os.path.join(config.pki_master_dict['pki_webserver_path'], + "conf") + config.pki_master_dict['pki_webserver_logs_link'] =\ + os.path.join(config.pki_master_dict['pki_webserver_path'], + "logs") + # Instance-based PKI subsystem base name/value pairs + config.pki_master_dict['pki_subsystem_path'] =\ + os.path.join(config.pki_master_dict['pki_webserver_path'], + config.pki_master_dict['pki_subsystem'].lower()) + # Instance-based PKI subsystem log name/value pairs + config.pki_master_dict['pki_subsystem_log_path'] =\ + os.path.join(config.pki_master_dict['pki_webserver_log_path'], + config.pki_master_dict['pki_subsystem'].lower()) + # Instance-based PKI subsystem configuration name/value pairs + config.pki_master_dict['pki_subsystem_configuration_path'] =\ + 
os.path.join( + config.pki_master_dict['pki_webserver_configuration_path'], + config.pki_master_dict['pki_subsystem'].lower()) + # Instance-based PKI subsystem registry name/value pairs + config.pki_master_dict['pki_subsystem_registry_path'] =\ + os.path.join(config.pki_master_dict['pki_webserver_registry_path'], + config.pki_master_dict['pki_subsystem'].lower()) + # Instance-based Apache/Tomcat PKI subsystem name/value pairs + if config.pki_master_dict['pki_subsystem'] in\ + config.PKI_APACHE_SUBSYSTEMS: + # Instance-based Apache PKI subsystem base name/value pairs + # Instance-based Apache PKI subsystem log name/value pairs + if config.pki_master_dict['pki_subsystem'] == "TPS": + config.pki_master_dict['pki_subsystem_signed_audit_log_path'] =\ + os.path.join(config.pki_master_dict['pki_subsystem_log_path'], + "signedAudit") + # Instance-based Apache PKI subsystem configuration name/value pairs + # Instance-based Apache PKI subsystem registry name/value pairs + # Instance-based Apache PKI subsystem convenience symbolic links + elif config.pki_master_dict['pki_subsystem'] in\ + config.PKI_TOMCAT_SUBSYSTEMS: + # Instance-based Tomcat PKI subsystem base name/value pairs + config.pki_master_dict['pki_tomcat_webapps_subsystem_path'] =\ + os.path.join(config.pki_master_dict['pki_tomcat_webapps_path'], + config.pki_master_dict['pki_subsystem'].lower()) + if config.pki_master_dict['pki_subsystem'] == "CA": + config.pki_master_dict['pki_subsystem_emails_path'] =\ + os.path.join(config.pki_master_dict['pki_subsystem_path'], + "emails") + config.pki_master_dict['pki_subsystem_profiles_path'] =\ + os.path.join(config.pki_master_dict['pki_subsystem_path'], + "profiles") + # Instance-based Tomcat PKI subsystem log name/value pairs + config.pki_master_dict['pki_subsystem_signed_audit_log_path'] =\ + os.path.join(config.pki_master_dict['pki_subsystem_log_path'], + "signedAudit") + # Instance-based Tomcat PKI subsystem configuration name/value pairs + # Instance-based Tomcat PKI 
subsystem registry name/value pairs + # Instance-based Tomcat PKI subsystem convenience symbolic links + config.pki_master_dict['pki_subsystem_tomcat_webapps_link'] =\ + os.path.join(config.pki_master_dict['pki_subsystem_path'], + "webapps") + config.pki_master_dict\ + ['pki_tomcat_webapps_subsystem_webinf_classes_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], + "WEB-INF", + "classes") + config.pki_master_dict\ + ['pki_tomcat_webapps_subsystem_webinf_lib_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], + "WEB-INF", + "lib") + # Instance-based Apache/Tomcat PKI subsystem convenience symbolic links + config.pki_master_dict['pki_subsystem_database_link'] =\ + os.path.join(config.pki_master_dict['pki_subsystem_path'], + "alias") + config.pki_master_dict['pki_subsystem_conf_link'] =\ + os.path.join(config.pki_master_dict['pki_subsystem_path'], + "conf") + config.pki_master_dict['pki_subsystem_logs_link'] =\ + os.path.join(config.pki_master_dict['pki_subsystem_path'], + "logs") + # PKI Target (slot substitution) name/value pairs + config.pki_master_dict['pki_target_cs_cfg'] =\ + os.path.join( + config.pki_master_dict['pki_subsystem_configuration_path'], + "CS.cfg") + config.pki_master_dict['pki_target_registry'] =\ + os.path.join(config.pki_master_dict['pki_subsystem_registry_path'], + config.pki_master_dict['pki_instance_id']) + if config.pki_master_dict['pki_subsystem'] in\ + config.PKI_TOMCAT_SUBSYSTEMS: + config.pki_master_dict['pki_target_catalina_properties'] =\ + os.path.join( + config.pki_master_dict['pki_subsystem_configuration_path'], + "catalina.properties") + config.pki_master_dict['pki_target_servercertnick_conf'] =\ + os.path.join( + config.pki_master_dict['pki_subsystem_configuration_path'], + "serverCertNick.conf") + config.pki_master_dict['pki_target_server_xml'] =\ + os.path.join( + config.pki_master_dict['pki_subsystem_configuration_path'], + "server.xml") + 
config.pki_master_dict['pki_target_tomcat_conf'] =\ + config.pki_master_dict['pki_root_prefix'] +\ + "/etc/sysconfig/" +\ + config.pki_master_dict['pki_instance_id'] + config.pki_master_dict['pki_target_index_jsp'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_root_path'], + "index.jsp") + # in-place slot substitution name/value pairs + config.pki_master_dict['pki_target_velocity_properties'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], + "WEB-INF", + "velocity.properties") + config.pki_master_dict['pki_target_subsystem_web_xml'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], + "WEB-INF", + "web.xml") + # subystem-specific slot substitution name/value pairs + if config.pki_master_dict['pki_subsystem'] == "CA": + config.pki_master_dict['pki_target_proxy_conf'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "proxy.conf") + # in-place slot substitution name/value pairs + config.pki_master_dict['pki_target_profileselect_template'] =\ + os.path.join( + config.pki_master_dict\ + ['pki_tomcat_webapps_subsystem_path'], + "ee", + config.pki_master_dict['pki_subsystem'].lower(), + "ProfileSelect.template") + # Slot assignment name/value pairs + # NOTE: Master key == Slots key; Master value ==> Slots value + config.pki_master_dict['PKI_INSTANCE_ID_SLOT'] =\ + config.pki_master_dict['pki_instance_id'] + config.pki_master_dict['PKI_INSTANCE_INITSCRIPT_SLOT'] =\ + os.path.join(config.pki_master_dict['pki_subsystem_path'], + config.pki_master_dict['pki_instance_id']) + config.pki_master_dict['PKI_LOCKDIR_SLOT'] =\ + os.path.join("/var/lock/pki", + config.pki_master_dict['pki_subsystem'].lower()) + config.pki_master_dict['PKI_PIDDIR_SLOT'] =\ + os.path.join("/var/run/pki", + config.pki_master_dict['pki_subsystem'].lower()) + config.pki_master_dict['PKI_REGISTRY_FILE_SLOT'] =\ + os.path.join(config.pki_master_dict['pki_subsystem_registry_path'], + 
config.pki_master_dict['pki_instance_id']) + if config.pki_master_dict['pki_subsystem'] in\ + config.PKI_APACHE_SUBSYSTEMS: + config.pki_master_dict['FORTITUDE_APACHE_SLOT'] = None + config.pki_master_dict['FORTITUDE_AUTH_MODULES_SLOT'] = None + config.pki_master_dict['FORTITUDE_DIR_SLOT'] = None + config.pki_master_dict['FORTITUDE_LIB_DIR_SLOT'] = None + config.pki_master_dict['FORTITUDE_MODULE_SLOT'] = None + config.pki_master_dict['FORTITUDE_NSS_MODULES_SLOT'] = None + config.pki_master_dict['HTTPD_CONF_SLOT'] = None + config.pki_master_dict['LIB_PREFIX_SLOT'] = None + config.pki_master_dict['NON_CLIENTAUTH_SECURE_PORT_SLOT'] = None + config.pki_master_dict['NSS_CONF_SLOT'] = None + config.pki_master_dict['OBJ_EXT_SLOT'] = None + config.pki_master_dict['PORT_SLOT'] = None + config.pki_master_dict['PROCESS_ID_SLOT'] = None + config.pki_master_dict['REQUIRE_CFG_PL_SLOT'] = None + config.pki_master_dict['SECURE_PORT_SLOT'] = None + config.pki_master_dict['SECURITY_LIBRARIES_SLOT'] = None + config.pki_master_dict['SERVER_NAME_SLOT'] = None + config.pki_master_dict['SERVER_ROOT_SLOT'] = None + config.pki_master_dict['SYSTEM_LIBRARIES_SLOT'] = None + config.pki_master_dict['SYSTEM_USER_LIBRARIES_SLOT'] = None + config.pki_master_dict['TMP_DIR_SLOT'] = None + config.pki_master_dict['TPS_DIR_SLOT'] = None + elif config.pki_master_dict['pki_subsystem'] in\ + config.PKI_TOMCAT_SUBSYSTEMS: + config.pki_master_dict['INSTALL_TIME_SLOT'] =\ + config.pki_master_dict['pki_install_time'] + config.pki_master_dict['PKI_ADMIN_SECURE_PORT_SLOT'] =\ + config.pki_master_dict['pki_https_port'] + config.pki_master_dict\ + ['PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME_SLOT'] =\ + "Unused" + config.pki_master_dict\ + ['PKI_ADMIN_SECURE_PORT_SERVER_COMMENT_SLOT'] =\ + "" + config.pki_master_dict['PKI_AGENT_CLIENTAUTH_SLOT'] =\ + "agent" + config.pki_master_dict['PKI_AGENT_SECURE_PORT_SLOT'] =\ + config.pki_master_dict['pki_https_port'] + config.pki_master_dict['PKI_AJP_PORT_SLOT'] =\ + 
config.pki_master_dict['pki_ajp_port']
+ config.pki_master_dict['PKI_AJP_REDIRECT_PORT_SLOT'] =\
+ config.pki_master_dict['pki_https_port']
+ config.pki_master_dict['PKI_CERT_DB_PASSWORD_SLOT'] =\
+ config.pki_master_dict['pki_pin']
+ config.pki_master_dict['PKI_CFG_PATH_NAME_SLOT'] =\
+ config.pki_master_dict['pki_target_cs_cfg']
+ config.pki_master_dict['PKI_CLOSE_AJP_PORT_COMMENT_SLOT'] =\
+ "-->"
+ config.pki_master_dict['PKI_CLOSE_ENABLE_PROXY_COMMENT_SLOT'] =\
+ "-->"
+ config.pki_master_dict\
+ ['PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT_SLOT'] =\
+ "-->"
+ config.pki_master_dict\
+ ['PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT_SLOT'] =\
+ "-->"
+ config.pki_master_dict['PKI_EE_SECURE_CLIENT_AUTH_PORT_SLOT'] =\
+ config.pki_master_dict['pki_https_port']
+ config.pki_master_dict\
+ ['PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME_SLOT'] =\
+ "Unused"
+ config.pki_master_dict\
+ ['PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT_SLOT'] =\
+ ""
+ config.pki_master_dict['PKI_EE_SECURE_CLIENT_AUTH_PORT_UI_SLOT'] =\
+ config.pki_master_dict['pki_https_port']
+ config.pki_master_dict['PKI_EE_SECURE_PORT_SLOT'] =\
+ config.pki_master_dict['pki_https_port']
+ config.pki_master_dict['PKI_EE_SECURE_PORT_CONNECTOR_NAME_SLOT'] =\
+ "Unused"
+ config.pki_master_dict['PKI_EE_SECURE_PORT_SERVER_COMMENT_SLOT'] =\
+ ""
+ config.pki_master_dict['PKI_FLAVOR_SLOT'] =\
+ "pki"
+ config.pki_master_dict['PKI_GROUP_SLOT'] =\
+ config.pki_master_dict['pki_group']
+ config.pki_master_dict['PKI_INSTANCE_PATH_SLOT'] =\
+ config.pki_master_dict['pki_subsystem_path']
+ config.pki_master_dict['PKI_INSTANCE_ROOT_SLOT'] =\
+ config.pki_master_dict['pki_webserver_path']
+ config.pki_master_dict['PKI_MACHINE_NAME_SLOT'] =\
+ config.pki_master_dict['pki_hostname']
+ config.pki_master_dict['PKI_OPEN_AJP_PORT_COMMENT_SLOT'] =\
+ ""
+ config.pki_master_dict['PKI_SECURITY_MANAGER_SLOT'] =\
+ config.pki_master_dict['pki_security_manager']
+ config.pki_master_dict['PKI_SERVER_XML_CONF_SLOT'] =\
+ config.pki_master_dict['pki_target_server_xml']
+ config.pki_master_dict['PKI_SUBSYSTEM_TYPE_SLOT'] =\
+ config.pki_master_dict['pki_subsystem'].lower()
+ config.pki_master_dict['PKI_SYSTEMD_SERVICENAME_SLOT'] =\
+ "pki-" + config.pki_master_dict['pki_subsystem'].lower() +\
+ "d" + "@" + "pki-" +\
+ config.pki_master_dict['pki_subsystem'].lower() + ".service"
+ config.pki_master_dict['PKI_UNSECURE_PORT_SLOT'] =\
+ config.pki_master_dict['pki_http_port']
+ config.pki_master_dict['PKI_UNSECURE_PORT_CONNECTOR_NAME_SLOT'] =\
+ "Unsecure"
+ config.pki_master_dict['PKI_UNSECURE_PORT_SERVER_COMMENT_SLOT'] =\
+ ""
+ config.pki_master_dict['PKI_USER_SLOT'] =\
+ config.pki_master_dict['pki_user']
+ config.pki_master_dict['PKI_WEBAPPS_NAME_SLOT'] =\
+ "webapps"
+ config.pki_master_dict['TOMCAT_CFG_SLOT'] =\
+ config.pki_master_dict['pki_target_tomcat_conf']
+ config.pki_master_dict['TOMCAT_INSTANCE_COMMON_LIB_SLOT'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_common_lib_path'],
+ "*.jar")
+ config.pki_master_dict['TOMCAT_LOG_DIR_SLOT'] =\
+ config.pki_master_dict['pki_subsystem_log_path']
+ config.pki_master_dict['TOMCAT_PIDFILE_SLOT'] =\
+ "/var/run/" + config.pki_master_dict['pki_instance_id'] + ".pid"
+ config.pki_master_dict['TOMCAT_SERVER_PORT_SLOT'] =\
+ config.pki_master_dict['tomcat_server_port']
+ config.pki_master_dict['TOMCAT_SSL2_CIPHERS_SLOT'] =\
+ "-SSL2_RC4_128_WITH_MD5," +\
+ "-SSL2_RC4_128_EXPORT40_WITH_MD5," +\
+ "-SSL2_RC2_128_CBC_WITH_MD5," +\
+ "-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5," +\
+ "-SSL2_DES_64_CBC_WITH_MD5," +\
+ "-SSL2_DES_192_EDE3_CBC_WITH_MD5"
+ config.pki_master_dict['TOMCAT_SSL3_CIPHERS_SLOT'] =\
+ "-SSL3_FORTEZZA_DMS_WITH_NULL_SHA," +\
+ "-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA," +\
+ "+SSL3_RSA_WITH_RC4_128_SHA," +\
+ "-SSL3_RSA_EXPORT_WITH_RC4_40_MD5," +\
+ "+SSL3_RSA_WITH_3DES_EDE_CBC_SHA," +\
+ "+SSL3_RSA_WITH_DES_CBC_SHA," +\
+ "-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5," +\
+ "-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA," +\
+ "-SSL_RSA_FIPS_WITH_DES_CBC_SHA," +\
+ "+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA," +\
+ "-SSL3_RSA_WITH_NULL_MD5," +\
+ "-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA," +\
+ "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," +\
+ "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
+ config.pki_master_dict['TOMCAT_SSL_OPTIONS_SLOT'] =\
+ "ssl2=true," +\
+ "ssl3=true," +\
+ "tls=true"
+ config.pki_master_dict['TOMCAT_TLS_CIPHERS_SLOT'] =\
+ "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," +\
+ "-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," +\
+ "+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," +\
+ "+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," +\
+ "+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," +\
+ "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," +\
+ "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," +\
+ "+TLS_RSA_WITH_3DES_EDE_CBC_SHA," +\
+ "+TLS_RSA_WITH_AES_128_CBC_SHA," +\
+ "+TLS_RSA_WITH_AES_256_CBC_SHA," +\
+ "+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," +\
+ "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," +\
+ "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," +\
+ "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," +\
+ "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," +\
+ "+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA," +\
+ "+TLS_DHE_DSS_WITH_AES_128_CBC_SHA," +\
+ "+TLS_DHE_DSS_WITH_AES_256_CBC_SHA," +\
+ "+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," +\
+ "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," +\
+ "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
+ # Shared Apache/Tomcat NSS security database name/value pairs
+ config.pki_master_dict['pki_shared_password_conf'] =\
+ os.path.join(
+ config.pki_master_dict['pki_instance_configuration_path'],
+ "password.conf")
+ config.pki_master_dict['pki_cert_database'] =\
+ os.path.join(config.pki_master_dict['pki_database_path'],
+ "cert8.db")
+ config.pki_master_dict['pki_key_database'] =\
+ os.path.join(config.pki_master_dict['pki_database_path'],
+ "key3.db")
+ config.pki_master_dict['pki_secmod_database'] =\
+ os.path.join(config.pki_master_dict['pki_database_path'],
+ "secmod.db")
+ config.pki_master_dict['pki_self_signed_token'] = "internal"
+ config.pki_master_dict['pki_self_signed_nickname'] =\
+ "Server-Cert cert-" + config.pki_master_dict['pki_instance_id']
+ config.pki_master_dict['pki_self_signed_subject'] =\
+ "CN=" + config.pki_master_dict['pki_hostname'] + "," +\
+ "O=" + config.pki_master_dict['pki_certificate_timestamp']
+ config.pki_master_dict['pki_self_signed_serial_number'] = 0
+ config.pki_master_dict['pki_self_signed_validity_period'] = 12
+ config.pki_master_dict['pki_self_signed_issuer_name'] =\
+ "CN=" + config.pki_master_dict['pki_hostname'] + "," +\
+ "O=" + config.pki_master_dict['pki_certificate_timestamp']
+ config.pki_master_dict['pki_self_signed_trustargs'] = "CTu,CTu,CTu"
+ config.pki_master_dict['pki_self_signed_noise_file'] =\
+ os.path.join(
+ config.pki_master_dict['pki_subsystem_configuration_path'],
+ "noise")
+ config.pki_master_dict['pki_self_signed_noise_bytes'] = 1024
+ # Shared Apache/Tomcat NSS security database convenience symbolic links
+ config.pki_master_dict\
+ ['pki_subsystem_configuration_password_conf_link'] =\
+ os.path.join(
+ config.pki_master_dict['pki_subsystem_configuration_path'],
+ "password.conf")
+ except OSError as exc:
+ config.pki_log.error(log.PKI_OSERROR_1, exc,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
 return
+
+
+def compose_pki_slots_dictionary():
+ """Read the slots configuration file to create
+ the appropriate PKI slots dictionary"""
+ rv = 0
+ try:
+ config.pki_slots_dict = dict()
+ parser = ConfigParser.ConfigParser()
+ # Make keys case-sensitive!
+ parser.optionxform = str
+ parser.read(config.PKI_DEPLOYMENT_SLOTS_CONFIGURATION_FILE)
+ # Slots configuration file name/value pairs
+ if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
+ config.pki_slots_dict = dict(parser._sections['Apache'])
+ elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+ config.pki_slots_dict = dict(parser._sections['Tomcat'])
+ except ConfigParser.ParsingError, err:
+ rv = err
+ return rv
-- cgit
