From 5e93dc2ce2c26c43d3e2f7e9a40cbf08507a5ea6 Mon Sep 17 00:00:00 2001 From: Endi Sukma Dewata Date: Wed, 28 Nov 2012 09:27:16 -0500 Subject: Reorganized sensitive parameters. Previously sensitive parameters are stored in the Sensitive section in the configuration file, separate from the hierarchical structure used by non-sensitive parameters. To allow defining multiple subsystems in a single configuration file the sensitive and non-sensitive parameters have been reorganized into the same hierarchical structure. To maintain the security a new meta-parameter has been added to list all sensitive parameter names. This way the deployment code will know whether a parameter is sensitive, which then will mask the value before displaying it to the screen or storing it in a log file. Ticket #399 --- base/deploy/config/pkideployment.cfg | 76 +++++++++++++++--------- base/deploy/src/pkidestroy | 22 +++---- base/deploy/src/pkispawn | 24 ++++---- base/deploy/src/scriptlets/configuration.jy | 17 +++--- base/deploy/src/scriptlets/configuration.py | 3 +- base/deploy/src/scriptlets/pkiconfig.py | 2 +- base/deploy/src/scriptlets/pkihelper.py | 45 +++++++------- base/deploy/src/scriptlets/pkijython.py | 16 +++-- base/deploy/src/scriptlets/pkilogging.py | 18 ++++++ base/deploy/src/scriptlets/pkimessages.py | 2 +- base/deploy/src/scriptlets/pkiparser.py | 43 ++++++++------ base/deploy/src/scriptlets/security_databases.py | 5 +- 12 files changed, 150 insertions(+), 123 deletions(-) (limited to 'base') diff --git a/base/deploy/config/pkideployment.cfg b/base/deploy/config/pkideployment.cfg index 6630907a7..133d4e993 100644 --- a/base/deploy/config/pkideployment.cfg +++ b/base/deploy/config/pkideployment.cfg 
@@ -1,23 +1,29 @@ ############################################################################### -## 'Sensitive' Data: ## -## ## -## Values in this section pertain to various PKI subsystems, and contain ## -## required 'sensitive' information which MUST ALWAYS be provided by users. ## -## ## -## IMPORTANT: Sensitive data values must NEVER be displayed to the ## -## console NOR stored in log files!!! ## -############################################################################### -[Sensitive] -pki_admin_password= -pki_backup_password= -pki_client_database_password= -pki_client_pkcs12_password= -pki_clone_pkcs12_password= -pki_ds_password= -pki_security_domain_password= -pki_token_password= -############################################################################### -## 'Common' Data: ## +## Default Configuration: ## +## ## +## This section contains meta-parameters that determine how the PKI ## +## configuration should work. ## +############################################################################### +[DEFAULT] + +# The sensitive_parameters contains a list of parameters which may contain +# sensitive information which must not be displayed to the console nor stored +# in log files for security reasons. +sensitive_parameters= + pki_admin_password + pki_backup_password + pki_client_database_password + pki_client_pin + pki_client_pkcs12_password + pki_clone_pkcs12_password + pki_ds_password + pki_one_time_pin + pki_pin + pki_security_domain_password + pki_token_password + +############################################################################### +## Common Configuration: ## ## ## ## Values in this section are common to more than one PKI subsystem, and ## ## contain required information which MAY be overridden by users as ## @@ -34,6 +40,7 @@ pki_admin_email= pki_admin_keysize=2048 pki_admin_name= pki_admin_nickname= +pki_admin_password= pki_admin_subject_dn= pki_admin_uid= pki_audit_group=pkiaudit 
@@ -45,15 +52,19 @@ pki_audit_signing_signing_algorithm=SHA256withRSA pki_audit_signing_subject_dn= pki_audit_signing_token= pki_backup_keys=False +pki_backup_password= pki_client_database_dir= +pki_client_database_password= pki_client_database_purge=True pki_client_dir= +pki_client_pkcs12_password= pki_ds_base_dn= pki_ds_bind_dn=cn=Directory Manager pki_ds_database= pki_ds_hostname= pki_ds_ldap_port=389 pki_ds_ldaps_port=636 +pki_ds_password= pki_ds_remove_data=True pki_ds_secure_connection=False pki_group=pkiuser @@ -62,6 +73,7 @@ pki_restart_configured_instance=True pki_security_domain_hostname= pki_security_domain_https_port=8443 pki_security_domain_name= +pki_security_domain_password= pki_security_domain_user= pki_skip_configuration=False pki_skip_installation=False @@ -78,9 +90,11 @@ pki_subsystem_nickname= pki_subsystem_subject_dn= pki_subsystem_token= pki_token_name=internal +pki_token_password= pki_user=pkiuser + ############################################################################### -## 'Apache' Data: ## +## Apache Configuration: ## ## ## ## Values in this section are common to PKI subsystems that run ## ## as an instance of 'Apache' (RA and TPS subsystems), and contain ## @@ -90,8 +104,9 @@ pki_user=pkiuser pki_instance_name=pki-apache pki_http_port=80 pki_https_port=443 + ############################################################################### -## 'Tomcat' Data: ## +## Tomcat Configuration: ## ## ## ## Values in this section are common to PKI subsystems that run ## ## as an instance of 'Tomcat' (CA, KRA, OCSP, and TKS subsystems ## @@ -108,6 +123,7 @@ pki_https_port=443 [Tomcat] pki_ajp_port=8009 pki_clone=False +pki_clone_pkcs12_password= pki_clone_pkcs12_path= pki_clone_replicate_schema=True pki_clone_replication_master_port= 
@@ -123,8 +139,9 @@ pki_proxy_http_port=80 pki_proxy_https_port=443 pki_security_manager=true pki_tomcat_server_port=8005 + ############################################################################### -## 'CA' Data: ## +## CA Configuration: ## ## ## ## Values in this section are common to CA subsystems including 'PKI CAs', ## ## 'Cloned CAs', 'Subordinate CAs', and 'External CAs', and contain ## @@ -162,8 +179,9 @@ pki_ocsp_signing_token= pki_subordinate=False pki_subsystem=CA pki_subsystem_name= + ############################################################################### -## 'KRA' Data: ## +## KRA Configuration: ## ## ## ## Values in this section are common to KRA subsystems ## ## including 'PKI KRAs' and 'Cloned KRAs', and contain ## @@ -186,8 +204,9 @@ pki_transport_nickname= pki_transport_signing_algorithm=SHA256withRSA pki_transport_subject_dn= pki_transport_token= + ############################################################################### -## 'OCSP' Data: ## +## OCSP Configuration: ## ## ## ## Values in this section are common to OCSP subsystems ## ## including 'PKI OCSPs' and 'Cloned OCSPs', and contain ## @@ -203,8 +222,9 @@ pki_ocsp_signing_subject_dn= pki_ocsp_signing_token= pki_subsystem=OCSP pki_subsystem_name= + ############################################################################### -## 'RA' Data: ## +## RA Configuration: ## ## ## ## Values in this section are common to PKI RA subsystems, and contain ## ## required information which MAY be overridden by users as necessary. ## @@ -212,8 +232,9 @@ pki_subsystem_name= [RA] pki_subsystem=RA pki_subsystem_name= + ############################################################################### -## 'TKS' Data: ## +## TKS Configuration: ## ## ## ## Values in this section are common to TKS subsystems ## ## including 'PKI TKSs' and 'Cloned TKSs', and contain ## 
@@ -222,8 +243,9 @@ pki_subsystem_name= [TKS] pki_subsystem=TKS pki_subsystem_name= + ############################################################################### -## 'TPS' Data: ## +## TPS Configuration: ## ## ## ## Values in this section are common to PKI TPS subsystems, and contain ## ## required information which MAY be overridden by users as necessary. ## diff --git a/base/deploy/src/pkidestroy b/base/deploy/src/pkidestroy index 1597712e1..88a47308f 100755 --- a/base/deploy/src/pkidestroy +++ b/base/deploy/src/pkidestroy @@ -29,7 +29,6 @@ try: import argparse import logging import os - import pprint import socket import struct import subprocess @@ -88,9 +87,6 @@ def main(argv): print log.PKI_SUBPROCESS_ERROR_1 % exc sys.exit(1) - # Initialize 'pretty print' for objects - pp = pprint.PrettyPrinter(indent=4) - # Read and process command-line arguments. parser = PKIConfigParser() parser.process_command_line_arguments(argv) 
@@ -116,36 +112,36 @@ def main(argv): # Read the specified PKI configuration file. rv = parser.read_pki_configuration_file() if rv != 0: - config.pki_log.error(PKI_UNABLE_TO_PARSE_1, rv, + config.pki_log.error(log.PKI_UNABLE_TO_PARSE_1, rv, extra=config.PKI_INDENTATION_LEVEL_0) sys.exit(1) else: # NEVER print out 'sensitive' name/value pairs!!! config.pki_log.debug(log.PKI_DICTIONARY_COMMON, extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.debug(pp.pformat(config.pki_common_dict), + config.pki_log.debug(pkilogging.format(config.pki_common_dict), extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(log.PKI_DICTIONARY_WEB_SERVER, extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.debug(pp.pformat(config.pki_web_server_dict), + config.pki_log.debug(pkilogging.format(config.pki_web_server_dict), extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(log.PKI_DICTIONARY_SUBSYSTEM, extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.debug(pp.pformat(config.pki_subsystem_dict), + config.pki_log.debug(pkilogging.format(config.pki_subsystem_dict), extra=config.PKI_INDENTATION_LEVEL_0) # NEVER print out 'sensitive' name/value pairs!!! 
config.pki_log.debug(log.PKI_DICTIONARY_COMMON, extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.debug(pp.pformat(config.pki_common_dict), + config.pki_log.debug(pkilogging.format(config.pki_common_dict), extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(log.PKI_DICTIONARY_WEB_SERVER, extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.debug(pp.pformat(config.pki_web_server_dict), + config.pki_log.debug(pkilogging.format(config.pki_web_server_dict), extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(log.PKI_DICTIONARY_SUBSYSTEM, extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.debug(pp.pformat(config.pki_subsystem_dict), + config.pki_log.debug(pkilogging.format(config.pki_subsystem_dict), extra=config.PKI_INDENTATION_LEVEL_0) # Combine the various sectional dictionaries into a PKI master dictionary @@ -154,7 +150,7 @@ def main(argv): config.pki_log_name config.pki_log.debug(log.PKI_DICTIONARY_MASTER, extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.debug(pp.pformat(config.pki_master_dict), + config.pki_log.debug(pkilogging.format(config.pki_master_dict), extra=config.PKI_INDENTATION_LEVEL_0) # Remove the specified PKI subsystem. @@ -181,7 +177,7 @@ def main(argv): sys.exit(1) config.pki_log.debug(log.PKI_DICTIONARY_MASTER, extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.debug(pp.pformat(config.pki_master_dict), + config.pki_log.debug(pkilogging.format(config.pki_master_dict), extra=config.PKI_INDENTATION_LEVEL_0) diff --git a/base/deploy/src/pkispawn b/base/deploy/src/pkispawn index a687d5bef..65c25a93d 100755 --- a/base/deploy/src/pkispawn +++ b/base/deploy/src/pkispawn @@ -29,7 +29,6 @@ try: import argparse import logging import os - import pprint import socket import struct import subprocess 
@@ -88,9 +87,6 @@ def main(argv): print log.PKI_SUBPROCESS_ERROR_1 % exc sys.exit(1) - # Initialize 'pretty print' for objects - pp = pprint.PrettyPrinter(indent=4) - # Read and process command-line arguments. parser = PKIConfigParser() parser.process_command_line_arguments(argv) 
@@ -136,43 +132,43 @@ def main(argv): # Read the specified PKI configuration file. rv = parser.read_pki_configuration_file() if rv != 0: - config.pki_log.error(PKI_UNABLE_TO_PARSE_1, rv, + config.pki_log.error(log.PKI_UNABLE_TO_PARSE_1, rv, extra=config.PKI_INDENTATION_LEVEL_0) sys.exit(1) else: # NEVER print out 'sensitive' name/value pairs!!! config.pki_log.debug(log.PKI_DICTIONARY_COMMON, extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.debug(pp.pformat(config.pki_common_dict), + config.pki_log.debug(pkilogging.format(config.pki_common_dict), extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(log.PKI_DICTIONARY_WEB_SERVER, extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.debug(pp.pformat(config.pki_web_server_dict), + config.pki_log.debug(pkilogging.format(config.pki_web_server_dict), extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(log.PKI_DICTIONARY_SUBSYSTEM, extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.debug(pp.pformat(config.pki_subsystem_dict), + config.pki_log.debug(pkilogging.format(config.pki_subsystem_dict), extra=config.PKI_INDENTATION_LEVEL_0) # NEVER print out 'sensitive' name/value pairs!!! config.pki_log.debug(log.PKI_DICTIONARY_COMMON, extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.debug(pp.pformat(config.pki_common_dict), + config.pki_log.debug(pkilogging.format(config.pki_common_dict), extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(log.PKI_DICTIONARY_WEB_SERVER, extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.debug(pp.pformat(config.pki_web_server_dict), + config.pki_log.debug(pkilogging.format(config.pki_web_server_dict), extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(log.PKI_DICTIONARY_SUBSYSTEM, extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.debug(pp.pformat(config.pki_subsystem_dict), + config.pki_log.debug(pkilogging.format(config.pki_subsystem_dict), extra=config.PKI_INDENTATION_LEVEL_0) # Read in the PKI slots configuration file. 
parser.compose_pki_slots_dictionary() config.pki_log.debug(log.PKI_DICTIONARY_SLOTS, extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.debug(pp.pformat(config.pki_slots_dict), + config.pki_log.debug(pkilogging.format(config.pki_slots_dict), extra=config.PKI_INDENTATION_LEVEL_0) # Combine the various sectional dictionaries into a PKI master dictionary @@ -185,7 +181,7 @@ def main(argv): config.pki_log_name config.pki_log.debug(log.PKI_DICTIONARY_MASTER, extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.debug(pp.pformat(config.pki_master_dict), + config.pki_log.debug(pkilogging.format(config.pki_master_dict), extra=config.PKI_INDENTATION_LEVEL_0) # Install and configure the specified PKI subsystem. @@ -215,7 +211,7 @@ def main(argv): sys.exit(1) config.pki_log.debug(log.PKI_DICTIONARY_MASTER, extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.debug(pp.pformat(config.pki_master_dict), + config.pki_log.debug(pkilogging.format(config.pki_master_dict), extra=config.PKI_INDENTATION_LEVEL_0) diff --git a/base/deploy/src/scriptlets/configuration.jy b/base/deploy/src/scriptlets/configuration.jy index bf89a0170..80543b856 100644 --- a/base/deploy/src/scriptlets/configuration.jy +++ b/base/deploy/src/scriptlets/configuration.jy @@ -23,15 +23,9 @@ from com.netscape.certsrv.client import ClientConfig def main(argv): rv = 0 - # Establish 'master' and 'sensitive' as two separate PKI jython dictionaries - master = dict() - sensitive = dict() - # Import the master dictionary from 'pkispawn' master = pickle.loads(argv[1]) - - # Import the sensitive data dictionary from 'pkispawn' - sensitive = pickle.loads(argv[2]) + sensitive_parameters = master['sensitive_parameters'].split() # Optionally enable a java debugger (e. g. - 'eclipse'): if config.str2bool(master['pki_enable_java_debugger']): 
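Review bot: `master = pickle.loads(argv[1])` now receives every password and pin on the command line, because the sensitive values are merged into the one master dictionary that pkihelper.py's `jython` class (the `@@ -2527` and `@@ -2537` hunks) pickles into the `jython ... "<data>"` command string. Command-line arguments can be read by other local users through the process table for as long as the child runs. The pickle text also sits inside double quotes in a shell string, so a password containing `"`, `$` or a backtick would presumably be reinterpreted by the shell. Consider handing the pickle to the child on stdin or through a root-only temporary file, and reading it here with something like `master = pickle.loads(sys.stdin.read())` (assuming `sys` is imported in this script). Both `main()` here and the command construction in pkihelper.py continue outside the hunks shown.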
@@ -63,8 +57,12 @@ def main(argv): (log.PKI_JYTHON_INDENTATION_2, javasystem.getProperties()['java.class.path']) for key in master: + if key in sensitive_parameters: + value = 'XXXXXXXX' + else: + value = master[key] print "%s '%s' = '%s'" %\ - (log.PKI_JYTHON_INDENTATION_2, key, master[key]) + (log.PKI_JYTHON_INDENTATION_2, key, value) # Initialize token jyutil.security_databases.initialize_token( @@ -84,8 +82,7 @@ def main(argv): # Establish REST Client client = jyutil.rest_client.initialize( client_config, - master, - sensitive) + master) # Construct PKI Subsystem Configuration Data data = None diff --git a/base/deploy/src/scriptlets/configuration.py b/base/deploy/src/scriptlets/configuration.py index c9454d951..2d7797b06 100644 --- a/base/deploy/src/scriptlets/configuration.py +++ b/base/deploy/src/scriptlets/configuration.py @@ -22,7 +22,6 @@ # PKI Deployment Imports import pkiconfig as config from pkiconfig import pki_master_dict as master -from pkiconfig import pki_sensitive_dict as sensitive import pkihelper as util import pkimessages as log import pkiscriptlet @@ -51,7 +50,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # allowing 'certutil' to generate the security databases util.password.create_password_conf( master['pki_client_password_conf'], - sensitive['pki_client_database_password'], pin_sans_token=True) + master['pki_client_database_password'], pin_sans_token=True) util.file.modify(master['pki_client_password_conf'], uid=0, gid=0) # Similarly, create a simple password file containing the diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py index 92e46d045..004366216 100644 --- a/base/deploy/src/scriptlets/pkiconfig.py +++ b/base/deploy/src/scriptlets/pkiconfig.py @@ -199,7 +199,7 @@ pki_console_log_level = None # PKI Deployment Global Dictionaries -pki_sensitive_dict = None +pki_default_dict = None pki_common_dict = None pki_web_server_dict = None pki_subsystem_dict = None 
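Review bot: The new `if key in sensitive_parameters` test in the `for key in master` loop masks by key name only, so a secret copied under another key is still printed in clear. pkiparser.py in this same commit stores `pki_pin` again as `PKI_CERT_DB_PASSWORD_SLOT` and `pki_one_time_pin` as `PKI_RANDOM_NUMBER_SLOT` in the master dictionary, and neither name is in the `sensitive_parameters` list. `pkilogging.format()` has the same gap, and pkispawn and pkidestroy pass the master dictionary to it at debug level. Either add the derived names to the list or mask by value as well, as sketched below for this loop; the same change applies to `pkilogging.format()`. `pki_configuration_url` also embeds the one-time pin, though the comments in pkihelper.py describe that exposure as intentional.

```python
    # … unchanged: java.class.path print …
    # collect the secret values themselves so copies under other keys are masked too
    secret_values = set()
    for name in sensitive_parameters:
        if master.get(name) not in (None, ''):
            secret_values.add(str(master[name]))
    for key in master:
        if key in sensitive_parameters or str(master[key]) in secret_values:
            value = 'XXXXXXXX'
        else:
            value = master[key]
        print "%s '%s' = '%s'" %\
            (log.PKI_JYTHON_INDENTATION_2, key, value)
```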
diff --git a/base/deploy/src/scriptlets/pkihelper.py b/base/deploy/src/scriptlets/pkihelper.py index 904e08614..8be6c5c5d 100644 --- a/base/deploy/src/scriptlets/pkihelper.py +++ b/base/deploy/src/scriptlets/pkihelper.py @@ -42,7 +42,6 @@ import seobject # PKI Deployment Imports import pkiconfig as config from pkiconfig import pki_master_dict as master -from pkiconfig import pki_sensitive_dict as sensitive from pkiconfig import pki_slots_dict as slots from pkiconfig import pki_selinux_config_ports as ports import pkimanifest as manifest @@ -419,7 +418,7 @@ class configuration_file: # NOTE: This is the one and only parameter containing a sensitive # parameter that may be stored in a log file. config.pki_log.info(log.PKI_CONFIGURATION_WIZARD_URL_1, - sensitive['pki_configuration_url'], + master['pki_configuration_url'], extra=config.PKI_INDENTATION_LEVEL_2) config.pki_log.info(log.PKI_CONFIGURATION_WIZARD_RESTART_1, master['pki_registry_initscript_command'], @@ -428,7 +427,7 @@ class configuration_file: def display_configuration_url(self): # NOTE: This is the one and only parameter containing a sensitive # parameter that may be displayed to the screen. - print log.PKI_CONFIGURATION_URL_1 % sensitive['pki_configuration_url'] + print log.PKI_CONFIGURATION_URL_1 % master['pki_configuration_url'] print print log.PKI_CONFIGURATION_RESTART_1 %\ master['pki_registry_initscript_command'] @@ -438,8 +437,8 @@ class configuration_file: # Silently verify the existence of 'sensitive' data if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: # Verify existence of Directory Server Password (ALWAYS) - if not sensitive.has_key('pki_ds_password') or\ - not len(sensitive['pki_ds_password']): + if not master.has_key('pki_ds_password') or\ + not len(master['pki_ds_password']): config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, "pki_ds_password", 
@@ -448,8 +447,8 @@ class configuration_file: sys.exit(1) # Verify existence of Admin Password (except for Clones) if not config.str2bool(master['pki_clone']): - if not sensitive.has_key('pki_admin_password') or\ - not len(sensitive['pki_admin_password']): + if not master.has_key('pki_admin_password') or\ + not len(master['pki_admin_password']): config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, "pki_admin_password", @@ -458,8 +457,8 @@ class configuration_file: sys.exit(1) # If required, verify existence of Backup Password if config.str2bool(master['pki_backup_keys']): - if not sensitive.has_key('pki_backup_password') or\ - not len(sensitive['pki_backup_password']): + if not master.has_key('pki_backup_password') or\ + not len(master['pki_backup_password']): config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, "pki_backup_password", @@ -467,8 +466,8 @@ class configuration_file: extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) # Verify existence of Client Pin for NSS client security databases - if not sensitive.has_key('pki_client_database_password') or\ - not len(sensitive['pki_client_database_password']): + if not master.has_key('pki_client_database_password') or\ + not len(master['pki_client_database_password']): config.pki_log.error( log.PKIHELPER_UNDEFINED_CLIENT_DATABASE_PASSWORD_2, "pki_client_database_password", @@ -476,8 +475,8 @@ class configuration_file: extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) # Verify existence of Client PKCS #12 Password for Admin Cert - if not sensitive.has_key('pki_client_pkcs12_password') or\ - not len(sensitive['pki_client_pkcs12_password']): + if not master.has_key('pki_client_pkcs12_password') or\ + not len(master['pki_client_pkcs12_password']): config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, "pki_client_pkcs12_password", 
@@ -486,8 +485,8 @@ class configuration_file: sys.exit(1) # Verify existence of PKCS #12 Password (ONLY for Clones) if config.str2bool(master['pki_clone']): - if not sensitive.has_key('pki_clone_pkcs12_password') or\ - not len(sensitive['pki_clone_pkcs12_password']): + if not master.has_key('pki_clone_pkcs12_password') or\ + not len(master['pki_clone_pkcs12_password']): config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, "pki_clone_pkcs12_password", @@ -499,8 +498,8 @@ class configuration_file: if config.str2bool(master['pki_clone']) or\ not master['pki_subsystem'] == "CA" or\ config.str2bool(master['pki_subordinate']): - if not sensitive.has_key('pki_security_domain_password') or\ - not len(sensitive['pki_security_domain_password']): + if not master.has_key('pki_security_domain_password') or\ + not len(master['pki_security_domain_password']): config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, "pki_security_domain_password", @@ -509,8 +508,8 @@ class configuration_file: sys.exit(1) # If required, verify existence of Token Password if not master['pki_token_name'] == "internal": - if not sensitive.has_key('pki_token_password') or\ - not len(sensitive['pki_token_password']): + if not master.has_key('pki_token_password') or\ + not len(master['pki_token_password']): config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, "pki_token_password", 
@@ -1954,14 +1953,14 @@ class password: extra=config.PKI_INDENTATION_LEVEL_2) # overwrite the existing 'pkcs12_password.conf' file with open(path, "wt") as fd: - fd.write(sensitive['pki_client_pkcs12_password']) + fd.write(master['pki_client_pkcs12_password']) fd.closed else: config.pki_log.info(log.PKIHELPER_PASSWORD_CONF_1, path, extra=config.PKI_INDENTATION_LEVEL_2) # create a new 'pkcs12_password.conf' file with open(path, "wt") as fd: - fd.write(sensitive['pki_client_pkcs12_password']) + fd.write(master['pki_client_pkcs12_password']) fd.closed except OSError as exc: config.pki_log.error(log.PKI_OSERROR_1, exc, @@ -2527,7 +2526,6 @@ class jython: property = "" # Compose this "jython" command data = pickle.dumps(master) - sensitive_data = pickle.dumps(sensitive) ld_library_path = "LD_LIBRARY_PATH" if master['pki_architecture'] == 64: ld_library_path = ld_library_path + "=" +\ @@ -2537,8 +2535,7 @@ class jython: ld_library_path = ld_library_path + "=" +\ "/usr/lib/jss:/usr/lib:/lib" command = "export" + " " + ld_library_path + ";" + "jython" + " " +\ - property + " " + scriptlet + " " + "\"" + data + "\"" +\ - " " + "\"" + sensitive_data + "\"" + property + " " + scriptlet + " " + "\"" + data + "\"" # Display this "jython" command config.pki_log.info( log.PKIHELPER_INVOKE_JYTHON_3, diff --git a/base/deploy/src/scriptlets/pkijython.py b/base/deploy/src/scriptlets/pkijython.py index e6098b01a..e106f0141 100644 --- a/base/deploy/src/scriptlets/pkijython.py +++ b/base/deploy/src/scriptlets/pkijython.py @@ -276,12 +276,10 @@ class security_databases: class rest_client: client = None master = None - sensitive = None - def initialize(self, client_config, master, sensitive): + def initialize(self, client_config, master): try: self.master = master - self.sensitive = sensitive log_level = master['pki_jython_log_level'] if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL: print "%s %s '%s'" %\ 
@@ -299,7 +297,7 @@ class rest_client: data.setSecurityDomainUri(self.master['pki_security_domain_uri']) data.setSecurityDomainUser(self.master['pki_security_domain_user']) data.setSecurityDomainPassword( - self.sensitive['pki_security_domain_password']) + self.master['pki_security_domain_password']) def set_new_security_domain(self, data): data.setSecurityDomainType(ConfigurationRequest.NEW_DOMAIN) @@ -309,7 +307,7 @@ class rest_client: data.setIsClone("true") data.setCloneUri(self.master['pki_clone_uri']) data.setP12File(self.master['pki_clone_pkcs12_path']) - data.setP12Password(self.sensitive['pki_clone_pkcs12_password']) + data.setP12Password(self.master['pki_clone_pkcs12_password']) data.setReplicateSchema(self.master['pki_clone_replicate_schema']) data.setReplicationSecurity( self.master['pki_clone_replication_security']) @@ -326,7 +324,7 @@ class rest_client: data.setBaseDN(self.master['pki_ds_base_dn']) data.setBindDN(self.master['pki_ds_bind_dn']) data.setDatabase(self.master['pki_ds_database']) - data.setBindpwd(self.sensitive['pki_ds_password']) + data.setBindpwd(self.master['pki_ds_password']) if config.str2bool(self.master['pki_ds_remove_data']): data.setRemoveData("true") else: @@ -340,14 +338,14 @@ class rest_client: if config.str2bool(self.master['pki_backup_keys']): data.setBackupKeys("true") data.setBackupFile(self.master['pki_backup_keys_p12']) - data.setBackupPassword(self.sensitive['pki_backup_password']) + data.setBackupPassword(self.master['pki_backup_password']) else: data.setBackupKeys("false") def set_admin_parameters(self, token, data): data.setAdminEmail(self.master['pki_admin_email']) data.setAdminName(self.master['pki_admin_name']) - data.setAdminPassword(self.sensitive['pki_admin_password']) + data.setAdminPassword(self.master['pki_admin_password']) data.setAdminProfileID(self.master['pki_admin_profile_id']) data.setAdminUID(self.master['pki_admin_uid']) data.setAdminSubjectDN(self.master['pki_admin_subject_dn']) 
@@ -422,7 +420,7 @@ class rest_client: data = ConfigurationRequest() # Miscellaneous Configuration Information - data.setPin(self.sensitive['pki_one_time_pin']) + data.setPin(master['pki_one_time_pin']) data.setToken(ConfigurationRequest.TOKEN_DEFAULT) data.setSubsystemName(master['pki_subsystem_name']) diff --git a/base/deploy/src/scriptlets/pkilogging.py b/base/deploy/src/scriptlets/pkilogging.py index 9b22ae39c..3c146a12c 100644 --- a/base/deploy/src/scriptlets/pkilogging.py +++ b/base/deploy/src/scriptlets/pkilogging.py @@ -22,7 +22,25 @@ # System Imports import logging import os +import pprint +sensitive_parameters = [] + +# Initialize 'pretty print' for objects +pp = pprint.PrettyPrinter(indent=4) + +def format(dict): + new_dict = {} + + # mask sensitive data + for key in dict: + if key in sensitive_parameters: + value = 'XXXXXXXX' + else: + value = dict[key] + new_dict[key] = value + + return pp.pformat(new_dict) # PKI Deployment Logging Functions def enable_pki_logger(log_dir, log_name, log_level, console_log_level, logger): diff --git a/base/deploy/src/scriptlets/pkimessages.py b/base/deploy/src/scriptlets/pkimessages.py index 435f7d10e..cec154c0a 100644 --- a/base/deploy/src/scriptlets/pkimessages.py +++ b/base/deploy/src/scriptlets/pkimessages.py @@ -193,7 +193,7 @@ PKIHELPER_GROUP_ADD_KEYERROR_1 = "KeyError: pki_group %s" PKIHELPER_INVALID_SELINUX_CONTEXT_FOR_PORT = "port %s has invalid selinux "\ "context %s" PKIHELPER_INVOKE_JYTHON_3 = "executing 'export %s;"\ - "jython %s %s '" + "jython %s %s '" PKIHELPER_IS_A_DIRECTORY_1 = "'%s' is a directory" PKIHELPER_IS_A_FILE_1 = "'%s' is a file" PKIHELPER_IS_A_SYMLINK_1 = "'%s' is a symlink" diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py index 58da5d260..438b23bd7 100644 --- a/base/deploy/src/scriptlets/pkiparser.py +++ b/base/deploy/src/scriptlets/pkiparser.py 
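Review bot: `sensitive_parameters = []` in pkilogging.py makes masking fail open: `format()` hides nothing until pkiparser.py (the `@@ -222` hunk) assigns the list, and it hides nothing at all if the deployment file leaves `sensitive_parameters` empty. Since the list is the only barrier between passwords and the log, seed the module with the known names (`pki_admin_password`, `pki_ds_password`, `pki_pin`, and the rest of the list shipped in pkideployment.cfg) and have the parser extend that baseline rather than replace it. Separately, `def format(dict)` shadows two builtins. The function name is already used by callers, but the parameter could become `def format(params):` with a docstring stating that a masked copy is pretty-printed and the input is left unmodified.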
@@ -31,6 +31,7 @@ import time # PKI Deployment Imports +import pkilogging import pkiconfig as config import pkimessages as log @@ -222,7 +223,8 @@ class PKIConfigParser: # Make keys case-sensitive! self.pki_config.optionxform = str self.pki_config.read(config.pkideployment_cfg) - config.pki_sensitive_dict = dict(self.pki_config._sections['Sensitive']) + config.pki_default_dict = self.pki_config.defaults() + pkilogging.sensitive_parameters = config.pki_default_dict['sensitive_parameters'].split() config.pki_common_dict = dict(self.pki_config._sections['Common']) if config.pki_subsystem == "CA": config.pki_web_server_dict = dict(self.pki_config._sections['Tomcat']) @@ -244,10 +246,12 @@ class PKIConfigParser: config.pki_subsystem_dict = dict(self.pki_config._sections['TPS']) # Insert empty record into dictionaries for "pretty print" statements # NEVER print "sensitive" key value pairs!!! + config.pki_default_dict[0] = None config.pki_common_dict[0] = None config.pki_web_server_dict[0] = None config.pki_subsystem_dict[0] = None except ConfigParser.ParsingError, err: + print err rv = err return rv 
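Review bot: `config.pki_default_dict['sensitive_parameters'].split()` in the `@@ -222` hunk raises `KeyError` when a deployment file lacks the entry, and the surrounding `try` only catches `ConfigParser.ParsingError`, so the tool would die with a traceback instead of returning `rv`. Use `config.pki_default_dict.get('sensitive_parameters', '').split()` and treat an empty result as an error, or fall back to a built-in list. `self.pki_config.defaults()` returns the parser's own defaults mapping in the standard library, so the later `config.pki_default_dict[0] = None` writes an integer key into the parser itself; `dict(self.pki_config.defaults())` would match how the section dictionaries are copied. The added `print err` looks like a debugging leftover, since `rv` is already reported through `config.pki_log.error` by the callers. The method body continues outside the hunk.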
@@ -277,18 +281,19 @@ class PKIConfigParser: # the configuration file pin_low = 100000000000 pin_high = 999999999999 - config.pki_sensitive_dict['pki_pin'] =\ + config.pki_master_dict['pki_pin'] =\ random.randint(pin_low, pin_high) - config.pki_sensitive_dict['pki_client_pin'] =\ + config.pki_master_dict['pki_client_pin'] =\ random.randint(pin_low, pin_high) # Generate a one-time pin to be used prior to configuration # and add this to the "sensitive" key value pairs read in from # the configuration file - config.pki_sensitive_dict['pki_one_time_pin'] =\ + config.pki_master_dict['pki_one_time_pin'] =\ ''.join(random.choice(string.ascii_letters + string.digits)\ for x in range(20)) # Configuration file name/value pairs # NEVER add "sensitive" key value pairs to the master dictionary!!! + config.pki_master_dict.update(config.pki_default_dict) config.pki_master_dict.update(config.pki_common_dict) config.pki_master_dict.update(config.pki_web_server_dict) config.pki_master_dict.update(config.pki_subsystem_dict) @@ -1141,7 +1146,7 @@ class PKIConfigParser: config.pki_master_dict['PKI_AJP_REDIRECT_PORT_SLOT'] =\ config.pki_master_dict['pki_https_port'] config.pki_master_dict['PKI_CERT_DB_PASSWORD_SLOT'] =\ - config.pki_sensitive_dict['pki_pin'] + config.pki_master_dict['pki_pin'] config.pki_master_dict['PKI_CFG_PATH_NAME_SLOT'] =\ config.pki_master_dict['pki_target_cs_cfg'] config.pki_master_dict\ @@ -1213,7 +1218,7 @@ class PKIConfigParser: config.pki_master_dict['PKI_TMPDIR_SLOT'] =\ config.pki_master_dict['pki_tomcat_tmpdir_path'] config.pki_master_dict['PKI_RANDOM_NUMBER_SLOT'] =\ - config.pki_sensitive_dict['pki_one_time_pin'] + config.pki_master_dict['pki_one_time_pin'] config.pki_master_dict['PKI_SECURE_PORT_SLOT'] =\ config.pki_master_dict['pki_https_port'] config.pki_master_dict['PKI_SECURE_PORT_CONNECTOR_NAME_SLOT'] =\ 
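Review bot: `pki_pin`, `pki_client_pin` and `pki_one_time_pin` in the `@@ -277` hunk are drawn from the default `random` module generator, which is a Mersenne Twister and not meant for secrets. `pki_pin` is later copied into `PKI_CERT_DB_PASSWORD_SLOT`, and the one-time pin gates the configuration URL. Create `rng = random.SystemRandom()` once and use `rng.randint(pin_low, pin_high)` and `rng.choice(string.ascii_letters + string.digits)` in the three assignments. The retained comment `# NEVER add "sensitive" key value pairs to the master dictionary!!!` now contradicts the assignments directly above it and should be reworded to say that sensitive values live in the master dictionary and are masked on output. The enclosing method starts and ends outside this hunk.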
@@ -1351,19 +1356,19 @@ class PKIConfigParser: # The following variables are established via the specified PKI # deployment configuration file and is NOT redefined below: # - # config.pki_sensitive_dict['pki_client_pkcs12_password'] + # config.pki_master_dict['pki_client_pkcs12_password'] # config.pki_master_dict['pki_client_database_purge'] # # The following variables are established via the specified PKI # deployment configuration file and potentially overridden below: # - # config.pki_sensitive_dict['pki_client_database_password'] + # config.pki_master_dict['pki_client_database_password'] # config.pki_master_dict['pki_client_dir'] # - if not len(config.pki_sensitive_dict['pki_client_database_password']): + if not len(config.pki_master_dict['pki_client_database_password']): # use randomly generated client 'pin' - config.pki_sensitive_dict['pki_client_database_password'] =\ - str(config.pki_sensitive_dict['pki_client_pin']) + config.pki_master_dict['pki_client_database_password'] =\ + str(config.pki_master_dict['pki_client_pin']) if not len(config.pki_master_dict['pki_client_dir']): config.pki_master_dict['pki_client_dir'] =\ os.path.join( @@ -1434,9 +1439,9 @@ class PKIConfigParser: # The following variables are established via the specified PKI # deployment configuration file and are NOT redefined below: # - # config.pki_sensitive_dict['pki_clone_pkcs12_password'] - # config.pki_sensitive_dict['pki_security_domain_password'] - # config.pki_sensitive_dict['pki_token_password'] + # config.pki_master_dict['pki_clone_pkcs12_password'] + # config.pki_master_dict['pki_security_domain_password'] + # config.pki_master_dict['pki_token_password'] # config.pki_master_dict['pki_clone_pkcs12_path'] # config.pki_master_dict['pki_clone_uri'] # config.pki_master_dict['pki_security_domain_https_port'] 
@@ -1552,7 +1557,7 @@ class PKIConfigParser:
 # The following variables are established via the specified PKI
 # deployment configuration file and are NOT redefined below:
 #
- # config.pki_sensitive_dict['pki_ds_password']
+ # config.pki_master_dict['pki_ds_password']
 # config.pki_master_dict['pki_clone_replication_security']
 # config.pki_master_dict['pki_ds_bind_dn']
 # config.pki_master_dict['pki_ds_ldap_port']
@@ -1612,7 +1617,7 @@ class PKIConfigParser:
 # The following variables are established via the specified PKI
 # deployment configuration file and are NOT redefined below:
 #
- # config.pki_sensitive_dict['pki_backup_password']
+ # config.pki_master_dict['pki_backup_password']
 # config.pki_master_dict['pki_backup_keys']
 #
 if config.str2bool(config.pki_master_dict['pki_backup_keys']):
@@ -1633,7 +1638,7 @@ class PKIConfigParser:
 # The following variables are established via the specified PKI
 # deployment configuration file and are NOT redefined below:
 #
- # config.pki_sensitive_dict['pki_admin_password']
+ # config.pki_master_dict['pki_admin_password']
 # config.pki_master_dict['pki_admin_cert_request_type']
 # config.pki_master_dict['pki_admin_dualkey']
 # config.pki_master_dict['pki_admin_keysize']
@@ -2334,13 +2339,13 @@ class PKIConfigParser:
 # parameter that may be stored in a log file and displayed
 # to the screen.
 #
- config.pki_sensitive_dict['pki_configuration_url'] =\
+ config.pki_master_dict['pki_configuration_url'] =\
 "https://{}:{}/{}/{}?pin={}".format(
 config.pki_master_dict['pki_hostname'],
 config.pki_master_dict['pki_https_port'],
 config.pki_master_dict['pki_subsystem'].lower(),
 "admin/console/config/login",
- config.pki_sensitive_dict['pki_one_time_pin'])
+ config.pki_master_dict['pki_one_time_pin'])
 # Compose this "systemd" execution management command
 if config.pki_master_dict['pki_subsystem'] in\
 config.PKI_APACHE_SUBSYSTEMS:
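Review bot: `pki_configuration_url` in the `@@ -2334,13 +2339,13 @@` hunk embeds `pki_one_time_pin` in the query string, so masking `pki_one_time_pin` by name does not keep the pin out of anything that prints or logs the URL, and the comment above the assignment says this parameter may be stored in a log file and displayed to the screen. The comment should state that exposure plainly, for example `# NOTE: this URL carries pki_one_time_pin in clear text; the pin must be single-use and rejected once configuration completes`. Whether the server side actually invalidates the pin cannot be seen from this hunk and should be confirmed. The comment block and the enclosing method both start outside the hunk.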
diff --git a/base/deploy/src/scriptlets/security_databases.py b/base/deploy/src/scriptlets/security_databases.py
index 0cc660b3a..a74a4c157 100644
--- a/base/deploy/src/scriptlets/security_databases.py
+++ b/base/deploy/src/scriptlets/security_databases.py
@@ -22,7 +22,6 @@
 # PKI Deployment Imports
 import pkiconfig as config
 from pkiconfig import pki_master_dict as master
-from pkiconfig import pki_sensitive_dict as sensitive
 import pkihelper as util
 import pkimessages as log
 import pkiscriptlet
@@ -41,14 +40,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 extra=config.PKI_INDENTATION_LEVEL_1)
 util.password.create_password_conf(
 master['pki_shared_password_conf'],
- sensitive['pki_pin'])
+ master['pki_pin'])
 # Since 'certutil' does NOT strip the 'token=' portion of
 # the 'token=password' entries, create a temporary server 'pfile'
 # which ONLY contains the 'password' for the purposes of
 # allowing 'certutil' to generate the security databases
 util.password.create_password_conf(
 master['pki_shared_pfile'],
- sensitive['pki_pin'], pin_sans_token=True)
+ master['pki_pin'], pin_sans_token=True)
 util.file.modify(master['pki_shared_password_conf'])
 util.certutil.create_security_databases(
 master['pki_database_path'],
-- cgit