From 924403a14e92112c3c3d696319759b65eb57a30c Mon Sep 17 00:00:00 2001
From: Matthew Harmsen
Date: Fri, 18 May 2012 10:52:06 -0700
Subject: PKI Deployment Scriptlets

* Introduced concept of "admin-domain" originally as a separate folder, and later incorporated this concept into an optional instance prefix
* Revised definition of to be identified as "[-]
* Changed NSS security database model from one shared database by BOTH a single Tomcat AND single Apache instance into one per Tomcat instance (shared by CA/KRA/OCSP/TKS) and one per Apache instance (shared by RA/TPS)
* Altered Configuration 'scriptlet' to invoke Jython for access to new Java configuration servlet
* Renamed various "scriptlets" to comply with this new layout
* Re-aligned code to account for revised layout documented at http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment
---
 base/deploy/src/scriptlets/security_databases.py | 50 +++++++++++++++++++-----
 1 file changed, 41 insertions(+), 9 deletions(-)
(limited to 'base/deploy/src/scriptlets/security_databases.py')

diff --git a/base/deploy/src/scriptlets/security_databases.py b/base/deploy/src/scriptlets/security_databases.py
index f32b7e497..1a08fdccb 100644
--- a/base/deploy/src/scriptlets/security_databases.py
+++ b/base/deploy/src/scriptlets/security_databases.py
@@ -27,7 +27,7 @@ import pkimessages as log
 import pkiscriptlet
-# PKI Deployment Security Database Classes
+# PKI Deployment Security Databases Scriptlet
 class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 rv = 0
@@ -36,11 +36,15 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 extra=config.PKI_INDENTATION_LEVEL_1)
 if not config.pki_dry_run_flag:
 util.password.create_password_conf(
- master['pki_shared_password_conf'])
+ master['pki_shared_password_conf'],
+ master['pki_pin'])
 util.file.modify(master['pki_shared_password_conf'])
 util.certutil.create_security_databases(
 master['pki_database_path'],
- master['pki_shared_password_conf'])
+ master['pki_cert_database'],
+ master['pki_key_database'],
+ master['pki_secmod_database'],
+ password_file=master['pki_shared_password_conf'])
 util.file.modify(master['pki_cert_database'], perms=\
 config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
 util.file.modify(master['pki_key_database'], perms=\
@@ -49,6 +53,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
 rv = util.certutil.verify_certificate_exists(
 master['pki_database_path'],
+ master['pki_cert_database'],
+ master['pki_key_database'],
+ master['pki_secmod_database'],
 master['pki_self_signed_token'],
 master['pki_self_signed_nickname'],
 password_file=master['pki_shared_password_conf'])
@@ -58,6 +65,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 master['pki_self_signed_noise_bytes'])
 util.certutil.generate_self_signed_certificate(
 master['pki_database_path'],
+ master['pki_cert_database'],
+ master['pki_key_database'],
+ master['pki_secmod_database'],
 master['pki_self_signed_token'],
 master['pki_self_signed_nickname'],
 master['pki_self_signed_subject'],
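Review bot: `util.file.modify(master['pki_shared_password_conf'])` in the first hunk still takes no `perms=` argument, while the three NSS database files right below it are each tightened with `perms=config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS`. Now that `create_password_conf` also receives `master['pki_pin']`, that file presumably holds the token PIN in the clear (NSS password files are plain text), so its mode matters at least as much as the key database's. If `util.file.modify`'s default is not already restrictive, pass the permissions explicitly, e.g. `util.file.modify(master['pki_shared_password_conf'], perms=config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)`; if it is, a short comment saying so would save the next reader the lookup. The enclosing method starts and ends outside this hunk.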
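Review bot: The triple `master['pki_cert_database']`, `master['pki_key_database']`, `master['pki_secmod_database']` is inserted verbatim after `master['pki_database_path']` in six certutil calls — in this `-49` hunk, the `-58` hunk, and the `-70` and `-85` hunks of the dry-run branch — and the dry-run branch otherwise mirrors the live branch call for call. Two copies of the same argument list are easy to let drift the next time the NSS layout changes, which is exactly what this commit does. A local tuple such as `nss_dbs = (master['pki_database_path'], master['pki_cert_database'], master['pki_key_database'], master['pki_secmod_database'])` unpacked with `*nss_dbs` into each call, or a small helper that performs the three certutil steps and is invoked from both branches, would keep the two paths identical. The enclosing method starts and ends outside this hunk.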
@@ -70,12 +80,19 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 util.file.delete(master['pki_self_signed_noise_file'])
 else:
 util.password.create_password_conf(
- master['pki_shared_password_conf'])
+ master['pki_shared_password_conf'],
+ master['pki_pin'])
 util.certutil.create_security_databases(
 master['pki_database_path'],
- master['pki_shared_password_conf'])
+ master['pki_cert_database'],
+ master['pki_key_database'],
+ master['pki_secmod_database'],
+ password_file=master['pki_shared_password_conf'])
 rv = util.certutil.verify_certificate_exists(
 master['pki_database_path'],
+ master['pki_cert_database'],
+ master['pki_key_database'],
+ master['pki_secmod_database'],
 master['pki_self_signed_token'],
 master['pki_self_signed_nickname'],
 password_file=master['pki_shared_password_conf'])
@@ -85,6 +102,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 master['pki_self_signed_noise_bytes'])
 util.certutil.generate_self_signed_certificate(
 master['pki_database_path'],
+ master['pki_cert_database'],
+ master['pki_key_database'],
+ master['pki_secmod_database'],
 master['pki_self_signed_token'],
 master['pki_self_signed_nickname'],
 master['pki_self_signed_subject'],
@@ -112,16 +132,28 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 config.pki_log.info(log.SECURITY_DATABASES_DESTROY_1, __name__,
 extra=config.PKI_INDENTATION_LEVEL_1)
 if not config.pki_dry_run_flag:
- if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\
- util.instance.pki_subsystem_instances() == 0:
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
+ util.instance.apache_instances() == 0:
+ util.file.delete(master['pki_cert_database'])
+ util.file.delete(master['pki_key_database'])
+ util.file.delete(master['pki_secmod_database'])
+ util.file.delete(master['pki_shared_password_conf'])
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
+ util.instance.tomcat_instances() == 0:
 util.file.delete(master['pki_cert_database'])
 util.file.delete(master['pki_key_database'])
 util.file.delete(master['pki_secmod_database'])
 util.file.delete(master['pki_shared_password_conf'])
 else:
 # ALWAYS display correct information (even during dry_run)
- if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\
- util.instance.pki_subsystem_instances() == 1:
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
+ util.instance.apache_instances() == 1:
+ util.file.delete(master['pki_cert_database'])
+ util.file.delete(master['pki_key_database'])
+ util.file.delete(master['pki_secmod_database'])
+ util.file.delete(master['pki_shared_password_conf'])
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
+ util.instance.tomcat_instances() == 1:
 util.file.delete(master['pki_cert_database'])
 util.file.delete(master['pki_key_database'])
 util.file.delete(master['pki_secmod_database'])
-- cgit
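Review bot: The new `if`/`elif` pair in both the live and the dry-run branch has identical bodies — the same four `util.file.delete` calls — so only the predicate differs, and merging the conditions avoids a second copy to keep in sync, e.g. `if (master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and util.instance.apache_instances() == 0) or \` / `(master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and util.instance.tomcat_instances() == 0):`. Per the commit message these files are the key and certificate databases shared by the other subsystems of the same Tomcat or Apache instance, so the instance-count guard is the only thing standing between this scriptlet and a sibling subsystem's private keys; a comment stating that above the first `if` would make the guard's purpose explicit. The same comment should say why the dry-run branch tests `== 1` where the live branch tests `== 0` — presumably because the instance being destroyed is still counted during a dry run, but that is inferred rather than visible here. The body of the final `elif` is cut off at the end of the hunk, and the enclosing method continues beyond it.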