From b644429de7d9649e98737113182d9fcd6912e92a Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Tue, 9 Sep 2014 15:06:31 -0400
Subject: Fix sub-CA installation with own security domain
Installation code failed to anticipate installation of a subordinate CA that would host its own security domain. This patch includes changes to python installation code, java configuration servlet and changes to man pages.
Ticket 1132
---
.../python/pki/server/deployment/pkihelper.py | 21 +++++++++++++++------
.../python/pki/server/deployment/pkiparser.py | 11 +++++------
2 files changed, 20 insertions(+), 12 deletions(-)
(limited to 'base/server/python/pki/server')
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index b4c728a87..96048bdec 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -52,7 +52,6 @@ from .pkiconfig import pki_selinux_config_ports as ports
 from . import pkimanifest as manifest
 from . import pkimessages as log
 from .pkiparser import PKIConfigParser
-import pki.account
 import pki.client
 import pki.system
@@ -503,6 +502,9 @@ class ConfigurationFile:
 extra=config.PKI_INDENTATION_LEVEL_2)
 raise Exception(log.PKI_SUBORDINATE_UNSUPPORTED_1, self.subsystem)
+ if config.str2bool( self.mdict['pki_subordinate_create_new_security_domain']):
+ self.confirm_data_exists('pki_subordinate_security_domain_name')
 def confirm_external_step_two(self):
 # ALWAYS defined via 'pkiparser.py'
@@ -3414,6 +3416,7 @@ class ConfigClient:
 # generic extension support in CSR - for external CA
 self.add_req_ext = config.str2bool( self.mdict['pki_req_ext_add'])
+ self.security_domain_type = self.mdict['pki_security_domain_type']
 def configure_pki_data(self, data):
 config.pki_log.info(
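Review bot: The new check reads `self.mdict['pki_subordinate_create_new_security_domain']` by direct indexing, as `set_subca_security_domain` does later in this patch, so a deployment config written before this option existed would stop with a KeyError rather than a validation message; unless pkiparser's defaults guarantee the key (not visible in this view), `config.str2bool(self.mdict.get('pki_subordinate_create_new_security_domain', 'False'))` would keep the failure readable. The enclosing method starts outside the hunk, so where the check sits relative to the preceding `raise` cannot be confirmed here. A one-line comment on the check would also help, e.g. `# A sub-CA hosting its own sub-domain needs a name for it; the parent domain is still described by pki_security_domain_*`.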
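Review bot: `self.security_domain_type` is stored without saying where the value comes from, yet it becomes the sole selector for the security-domain branch in `configure_pki_data`; a short comment would tie the two files together: `# "new" or "existing", derived in pkiparser.py from pki_standalone / pki_clone / pki_subordinate / pki_external`. The enclosing method starts outside the hunk.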
@@ -3626,16 +3629,15 @@ class ConfigClient:
 self.set_hierarchy_parameters(data)
 # Security Domain
- if ((self.subsystem != "CA" or self.clone or self.subordinate) and
- not self.standalone):
- # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS,
- # CA Clone, KRA Clone, OCSP Clone, TKS Clone, TPS Clone, or
- # Subordinate CA
+ if self.security_domain_type != "new":
 self.set_existing_security_domain(data)
 else:
 # PKI CA, External CA, or Stand-alone PKI
 self.set_new_security_domain(data)
+ if self.subordinate:
+ self.set_subca_security_domain(data)
+
 # database
 if self.subsystem != "RA":
 self.set_database_parameters(data)
@@ -3943,6 +3945,13 @@ class ConfigClient:
 data.securityDomainType = "newdomain"
 data.securityDomainName = self.mdict['pki_security_domain_name']
+ def set_subca_security_domain(self, data):
+ if config.str2bool( self.mdict['pki_subordinate_create_new_security_domain']):
+ data.securityDomainType = "newsubdomain"
+ data.subordinateSecurityDomainName = ( self.mdict['pki_subordinate_security_domain_name'])
+
 def set_database_parameters(self, data):
 data.dsHost = self.mdict['pki_ds_hostname']
 data.dsPort = self.mdict['pki_ds_ldap_port']
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index de224eb9a..ea6bbffab 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
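Review bot: The new `if self.subordinate:` call is order-dependent — `set_subca_security_domain` overwrites `data.securityDomainType`, and pkiparser still sets `pki_security_domain_type` to "existing" for a subordinate CA, so it only works because it runs after `set_existing_security_domain` — but nothing in the hunk says so; a comment such as `# Sub-CA hosting its own domain: must follow set_existing_security_domain, it overrides data.securityDomainType with "newsubdomain"` would stop a later reorder. The deleted comment listing which subsystems take the "existing" path has no replacement; keeping it above the new `if` would preserve that map. The dropped `not self.standalone` guard is now covered only by pkiparser assigning "new" for stand-alone (visible in the pkiparser hunk), which is worth confirming for every path that constructs ConfigClient.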
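Review bot: `set_subca_security_domain` has no docstring, and its contract is subtle: it is a no-op unless `pki_subordinate_create_new_security_domain` is true, and when it is, it changes `data.securityDomainType` to "newsubdomain" while leaving whatever `set_existing_security_domain` already placed on `data`. A docstring along the lines of `"""Request a new sub-domain for a subordinate CA. Only applies when pki_subordinate_create_new_security_domain is set; overrides data.securityDomainType, so call after set_existing_security_domain."""` would make that explicit. The same `str2bool` lookup is repeated in the ConfigurationFile validation hunk; evaluating it once next to `security_domain_type` in `__init__` would keep the two from drifting.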
@@ -1078,24 +1078,23 @@ class PKIConfigParser:
 # Stand-alone PKI
 self.mdict['pki_security_domain_type'] = "new"
 self.mdict['pki_issuing_ca'] = "External CA"
- elif config.pki_subsystem != "CA" or\
- config.str2bool(self.mdict['pki_clone']) or\
- config.str2bool(self.mdict['pki_subordinate']):
+ elif (config.pki_subsystem != "CA" or
+ config.str2bool(self.mdict['pki_clone']) or
+ config.str2bool(self.mdict['pki_subordinate'])):
 # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS,
- # CA Clone, KRA Clone, OCSP Clone, TKS Clone, TPS Clone, or
+ # CA Clone, KRA Clone, OCSP Clone, TKS Clone, TPS Clone
 # Subordinate CA
 self.mdict['pki_security_domain_type'] = "existing"
 self.mdict['pki_security_domain_uri'] = \
 "https" + "://" + \
 self.mdict['pki_security_domain_hostname'] + ":" + \
 self.mdict['pki_security_domain_https_port']
- elif config.str2bool(self.mdict['pki_external']):
 # External CA
 self.mdict['pki_security_domain_type'] = "new"
 self.mdict['pki_issuing_ca'] = "External CA"
 else:
 # PKI CA (master)
 self.mdict['pki_security_domain_type'] = "new"
 # 'External CA' Configuration name/value pairs
-- cgit
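Review bot: The line shown as `- elif config.str2bool(self.mdict['pki_external']):` is ambiguous in this collapsed rendering: if the `elif` itself is removed rather than a blank line before it, the `# External CA` assignments that follow would fall into the preceding branch and overwrite `pki_security_domain_type = "existing"` with "new" for every KRA/OCSP/TKS/TPS, clone and sub-CA install, which would send all of them through `set_new_security_domain` in pkihelper; the old/new line counts admit both readings, so this is worth confirming against the file. Separately, a subordinate CA that will host its own domain still takes the "existing" branch here and gets `pki_security_domain_uri` pointing at the parent, which matches what pkihelper expects (it overrides the type afterwards) but is not stated; extending the comment to `# Subordinate CA (also when it hosts its own sub-domain: pkihelper later overrides the type to "newsubdomain")` would record the intent.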