From d54544b7732baebf6a93ee50708e445921478034 Mon Sep 17 00:00:00 2001
From: Matthew Harmsen
Date: Thu, 18 Jun 2015 13:01:34 -0600
Subject: Check security module registration
- PKI TRAC Ticket #1426 - pkispawn of KRA on HSM fails (shared instances)
- PKI TRAC Ticket #1427 - pkispawn of OCSP on HSM fails (shared instances)
- PKI TRAC Ticket #1429 - pkispawn of TKS on HSM fails (shared instances)
---
 .../python/pki/server/deployment/pkihelper.py | 54 ++++++++++++++++++++++
 .../python/pki/server/deployment/pkimessages.py | 5 ++
 2 files changed, 59 insertions(+)
(limited to 'base/server/python/pki')
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index a94444793..42ca0d9cf 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -2688,9 +2688,63 @@ class Modutil:
     def __init__(self, deployer):
         self.mdict = deployer.mdict
 
+    def is_security_module_registered(self, path, modulename,
+                                      prefix=None, critical_failure=True):
+        status = False
+        try:
+            # Compose this "modutil" command
+            command = ["modutil"]
+            # Provide a path to the NSS security databases
+            if path:
+                command.extend(["-dbdir", path])
+            else:
+                config.pki_log.error(
+                    log.PKIHELPER_MODUTIL_MISSING_PATH,
+                    extra=config.PKI_INDENTATION_LEVEL_2)
+                raise Exception(log.PKIHELPER_MODUTIL_MISSING_PATH)
+            # Add optional security database prefix
+            if prefix is not None:
+                command.extend(["--dbprefix", prefix])
+            # Append '-nocertdb' switch
+            command.extend(["-nocertdb"])
+            # Specify a 'modulename'
+            if modulename:
+                command.extend(["-list", modulename])
+            else:
+                config.pki_log.error(
+                    log.PKIHELPER_MODUTIL_MISSING_MODULENAME,
+                    extra=config.PKI_INDENTATION_LEVEL_2)
+                raise Exception(log.PKIHELPER_MODUTIL_MISSING_MODULENAME)
+            # Display this "modutil" command
+            config.pki_log.info(
+                log.PKIHELPER_REGISTERED_SECURITY_MODULE_CHECK_1,
+                ' '.join(command),
+                extra=config.PKI_INDENTATION_LEVEL_2)
+            # Execute this "modutil" command
+            subprocess.check_call(command)
+            # 'modulename' is already registered
+            status = True
+            config.pki_log.info(
+                log.PKIHELPER_REGISTERED_SECURITY_MODULE_1, modulename,
+                extra=config.PKI_INDENTATION_LEVEL_2)
+        except subprocess.CalledProcessError as exc:
+            # 'modulename' is not registered
+            config.pki_log.info(
+                log.PKIHELPER_UNREGISTERED_SECURITY_MODULE_1, modulename,
+                extra=config.PKI_INDENTATION_LEVEL_2)
+        except OSError as exc:
+            config.pki_log.error(log.PKI_OSERROR_1, exc,
+                                 extra=config.PKI_INDENTATION_LEVEL_2)
+            if critical_failure:
+                raise
+        return status
+
     def register_security_module(self, path, modulename, libfile,
                                  prefix=None, critical_failure=True):
         try:
+            # First check if security module is already registered
+            if self.is_security_module_registered(path, modulename):
+                return
             # Compose this "modutil" command
             command = ["modutil"]
             # Provide a path to the NSS security databases
diff --git a/base/server/python/pki/server/deployment/pkimessages.py b/base/server/python/pki/server/deployment/pkimessages.py
index dd6ba4160..652840792 100644
--- a/base/server/python/pki/server/deployment/pkimessages.py
+++ b/base/server/python/pki/server/deployment/pkimessages.py
@@ -260,6 +260,11 @@ PKIHELPER_PK12UTIL_MISSING_OUTFILE = \
 PKIHELPER_PK12UTIL_MISSING_PWFILE = \
     "pk12util missing -w pw-file option!"
 PKIHELPER_REGISTER_SECURITY_MODULE_1 = "executing '%s'"
+PKIHELPER_REGISTERED_SECURITY_MODULE_CHECK_1 = "executing '%s'"
+PKIHELPER_REGISTERED_SECURITY_MODULE_1 = \
+    "security module '%s' is already registered."
+PKIHELPER_UNREGISTERED_SECURITY_MODULE_1 = \
+    "security module '%s' is not registered."
 PKIHELPER_PKI_INSTANCE_SUBSYSTEMS_2 = \
     "instance '%s' contains '%d' PKI subsystems"
-- cgit