From 5b004df074027d1eba33c2f9038030406830cc3c Mon Sep 17 00:00:00 2001 From: Matthew Harmsen Date: Thu, 19 Jul 2012 01:04:54 -0700 Subject: PKI Deployment Scriptlets * In 'catalina.properties', removed commented out jars for each of the subsystems in the 'common.loader' * In 'server.xml', removed the line containing a '1' * Moved all parameters from the [Mandatory] and [Optional] sections of the 'pkideployment.cfg' file to other more appropriate sections (e.g. - [Common], [CA], [KRA], etc.), and removed these sections and all of their associated logic from the 'pki-deploy' package * Resolved Dogtag TRAC Ticket #225 Dogtag 10: Move "pkispawn"/"pkidestroy" logs * Removed all security domain references from external CA logic * Added new 'pki_subsystem_name' parameter to 'pkideployment.cfg' file, and applied logic throughout 'pki-deploy' * Added new error message in the case of an unset DNS domain name, and replaced the log message with a simple print in the case of a 'domainname' exception
---
 base/deploy/config/pkideployment.cfg | 95 +++++++++++----------- base/deploy/src/pkidestroy | 26 ++---- base/deploy/src/pkispawn | 28 ++----- .../deploy/src/scriptlets/infrastructure_layout.py | 16 ++-- base/deploy/src/scriptlets/initialization.py | 3 +- base/deploy/src/scriptlets/pkiconfig.py | 4 +- base/deploy/src/scriptlets/pkijython.py | 23 ++---- base/deploy/src/scriptlets/pkimessages.py | 10 +-- base/deploy/src/scriptlets/pkiparser.py | 94 ++++++++++++++++++--- 9 files changed, 161 insertions(+), 138 deletions(-) (limited to 'base/deploy')
diff --git a/base/deploy/config/pkideployment.cfg b/base/deploy/config/pkideployment.cfg
index a4513d712..fb04c85fa 100644
--- a/base/deploy/config/pkideployment.cfg
+++ b/base/deploy/config/pkideployment.cfg
@@ -15,85 +15,60 @@ pki_ds_password=
 pki_pkcs12_password=
 pki_security_domain_password=
 ###############################################################################
-## 'Mandatory' Data: ##
-## ##
-## Values in this section pertain to various PKI subsystems, and contain ##
-## required information which MUST ALWAYS be provided by users. ##
-###############################################################################
-[Mandatory]
-###############################################################################
-## 'Optional' Data: ##
+## 'Common' Data: ##
 ## ##
-## Values in this section pertain to various PKI subsystems, and contain ##
-## required information which MAY OPTIONALLY be provided by users. ##
+## Values in this section are common to more than one PKI subsystem, and ##
+## contain required information which MAY be overridden by users as ##
+## necessary. ##
 ## ##
 ## NOTE: Default values will be generated for any and all required ##
-## 'optional' data values which are left undefined. ##
-###############################################################################
-[Optional]
-pki_admin_domain_name=
-pki_admin_email=
-pki_admin_nickname=
-pki_admin_subject_dn=
-pki_audit_signing_nickname=
-pki_audit_signing_subject_dn=
-pki_audit_signing_token=
-pki_backup_file=
-pki_ca_signing_nickname=
-pki_ca_signing_subject_dn=
-pki_ca_signing_token=
-pki_ds_base_dn=
-pki_ds_database=
-pki_ds_hostname=
-pki_ocsp_signing_nickname=
-pki_ocsp_signing_subject_dn=
-pki_ocsp_signing_token=
-pki_security_domain_hostname=
-pki_security_domain_name=
-pki_ssl_server_nickname=
-pki_ssl_server_subject_dn=
-pki_ssl_server_token=
-pki_storage_nickname=
-pki_storage_subject_dn=
-pki_storage_token=
-pki_subsystem_nickname=
-pki_subsystem_subject_dn=
-pki_subsystem_token=
-pki_transport_nickname=
-pki_transport_subject_dn=
-pki_transport_token=
-###############################################################################
-## 'Common' Data: ##
-## ##
-## Values in this section are common to ALL PKI subsystems, and contain ##
-## required information which MAY be overridden by users as necessary. ##
+## 'common' data values which are left undefined. ##
 ###############################################################################
 [Common]
 pki_admin_cert_request_type=crmf
+pki_admin_domain_name=
 pki_admin_dualkey=False
+pki_admin_email=
 pki_admin_keysize=2048
 pki_admin_name=admin
+pki_admin_nickname=
+pki_admin_subject_dn=
 pki_admin_uid=admin
 pki_audit_group=pkiaudit
 pki_audit_signing_key_algorithm=SHA256withRSA
 pki_audit_signing_key_size=2048
 pki_audit_signing_key_type=rsa
+pki_audit_signing_nickname=
 pki_audit_signing_signing_algorithm=SHA256withRSA
+pki_audit_signing_subject_dn=
+pki_audit_signing_token=
+pki_backup_file=
 pki_backup_keys=False
+pki_ds_base_dn=
 pki_ds_bind_dn=cn=Directory Manager
+pki_ds_database=
+pki_ds_hostname=
 pki_ds_http_port=389
 pki_ds_https_port=636
 pki_ds_remove_data=True
 pki_ds_secure_connection=False
 pki_group=pkiuser
+pki_security_domain_hostname=
 pki_security_domain_https_port=8443
+pki_security_domain_name=
 pki_security_domain_user=admin
 pki_ssl_server_key_algorithm=SHA256withRSA
 pki_ssl_server_key_size=2048
 pki_ssl_server_key_type=rsa
+pki_ssl_server_nickname=
+pki_ssl_server_subject_dn=
+pki_ssl_server_token=
 pki_subsystem_key_algorithm=SHA256withRSA
 pki_subsystem_key_size=2048
 pki_subsystem_key_type=rsa
+pki_subsystem_nickname=
+pki_subsystem_subject_dn=
+pki_subsystem_token=
 pki_user=pkiuser
 ###############################################################################
 ## 'Apache' Data: ##
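Review bot: The rewritten [Common] header promises that defaults are generated for every value left undefined, but nothing in this patch shows what an empty `pki_*_token=` or `pki_*_nickname=` resolves to, and the shipped pair `pki_ds_secure_connection=False` / `pki_ds_http_port=389` means the `pki_ds_bind_dn` credentials (the password sits in [Sensitive]) travel to the directory server in the clear unless a user overrides them. A caveat in the file would prevent surprises, e.g. `## NOTE: pki_ds_secure_connection=False sends the bind password over a cleartext LDAP connection; set it to True (and pki_ds_https_port) for anything beyond a test install.` Next to the token keys, a one-line note saying what an empty token means (presumably the internal software token — confirm against the scriptlet that consumes them) would make the "defaults will be generated" promise checkable.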
@@ -152,14 +127,21 @@ pki_tomcat_server_port=8005
 pki_ca_signing_key_algorithm=SHA256withRSA
 pki_ca_signing_key_size=2048
 pki_ca_signing_key_type=rsa
+pki_ca_signing_nickname=
 pki_ca_signing_signing_algorithm=SHA256withRSA
+pki_ca_signing_subject_dn=
+pki_ca_signing_token=
 pki_external=False
 pki_ocsp_signing_key_algorithm=SHA256withRSA
 pki_ocsp_signing_key_size=2048
 pki_ocsp_signing_key_type=rsa
+pki_ocsp_signing_nickname=
 pki_ocsp_signing_signing_algorithm=SHA256withRSA
+pki_ocsp_signing_subject_dn=
+pki_ocsp_signing_token=
 pki_subordinate=False
 pki_subsystem=CA
+pki_subsystem_name=
 pki_war_name=ca.war
 ###############################################################################
 ## 'KRA' Data: ##
@@ -172,12 +154,19 @@ pki_war_name=ca.war
 pki_storage_key_algorithm=SHA256withRSA
 pki_storage_key_size=2048
 pki_storage_key_type=rsa
+pki_storage_nickname=
 pki_storage_signing_algorithm=SHA256withRSA
+pki_storage_subject_dn=
+pki_storage_token=
 pki_subsystem=KRA
+pki_subsystem_name=
 pki_transport_key_algorithm=SHA256withRSA
 pki_transport_key_size=2048
 pki_transport_key_type=rsa
+pki_transport_nickname=
 pki_transport_signing_algorithm=SHA256withRSA
+pki_transport_subject_dn=
+pki_transport_token=
 pki_war_name=kra.war
 ###############################################################################
 ## 'OCSP' Data: ##
@@ -190,8 +179,13 @@ pki_war_name=kra.war
 pki_ocsp_signing_key_algorithm=SHA256withRSA
 pki_ocsp_signing_key_size=2048
 pki_ocsp_signing_key_type=rsa
+pki_ocsp_signing_nickname=
 pki_ocsp_signing_signing_algorithm=SHA256withRSA
+pki_ocsp_signing_subject_dn=
+pki_ocsp_signing_token=
+pki_subordinate=False
 pki_subsystem=OCSP
+pki_subsystem_name=
 pki_war_name=ocsp.war
 ###############################################################################
 ## 'RA' Data: ##
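Review bot: `+pki_subordinate=False` is added to the [OCSP] section, but no OCSP code path in this patch reads it — pkijython's OCSP branch and the new pkiparser OCSP block only test `pki_clone` — so its purpose is not visible from the diff. If it exists to satisfy a shared check (verify_mutually_exclusive_data, or a CA/OCSP code path that indexes `pki_subordinate` unconditionally), a comment above it such as `## read by shared CA/OCSP logic; keep defined even though an OCSP cannot be subordinate` would stop it being removed later as dead configuration. If it is not needed, drop it, since the [CA] section already carries the same default.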
@@ -201,6 +195,7 @@ pki_war_name=ocsp.war
 ###############################################################################
 [RA]
 pki_subsystem=RA
+pki_subsystem_name=
 ###############################################################################
 ## 'TKS' Data: ##
 ## ##
@@ -210,6 +205,7 @@ pki_subsystem=RA
 ###############################################################################
 [TKS]
 pki_subsystem=TKS
+pki_subsystem_name=
 pki_war_name=tks.war
 ###############################################################################
 ## 'TPS' Data: ##
@@ -219,3 +215,4 @@ pki_war_name=tks.war
 ###############################################################################
 [TPS]
 pki_subsystem=TPS
+pki_subsystem_name=
diff --git a/base/deploy/src/pkidestroy b/base/deploy/src/pkidestroy
index 5faa97cee..304b0bd0c 100755
--- a/base/deploy/src/pkidestroy
+++ b/base/deploy/src/pkidestroy
@@ -83,9 +83,11 @@ def main(argv):
 config.pki_dns_domainname = subprocess.check_output("domainname",
 shell=True)
 config.pki_dns_domainname = config.pki_dns_domainname.rstrip('\n')
+ if not len(config.pki_dns_domainname):
+ print log.PKI_DNS_DOMAIN_NOT_SET
+ sys.exit(1)
 except subprocess.CalledProcessError as exc:
- config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_0)
+ print log.PKI_SUBPROCESS_ERROR_1 % exc
 sys.exit(1)
 # Initialize 'pretty print' for objects
@@ -97,7 +99,7 @@ def main(argv):
 # Enable 'pkidestroy' logging.
 if not config.pki_dry_run_flag:
 config.pki_log_dir = config.pki_root_prefix +\
- "/var/log"
+ config.PKI_DEPLOYMENT_LOG_ROOT
 config.pki_log_name = "pki" + "-" +\
 config.pki_subsystem.lower() +\
 "-" + "destroy" + "." +\
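Review bot: The new emptiness check after `rstrip('\n')` does not catch the common unset case: `domainname` reports the NIS/YP domain, and on typical Linux systems it prints the literal string `(none)` rather than nothing when no NIS domain is configured, so `pki_dns_domainname` becomes "(none)", passes `len()`, and later feeds the default security-domain name built in pkiparser. Reject that value as well, e.g. `if config.pki_dns_domainname in ("", "(none)"):`, and consider whether the intended value is really the DNS domain of the host (derivable from the FQDN) rather than the NIS domain, since the two are unrelated. The context line `subprocess.check_output("domainname", shell=True)` runs a fixed command with no user input, so it is not injectable, but `check_output(["domainname"])` would be the conventional form. main() continues outside this hunk.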
@@ -124,14 +126,6 @@ def main(argv):
 sys.exit(1)
 else:
 # NEVER print out 'sensitive' name/value pairs!!!
- config.pki_log.debug(log.PKI_DICTIONARY_MANDATORY,
- extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pp.pformat(config.pki_mandatory_dict),
- extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(log.PKI_DICTIONARY_OPTIONAL,
- extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pp.pformat(config.pki_optional_dict),
- extra=config.PKI_INDENTATION_LEVEL_0)
 config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
 extra=config.PKI_INDENTATION_LEVEL_0)
 config.pki_log.debug(pp.pformat(config.pki_common_dict),
@@ -147,7 +141,7 @@ def main(argv):
 # Override PKI configuration file values with 'custom' command-line values.
 if not config.custom_pki_admin_domain_name is None:
- config.pki_optional_dict['pki_admin_domain_name'] =\
+ config.pki_common_dict['pki_admin_domain_name'] =\
 config.custom_pki_admin_domain_name
 if not config.custom_pki_instance_name is None:
 config.pki_web_server_dict['pki_instance_name'] =\
@@ -162,14 +156,6 @@ def main(argv):
 config.pki_web_server_dict['pki_ajp_port'] =\
 config.custom_pki_ajp_port
 # NEVER print out 'sensitive' name/value pairs!!!
- config.pki_log.debug(log.PKI_DICTIONARY_MANDATORY,
- extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pp.pformat(config.pki_mandatory_dict),
- extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(log.PKI_DICTIONARY_OPTIONAL,
- extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pp.pformat(config.pki_optional_dict),
- extra=config.PKI_INDENTATION_LEVEL_0)
 config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
 extra=config.PKI_INDENTATION_LEVEL_0)
 config.pki_log.debug(pp.pformat(config.pki_common_dict),
diff --git a/base/deploy/src/pkispawn b/base/deploy/src/pkispawn
index 931b9baf0..6f32d08d0 100755
--- a/base/deploy/src/pkispawn
+++ b/base/deploy/src/pkispawn
@@ -83,9 +83,11 @@ def main(argv):
 config.pki_dns_domainname = subprocess.check_output("domainname",
 shell=True)
 config.pki_dns_domainname = config.pki_dns_domainname.rstrip('\n')
+ if not len(config.pki_dns_domainname):
+ print log.PKI_DNS_DOMAIN_NOT_SET
+ sys.exit(1)
 except subprocess.CalledProcessError as exc:
- config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_0)
+ print log.PKI_SUBPROCESS_ERROR_1 % exc
 sys.exit(1)
 # Generate random 'pin's for use as security database passwords
@@ -110,7 +112,7 @@ def main(argv):
 if not config.pki_update_flag:
 if not config.pki_dry_run_flag:
 config.pki_log_dir = config.pki_root_prefix +\
- "/var/log"
+ config.PKI_DEPLOYMENT_LOG_ROOT
 config.pki_log_name = "pki" + "-" +\
 config.pki_subsystem.lower() +\
 "-" + "spawn" + "." +\
@@ -126,7 +128,7 @@ def main(argv):
 else:
 if not config.pki_dry_run_flag:
 config.pki_log_dir = config.pki_root_prefix +\
- "/var/log"
+ config.PKI_DEPLOYMENT_LOG_ROOT
 config.pki_log_name = "pki" + "-" +\
 config.pki_subsystem.lower() +\
 "-" + "respawn" + "." +\
@@ -153,14 +155,6 @@ def main(argv):
 sys.exit(1)
 else:
 # NEVER print out 'sensitive' name/value pairs!!!
- config.pki_log.debug(log.PKI_DICTIONARY_MANDATORY,
- extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pp.pformat(config.pki_mandatory_dict),
- extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(log.PKI_DICTIONARY_OPTIONAL,
- extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pp.pformat(config.pki_optional_dict),
- extra=config.PKI_INDENTATION_LEVEL_0)
 config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
 extra=config.PKI_INDENTATION_LEVEL_0)
 config.pki_log.debug(pp.pformat(config.pki_common_dict),
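Review bot: This is the second verbatim copy of the `domainname` probe-and-check block (the first is in pkidestroy), and both share the same gap: on typical Linux systems `domainname` prints `(none)` when no NIS domain is set, which passes the `len()` check and is then used verbatim when pkiparser builds the default security-domain name. Move the probe into one helper that both scripts call (pkiparser or pkiconfig would fit), have it treat `(none)` as unset alongside the empty string, and keep the message and `sys.exit(1)` in that one place so the two scripts cannot drift. main() continues outside this hunk.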
@@ -176,7 +170,7 @@ def main(argv):
 # Override PKI configuration file values with 'custom' command-line values.
 if not config.custom_pki_admin_domain_name is None:
- config.pki_optional_dict['pki_admin_domain_name'] =\
+ config.pki_common_dict['pki_admin_domain_name'] =\
 config.custom_pki_admin_domain_name
 if not config.custom_pki_instance_name is None:
 config.pki_web_server_dict['pki_instance_name'] =\
@@ -191,14 +185,6 @@ def main(argv):
 config.pki_web_server_dict['pki_ajp_port'] =\
 config.custom_pki_ajp_port
 # NEVER print out 'sensitive' name/value pairs!!!
- config.pki_log.debug(log.PKI_DICTIONARY_MANDATORY,
- extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pp.pformat(config.pki_mandatory_dict),
- extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(log.PKI_DICTIONARY_OPTIONAL,
- extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pp.pformat(config.pki_optional_dict),
- extra=config.PKI_INDENTATION_LEVEL_0)
 config.pki_log.debug(log.PKI_DICTIONARY_COMMON,
 extra=config.PKI_INDENTATION_LEVEL_0)
 config.pki_log.debug(pp.pformat(config.pki_common_dict),
diff --git a/base/deploy/src/scriptlets/infrastructure_layout.py b/base/deploy/src/scriptlets/infrastructure_layout.py
index 471739700..d5ce233c6 100644
--- a/base/deploy/src/scriptlets/infrastructure_layout.py
+++ b/base/deploy/src/scriptlets/infrastructure_layout.py
@@ -36,8 +36,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 extra=config.PKI_INDENTATION_LEVEL_1)
 # establish top-level infrastructure base
 util.directory.create(master['pki_path'])
- # establish top-level infrastructure logs
- util.directory.create(master['pki_log_path'])
+ # no need to establish top-level infrastructure logs
+ # since it now stores 'pkispawn'/'pkidestroy' logs
+ # and will already exist
+ # util.directory.create(master['pki_log_path'])
 # establish top-level infrastructure configuration
 if master['pki_configuration_path'] !=\
 config.PKI_DEPLOYMENT_CONFIGURATION_ROOT:
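Review bot: The commented-out call `# util.directory.create(master['pki_log_path'])` should be deleted rather than kept; the three comment lines above it already record why the directory is no longer created here, and the same applies to the two commented-out `util.directory.delete` calls in the following hunks. Separately, the comment asserts the directory "will already exist" but nothing in this patch creates it — presumably packaging does — so on a non-packaged install or a fresh `pki_root_prefix` the logging setup in pkispawn would fail before any scriptlet runs; naming the owner, e.g. `# created and owned by the pki-deploy package; see pkispawn/pkidestroy logging setup`, makes that assumption checkable. The enclosing method continues outside this hunk.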
@@ -70,8 +72,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 util.instance.pki_subsystem_instances() == 0:
 # remove top-level infrastructure base
 util.directory.delete(master['pki_path'])
- # remove top-level infrastructure logs
- util.directory.delete(master['pki_log_path'])
+ # do NOT remove top-level infrastructure logs
+ # since it now stores 'pkispawn'/'pkidestroy' logs
+ # util.directory.delete(master['pki_log_path'])
 # remove top-level infrastructure configuration
 if util.directory.is_empty(master['pki_configuration_path'])\
 and master['pki_configuration_path'] !=\
@@ -89,8 +92,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 util.instance.pki_subsystem_instances() == 1:
 # remove top-level infrastructure base
 util.directory.delete(master['pki_path'])
- # remove top-level infrastructure logs
- util.directory.delete(master['pki_log_path'])
+ # do NOT remove top-level infrastructure logs
+ # since it now stores 'pkispawn'/'pkidestroy' logs
+ # util.directory.delete(master['pki_log_path'])
 # remove top-level infrastructure configuration
 if util.directory.is_empty(master['pki_configuration_path'])\
 and master['pki_configuration_path'] !=\
diff --git a/base/deploy/src/scriptlets/initialization.py b/base/deploy/src/scriptlets/initialization.py
index 1ff8522ed..cc516532e 100644
--- a/base/deploy/src/scriptlets/initialization.py
+++ b/base/deploy/src/scriptlets/initialization.py
@@ -46,8 +46,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 # establish 'uid' and 'gid'
 util.identity.set_uid(master['pki_user'])
 util.identity.set_gid(master['pki_group'])
- # verify existence of MANDATORY configuration file data
+ # verify existence of SENSITIVE configuration file data
 util.configuration_file.verify_sensitive_data()
+ # verify existence of MUTUALLY EXCLUSIVE configuration file data
 util.configuration_file.verify_mutually_exclusive_data()
 return self.rv
diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py
index 59526e667..fc8ddac90 100644
--- a/base/deploy/src/scriptlets/pkiconfig.py
+++ b/base/deploy/src/scriptlets/pkiconfig.py
@@ -100,9 +100,9 @@ pki_one_time_pin = None
 # PKI Deployment "Mandatory" Command-Line Variables
 pki_subsystem = None
+pkideployment_cfg = "/usr/share/pki/deployment/config/pkideployment.cfg"
 # PKI Deployment "Optional" Command-Line Variables
-pkideployment_cfg = "/usr/share/pki/deployment/config/pkideployment.cfg"
 pki_dry_run_flag = False
 pki_root_prefix = None
 pki_update_flag = False
@@ -168,8 +168,6 @@ pki_console_log_level = None
 # PKI Deployment Global Dictionaries
 pki_sensitive_dict = None
-pki_mandatory_dict = None
-pki_optional_dict = None
 pki_common_dict = None
 pki_web_server_dict = None
 pki_subsystem_dict = None
diff --git a/base/deploy/src/scriptlets/pkijython.py b/base/deploy/src/scriptlets/pkijython.py
index 7856ba8c1..b55c9ecec 100644
--- a/base/deploy/src/scriptlets/pkijython.py
+++ b/base/deploy/src/scriptlets/pkijython.py
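Review bot: `pkideployment_cfg` is moved under the `"Mandatory" Command-Line Variables` heading yet keeps a hard-coded default, which contradicts the heading; either leave it under "Optional" or say why it counts as mandatory. Because the default points at the package template under /usr/share, whose [Sensitive] section holds `pki_ds_password`, `pki_pkcs12_password` and `pki_security_domain_password`, a comment next to it would make the intent explicit, e.g. `# default is the shipped (world-readable, presumably) template; callers are expected to pass a private copy with restricted permissions`.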
@@ -299,65 +299,52 @@ class rest_client:
 data.setPin(master['pki_one_time_pin'])
 data.setToken(ConfigurationData.TOKEN_DEFAULT)
 if master['pki_instance_type'] == "Tomcat":
+ data.setSubsystemName(master['pki_subsystem_name'])
 if master['pki_subsystem'] == "CA":
 if config.str2bool(master['pki_clone']):
 # Cloned CA
 data.setHierarchy("root")
 data.setIsClone("true")
- data.setSubsystemName("Cloned CA Subsystem")
 elif config.str2bool(master['pki_external']):
 # External CA
 data.setHierarchy("join")
 data.setIsClone("false")
- data.setSubsystemName("External CA Subsystem")
 elif config.str2bool(master['pki_subordinate']):
 # Subordinate CA
 data.setHierarchy("join")
 data.setIsClone("false")
- data.setSubsystemName("Subordinate CA Subsystem")
 else:
 # PKI CA
 data.setHierarchy("root")
 data.setIsClone("false")
- data.setSubsystemName("PKI CA Subsystem")
 elif master['pki_subsystem'] == "KRA":
 if config.str2bool(master['pki_clone']):
 # Cloned KRA
 data.setIsClone("true")
- data.setSubsystemName("Cloned KRA Subsystem")
 else:
 # PKI KRA
 data.setIsClone("false")
- data.setSubsystemName("PKI KRA Subsystem")
 elif master['pki_subsystem'] == "OCSP":
 if config.str2bool(master['pki_clone']):
 # Cloned OCSP
 data.setIsClone("true")
- data.setSubsystemName("Cloned OCSP Subsystem")
 else:
 # PKI OCSP
 data.setIsClone("false")
- data.setSubsystemName("PKI OCSP Subsystem")
 elif master['pki_subsystem'] == "TKS":
 if config.str2bool(master['pki_clone']):
 # Cloned TKS
 data.setIsClone("true")
- data.setSubsystemName("Cloned TKS Subsystem")
 else:
 # PKI TKS
 data.setIsClone("false")
- data.setSubsystemName("PKI TKS Subsystem")
 # Security Domain Information
+ #
+ # NOTE: External CA's DO NOT require a security domain
 if master['pki_instance_type'] == "Tomcat":
 if master['pki_subsystem'] == "CA":
- if config.str2bool(master['pki_external']):
- # External CA
- data.setSecurityDomainType(
- ConfigurationData.NEW_DOMAIN)
- data.setSecurityDomainName(
- master['pki_security_domain_name'])
- elif not config.str2bool(master['pki_clone']) and\
- not config.str2bool(master['pki_subordinate']):
+ if not config.str2bool(master['pki_clone']) and\
+ not config.str2bool(master['pki_subordinate']):
 # PKI CA
 data.setSecurityDomainType(
 ConfigurationData.NEW_DOMAIN)
diff --git a/base/deploy/src/scriptlets/pkimessages.py b/base/deploy/src/scriptlets/pkimessages.py
index 58b09dca3..d1326edb3 100644
--- a/base/deploy/src/scriptlets/pkimessages.py
+++ b/base/deploy/src/scriptlets/pkimessages.py
@@ -20,14 +20,6 @@
 #
 # PKI Deployment Engine Messages
-PKI_DICTIONARY_MANDATORY ="\n"\
-"=====================================================\n"\
-" DISPLAY CONTENTS OF PKI MANDATORY DICTIONARY\n"\
-"====================================================="
-PKI_DICTIONARY_OPTIONAL ="\n"\
-"=====================================================\n"\
-" DISPLAY CONTENTS OF PKI OPTIONAL DICTIONARY\n"\
-"====================================================="
 PKI_DICTIONARY_COMMON ="\n"\
 "=====================================================\n"\
 " DISPLAY CONTENTS OF PKI COMMON DICTIONARY\n"\
@@ -80,6 +72,8 @@ PKI_DIRECTORY_ALREADY_EXISTS_NOT_A_DIRECTORY_1 = "Directory '%s' already "\
 "directory!"
 PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1 = "Directory '%s' is either "\
 "missing or is NOT a directory!"
+PKI_DNS_DOMAIN_NOT_SET = "A valid DNS domain name MUST be established "\
+ "to use PKI services!"
 PKI_FILE_ALREADY_EXISTS_1 = "File '%s' already exists!"
 PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1 = "File '%s' already "\
 "exists BUT it is NOT a "\
diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py
index 6c4574add..e824c8ac9 100644
--- a/base/deploy/src/scriptlets/pkiparser.py
+++ b/base/deploy/src/scriptlets/pkiparser.py
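Review bot: Dropping the `pki_external` branch from the security-domain block changes the external-CA path rather than removing it: an external CA has `pki_clone` and `pki_subordinate` both false, so it now falls into the `# PKI CA` branch and receives `setSecurityDomainType(NEW_DOMAIN)` (and, presumably, the `setSecurityDomainName` call that follows outside the hunk) with a `pki_security_domain_name` that pkiparser no longer defaults for external CAs. If external CAs really need no security domain, as the new NOTE says, guard the branch: `if not config.str2bool(master['pki_external']) and\` / `not config.str2bool(master['pki_clone']) and\` / `not config.str2bool(master['pki_subordinate']):`. The enclosing method continues outside this hunk.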
@@ -261,8 +261,6 @@ def read_pki_configuration_file():
 parser.optionxform = str
 parser.read(config.pkideployment_cfg)
 config.pki_sensitive_dict = dict(parser._sections['Sensitive'])
- config.pki_mandatory_dict = dict(parser._sections['Mandatory'])
- config.pki_optional_dict = dict(parser._s ections['Optional'])
 config.pki_common_dict = dict(parser._sections['Common'])
 if config.pki_subsystem == "CA":
 config.pki_web_server_dict = dict(parser._sections['Tomcat'])
@@ -284,8 +282,6 @@ def read_pki_configuration_file():
 config.pki_subsystem_dict = dict(parser._sections['TPS'])
 # Insert empty record into dictionaries for "pretty print" statements
 # NEVER print "sensitive" key value pairs!!!
- config.pki_mandatory_dict[0] = None
- config.pki_optional_dict[0] = None
 config.pki_common_dict[0] = None
 config.pki_web_server_dict[0] = None
 config.pki_subsystem_dict[0] = None
@@ -316,8 +312,6 @@ def compose_pki_master_dictionary():
 config.pki_master_dict['pki_deployment_cfg'] = config.pkideployment_cfg
 # Configuration file name/value pairs
 # NEVER add "sensitive" key value pairs to the master dictionary!!!
- config.pki_master_dict.update(config.pki_mandatory_dict)
- config.pki_master_dict.update(config.pki_optional_dict)
 config.pki_master_dict.update(config.pki_common_dict)
 config.pki_master_dict.update(config.pki_web_server_dict)
 config.pki_master_dict.update(config.pki_subsystem_dict)
@@ -1435,6 +1429,7 @@ def compose_pki_master_dictionary():
 config.pki_master_dict['pki_subsystem'].lower() + "/" + "pki"
 # Jython scriptlet
 # 'Security Domain' Configuration name/value pairs
+ # 'Subsystem Name' Configuration name/value pairs
 #
 # Apache - [RA], [TPS]
 # Tomcat - [CA], [KRA], [OCSP], [TKS]
@@ -1459,16 +1454,19 @@ def compose_pki_master_dictionary():
 #
 # config.pki_master_dict['pki_security_domain_hostname']
 # config.pki_master_dict['pki_security_domain_name']
+ # config.pki_master_dict['pki_subsystem_name']
 #
 if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
 if config.pki_subsystem == "CA":
 if config.str2bool(config.pki_master_dict['pki_external']):
 # External CA
- config.pki_master_dict['pki_security_domain_type'] = "new"
- if not len(config.pki_master_dict\
- ['pki_security_domain_name']):
- config.pki_master_dict['pki_security_domain_name'] =\
- "External CA Security Domain"
+ #
+ # NOTE: External CA's DO NOT require a security domain
+ if not len(config.pki_master_dict['pki_subsystem_name']):
+ config.pki_master_dict['pki_subsystem_name'] =\
+ "External CA" + " " +\
+ config.pki_master_dict['pki_hostname'] + " " +\
+ config.pki_master_dict['pki_https_port']
 elif not config.str2bool(config.pki_master_dict['pki_clone'])\
 and not\
 config.str2bool(config.pki_master_dict['pki_subordinate']):
@@ -1479,6 +1477,11 @@ def compose_pki_master_dictionary():
 config.pki_master_dict['pki_security_domain_name'] =\
 config.pki_master_dict['pki_dns_domainname'] +\
 " " + "Security Domain"
+ if not len(config.pki_master_dict['pki_subsystem_name']):
+ config.pki_master_dict['pki_subsystem_name'] =\
+ "PKI CA" + " " +\
+ config.pki_master_dict['pki_hostname'] + " " +\
+ config.pki_master_dict['pki_https_port']
 else:
 # PKI Cloned or Subordinate CA
 config.pki_master_dict['pki_security_domain_type'] =\
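Review bot: With the external-CA branch no longer setting `pki_security_domain_type` or defaulting `pki_security_domain_name`, an external CA leaves both keys at their raw .cfg values (empty by default in the new [Common] section), while the consumer side in pkijython still routes a non-clone, non-subordinate CA into its NEW_DOMAIN branch; the two files need to agree on whether an external CA carries a security domain, and a comment here stating the decision (`# external CA: security-domain keys intentionally left unset; pkijython must not register one`) would pin it. Also, every default subsystem name concatenates `config.pki_master_dict['pki_https_port']` with `+`; if that value can arrive as an int through the command-line overrides seen in pkispawn, the concatenation raises TypeError, so `str(config.pki_master_dict['pki_https_port'])` is the safer form. compose_pki_master_dictionary() continues outside this hunk.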
@@ -1492,8 +1495,24 @@ def compose_pki_master_dictionary():
 "https" + "://" +\
 config.pki_master_dict['pki_security_domain_hostname']\
 + ":" + config.pki_security_domain_https_port
+ if config.str2bool(config.pki_master_dict['pki_clone']):
+ # Cloned CA
+ if not\
+ len(config.pki_master_dict['pki_subsystem_name']):
+ config.pki_master_dict['pki_subsystem_name'] =\
+ "Cloned CA" + " " +\
+ config.pki_master_dict['pki_hostname'] + " " +\
+ config.pki_master_dict['pki_https_port']
+ else:
+ # Subordinate CA
+ if not\
+ len(config.pki_master_dict['pki_subsystem_name']):
+ config.pki_master_dict['pki_subsystem_name'] =\
+ "Subordinate CA" + " " +\
+ config.pki_master_dict['pki_hostname'] + " " +\
+ config.pki_master_dict['pki_https_port']
 else:
- # PKI KRA, OCSP, or TKS
+ # PKI or Cloned KRA, OCSP, or TKS
 config.pki_master_dict['pki_security_domain_type'] = "existing"
 if not len(config.pki_master_dict\
 ['pki_security_domain_hostname']):
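Review bot: The context line `+ ":" + config.pki_security_domain_https_port` reads a module attribute of `config`, whereas the KRA/OCSP/TKS branch in the next hunk builds the same URI from `config.pki_master_dict['pki_security_domain_https_port']`; unless pkiconfig defines a module-level `pki_security_domain_https_port` (none is visible in its hunks), the cloned/subordinate CA path raises AttributeError when it builds the security-domain URI, and even if it does exist, the [Common] value `pki_security_domain_https_port=8443` is ignored here. Since this commit rewrites the surrounding branch, bring it in line: `+ ":" + config.pki_master_dict['pki_security_domain_https_port']`. compose_pki_master_dictionary() continues outside this hunk.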
@@ -1505,6 +1524,57 @@ def compose_pki_master_dictionary():
 config.pki_master_dict['pki_security_domain_hostname'] +\
 ":" +\
 config.pki_master_dict['pki_security_domain_https_port']
+ if config.pki_subsystem == "KRA":
+ if config.str2bool(config.pki_master_dict['pki_clone']):
+ # Cloned KRA
+ if not\
+ len(config.pki_master_dict['pki_subsystem_name']):
+ config.pki_master_dict['pki_subsystem_name'] =\
+ "Cloned KRA" + " " +\
+ config.pki_master_dict['pki_hostname'] + " " +\
+ config.pki_master_dict['pki_https_port']
+ else:
+ # PKI KRA
+ if not\
+ len(config.pki_master_dict['pki_subsystem_name']):
+ config.pki_master_dict['pki_subsystem_name'] =\
+ "PKI KRA" + " " +\
+ config.pki_master_dict['pki_hostname'] + " " +\
+ config.pki_master_dict['pki_https_port']
+ elif config.pki_subsystem == "OCSP":
+ if config.str2bool(config.pki_master_dict['pki_clone']):
+ # Cloned OCSP
+ if not\
+ len(config.pki_master_dict['pki_subsystem_name']):
+ config.pki_master_dict['pki_subsystem_name'] =\
+ "Cloned OCSP" + " " +\
+ config.pki_master_dict['pki_hostname'] + " " +\
+ config.pki_master_dict['pki_https_port']
+ else:
+ # PKI OCSP
+ if not\
+ len(config.pki_master_dict['pki_subsystem_name']):
+ config.pki_master_dict['pki_subsystem_name'] =\
+ "PKI OCSP" + " " +\
+ config.pki_master_dict['pki_hostname'] + " " +\
+ config.pki_master_dict['pki_https_port']
+ elif config.pki_subsystem == "TKS":
+ if config.str2bool(config.pki_master_dict['pki_clone']):
+ # Cloned TKS
+ if not\
+ len(config.pki_master_dict['pki_subsystem_name']):
+ config.pki_master_dict['pki_subsystem_name'] =\
+ "Cloned TKS" + " " +\
+ config.pki_master_dict['pki_hostname'] + " " +\
+ config.pki_master_dict['pki_https_port']
+ else:
+ # PKI TKS
+ if not\
+ len(config.pki_master_dict['pki_subsystem_name']):
+ config.pki_master_dict['pki_subsystem_name'] =\
+ "PKI TKS" + " " +\
+ config.pki_master_dict['pki_hostname'] + " " +\
+ config.pki_master_dict['pki_https_port']
 # Jython scriptlet
 # 'Directory Server' Configuration name/value pairs
-- cgit
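Review bot: The 51 added lines are one five-line default repeated six times (the preceding hunks add four more CA variants), differing only in the prefix string; a small helper makes the rule visible in one place and removes the copy/paste surface where the "Cloned"/"PKI" labels or the hostname/port order could silently drift between subsystems. The prefix can be computed once from `pki_subsystem` and `pki_clone`, and `str()` around the port protects against a non-string command-line override. compose_pki_master_dictionary() continues outside this hunk.
```python
def _default_subsystem_name(prefix):
    # "<prefix> <hostname> <https port>" -- used only when the .cfg left
    # pki_subsystem_name empty; str() guards a non-string port override.
    return prefix + " " +\
           config.pki_master_dict['pki_hostname'] + " " +\
           str(config.pki_master_dict['pki_https_port'])

# ... unchanged: 'existing' security-domain URI for KRA/OCSP/TKS ...
if config.pki_subsystem in ("KRA", "OCSP", "TKS"):
    if not config.pki_master_dict['pki_subsystem_name']:
        if config.str2bool(config.pki_master_dict['pki_clone']):
            prefix = "Cloned" + " " + config.pki_subsystem
        else:
            prefix = "PKI" + " " + config.pki_subsystem
        config.pki_master_dict['pki_subsystem_name'] =\
            _default_subsystem_name(prefix)
```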