From 0198bf929702b756214b5f509ffe677ca58bf650 Mon Sep 17 00:00:00 2001 From: Matthew Harmsen Date: Wed, 8 Aug 2012 13:41:46 -0700 Subject: PKI Deployment Scriptlets * TRAC Ticket #184 - Dogtag 10: Update PKI Deployment to handle cloning CA/KRA/OCSP/TKS . . . * TRAC Ticket #285 - Dogtag 10: Fix installation issues for KRA, OCSP, and TKS --- base/deploy/config/pkideployment.cfg | 1 + base/deploy/src/scriptlets/pkijython.py | 63 ++++++------ base/deploy/src/scriptlets/pkiparser.py | 176 +++++++------------------------- 3 files changed, 71 insertions(+), 169 deletions(-) (limited to 'base')
diff --git a/base/deploy/config/pkideployment.cfg b/base/deploy/config/pkideployment.cfg
index ae02bb450..80816e495 100644
--- a/base/deploy/config/pkideployment.cfg
+++ b/base/deploy/config/pkideployment.cfg
@@ -57,6 +57,7 @@ pki_ds_ldaps_port=636
 pki_ds_remove_data=True
 pki_ds_secure_connection=False
 pki_group=pkiuser
+pki_issuing_ca=
 pki_restart_configured_instance=True
 pki_security_domain_hostname=
 pki_security_domain_https_port=8443
diff --git a/base/deploy/src/scriptlets/pkijython.py b/base/deploy/src/scriptlets/pkijython.py
index e08b4901e..5adc7e022 100644
--- a/base/deploy/src/scriptlets/pkijython.py
+++ b/base/deploy/src/scriptlets/pkijython.py
@@ -180,7 +180,7 @@ def generateCRMFRequest(token, keysize, subjectdn, dualkey):
 # 1st : Encryption key
 s1.addElement(crmfMsg)
 # 2nd : Signing Key
- if dualkey:
+ if config.str2bool(dualkey):
 javasystem.out.println(log.PKI_JYTHON_IS_DUALKEY)
 seq1 = SEQUENCE()
 certReqSigning = CertRequest(INTEGER(1), certTemplate, seq1)
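Review bot: `dualkey` is now read through `config.str2bool`, so the parameter is implicitly a configuration string rather than a boolean, and a caller that passes a real `True`/`False` would depend on how `str2bool` treats non-string input, which this hunk does not show. A one-line comment on the parameter, `# dualkey: deployment-config string ("True"/"False"), not a bool`, would pin the contract where the signature is read. generateCRMFRequest continues outside the hunk.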
@@ -338,36 +338,28 @@ class rest_client:
 data.setIsClone("false")
 # Security Domain Information
 #
- # NOTE: External CA's DO NOT require a security domain
- if master['pki_instance_type'] == "Tomcat":
- if master['pki_subsystem'] == "CA":
- if not config.str2bool(master['pki_clone']) and\
- not config.str2bool(master['pki_subordinate']):
- # PKI CA
- data.setSecurityDomainType(
- ConfigurationData.NEW_DOMAIN)
- data.setSecurityDomainName(
- master['pki_security_domain_name'])
- else:
- # PKI Cloned or Subordinate CA
- data.setSecurityDomainType(
- ConfigurationData.EXISTING_DOMAIN)
- data.setSecurityDomainUri(
- master['pki_security_domain_uri'])
- data.setSecurityDomainUser(
- master['pki_security_domain_user'])
- data.setSecurityDomainPassword(
- sensitive['pki_security_domain_password'])
- else:
- # PKI KRA, OCSP, or TKS
- data.setSecurityDomainType(
- ConfigurationData.EXISTING_DOMAIN)
- data.setSecurityDomainUri(
- master['pki_security_domain_uri'])
- data.setSecurityDomainUser(
- master['pki_security_domain_user'])
- data.setSecurityDomainPassword(
- sensitive['pki_security_domain_password'])
+ # NOTE: External CA's DO NOT require a security domain
+ #
+ if master['pki_subsystem'] != "CA" or\
+ config.str2bool(master['pki_clone']) or\
+ config.str2bool(master['pki_subordinate']):
+ # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS,
+ # CA Clone, KRA Clone, OCSP Clone, TKS Clone, or
+ # Subordinate CA
+ data.setSecurityDomainType(
+ ConfigurationData.EXISTING_DOMAIN)
+ data.setSecurityDomainUri(
+ master['pki_security_domain_uri'])
+ data.setSecurityDomainUser(
+ master['pki_security_domain_user'])
+ data.setSecurityDomainPassword(
+ sensitive['pki_security_domain_password'])
+ elif not config.str2bool(master['pki_external']):
+ # PKI CA
+ data.setSecurityDomainType(
+ ConfigurationData.NEW_DOMAIN)
+ data.setSecurityDomainName(
+ master['pki_security_domain_name'])
 # Directory Server Information
 if master['pki_subsystem'] != "RA":
 data.setDsHost(master['pki_ds_hostname'])
@@ -420,6 +412,15 @@ class rest_client:
 else:
 javasystem.out.println(log.PKI_JYTHON_CRMF_SUPPORT_ONLY)
 javasystem.exit(1)
+ # Issuing CA Information
+ if master['pki_subsystem'] != "CA" or\
+ config.str2bool(master['pki_clone']) or\
+ config.str2bool(master['pki_subordinate']) or\
+ config.str2bool(master['pki_external']):
+ # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS,
+ # CA Clone, KRA Clone, OCSP Clone, TKS Clone,
+ # Subordinate CA, or External CA
+ data.setIssuingCA(master['pki_issuing_ca'])
 # Create system certs
 systemCerts = ArrayList()
 # Create 'CA Signing Certificate'
diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py
index bf22a4d18..dd1f93bd3 100644
--- a/base/deploy/src/scriptlets/pkiparser.py
+++ b/base/deploy/src/scriptlets/pkiparser.py
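Review bot: The predicate `master['pki_subsystem'] != "CA" or clone or subordinate` is now spelled out here, again in the issuing-CA hunk below (with `pki_external` added), and a third time in pkiparser's compose_pki_master_dictionary; a small helper that answers "does this deployment join an existing security domain?" and is called from all three places would keep the copies from drifting as more subsystem variants are added. The new chain also ends silently for an external CA: `elif not config.str2bool(master['pki_external'])` has no `else`, so the request carries no security-domain type at all, and an explicit `else:  # External CA: no security domain is sent (see NOTE above)` followed by `pass` would show that this is deliberate rather than a missed case. The removed `pki_instance_type == "Tomcat"` gate means RA/TPS, which the new comment lists, now reach this path too; that may be intended but is not stated anywhere in the hunk. The enclosing method starts outside the hunk.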
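Review bot: For the `pki_external` case the value handed to `data.setIssuingCA` is whatever pkiparser defaulted `pki_issuing_ca` to, which in this same commit is the literal string "External CA" rather than a URI when the operator leaves the key empty. If the server side treats the issuing CA as a URL to contact for system-certificate enrollment, that sentinel would fail at a later and less obvious point than a check here; if it is a deliberate marker, defining it once (a shared constant checked on both sides) would make the contract explicit. Either way `setIssuingCA` is called with no check that the string is non-empty, so a missing `pki_issuing_ca` for a KRA/OCSP/TKS is only discovered server-side. The enclosing method continues outside the hunk.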
@@ -1455,157 +1455,57 @@ def compose_pki_master_dictionary():
 # The following variables are established via the specified PKI
 # deployment configuration file and potentially overridden below:
 #
+ # config.pki_master_dict['pki_issuing_ca']
 # config.pki_master_dict['pki_security_domain_hostname']
 # config.pki_master_dict['pki_security_domain_name']
 # config.pki_master_dict['pki_subsystem_name']
 #
- if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS:
- # PKI RA or TPS
+ if not len(config.pki_master_dict['pki_subsystem_name']):
+ config.pki_master_dict['pki_subsystem_name'] =\
+ config.pki_subsystem + " " +\
+ config.pki_master_dict['pki_hostname'] + " " +\
+ config.pki_master_dict['pki_https_port']
+ if config.pki_subsystem != "CA" or\
+ config.str2bool(config.pki_master_dict['pki_clone']) or\
+ config.str2bool(config.pki_master_dict['pki_subordinate']):
+ # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS,
+ # CA Clone, KRA Clone, OCSP Clone, TKS Clone, or
+ # Subordinate CA
 config.pki_master_dict['pki_security_domain_type'] = "existing"
- if not len(config.pki_master_dict['pki_security_domain_hostname']):
- # Guess that it is the local host
+ if not len(config.pki_master_dict['pki_security_domain_name']):
+ # Guess that the security domain resides on the local host
+ config.pki_master_dict['pki_security_domain_name'] =\
+ config.pki_master_dict['pki_dns_domainname'] + " " +\
+ "Security Domain"
+ if not\
+ len(config.pki_master_dict['pki_security_domain_hostname']):
+ # Guess that the security domain resides on the local host
 config.pki_master_dict['pki_security_domain_hostname'] =\
 config.pki_master_dict['pki_hostname']
 config.pki_master_dict['pki_security_domain_uri'] =\
 "https" + "://" +\
 config.pki_master_dict['pki_security_domain_hostname'] + ":" +\
 config.pki_master_dict['pki_security_domain_https_port']
+ if not len(config.pki_master_dict['pki_issuing_ca']):
+ # Guess that it is the same as the
+ # config.pki_master_dict['pki_security_domain_uri']
+ config.pki_master_dict['pki_issuing_ca'] =\
+ config.pki_master_dict['pki_security_domain_uri']
+ elif config.str2bool(config.pki_master_dict['pki_external']):
+ # External CA
+ #
+ # NOTE: External CA's DO NOT require a security domain
+ #
+ if not len(config.pki_master_dict['pki_issuing_ca']):
+ config.pki_master_dict['pki_issuing_ca'] = "External CA"
+ else:
+ # PKI CA
+ config.pki_master_dict['pki_security_domain_type'] = "new"
 if not len(config.pki_master_dict['pki_security_domain_name']):
- # Guess that security domain is on the local host
+ # Guess that the security domain resides on the local host
 config.pki_master_dict['pki_security_domain_name'] =\
- config.pki_master_dict['pki_dns_domainname'] +\
- " " + "Security Domain"
- elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- if config.pki_subsystem == "CA":
- if config.str2bool(config.pki_master_dict['pki_external']):
- # External CA
- #
- # NOTE: External CA's DO NOT require a security domain
- if not len(config.pki_master_dict['pki_subsystem_name']):
- config.pki_master_dict['pki_subsystem_name'] =\
- "External CA" + " " +\
- config.pki_master_dict['pki_hostname'] + " " +\
- config.pki_master_dict['pki_https_port']
- elif not config.str2bool(config.pki_master_dict['pki_clone'])\
- and not\
- config.str2bool(config.pki_master_dict['pki_subordinate']):
- # PKI CA
- config.pki_master_dict['pki_security_domain_type'] = "new"
- if not len(config.pki_master_dict\
- ['pki_security_domain_name']):
- config.pki_master_dict['pki_security_domain_name'] =\
- config.pki_master_dict['pki_dns_domainname'] +\
- " " + "Security Domain"
- if not len(config.pki_master_dict['pki_subsystem_name']):
- config.pki_master_dict['pki_subsystem_name'] =\
- "PKI CA" + " " +\
- config.pki_master_dict['pki_hostname'] + " " +\
- config.pki_master_dict['pki_https_port']
- else:
- # PKI Cloned or Subordinate CA
- config.pki_master_dict['pki_security_domain_type'] =\
- "existing"
- if not len(config.pki_master_dict\
- ['pki_security_domain_hostname']):
- # Guess that it is the local host
- config.pki_master_dict['pki_security_domain_hostname']\
- = config.pki_master_dict['pki_hostname']
- config.pki_master_dict['pki_security_domain_uri'] =\
- "https" + "://" +\
- config.pki_master_dict['pki_security_domain_hostname']\
- + ":" +\
- config.pki_master_dict['pki_security_domain_https_port']
- if not len(config.pki_master_dict\
- ['pki_security_domain_name']):
- # Guess that security domain is on the local host
- config.pki_master_dict['pki_security_domain_name']\
- = config.pki_master_dict['pki_dns_domainname']\
- + " " + "Security Domain"
- if config.str2bool(config.pki_master_dict['pki_clone']):
- # Cloned CA
- if not\
- len(config.pki_master_dict['pki_subsystem_name']):
- config.pki_master_dict['pki_subsystem_name'] =\
- "Cloned CA" + " " +\
- config.pki_master_dict['pki_hostname'] + " " +\
- config.pki_master_dict['pki_https_port']
- else:
- # Subordinate CA
- if not\
- len(config.pki_master_dict['pki_subsystem_name']):
- config.pki_master_dict['pki_subsystem_name'] =\
- "Subordinate CA" + " " +\
- config.pki_master_dict['pki_hostname'] + " " +\
- config.pki_master_dict['pki_https_port']
- else:
- # PKI or Cloned KRA, OCSP, or TKS
- config.pki_master_dict['pki_security_domain_type'] = "existing"
- if not len(config.pki_master_dict\
- ['pki_security_domain_hostname']):
- # Guess that it is the local host
- config.pki_master_dict['pki_security_domain_hostname'] =\
- config.pki_master_dict['pki_hostname']
- config.pki_master_dict['pki_security_domain_uri'] =\
- "https" + "://" +\
- config.pki_master_dict['pki_security_domain_hostname'] +\
- ":" +\
- config.pki_master_dict['pki_security_domain_https_port']
- if not len(config.pki_master_dict['pki_security_domain_name']):
- # Guess that security domain is on the local host
- config.pki_master_dict['pki_security_domain_name'] =\
- config.pki_master_dict['pki_dns_domainname'] +\
- " " + "Security Domain"
- if config.pki_subsystem == "KRA":
- if config.str2bool(config.pki_master_dict['pki_clone']):
- # Cloned KRA
- if not\
- len(config.pki_master_dict['pki_subsystem_name']):
- config.pki_master_dict['pki_subsystem_name'] =\
- "Cloned KRA" + " " +\
- config.pki_master_dict['pki_hostname'] + " " +\
- config.pki_master_dict['pki_https_port']
- else:
- # PKI KRA
- if not\
- len(config.pki_master_dict['pki_subsystem_name']):
- config.pki_master_dict['pki_subsystem_name'] =\
- "PKI KRA" + " " +\
- config.pki_master_dict['pki_hostname'] + " " +\
- config.pki_master_dict['pki_https_port']
- elif config.pki_subsystem == "OCSP":
- if config.str2bool(config.pki_master_dict['pki_clone']):
- # Cloned OCSP
- if not\
- len(config.pki_master_dict['pki_subsystem_name']):
- config.pki_master_dict['pki_subsystem_name'] =\
- "Cloned OCSP" + " " +\
- config.pki_master_dict['pki_hostname'] + " " +\
- config.pki_master_dict['pki_https_port']
- else:
- # PKI OCSP
- if not\
- len(config.pki_master_dict['pki_subsystem_name']):
- config.pki_master_dict['pki_subsystem_name'] =\
- "PKI OCSP" + " " +\
- config.pki_master_dict['pki_hostname'] + " " +\
- config.pki_master_dict['pki_https_port']
- elif config.pki_subsystem == "TKS":
- if config.str2bool(config.pki_master_dict['pki_clone']):
- # Cloned TKS
- if not\
- len(config.pki_master_dict['pki_subsystem_name']):
- config.pki_master_dict['pki_subsystem_name'] =\
- "Cloned TKS" + " " +\
- config.pki_master_dict['pki_hostname'] + " " +\
- config.pki_master_dict['pki_https_port']
- else:
- # PKI TKS
- if not\
- len(config.pki_master_dict['pki_subsystem_name']):
- config.pki_master_dict['pki_subsystem_name'] =\
- "PKI TKS" + " " +\
- config.pki_master_dict['pki_hostname'] + " " +\
- config.pki_master_dict['pki_https_port']
+ config.pki_master_dict['pki_dns_domainname'] + " " +\
+ "Security Domain"
 # Jython scriptlet
 # 'Directory Server' Configuration name/value pairs
 #
-- cgit