authormharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-05-07 22:37:08 +0000
committermharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-05-07 22:37:08 +0000
commit466202e75665108f5c51c5d602d2afaabed4a027 (patch)
tree9e953e972da8074d7fc4dfcc02f0d1a96f57db34
parent2963ca4c6381e7a43fff0457fb0135476874830f (diff)
Bugzilla Bug #492735 - Configuration wizard stores certain incorrect port
values within TPS "CS.cfg" . . . Bugzilla Bug #495597 - Unable to access Agent page using a configured CA/KRA containing an HSM git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@431 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
-rw-r--r--pki/base/ca/shared/conf/CS.cfg29
-rw-r--r--pki/base/ca/shared/conf/schema.ldif17
-rw-r--r--pki/base/ca/shared/conf/server.xml2
-rwxr-xr-xpki/base/ca/shared/etc/init.d/httpd86
-rw-r--r--pki/base/ca/shared/webapps/ca/WEB-INF/web.xml113
-rw-r--r--pki/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java2
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminPanel.java12
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/AgentAuthenticatePanel.java2
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java26
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java17
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/DisplayCertChainPanel.java23
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java88
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/GetCookie.java2
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/ImportAdminCertPanel.java10
-rwxr-xr-xpki/base/common/src/com/netscape/cms/servlet/csadmin/ImportCAChainPanel.java13
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java45
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java4
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/SecurityDomainPanel.java216
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java17
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java342
-rw-r--r--pki/base/kra/shared/conf/CS.cfg29
-rw-r--r--pki/base/kra/shared/conf/schema.ldif17
-rw-r--r--pki/base/kra/shared/conf/server.xml2
-rw-r--r--pki/base/kra/shared/webapps/kra/WEB-INF/web.xml21
-rw-r--r--pki/base/migrate/80/MigrateSecurityDomain.java7
-rw-r--r--pki/base/migrate/80/schema-add.ldif20
-rw-r--r--pki/base/ocsp/shared/conf/CS.cfg31
-rw-r--r--pki/base/ocsp/shared/conf/schema.ldif17
-rw-r--r--pki/base/ocsp/shared/conf/server.xml2
-rw-r--r--pki/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml17
-rw-r--r--pki/base/ra/doc/CS.cfg18
-rwxr-xr-xpki/base/ra/forms/ee/user/renewal.cgi2
-rwxr-xr-xpki/base/ra/forms/index.cgi1
-rwxr-xr-xpki/base/ra/lib/perl/PKI/RA/AdminPanel.pm20
-rwxr-xr-xpki/base/ra/lib/perl/PKI/RA/CAInfoPanel.pm22
-rwxr-xr-xpki/base/ra/lib/perl/PKI/RA/DRMInfoPanel.pm16
-rwxr-xr-xpki/base/ra/lib/perl/PKI/RA/DisplayCertChainPanel.pm91
-rwxr-xr-xpki/base/ra/lib/perl/PKI/RA/DonePanel.pm18
-rwxr-xr-xpki/base/ra/lib/perl/PKI/RA/ImportAdminCertPanel.pm14
-rwxr-xr-xpki/base/ra/lib/perl/PKI/RA/NamePanel.pm26
-rwxr-xr-xpki/base/ra/lib/perl/PKI/RA/SecurityDomainPanel.pm16
-rwxr-xr-xpki/base/ra/lib/perl/PKI/RA/SizePanel.pm6
-rwxr-xr-xpki/base/ra/lib/perl/PKI/RA/SubsystemTypePanel.pm11
-rwxr-xr-xpki/base/ra/lib/perl/PKI/RA/TKSInfoPanel.pm18
-rwxr-xr-xpki/base/setup/pkicreate82
-rwxr-xr-xpki/base/setup/pkiremove53
-rw-r--r--pki/base/silent/src/ca/ConfigureCA.java4
-rw-r--r--pki/base/silent/src/drm/ConfigureDRM.java4
-rw-r--r--pki/base/silent/src/ocsp/ConfigureOCSP.java4
-rw-r--r--pki/base/silent/src/ra/ConfigureRA.java4
-rw-r--r--pki/base/silent/src/subca/ConfigureSubCA.java4
-rw-r--r--pki/base/silent/src/tks/ConfigureTKS.java4
-rw-r--r--pki/base/silent/src/tps/ConfigureTPS.java4
-rw-r--r--pki/base/tks/shared/conf/CS.cfg31
-rw-r--r--pki/base/tks/shared/conf/schema.ldif17
-rw-r--r--pki/base/tks/shared/conf/server.xml2
-rw-r--r--pki/base/tks/shared/webapps/tks/WEB-INF/web.xml18
-rw-r--r--pki/base/tps/doc/CS.cfg18
-rwxr-xr-xpki/base/tps/lib/perl/PKI/TPS/AdminPanel.pm20
-rwxr-xr-xpki/base/tps/lib/perl/PKI/TPS/CAInfoPanel.pm22
-rwxr-xr-xpki/base/tps/lib/perl/PKI/TPS/DRMInfoPanel.pm16
-rwxr-xr-xpki/base/tps/lib/perl/PKI/TPS/DisplayCertChainPanel.pm91
-rwxr-xr-xpki/base/tps/lib/perl/PKI/TPS/DonePanel.pm18
-rwxr-xr-xpki/base/tps/lib/perl/PKI/TPS/ImportAdminCertPanel.pm14
-rwxr-xr-xpki/base/tps/lib/perl/PKI/TPS/NamePanel.pm26
-rwxr-xr-xpki/base/tps/lib/perl/PKI/TPS/SecurityDomainPanel.pm16
-rwxr-xr-xpki/base/tps/lib/perl/PKI/TPS/SizePanel.pm6
-rwxr-xr-xpki/base/tps/lib/perl/PKI/TPS/SubsystemTypePanel.pm9
-rwxr-xr-xpki/base/tps/lib/perl/PKI/TPS/TKSInfoPanel.pm18
69 files changed, 1400 insertions, 613 deletions
diff --git a/pki/base/ca/shared/conf/CS.cfg b/pki/base/ca/shared/conf/CS.cfg
index 81e43c79..aac14e86 100644
--- a/pki/base/ca/shared/conf/CS.cfg
+++ b/pki/base/ca/shared/conf/CS.cfg
@@ -2,16 +2,16 @@
#cs.state=0 (pre-operational)
#cs.state=1 (running)
#
-pkicreate.arg01.pki_instance_root=[PKI_INSTANCE_ROOT]
-pkicreate.arg02.pki_instance_name=[PKI_INSTANCE_ID]
-pkicreate.arg03.subsystem_type=[PKI_SUBSYSTEM_TYPE]
-pkicreate.arg04.agent_secure_port=[PKI_AGENT_SECURE_PORT]
-pkicreate.arg05.ee_secure_port=[PKI_EE_SECURE_PORT]
-pkicreate.arg06.admin_secure_port=[PKI_ADMIN_SECURE_PORT]
-pkicreate.arg07.secure_port=[PKI_SECURE_PORT]
-pkicreate.arg08.unsecure_port=[PKI_UNSECURE_PORT]
-pkicreate.arg09.tomcat_server_port=[TOMCAT_SERVER_PORT]
-pkicreate.arg10.user=[PKI_USER]
+pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT]
+pkicreate.pki_instance_name=[PKI_INSTANCE_ID]
+pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE]
+pkicreate.agent_secure_port=[PKI_AGENT_SECURE_PORT]
+pkicreate.ee_secure_port=[PKI_EE_SECURE_PORT]
+pkicreate.admin_secure_port=[PKI_ADMIN_SECURE_PORT]
+pkicreate.secure_port=[PKI_SECURE_PORT]
+pkicreate.unsecure_port=[PKI_UNSECURE_PORT]
+pkicreate.tomcat_server_port=[TOMCAT_SERVER_PORT]
+pkicreate.user=[PKI_USER]
pkicreate.arg11.group=[PKI_GROUP]
installDate=[INSTALL_TIME]
preop.wizard.name=CA Setup Wizard
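Review bot: `pkicreate.arg11.group=[PKI_GROUP]` on the context line keeps the old numbered form while the ten keys directly above it drop the `argNN.` prefix, so the group key now follows a different naming scheme from its siblings. If the rename is meant to be complete, it should become `pkicreate.group=[PKI_GROUP]`; the kra, ocsp and tks CS.cfg files in the diffstat presumably carry the same line and need the same decision. Any reader of these keys (for example `pkicreate.admin_secure_port`, read by DisplayCertChainPanel later in this commit) should be checked against the final spelling.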
@@ -25,12 +25,17 @@ authType=pwd
admin.interface.uri=ca/admin/console/config/wizard
ee.interface.uri=ca/ee/ca
agent.interface.uri=ca/agent/ca
-preop.securitydomain.url=https://[PKI_MACHINE_NAME]:9444
+preop.securitydomain.admin_url=https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]
securitydomain.flushinterval=86400000
instanceRoot=[PKI_INSTANCE_PATH]
machineName=[PKI_MACHINE_NAME]
instanceId=[PKI_INSTANCE_ID]
-service.securePort=[PKI_SECURE_PORT]
+service.machineName=[PKI_MACHINE_NAME]
+service.instanceDir=[PKI_INSTANCE_ROOT]
+service.securePort=[PKI_AGENT_SECURE_PORT]
+service.non_clientauth_securePort=[PKI_EE_SECURE_PORT]
+service.unsecurePort=[PKI_UNSECURE_PORT]
+service.instanceID=[PKI_INSTANCE_ID]
preop.admin.name=Certificate System Administrator
preop.admin.group=Certificate Manager Agents
preop.admincert.profile=caAdminCert
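Review bot: `service.securePort` keeps its key but its value changes from `[PKI_SECURE_PORT]` to `[PKI_AGENT_SECURE_PORT]`, so code that reads `service.securePort` expecting the single secure port now silently receives the agent port, with no key rename to flag the change. A comment above the block, `# service.securePort is the SSL agent port; service.non_clientauth_securePort is the SSL EE port`, would record the new meaning where the values are set. The same block presumably appears in the kra/ocsp/tks CS.cfg files listed in the diffstat.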
diff --git a/pki/base/ca/shared/conf/schema.ldif b/pki/base/ca/shared/conf/schema.ldif
index 823543dc..269b3f57 100644
--- a/pki/base/ca/shared/conf/schema.ldif
+++ b/pki/base/ca/shared/conf/schema.ldif
@@ -381,6 +381,21 @@ attributeTypes: ( SecurePort-oid NAME 'SecurePort' SYNTAX 1.3.6.1.4.1.1466.115.
dn: cn=schema
changetype: modify
add: attributeTypes
+attributeTypes: ( SecureAgentPort-oid NAME 'SecureAgentPort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( SecureAdminPort-oid NAME 'SecureAdminPort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( UnSecurePort-oid NAME 'UnSecurePort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
attributeTypes: ( SubsystemName-oid NAME 'SubsystemName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
dn: cn=schema
@@ -441,7 +456,7 @@ objectClasses: ( pkiSecurityGroup-oid NAME 'pkiSecurityGroup' DESC 'CMS defined
dn: cn=schema
changetype: modify
add: objectClasses
-objectClasses: ( pkiSubsystem-oid NAME 'pkiSubsystem' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone ) MAY ( DomainManager ) X-ORIGIN 'user defined' )
+objectClasses: ( pkiSubsystem-oid NAME 'pkiSubsystem' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone ) MAY ( DomainManager $ SecureAgentPort $ SecureAdminPort $ UnSecurePort ) X-ORIGIN 'user defined' )
dn: cn=schema
changetype: modify
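Review bot: The three new port attributes are added to `pkiSubsystem` as MAY, so entries registered before this change, or by a registrar that does not send them, will legitimately lack `SecureAgentPort`, `SecureAdminPort` and `UnSecurePort`. Code that looks them up (the `getSecurityDomainPort` calls added later in this commit) therefore needs a defined behaviour for an absent attribute rather than assuming a value is present. A comment on the `objectClasses:` line, `# SecureAgentPort/SecureAdminPort/UnSecurePort are optional for pre-existing entries; consumers must tolerate their absence`, would make that contract explicit. The same objectClass change presumably appears in the kra/ocsp/tks schema.ldif files in the diffstat.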
diff --git a/pki/base/ca/shared/conf/server.xml b/pki/base/ca/shared/conf/server.xml
index 7dd9f6cc..58cd6166 100644
--- a/pki/base/ca/shared/conf/server.xml
+++ b/pki/base/ca/shared/conf/server.xml
@@ -98,7 +98,7 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
- clientAuth="true" sslProtocol="SSL"
+ clientAuth="[PKI_AGENT_CLIENTAUTH]" sslProtocol="SSL"
sslOptions="ssl2=true,ssl3=true,tls=true"
ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
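Review bot: `clientAuth` on this connector is now the substitution token `[PKI_AGENT_CLIENTAUTH]`, so whether the agent port demands a client certificate is decided at instance creation rather than fixed as `"true"` in the template. The values the token may take and its default are not visible here (pkicreate is in the diffstat but not in this chunk), so a comment in the template, `<!-- [PKI_AGENT_CLIENTAUTH] is expected to be "true"; any other value removes certificate-based agent authentication on this connector -->`, would make the expectation visible to whoever edits the substitution. The connector element starts and ends outside the hunk.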
diff --git a/pki/base/ca/shared/etc/init.d/httpd b/pki/base/ca/shared/etc/init.d/httpd
index e0c7326b..4df900f3 100755
--- a/pki/base/ca/shared/etc/init.d/httpd
+++ b/pki/base/ca/shared/etc/init.d/httpd
@@ -208,6 +208,7 @@ fi
pidfile=${PIDFILE:-/var/run/[PKI_INSTANCE_ID].pid}
lockfile=${LOCKFILE:-/var/lock/subsys/[PKI_INSTANCE_ID]}
+PKI_SECURITY_DOMAIN=[PKI_INSTANCE_PATH]/conf/pki_security_domain
RESTART_SERVER=[PKI_INSTANCE_PATH]/conf/restart_server_after_configuration
RETVAL=0
@@ -293,6 +294,78 @@ get_pki_status_definitions()
fi
}
+get_pki_security_domain_definitions()
+{
+ # establish well-known strings
+ begin_pki_status_comment="<!-- DO NOT REMOVE - Begin PKI Status Definitions -->"
+ end_pki_status_comment="<!-- DO NOT REMOVE - End PKI Status Definitions -->"
+ announce_urls=0
+ total_ports=0
+ secure_admin_port_statement="Secure Admin Port = "
+
+ # initialize looping variables
+ pki_status_comment_found=0
+
+ # first check to see that an instance-specific "server.xml" file exists
+ if [ ! -f [PKI_SERVER_XML_CONF] ] ; then
+ echo "File '[PKI_SERVER_XML_CONF]' does not exist!"
+ exit 255
+ fi
+
+ # read this instance-specific "server.xml" file line-by-line
+ # to obtain the current PKI Status Definitions
+ exec < [PKI_SERVER_XML_CONF]
+ while read line; do
+ # first look for the well-known end PKI Status comment
+ # (to turn off processing)
+ if [ "$line" == "$end_pki_status_comment" ] ; then
+ pki_status_comment_found=0
+ break;
+ fi
+
+ # then look for the well-known begin PKI Status comment
+ # (to turn on processing)
+ if [ "$line" == "$begin_pki_status_comment" ] ; then
+ pki_status_comment_found=1
+ fi
+
+ # once the well-known begin PKI Status comment has been found,
+ # begin processing to obtain all of the PKI Status Definitions
+ if [ $pki_status_comment_found -eq 1 ] ; then
+
+ # announce security domain URL
+ if [ ${announce_urls} -eq 0 ] ; then
+ echo
+ echo
+ echo " Security Domain URL:"
+ echo " =========================================================================="
+ announce_urls=`expr ${total_ports} + 1`
+ fi
+
+ # look for a PKI Status Definition and print the
+ # security domain portion of it
+ head=`echo "$line" | cut -b1-20`
+ url=`echo "$line" | cut -b21-`
+ if [ "$head" == "$secure_admin_port_statement" ]
+ then
+ security_domain=`echo "$url" | awk '{loc=index($0, "/ca/services"); printf substr($0, 1, (loc-1))}'` ;
+ echo " $security_domain" ;
+ total_ports=`expr ${total_ports} + 1`
+ fi
+ fi
+ done
+
+ if [ ${announce_urls} -ne 0 ] ; then
+ echo " =========================================================================="
+ fi
+
+ if [ ${total_ports} -eq 1 ] ; then
+ return 0
+ else
+ return 255
+ fi
+}
+
get_pki_secure_port()
{
# establish well-known strings
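Review bot: `exec < [PKI_SERVER_XML_CONF]` redirects the whole shell's standard input for the remainder of the script, not just the loop, and nothing restores it afterwards. Feeding the loop directly, `while read -r line; do` … `done < [PKI_SERVER_XML_CONF]`, scopes the redirection to the loop, and `-r` keeps any backslashes in the XML intact. `announce_urls` is set to `total_ports + 1` on the first hit but is only ever compared against zero, so a plain `announce_urls=1` states what is meant. `get_pki_secure_port` at the end of the hunk continues outside it.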
@@ -1000,6 +1073,19 @@ status()
if [ $? -ne 0 ] ; then
echo "[PKI_INSTANCE_ID] Status Definitions not found"
fi
+ if [ -f ${PKI_SECURITY_DOMAIN} ] ; then
+ get_pki_security_domain_definitions
+ if [ $? -ne 0 ] ; then
+ echo "[PKI_INSTANCE_ID] Security Domain Definitions not found"
+ fi
+ else
+ echo
+ echo
+ echo " Security Domain URL:"
+ echo " =========================================================================="
+ echo " '[PKI_INSTANCE_ID]' is NOT a Security Domain!"
+ echo " =========================================================================="
+ fi
fi
echo
else
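Review bot: The message `Security Domain Definitions not found` covers two different outcomes, because `get_pki_security_domain_definitions` returns 255 both when no `Secure Admin Port = ` line was found and when more than one was, in the latter case after having already printed the URLs. Either have the function return distinct codes for the two cases or reword the message, e.g. `echo "[PKI_INSTANCE_ID] Security Domain Definitions not found or ambiguous"`. The `status()` function starts and ends outside the hunk.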
diff --git a/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml b/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml
index ce9c972a..eb2cdb45 100644
--- a/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml
+++ b/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml
@@ -220,8 +220,6 @@
<param-value> services </param-value> </init-param>
<init-param><param-name> templatePath </param-name>
<param-value> /services.template </param-value> </init-param>
- <init-param><param-name> interface </param-name>
- <param-value> ee </param-value> </init-param>
</servlet>
<servlet>
@@ -440,6 +438,17 @@
</servlet>
<servlet>
+ <servlet-name> caGetCertChainAdmin </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.csadmin.GetCertChain </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> ca </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> caGetCertChainAdmin </param-value> </init-param>
+ </servlet>
+
+ <servlet>
<servlet-name> caGetStatus </servlet-name>
<servlet-class> com.netscape.cms.servlet.csadmin.GetStatus </servlet-class>
<init-param><param-name> GetClientCert </param-name>
@@ -1903,8 +1912,6 @@
<param-value> caSecurityDomainLogin </param-value> </init-param>
<init-param><param-name> resourceID </param-name>
<param-value> certServer.ee.certificates </param-value> </init-param>
- <init-param><param-name> interface </param-name>
- <param-value> ee </param-value> </init-param>
</servlet>
<servlet>
@@ -1920,14 +1927,12 @@
<param-value> ca </param-value> </init-param>
<init-param><param-name> ID </param-name>
<param-value> caGetCookie </param-value> </init-param>
- <init-param><param-name> interface </param-name>
- <param-value> ee </param-value> </init-param>
<init-param><param-name> AuthMgr </param-name>
<param-value> passwdUserDBAuthMgr </param-value> </init-param>
<init-param><param-name> templatePath </param-name>
- <param-value> /ee/ca/sendCookie.template </param-value> </init-param>
+ <param-value> /admin/ca/sendCookie.template </param-value> </init-param>
<init-param><param-name> errorTemplatePath </param-name>
- <param-value> /ee/ca/securitydomainlogin.template </param-value> </init-param>
+ <param-value> /admin/ca/securitydomainlogin.template </param-value> </init-param>
</servlet>
<servlet>
@@ -1997,53 +2002,56 @@
[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT]
<filter-mapping>
- <filter-name> PassThroughRequestFilter </filter-name>
- <url-pattern> /agent/ca/updateDomainXML </url-pattern>
+ <filter-name> PassThroughRequestFilter </filter-name>
+ <url-pattern> /subsystem/* </url-pattern>
+ <url-pattern> /ca/getCertFromRequest </url-pattern>
+ <url-pattern> /ca/getBySerial </url-pattern>
+ <url-pattern> /index </url-pattern>
+ <url-pattern> /ca/connector </url-pattern>
+ <url-pattern> /ca/displayCertFromRequest </url-pattern>
+ <url-pattern> /ca/cloneConnector </url-pattern>
+ <url-pattern> /doRevoke </url-pattern>
+
+ <url-pattern> /acl </url-pattern>
+ <url-pattern> /ug </url-pattern>
+ <url-pattern> /server </url-pattern>
+ <url-pattern> /capolicy </url-pattern>
+ <url-pattern> /log </url-pattern>
+ <url-pattern> /ca/getAdminCertBySerial </url-pattern>
+ <url-pattern> /caadmin </url-pattern>
+ <url-pattern> /registry </url-pattern>
+ <url-pattern> /ocsp </url-pattern>
+ <url-pattern> /caprofile </url-pattern>
+ <url-pattern> /jobsScheduler </url-pattern>
+ <url-pattern> /capublisher </url-pattern>
+
+ <url-pattern> /renewal </url-pattern>
+ <url-pattern> /remoteAuthConfig </url-pattern>
+ <url-pattern> /certbasedenrollment </url-pattern>
+ <url-pattern> /enrollment </url-pattern>
+ <url-pattern> /ocsp </url-pattern>
+ <url-pattern> /profileSubmit </url-pattern>
+
+ <url-pattern> /services </url-pattern>
+
+ <url-pattern> /start </url-pattern>
+ <url-pattern> /cgi-bin/pkiclient.exe </url-pattern>
</filter-mapping>
<filter-mapping>
- <filter-name> AgentRequestFilter </filter-name>
- <url-pattern> /agent/ca/getOCSPInfo </url-pattern>
- <url-pattern> /agent/ca/updateDir </url-pattern>
- <url-pattern> /agent/ca/profileSelect </url-pattern>
- <url-pattern> /agent/ca/monitor </url-pattern>
- <url-pattern> /agent/ca/reasonToRevoke </url-pattern>
- <url-pattern> /agent/ca/listRequests.html </url-pattern>
- <url-pattern> /agent/ca/searchReqs </url-pattern>
- <url-pattern> /agent/ca/profileApprove </url-pattern>
- <url-pattern> /agent/ca/updateDir.html </url-pattern>
- <url-pattern> /agent/ca/profileReview </url-pattern>
- <url-pattern> /agent/ca/srchCerts </url-pattern>
- <url-pattern> /agent/header </url-pattern>
- <url-pattern> /agent/ca/listCerts </url-pattern>
- <url-pattern> /agent/ca/queryReq </url-pattern>
- <url-pattern> /agent/ca/processReq </url-pattern>
- <url-pattern> /agent/ca/srchCert.html </url-pattern>
- <url-pattern> /agent/ca/profileList </url-pattern>
- <url-pattern> /agent/ca/displayBySerial </url-pattern>
- <url-pattern> /agent/ca/srchRevokeCert.html </url-pattern>
- <url-pattern> /agent/ca/doUnrevoke </url-pattern>
- <url-pattern> /agent/ca/doRevoke </url-pattern>
- <url-pattern> /agent/ca/profileProcess </url-pattern>
- <url-pattern> /agent/ca/processCertReq </url-pattern>
- <url-pattern> /agent/ca/bulkissuance </url-pattern>
- <url-pattern> /agent/ca/queryBySerial.html </url-pattern>
- <url-pattern> /agent/ca/updateCRL </url-pattern>
- <url-pattern> /agent/ca/displayCRL </url-pattern>
- <url-pattern> /agent/ca/getInfo </url-pattern>
- <url-pattern> /agent/ca/getStats </url-pattern>
- <url-pattern> /agent/bulkissuance </url-pattern>
+ <filter-name> AgentRequestFilter </filter-name>
+ <url-pattern> /agent/* </url-pattern>
</filter-mapping>
<filter-mapping>
- <filter-name> AdminRequestFilter </filter-name>
- <url-pattern> /admin/* </url-pattern>
- <url-pattern> /auths </url-pattern>
+ <filter-name> AdminRequestFilter </filter-name>
+ <url-pattern> /admin/* </url-pattern>
+ <url-pattern> /auths </url-pattern>
</filter-mapping>
<filter-mapping>
- <filter-name> EERequestFilter </filter-name>
- <url-pattern> /ee/* </url-pattern>
+ <filter-name> EERequestFilter </filter-name>
+ <url-pattern> /ee/* </url-pattern>
</filter-mapping>
[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT]
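Review bot: `/ocsp` is listed twice in the new `PassThroughRequestFilter` mapping (once in the group after `/caadmin`, once after `/enrollment`); the duplicate is harmless to the container but indicates the list was merged from two sources, and the second entry should be dropped. The mapping is also uncommented: it now routes paths that look agent- or admin-facing (`/doRevoke`, `/acl`, `/ug`, `/caadmin`, `/capolicy`) through the pass-through filter while `AgentRequestFilter` and `AdminRequestFilter` in the same hunk are reduced to `/agent/*` and `/admin/*`, and nothing here records what the pass-through filter enforces. A short XML comment above the mapping stating on which connector these paths are reached and why no agent/admin filter applies to them would let a reviewer verify the intended access control; the filter's actual semantics are not visible in this diff, so the comment has to come from its author.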
@@ -2089,7 +2097,7 @@
<servlet-mapping>
<servlet-name> caGetDomainXML </servlet-name>
- <url-pattern> /ee/ca/getDomainXML </url-pattern>
+ <url-pattern> /admin/ca/getDomainXML </url-pattern>
</servlet-mapping>
<servlet-mapping>
@@ -2113,8 +2121,13 @@
</servlet-mapping>
<servlet-mapping>
+ <servlet-name> caGetCertChainAdmin </servlet-name>
+ <url-pattern> /admin/ca/getCertChain </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
<servlet-name> caGetStatus </servlet-name>
- <url-pattern> /ee/ca/getStatus </url-pattern>
+ <url-pattern> /admin/ca/getStatus </url-pattern>
</servlet-mapping>
<servlet-mapping>
@@ -2599,12 +2612,12 @@
<servlet-mapping>
<servlet-name> caSecurityDomainLogin </servlet-name>
- <url-pattern> /ee/ca/securityDomainLogin </url-pattern>
+ <url-pattern> /admin/ca/securityDomainLogin </url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name> caGetCookie </servlet-name>
- <url-pattern> /ee/ca/getCookie </url-pattern>
+ <url-pattern> /admin/ca/getCookie </url-pattern>
</servlet-mapping>
<servlet-mapping>
diff --git a/pki/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java b/pki/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java
index 0171df6b..298fd43c 100644
--- a/pki/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java
+++ b/pki/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java
@@ -141,7 +141,7 @@ public class TokenAuthentication implements IAuthManager,
String sessionId = (String)authCred.get(CRED_SESSION_ID);
String givenHost = (String)authCred.get("clientHost");
String auth_host = sconfig.getString("securitydomain.host");
- int auth_port = sconfig.getInteger("securitydomain.httpsport");
+ int auth_port = sconfig.getInteger("securitydomain.httpseeport");
HttpClient httpclient = new HttpClient();
String c = null;
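Review bot: The lookup key changes from `securitydomain.httpsport` to `securitydomain.httpseeport` with no fallback, and the single-argument `getInteger` appears to have no default, so an instance whose CS.cfg predates this commit and was not migrated would fail token authentication here rather than degrade. If the migration files in this commit (`MigrateSecurityDomain.java`, `schema-add.ldif`) are the intended path, a comment saying so, `// requires securitydomain.httpseeport (written by the configuration wizard; migrated from securitydomain.httpsport)`, would make the dependency visible. The enclosing method continues outside the hunk.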
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminPanel.java
index d2495c17..e8b0346a 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminPanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminPanel.java
@@ -176,7 +176,7 @@ public class AdminPanel extends WizardPanelBase {
String domainname = "";
try {
- domainname = cs.getString("preop.securitydomain.name", "");
+ domainname = cs.getString("securitydomain.name", "");
} catch (EBaseException e1) {}
context.put("securityDomain", domainname);
context.put("title", "Administrator");
@@ -286,8 +286,8 @@ public class AdminPanel extends WizardPanelBase {
}
} else {
try {
- ca_hostname = config.getString("preop.securitydomain.host", "");
- ca_port = config.getInteger("preop.securitydomain.httpsport");
+ ca_hostname = config.getString("securitydomain.host", "");
+ ca_port = config.getInteger("securitydomain.httpseeport");
} catch (Exception e) {
}
}
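Review bot: `catch (Exception e) {}` leaves `ca_port` at its initial value when `securitydomain.httpseeport` is absent, which is exactly the situation the key rename creates for an unmigrated instance, and nothing is logged. Adding `CMS.debug("AdminPanel: securitydomain.httpseeport not found: " + e);` inside the catch would make the failure diagnosable without changing behaviour; the same applies to the identical block in the `@@ -419,8 +419,8 @@` hunk of this file. The empty catch is pre-existing, but the rename makes it newly reachable.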
@@ -362,7 +362,7 @@ public class AdminPanel extends WizardPanelBase {
system.modifyGroup(group);
}
- String select = config.getString("preop.securitydomain.select", "");
+ String select = config.getString("securitydomain.select", "");
if (select.equals("new")) {
group = system.getGroupFromName("Security Domain Administrators");
if (!group.isMember(uid)) {
@@ -419,8 +419,8 @@ public class AdminPanel extends WizardPanelBase {
int sd_port = -1;
try {
- sd_hostname = config.getString("preop.securitydomain.host", "");
- sd_port = config.getInteger("preop.securitydomain.httpsport");
+ sd_hostname = config.getString("securitydomain.host", "");
+ sd_port = config.getInteger("securitydomain.httpseeport");
} catch (Exception e) {}
String profileId = HttpInput.getID(request, "profileId");
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/AgentAuthenticatePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/AgentAuthenticatePanel.java
index b88898be..b2434145 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/AgentAuthenticatePanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/AgentAuthenticatePanel.java
@@ -70,7 +70,7 @@ public class AgentAuthenticatePanel extends WizardPanelBase {
// if we are root, no need to get the certificate chain.
try {
- String select = cs.getString("preop.securitydomain.select","");
+ String select = cs.getString("securitydomain.select","");
if (select.equals("new")) {
return true;
}
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java
index 1cf6d742..316c5706 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java
@@ -110,10 +110,6 @@ public class CAInfoPanel extends WizardPanelBase {
CMS.debug("CAInfoPanel: display");
IConfigStore cs = CMS.getConfigStore();
- String sdcaHostname = "";
- String sdcaHttpPort = "";
- String othercaHostname = "";
- String othercaPort = "";
String hostname = "";
String httpport = "";
String httpsport = "";
@@ -153,6 +149,7 @@ public class CAInfoPanel extends WizardPanelBase {
}
String cstype = "CA";
+ String portType = "SecurePort";
/*
try {
@@ -161,7 +158,7 @@ public class CAInfoPanel extends WizardPanelBase {
*/
CMS.debug("CAInfoPanel: Ready to get url");
- Vector v = getUrlListFromSecurityDomain(cs, cstype);
+ Vector v = getUrlListFromSecurityDomain(cs, cstype, portType);
v.addElement("External CA");
StringBuffer list = new StringBuffer();
int size = v.size();
@@ -254,7 +251,7 @@ public class CAInfoPanel extends WizardPanelBase {
} else {
select = "sdca";
- // parse URL (CA1 - http://...)
+ // parse URL (CA1 - https://...)
url = url.substring(url.indexOf("https"));
urlx = new URL(url);
}
@@ -286,34 +283,35 @@ public class CAInfoPanel extends WizardPanelBase {
} catch (Exception e) {}
}
- private void sdca(HttpServletRequest request, Context context, String hostname, String httpPortStr) throws IOException {
+ private void sdca(HttpServletRequest request, Context context, String hostname, String httpsPortStr) throws IOException {
CMS.debug("CAInfoPanel update: this is the CA in the security domain.");
IConfigStore config = CMS.getConfigStore();
context.put("sdcaHostname", hostname);
- context.put("sdHttpPort", httpPortStr);
+ context.put("sdcaHttpsPort", httpsPortStr);
if (hostname == null || hostname.length() == 0) {
context.put("errorString", "Hostname is null");
throw new IOException("Hostname is null");
}
- int httpport = -1;
+ int httpsport = -1;
try {
- httpport = Integer.parseInt(httpPortStr);
+ httpsport = Integer.parseInt(httpsPortStr);
} catch (Exception e) {
CMS.debug(
- "CAInfoPanel update: Http port is not valid. Exception: "
+ "CAInfoPanel update: Https port is not valid. Exception: "
+ e.toString());
throw new IOException("Http Port is not valid.");
}
config.putString("preop.ca.hostname", hostname);
- config.putString("preop.ca.httpsport", httpPortStr);
+ config.putString("preop.ca.httpsport", httpsPortStr);
ConfigCertApprovalCallback certApprovalCallback = new ConfigCertApprovalCallback();
- updateCertChain(config, "ca", hostname, httpport, true, context,
- certApprovalCallback);
+ updateCertChainUsingSecureEEPort( config, "ca", hostname,
+ httpsport, true, context,
+ certApprovalCallback );
}
/**
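Review bot: The debug text in the catch is updated to `Https port is not valid` but the exception thrown two lines later still reads `throw new IOException("Http Port is not valid.");`, so the user-visible error now disagrees with the log. Change it to `throw new IOException("Https Port is not valid.");`. The `context.put` key also changes from `sdHttpPort` to `sdcaHttpsPort`; the template that reads it is not in this chunk, so it is worth confirming the template was updated to match.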
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java
index 5fccf900..339a9244 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java
@@ -139,12 +139,15 @@ public class CreateSubsystemPanel extends WizardPanelBase {
context.put("systemname", config.getString("preop.system.name"));
context.put("fullsystemname", config.getString("preop.system.fullname"));
context.put("machineName", config.getString("machineName"));
- context.put("https_port", CMS.getEESSLPort());
context.put("http_port", CMS.getEENonSSLPort());
+ context.put("https_agent_port", CMS.getAgentPort());
+ context.put("https_ee_port", CMS.getEESSLPort());
+ context.put("https_admin_port", CMS.getAdminPort());
} catch (EBaseException e) {
}
- Vector v = getMasterUrlListFromSecurityDomain(config, cstype);
+ Vector v = getMasterUrlListFromSecurityDomain( config, cstype,
+ "SecurePort" );
StringBuffer list = new StringBuffer();
int size = v.size();
for (int i = 0; i < size; i++) {
@@ -247,18 +250,18 @@ public class CreateSubsystemPanel extends WizardPanelBase {
URL u = new URL(url);
String host = u.getHost();
- int port = u.getPort();
+ int https_ee_port = u.getPort();
config.putString("preop.master.hostname", host);
- config.putInteger("preop.master.httpsport", port);
+ config.putInteger("preop.master.httpsport", https_ee_port);
ConfigCertApprovalCallback certApprovalCallback = new ConfigCertApprovalCallback();
if (cstype.equals("ca")) {
- updateCertChain(config, "clone", host, port, true, context,
- certApprovalCallback);
+ updateCertChain( config, "clone", host, https_ee_port,
+ true, context, certApprovalCallback );
}
- getTokenInfo(config, cstype, host, port, true, context,
+ getTokenInfo(config, cstype, host, https_ee_port, true, context,
certApprovalCallback);
} else {
CMS.debug("CreateSubsystemPanel: invalid choice " + select);
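Review bot: The port parsed from the master URL is renamed `https_ee_port` but is still passed to `updateCertChain` and `getTokenInfo`, whereas CAInfoPanel in this same commit switched its equivalent call to `updateCertChainUsingSecureEEPort` for an EE port. If the two helpers in WizardPanelBase (changed in this commit, not visible here) differ in which port or path they expect, the clone path is now inconsistent with the CA path; if they are equivalent here, a one-line comment, `// TODO(review): confirm updateCertChain vs updateCertChainUsingSecureEEPort for the clone path`, would stop the next reader from asking. The enclosing method continues outside the hunk.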
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DisplayCertChainPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DisplayCertChainPanel.java
index a27bcf09..d4816bc9 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DisplayCertChainPanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DisplayCertChainPanel.java
@@ -94,7 +94,7 @@ public class DisplayCertChainPanel extends WizardPanelBase {
// if we are root, no need to get the certificate chain.
try {
- String select = cs.getString("preop.securitydomain.select","");
+ String select = cs.getString("securitydomain.select","");
String type = cs.getString("preop.subsystem.select", "");
String hierarchy = cs.getString("preop.hierarchy.select", "");
@@ -194,13 +194,26 @@ public class DisplayCertChainPanel extends WizardPanelBase {
int panel = getPanelNo()+1;
IConfigStore cs = CMS.getConfigStore();
try {
- String hostname = cs.getString("preop.securitydomain.host", "");
- int port = cs.getInteger("preop.securitydomain.httpsport", -1);
+ String sd_hostname = cs.getString("securitydomain.host", "");
+ int sd_port = cs.getInteger("securitydomain.httpsadminport", -1);
+ String cs_hostname = cs.getString("machineName", "");
+ int cs_port = cs.getInteger("pkicreate.admin_secure_port", -1);
String subsystem = cs.getString("cs.type", "");
- String urlVal = "https://"+CMS.getEESSLHost()+":"+CMS.getEESSLPort()+"/"+toLowerCaseSubsystemType(subsystem)+"/admin/console/config/wizard?p="+panel+"&subsystem="+subsystem;
+ String urlVal = "https://"+cs_hostname+":"+cs_port+"/"+toLowerCaseSubsystemType(subsystem)+"/admin/console/config/wizard?p="+panel+"&subsystem="+subsystem;
String encodedValue = URLEncoder.encode(urlVal, "UTF-8");
- String sdurl = "https://"+hostname+":"+port+"/ca/ee/ca/securityDomainLogin?url="+encodedValue;
+ String sdurl = "https://"+sd_hostname+":"+sd_port+"/ca/admin/ca/securityDomainLogin?url="+encodedValue;
response.sendRedirect(sdurl);
+
+ // The user previously specified the CA Security Domain's
+ // SSL Admin port in the "Security Domain Panel";
+ // now retrieve this specified CA Security Domain's
+ // non-SSL EE, SSL Agent, and SSL EE ports:
+ cs.putString( "securitydomain.httpport",
+ getSecurityDomainPort( cs, "UnSecurePort" ) );
+ cs.putString("securitydomain.httpsagentport",
+ getSecurityDomainPort( cs, "SecureAgentPort" ) );
+ cs.putString("securitydomain.httpseeport",
+ getSecurityDomainPort( cs, "SecurePort" ) );
} catch (Exception ee) {
CMS.debug("DisplayCertChainPanel Exception="+ee.toString());
}
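Review bot: The three new `cs.putString` calls run after `response.sendRedirect(sdurl)`, so if `getSecurityDomainPort` throws, the browser has already been sent to the security domain login while the ports it will need afterwards were never stored, and the only trace is the `CMS.debug` in the catch. Moving the three lookups above `response.sendRedirect(sdurl)` lets a failure abort before the redirect is issued. Because the attributes being fetched are optional (MAY) in the schema changed by this commit, the behaviour of `getSecurityDomainPort` for an absent attribute should also be stated at the call site or in its doc; a null written into CS.cfg here would only surface later. The enclosing method continues outside the hunk.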
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
index 011be586..1b657d28 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
@@ -53,6 +53,7 @@ public class DonePanel extends WizardPanelBase {
public static final Long MINUS_ONE = Long.valueOf(-1);
public static final String RESTART_SERVER_AFTER_CONFIGURATION =
"restart_server_after_configuration";
+ public static final String PKI_SECURITY_DOMAIN = "pki_security_domain";
public DonePanel() {}
@@ -166,8 +167,13 @@ public class DonePanel extends WizardPanelBase {
}
IConfigStore cs = CMS.getConfigStore();
+ String ownport = CMS.getEENonSSLPort();
String ownsport = CMS.getEESSLPort();
String ownhost = CMS.getEESSLHost();
+ String ownagentsport = CMS.getAgentPort();
+ String ownagenthost = CMS.getAgentHost();
+ String ownadminsport = CMS.getAdminPort();
+ String ownadminhost = CMS.getAdminHost();
String select = "";
String type = "";
@@ -189,8 +195,8 @@ public class DonePanel extends WizardPanelBase {
}
context.put("title", "Done");
context.put("panel", "admin/console/config/donepanel.vm");
- context.put("host", ownhost);
- context.put("port", ownsport);
+ context.put("host", ownadminhost);
+ context.put("port", ownadminsport);
String subsystemType = toLowerCaseSubsystemType(type);
context.put("systemType", subsystemType);
@@ -205,12 +211,14 @@ public class DonePanel extends WizardPanelBase {
} catch (Exception e) {
}
- String sd_port = "";
+ String sd_agent_port = "";
+ String sd_admin_port = "";
String sd_host = "";
String ca_host = "";
try {
- sd_host = cs.getString("preop.securitydomain.host", "");
- sd_port = cs.getString("preop.securitydomain.httpsport", "");
+ sd_host = cs.getString("securitydomain.host", "");
+ sd_agent_port = cs.getString("securitydomain.httpsagentport", "");
+ sd_admin_port = cs.getString("securitydomain.httpsadminport", "");
ca_host = cs.getString("preop.ca.hostname", "");
} catch (Exception e) {
}
@@ -225,7 +233,7 @@ public class DonePanel extends WizardPanelBase {
String instanceName = "";
String subsystemName = "";
try {
- sdtype = cs.getString("preop.securitydomain.select", "");
+ sdtype = cs.getString("securitydomain.select", "");
instanceName = cs.getString("instanceId", "");
subsystemName = cs.getString("preop.subsystem.name", "");
} catch (Exception e) {
@@ -237,7 +245,7 @@ public class DonePanel extends WizardPanelBase {
LDAPConnection conn = getLDAPConn(context);
String basedn = cs.getString("internaldb.basedn");
- String secdomain = cs.getString("preop.securitydomain.name");
+ String secdomain = cs.getString("securitydomain.name");
try {
// Create security domain ldap entry
@@ -288,6 +296,11 @@ public class DonePanel extends WizardPanelBase {
attrs.add(new LDAPAttribute("objectclass", "pkiSubsystem"));
attrs.add(new LDAPAttribute("Host", ownhost));
attrs.add(new LDAPAttribute("SecurePort", ownsport));
+ attrs.add(new LDAPAttribute("SecureAgentPort",
+ ownagentsport));
+ attrs.add(new LDAPAttribute("SecureAdminPort",
+ ownadminsport));
+ attrs.add(new LDAPAttribute("UnSecurePort", ownport));
attrs.add(new LDAPAttribute("Clone", "false"));
attrs.add(new LDAPAttribute("SubsystemName", subsystemName));
attrs.add(new LDAPAttribute("cn", cn));
@@ -304,10 +317,34 @@ public class DonePanel extends WizardPanelBase {
} catch (Exception e) {
CMS.debug("DonePanel display: "+e.toString());
}
+
+ int sd_admin_port_int = -1;
+ try {
+ sd_admin_port_int = Integer.parseInt( sd_admin_port );
+ } catch (Exception e) {
+ }
+
+ try {
+ // Fetch the "new" security domain and display it
+ CMS.debug( "Dump contents of new Security Domain . . ." );
+ String c = getDomainXML( sd_host, sd_admin_port_int, true );
+ } catch( Exception e ) {}
+
+ // Since this instance is a new Security Domain,
+ // create an empty file to designate this fact.
+ String security_domain = instanceRoot + "/conf/"
+ + PKI_SECURITY_DOMAIN;
+ if( !Utils.isNT() ) {
+ Utils.exec( "touch " + security_domain );
+ Utils.exec( "chmod 00660 " + security_domain );
+ }
+
} else { //existing domain
- int p = -1;
+ int sd_agent_port_int = -1;
+ int sd_admin_port_int = -1;
try {
- p = Integer.parseInt(sd_port);
+ sd_agent_port_int = Integer.parseInt(sd_agent_port);
+ sd_admin_port_int = Integer.parseInt(sd_admin_port);
} catch (Exception e) {
}
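Review bot: The new-domain branch creates the marker file through `Utils.exec( "touch " + security_domain )` and `Utils.exec( "chmod 00660 " + security_domain )`, building the command line by string concatenation with `instanceRoot`; if Utils.exec goes through a shell, a path containing whitespace or shell metacharacters changes the command, and neither call's result is checked, so a failed marker creation is silent. The marker can be created without a shell via the File API, e.g. `new File( security_domain ).createNewFile()`, with the boolean result logged through CMS.debug when it is false. Separately, `sd_admin_port_int` stays -1 when `sd_admin_port` fails to parse and is still handed to getDomainXML, and the returned String `c` is never logged, so the "Dump contents" comment promises output that does not appear; if the dump is intended, pass `c` to CMS.debug. The enclosing display method begins outside the hunk.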
@@ -317,17 +354,31 @@ public class DonePanel extends WizardPanelBase {
cloneStr = "&clone=true";
else
cloneStr = "&clone=false";
- updateDomainXML(sd_host, p, true, "/ca/agent/ca/updateDomainXML",
- "list="+s+"&type="+type+"&host="+ownhost+"&name="+subsystemName+"&sport="+ownsport+"&dm=false"+cloneStr);
+ updateDomainXML( sd_host, sd_agent_port_int, true,
+ "/ca/agent/ca/updateDomainXML",
+ "list=" + s
+ + "&type=" + type
+ + "&host=" + ownhost
+ + "&name=" + subsystemName
+ + "&sport=" + ownsport
+ + "&dm=false" + cloneStr
+ + "&agentsport=" + ownagentsport
+ + "&adminsport=" + ownadminsport
+ + "&httpport=" + ownport );
+
+ // Fetch the "updated" security domain and display it
+ CMS.debug( "Dump contents of updated Security Domain . . ." );
+ String c = getDomainXML( sd_host, sd_admin_port_int, true );
} catch (Exception e) {
context.put("errorString", "Failed to update the security domain on the domain master.");
//return;
}
}
- // add service.securityDomainPort to CS.cfg in case pkiremove needs to remove system reference from the security domain
+ // add service.securityDomainPort to CS.cfg in case pkiremove
+ // needs to remove system reference from the security domain
try {
- cs.putString("service.securityDomainPort", ownsport);
+ cs.putString("service.securityDomainPort", ownagentsport);
cs.commit(false);
} catch (Exception e) {
CMS.debug("DonePanel: exception in adding service.securityDomainPort to CS.cfg" + e);
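Review bot: The diagnostic fetch `String c = getDomainXML( sd_host, sd_admin_port_int, true );` sits in the same try block as updateDomainXML, so a failure of this read alone (for example when `sd_admin_port_int` is still -1 after a failed parse) reports "Failed to update the security domain on the domain master." even though the update itself succeeded; move it into its own try/catch as the new-domain branch above does, and either log `c` or drop the assignment. Also, `cs.putString("service.securityDomainPort", ownagentsport)` changes the value stored under an existing CS.cfg key from the EE SSL port to the agent SSL port; I cannot see from this diff whether pkiremove or other readers of that key were updated to match, which is worth confirming. The enclosing method starts outside the hunk.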
@@ -337,7 +388,7 @@ public class DonePanel extends WizardPanelBase {
// need to push connector information to the CA
if (type.equals("KRA") && !ca_host.equals("")) {
try {
- updateConnectorInfo(ownhost, ownsport, sd_host, sd_port);
+ updateConnectorInfo(ownagenthost, ownagentsport);
} catch (IOException e) {
context.put("errorString", "Failed to update connector information.");
return;
@@ -495,8 +546,8 @@ public class DonePanel extends WizardPanelBase {
try {
cahost = config.getString("preop.ca.hostname", "");
caport = config.getInteger("preop.ca.httpsport", -1);
- sdhost = config.getString("preop.securitydomain.host", "");
- sdport = config.getInteger("preop.securitydomain.httpsport", -1);
+ sdhost = config.getString("securitydomain.host", "");
+ sdport = config.getInteger("securitydomain.httpseeport", -1);
} catch (Exception e) {
}
@@ -589,8 +640,7 @@ public class DonePanel extends WizardPanelBase {
return "CA-" + host + "-" + port;
}
- private void updateConnectorInfo(String ownhost, String ownsport,
- String sd_host, String sd_port)
+ private void updateConnectorInfo(String ownagenthost, String ownagentsport)
throws IOException {
IConfigStore cs = CMS.getConfigStore();
int port = -1;
@@ -614,7 +664,7 @@ public class DonePanel extends WizardPanelBase {
} else {
CMS.debug("DonePanel: Transport certificate is being setup in " + url);
String session_id = CMS.getConfigSDSessionId();
- String content = "ca.connector.KRA.enable=true&ca.connector.KRA.local=false&ca.connector.KRA.timeout=30&ca.connector.KRA.uri=/kra/agent/kra/connector&ca.connector.KRA.host="+ownhost+"&ca.connector.KRA.port="+ownsport+"&ca.connector.KRA.transportCert="+URLEncoder.encode(transportCert)+"&sessionID="+session_id;
+ String content = "ca.connector.KRA.enable=true&ca.connector.KRA.local=false&ca.connector.KRA.timeout=30&ca.connector.KRA.uri=/kra/agent/kra/connector&ca.connector.KRA.host="+ownagenthost+"&ca.connector.KRA.port="+ownagentsport+"&ca.connector.KRA.transportCert="+URLEncoder.encode(transportCert)+"&sessionID="+session_id;
updateConnectorInfo(host, port, true, content);
}
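Review bot: The rewritten `content` line still calls the one-argument `URLEncoder.encode(transportCert)`, which is deprecated and encodes with the platform default charset, while the other touched call sites in this change (NamePanel, DisplayCertChainPanel) use `URLEncoder.encode(..., "UTF-8")`; since the line is being rewritten anyway, use `URLEncoder.encode(transportCert, "UTF-8")` here too — the UnsupportedEncodingException it can throw is an IOException, so the existing `throws IOException` on updateConnectorInfo already covers it. The enclosing updateConnectorInfo method begins outside the hunk.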
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/GetCookie.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/GetCookie.java
index ce9142ca..b78b98b8 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/GetCookie.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/GetCookie.java
@@ -126,7 +126,7 @@ public class GetCookie extends CMSServlet {
header.addStringValue("subsystem", subsystem);
header.addStringValue("url", url_e);
header.addStringValue("errorString", "Failed Authentication");
- String sdname = cs.getString("preop.securitydomain.name", "");
+ String sdname = cs.getString("securitydomain.name", "");
header.addStringValue("sdname", sdname);
CMS.debug("mErrorFormPath=" + mErrorFormPath);
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/ImportAdminCertPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/ImportAdminCertPanel.java
index ef08b05c..3f2ccc8c 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/ImportAdminCertPanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/ImportAdminCertPanel.java
@@ -133,8 +133,8 @@ public class ImportAdminCertPanel extends WizardPanelBase {
if (ca == null) {
if (type.equals("otherca")) {
try {
- caHost = cs.getString("preop.securitydomain.host", "");
- caPort = cs.getString("preop.securitydomain.httpsport", "");
+ caHost = cs.getString("securitydomain.host", "");
+ caPort = cs.getString("securitydomain.httpseeport", "");
} catch (Exception e) {}
} else if (type.equals("sdca")) {
try {
@@ -142,6 +142,12 @@ public class ImportAdminCertPanel extends WizardPanelBase {
caPort = cs.getString("preop.ca.httpsport", "");
} catch (Exception e) {}
}
+ } else {
+ // Provide default Security Domain values for 'caHost' and 'caPort'
+ try {
+ caHost = cs.getString("securitydomain.host", "");
+ caPort = cs.getString("securitydomain.httpseeport", "");
+ } catch (Exception e) {}
}
String pkcs7 = "";
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/ImportCAChainPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/ImportCAChainPanel.java
index 02614f2e..3b76b697 100755
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/ImportCAChainPanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/ImportCAChainPanel.java
@@ -99,6 +99,10 @@ public class ImportCAChainPanel extends WizardPanelBase {
context.put("import", "true");
IConfigStore cs = CMS.getConfigStore();
+ try {
+ context.put("machineName", cs.getString("machineName"));
+ context.put("https_port", CMS.getEESSLPort());
+ } catch (EBaseException e) {}
ISubsystem ca = (ISubsystem) CMS.getSubsystem("ca");
@@ -141,7 +145,12 @@ public class ImportCAChainPanel extends WizardPanelBase {
Context context) {
/* This should never be called */
- context.put("title", "Import CA's Certificate Chain");
- context.put("panel", "admin/console/config/importcachainpanel.vm");
+ IConfigStore cs = CMS.getConfigStore();
+ try {
+ context.put("machineName", cs.getString("machineName"));
+ context.put("https_port", CMS.getEESSLPort());
+ context.put("title", "Import CA's Certificate Chain");
+ context.put("panel", "admin/console/config/importcachainpanel.vm");
+ } catch (EBaseException e) {}
}
}
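Review bot: Placing `context.put("title", ...)` and `context.put("panel", ...)` inside the try means that when `cs.getString("machineName")` throws EBaseException the context is left with neither a title nor a panel, and the empty catch hides why; only the two config-derived puts can throw, so keep the title and panel puts outside the try and log in the catch, e.g. `catch (EBaseException e) { CMS.debug("ImportCAChainPanel: " + e.toString()); }`. The same empty-catch pattern is added in the display hunk above (the machineName/https_port block), where a debug line would help as well. The method's comment `/* This should never be called */` is retained, which sits oddly with the new work added to the body.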
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java
index 75a524e5..8b555459 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java
@@ -192,20 +192,20 @@ public class NamePanel extends WizardPanelBase {
}
try {
- domainname = config.getString("preop.securitydomain.name", "");
+ domainname = config.getString("securitydomain.name", "");
String certTags = config.getString("preop.cert.list");
// same token for now
String token = config.getString(PRE_CONF_CA_TOKEN);
StringTokenizer st = new StringTokenizer(certTags, ",");
- String domaintype = config.getString("preop.securitydomain.select");
+ String domaintype = config.getString("securitydomain.select");
int count = 0;
String host = "";
- int sport = -1;
+ int sd_admin_port = -1;
if (domaintype.equals("existing")) {
- host = config.getString("preop.securitydomain.host", "");
- sport = config.getInteger("preop.securitydomain.httpsport", -1);
- count = getSubsystemCount(host, sport, true, cstype);
+ host = config.getString("securitydomain.host", "");
+ sd_admin_port = config.getInteger("securitydomain.httpsadminport", -1);
+ count = getSubsystemCount(host, sd_admin_port, true, cstype);
}
while (st.hasMoreTokens()) {
@@ -237,7 +237,7 @@ public class NamePanel extends WizardPanelBase {
//o_sd is to add o=secritydomainname
boolean o_sd = config.getBoolean(PCERT_PREFIX + certTag +
"o_securitydomain", true);
- domainname = config.getString("preop.securitydomain.name", "");
+ domainname = config.getString("securitydomain.name", "");
CMS.debug("NamePanel: display() override is "+override);
CMS.debug("NamePanel: display() o_securitydomain is "+o_sd);
CMS.debug("NamePanel: display() domainname is "+domainname);
@@ -276,8 +276,8 @@ public class NamePanel extends WizardPanelBase {
CMS.debug("NamePanel: " + e.toString());
}
- CMS.debug("NamePanel: Ready to get urls");
- Vector v = getUrlListFromSecurityDomain(config, "CA");
+ CMS.debug("NamePanel: Ready to get SSL EE HTTPS urls");
+ Vector v = getUrlListFromSecurityDomain(config, "CA", "SecurePort");
v.addElement("External CA");
StringBuffer list = new StringBuffer();
int size = v.size();
@@ -416,10 +416,10 @@ public class NamePanel extends WizardPanelBase {
String profileId = config.getString(PCERT_PREFIX+certTag+".profile");
String session_id = CMS.getConfigSDSessionId();
String sd_hostname = "";
- int sd_port = -1;
+ int sd_ee_port = -1;
try {
- sd_hostname = config.getString("preop.securitydomain.host", "");
- sd_port = config.getInteger("preop.securitydomain.httpsport", -1);
+ sd_hostname = config.getString("securitydomain.host", "");
+ sd_ee_port = config.getInteger("securitydomain.httpseeport", -1);
} catch (Exception ee) {
CMS.debug("NamePanel: configCert() exception caught:"+ee.toString());
}
@@ -428,7 +428,7 @@ public class NamePanel extends WizardPanelBase {
String securePort = config.getString("service.securePort", "");
if (certTag.equals("subsystem")) {
String content = "requestor_name=" + sysType + "-" + machineName + "-" + securePort + "&profileId="+profileId+"&cert_request_type=pkcs10&cert_request="+URLEncoder.encode(pkcs10, "UTF-8")+"&xmlOutput=true&sessionID="+session_id;
- cert = CertUtil.createRemoteCert(sd_hostname, sd_port,
+ cert = CertUtil.createRemoteCert(sd_hostname, sd_ee_port,
content, response, this);
if (cert == null) {
throw new IOException("Error: remote certificate is null");
@@ -716,7 +716,7 @@ public class NamePanel extends WizardPanelBase {
} else {
CMS.debug("NamePanel: local CA selected");
select = "sdca";
- // parse URL (CA1 - http://...)
+ // parse URL (CA1 - https://...)
url = url.substring(url.indexOf("https"));
config.putString("preop.ca.url", url);
@@ -805,23 +805,23 @@ public class NamePanel extends WizardPanelBase {
CMS.debug("NamePanel: update() done");
}
- private void sdca(HttpServletRequest request, Context context, String hostname, String httpPortStr) throws IOException {
+ private void sdca(HttpServletRequest request, Context context, String hostname, String httpsPortStr) throws IOException {
CMS.debug("NamePanel update: this is the CA in the security domain.");
- CMS.debug("NamePanel update: selected CA hostname=" + hostname + " port=" + httpPortStr);
+ CMS.debug("NamePanel update: selected CA hostname=" + hostname + " port=" + httpsPortStr);
IConfigStore config = CMS.getConfigStore();
context.put("sdcaHostname", hostname);
- context.put("sdHttpPort", httpPortStr);
+ context.put("sdHttpPort", httpsPortStr);
if (hostname == null || hostname.length() == 0) {
context.put("errorString", "Hostname is null");
throw new IOException("Hostname is null");
}
- int httpport = -1;
+ int httpsport = -1;
try {
- httpport = Integer.parseInt(httpPortStr);
+ httpsport = Integer.parseInt(httpsPortStr);
} catch (Exception e) {
CMS.debug(
"NamePanel update: Http port is not valid. Exception: "
@@ -830,10 +830,11 @@ public class NamePanel extends WizardPanelBase {
}
config.putString("preop.ca.hostname", hostname);
- config.putString("preop.ca.httpsport", httpPortStr);
+ config.putString("preop.ca.httpsport", httpsPortStr);
ConfigCertApprovalCallback certApprovalCallback = new ConfigCertApprovalCallback();
- updateCertChain(config, "ca", hostname, httpport, true, context,
- certApprovalCallback);
+ updateCertChainUsingSecureEEPort( config, "ca", hostname,
+ httpsport, true, context,
+ certApprovalCallback );
try {
CMS.debug("Importing CA chain");
importCertChain("ca");
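Review bot: After renaming the sdca parameter to httpsPortStr (this hunk and the preceding one at -805,23), the context key `context.put("sdHttpPort", httpsPortStr)` and the log text "Http port is not valid" still present the value as an HTTP port, so the velocity template and the logs keep the old meaning; if the template can be changed, rename the key to match, otherwise add a comment such as `// "sdHttpPort" now carries the CA's SSL (HTTPS) port; key name kept for template compatibility`. The sdca method continues past the end of the hunk.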
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
index 13fb58ef..9ae5689a 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
@@ -348,8 +348,8 @@ public class RestoreKeyCertPanel extends WizardPanelBase {
String master_hostname = "";
int master_port = -1;
try {
- sd_hostname = config.getString("preop.securitydomain.host", "");
- sd_port = config.getInteger("preop.securitydomain.httpsport", -1);
+ sd_hostname = config.getString("securitydomain.host", "");
+ sd_port = config.getInteger("securitydomain.httpseeport", -1);
master_hostname = config.getString("preop.master.hostname", "");
master_port = config.getInteger("preop.master.httpsport", -1);
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/SecurityDomainPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/SecurityDomainPanel.java
index 73ab1b07..bb4dba97 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/SecurityDomainPanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/SecurityDomainPanel.java
@@ -96,12 +96,14 @@ public class SecurityDomainPanel extends WizardPanelBase {
context.put("title", "Security Domain");
IConfigStore config = CMS.getConfigStore();
String errorString = "";
- String url = "";
+ String admin_url = "";
String name = "";
+ String cstype = "";
try {
- url = config.getString("preop.securitydomain.url", "");
+ admin_url = config.getString("preop.securitydomain.admin_url", "");
name = config.getString("preop.securitydomain.name", "");
+ cstype = config.getString("cs.type", "");
} catch (Exception e) {
CMS.debug(e.toString());
}
@@ -130,70 +132,60 @@ public class SecurityDomainPanel extends WizardPanelBase {
context.put("panelname", "Security Domain Configuration");
context.put("systemname", config.getString("preop.system.name"));
context.put("machineName", config.getString("machineName"));
- context.put("https_port", CMS.getEESSLPort());
- context.put("http_port", CMS.getEENonSSLPort());
+ context.put("http_ee_port", CMS.getEENonSSLPort());
+ context.put("https_agent_port", CMS.getAgentPort());
+ context.put("https_ee_port", CMS.getEESSLPort());
+ context.put("https_admin_port", CMS.getAdminPort());
+ context.put("sdomainAdminURL", admin_url);
} catch (EBaseException e) {}
context.put("panel", "admin/console/config/securitydomainpanel.vm");
context.put("errorString", errorString);
- if (url != null) {
- String r = null;
-
- try {
- URL u = new URL(url);
-
- String hostname = u.getHost();
- int port = u.getPort();
- ConfigCertApprovalCallback certApprovalCallback = new ConfigCertApprovalCallback();
- r = pingCS(hostname, port, true, certApprovalCallback);
- } catch (Exception e) {
- CMS.debug("SecurityDomainPanel: exception caught: "+e.toString());
- }
-
- if (r != null) {
- CMS.debug("SecurityDomainPanel: pingCS returns: "+r);
- context.put("sdomainURL", url);
- } else {
- CMS.debug("SecurityDomainPanel: pingCS no successful response");
- context.put("sdomainURL", "");
- }
- }
-
- // from url, find hostname, if fully qualified, get network
+ // from admin_url, find hostname, if fully qualified, get network
// domain name and generate default security domain name
- if (name.equals("") && (url != null)) {
+ if (name.equals("") && (admin_url != null)) {
try {
- URL u = new URL(url);
+ URL u = new URL(admin_url);
String hostname = u.getHost();
StringTokenizer st = new StringTokenizer(hostname, ".");
- boolean first = true;
- int numTokens = st.countTokens();
- int count = 0;
- String defaultDomain = "";
- StringBuffer sb = new StringBuffer();
- while (st.hasMoreTokens()) {
- count++;
- String n = st.nextToken();
- if (first) { //skip the hostname
- first = false;
- continue;
+ boolean first = true;
+ int numTokens = st.countTokens();
+ int count = 0;
+ String defaultDomain = "";
+ StringBuffer sb = new StringBuffer();
+ while (st.hasMoreTokens()) {
+ count++;
+ String n = st.nextToken();
+ if (first) { //skip the hostname
+ first = false;
+ continue;
}
- if (count == numTokens) // skip the last element (e.g. com)
- continue;
- sb.append((defaultDomain.length()==0)? "":" ");
- sb.append(capitalize(n));
- }
- defaultDomain = sb.toString() + " "+ "Domain";
- name = defaultDomain;
- CMS.debug("SecurityDomainPanel: defaultDomain generated:"+ name);
+ if (count == numTokens) // skip the last element (e.g. com)
+ continue;
+ sb.append((defaultDomain.length()==0)? "":" ");
+ sb.append(capitalize(n));
+ }
+ defaultDomain = sb.toString() + " "+ "Domain";
+ name = defaultDomain;
+ CMS.debug("SecurityDomainPanel: defaultDomain generated:"+ name);
} catch (MalformedURLException e) {
errorString = "Malformed URL";
- // not being able to come up with default domain name is ok
+ // not being able to come up with default domain name is ok
}
}
context.put("sdomainName", name);
+
+ // Information for "existing" Security Domain CAs
+ String instanceId = "&lt;security_domain_instance_name&gt;";
+ String os = System.getProperty( "os.name" );
+ if( os.equalsIgnoreCase( "Linux" ) ) {
+ context.put( "initCommand", "/sbin/service " + instanceId );
+ } else {
+ /* default case: e. g. - ( os.equalsIgnoreCase( "SunOS" ) */
+ context.put( "initCommand", "/etc/init.d/" + instanceId );
+ }
}
public static String capitalize(String s) {
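Review bot: The new initCommand block calls `os.equalsIgnoreCase( "Linux" )` on the result of `System.getProperty( "os.name" )` without a null check; the property is normally set, but `if( os != null && os.equalsIgnoreCase( "Linux" ) )` costs nothing and keeps display() from throwing on an odd JVM. The same nine-line block is duplicated verbatim in displayError (the hunk at -381,9), so extracting it into a private helper such as `putInitCommand( Context context )` would keep the two copies from drifting apart. With the pingCS call moved out of display(), the template no longer receives a `sdomainURL` value from this method, only `sdomainAdminURL`; I cannot see the template change in this chunk, so it is worth confirming it was updated in the same commit. The enclosing display method begins outside the hunk.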
@@ -219,10 +211,41 @@ public class SecurityDomainPanel extends WizardPanelBase {
throw new IOException("Missing name value for the security domain");
}
} else if (select.equals("existingdomain")) {
- String url = HttpInput.getURL(request, "sdomainURL");
- if (url == null || url.equals("")) {
- initParams(request, context);
- throw new IOException("Missing url value for the security domain");
+ CMS.debug( "SecurityDomainPanel: validating "
+ + "SSL Admin HTTPS . . ." );
+ String admin_url = HttpInput.getURL( request, "sdomainURL" );
+ if( admin_url == null || admin_url.equals("") ) {
+ initParams( request, context );
+ throw new IOException( "Missing SSL Admin HTTPS url value "
+ + "for the security domain" );
+ } else {
+ String r = null;
+
+ try {
+ URL u = new URL( admin_url );
+
+ String hostname = u.getHost();
+ int admin_port = u.getPort();
+ ConfigCertApprovalCallback
+ certApprovalCallback = new ConfigCertApprovalCallback();
+ r = pingCS( hostname, admin_port, true,
+ certApprovalCallback );
+ } catch( Exception e ) {
+ CMS.debug( "SecurityDomainPanel: exception caught: "
+ + e.toString() );
+ throw new IOException( "Illegal SSL Admin HTTPS url value "
+ + "for the security domain" );
+ }
+
+ if (r != null) {
+ CMS.debug("SecurityDomainPanel: pingAdminCS returns: "
+ + r );
+ context.put( "sdomainURL", admin_url );
+ } else {
+ CMS.debug( "SecurityDomainPanel: pingAdminCS "
+ + "no successful response for SSL Admin HTTPS" );
+ context.put( "sdomainURL", "" );
+ }
}
}
}
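Review bot: When pingCS returns null the new else branch logs "no successful response for SSL Admin HTTPS" and stores an empty `sdomainURL`, but validate() still returns normally, so an unreachable security domain passes validation and the failure only surfaces later in update(); if that is not intended, the else branch should fail the way the other checks in this method do, e.g. `initParams( request, context ); throw new IOException( "Security domain SSL Admin HTTPS url did not respond" );`. Also `int admin_port = u.getPort();` is -1 when the URL carries no explicit port, and that value reaches pingCS; rejecting that case before the ping gives the user a clearer message than a connection failure. The enclosing validate method starts outside the hunk.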
@@ -250,10 +273,10 @@ public class SecurityDomainPanel extends WizardPanelBase {
name = "";
context.put("sdomainName", name);
- String url = request.getParameter("sdomainURL");
- if (url == null)
- url = "";
- context.put("sdomainURL", url);
+ String admin_url = request.getParameter("sdomainURL");
+ if (admin_url == null)
+ admin_url = "";
+ context.put("sdomainURL", admin_url);
}
/**
@@ -274,22 +297,20 @@ public class SecurityDomainPanel extends WizardPanelBase {
if (select.equals("newdomain")) {
config.putString("preop.securitydomain.select", "new");
config.putString("securitydomain.select", "new");
- config.putString("preop.securitydomain.host",
- CMS.getEENonSSLHost());
+ config.putString("preop.securitydomain.name",
+ HttpInput.getDomainName(request, "sdomainName"));
+ config.putString("securitydomain.name",
+ HttpInput.getDomainName(request, "sdomainName"));
config.putString("securitydomain.host",
CMS.getEENonSSLHost());
- config.putString("preop.securitydomain.httpport",
- CMS.getEENonSSLPort());
config.putString("securitydomain.httpport",
CMS.getEENonSSLPort());
- config.putString("preop.securitydomain.httpsport",
- CMS.getEESSLPort());
- config.putString("securitydomain.httpsport",
+ config.putString("securitydomain.httpsagentport",
+ CMS.getAgentPort());
+ config.putString("securitydomain.httpseeport",
CMS.getEESSLPort());
- config.putString("preop.securitydomain.name",
- HttpInput.getDomainName(request, "sdomainName"));
- config.putString("securitydomain.name",
- HttpInput.getDomainName(request, "sdomainName"));
+ config.putString("securitydomain.httpsadminport",
+ CMS.getAdminPort());
// make sure the subsystem certificate is issued by the security
// domain
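Review bot: For a new domain `securitydomain.host` is recorded as `CMS.getEENonSSLHost()` while the ports stored beside it now include `securitydomain.httpsadminport` from `CMS.getAdminPort()`; DonePanel in this same change pairs the admin port with `CMS.getAdminHost()` (its `ownadminhost`), so if the admin interface can be bound to a different hostname than the EE interface, the host/port pair persisted here would not match the one shown to the user. Worth confirming the two always resolve to the same host, or recording `CMS.getAdminHost()` explicitly in a separate key. The enclosing update method begins outside the hunk.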
@@ -315,29 +336,25 @@ public class SecurityDomainPanel extends WizardPanelBase {
config.putString("preop.cert.subsystem.type", "remote");
config.putString("preop.cert.subsystem.profile", "caInternalAuthSubsystemCert");
- String url = HttpInput.getURL(request, "sdomainURL");
+ String admin_url = HttpInput.getURL(request, "sdomainURL");
String hostname = "";
- int port = -1;
+ int admin_port = -1;
- if (url != null) {
+ if( admin_url != null ) {
try {
- URL u = new URL(url);
+ URL admin_u = new URL( admin_url );
- hostname = u.getHost();
- port = u.getPort();
- } catch (MalformedURLException e) {
- errorString = "Malformed URL";
- throw new IOException(errorString);
+ hostname = admin_u.getHost();
+ admin_port = admin_u.getPort();
+ } catch( MalformedURLException e ) {
+ errorString = "Malformed SSL Admin HTTPS URL";
+ throw new IOException( errorString );
}
-
- context.put("sdomainURL", url);
- config.putString("preop.securitydomain.url", url);
- config.putString("preop.securitydomain.host", hostname);
- config.putString("securitydomain.host", hostname);
- config.putInteger("preop.securitydomain.httpsport", port);
- config.putInteger("securitydomain.httpsport", port);
- } else {
- config.putString("preop.securitydomain.url", "");
+
+ context.put( "sdomainURL", admin_url );
+ config.putString( "securitydomain.host", hostname );
+ config.putInteger( "securitydomain.httpsadminport",
+ admin_port );
}
try {
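Review bot: The removed `config.putString("preop.securitydomain.url", url);` has no replacement in the new code, yet display() now reads `preop.securitydomain.admin_url` (with a default of "") and displayError() reads it without a default; unless that key is seeded in CS.cfg elsewhere in this commit, the admin URL the user entered is never persisted and the panel cannot redisplay it, so add `config.putString( "preop.securitydomain.admin_url", admin_url );` beside the `securitydomain.host` put. Also `admin_u.getPort()` returns -1 when the URL has no explicit port, and that value is written to `securitydomain.httpsadminport` and later handed to updateCertChain; the URL should be rejected or the port defaulted before it is stored. The enclosing update method starts outside the hunk.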
@@ -345,8 +362,8 @@ public class SecurityDomainPanel extends WizardPanelBase {
} catch (EBaseException e) {}
ConfigCertApprovalCallback certApprovalCallback = new ConfigCertApprovalCallback();
- updateCertChain(config, "securitydomain", hostname, port, true,
- context, certApprovalCallback);
+ updateCertChain( config, "securitydomain", hostname, admin_port,
+ true, context, certApprovalCallback );
} else {
CMS.debug("SecurityDomainPanel: invalid choice " + select);
errorString = "Invalid choice";
@@ -369,7 +386,7 @@ public class SecurityDomainPanel extends WizardPanelBase {
}
/**
- * If validiate() returns false, this method will be called.
+ * If validate() returns false, this method will be called.
*/
public void displayError(HttpServletRequest request,
HttpServletResponse response,
@@ -381,9 +398,24 @@ public class SecurityDomainPanel extends WizardPanelBase {
}
try {
context.put("machineName", config.getString("machineName"));
- context.put("https_port", CMS.getEESSLPort());
- context.put("http_port", CMS.getEENonSSLPort());
+ context.put("http_ee_port", CMS.getEENonSSLPort());
+ context.put("https_agent_port", CMS.getAgentPort());
+ context.put("https_ee_port", CMS.getEESSLPort());
+ context.put("https_admin_port", CMS.getAdminPort());
+ context.put("sdomainAdminURL",
+ config.getString("preop.securitydomain.admin_url"));
} catch (EBaseException e) {}
+
+ // Information for "existing" Security Domain CAs
+ String instanceId = "&lt;security_domain_instance_name&gt;";
+ String os = System.getProperty( "os.name" );
+ if( os.equalsIgnoreCase( "Linux" ) ) {
+ context.put( "initCommand", "/sbin/service " + instanceId );
+ } else {
+ /* default case: e. g. - ( os.equalsIgnoreCase( "SunOS" ) */
+ context.put( "initCommand", "/etc/init.d/" + instanceId );
+ }
+
context.put("title", "Security Domain");
context.put("panel", "admin/console/config/securitydomainpanel.vm");
}
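Review bot: `config.getString("preop.securitydomain.admin_url")` is read here without a default, unlike the same key in display() which passes `""`; when the key is absent the EBaseException is swallowed by the empty catch and the sdomainAdminURL put is silently skipped, so the two methods render the panel differently for the same configuration. Use `config.getString("preop.securitydomain.admin_url", "")` to match display(). The enclosing displayError method begins outside the hunk.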
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
index 2b9f7328..e96d82bb 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
@@ -244,6 +244,9 @@ public class UpdateDomainXML extends CMSServlet {
String host = httpReq.getParameter("host");
String name = httpReq.getParameter("name");
String sport = httpReq.getParameter("sport");
+ String agentsport = httpReq.getParameter("agentsport");
+ String adminsport = httpReq.getParameter("adminsport");
+ String httpport = httpReq.getParameter("httpport");
String domainmgr = httpReq.getParameter("dm");
String clone = httpReq.getParameter("clone");
String operation = httpReq.getParameter("operation");
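Review bot: The three new request parameters `agentsport`, `adminsport` and `httpport` are taken from httpReq.getParameter and used as-is; they arrive over the network from another subsystem and are written into LDAP attribute values, a DN (`String cn = host + ":" + adminsport;` in the next hunk) and the domain XML, with no check that they are present or numeric. A caller built before this change that does not send them yields a null `adminsport`, which string concatenation turns into the literal text "null" in the DN and in the `uid=...` admin DN used on removal, and a non-numeric value is stored unchanged. Parsing each with Integer.parseInt and returning an error status when any is missing or out of range, before the LDAP and XML updates begin, would keep the security domain records well-formed; the same applies to the hunks at -279,6 and -342,6 that store these values. The enclosing method starts outside the hunk.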
@@ -268,7 +271,7 @@ public class UpdateDomainXML extends CMSServlet {
ILdapConnFactory connFactory = null;
LDAPConnection conn = null;
String listName = type + "List";
- String cn = host + ":" + sport;
+ String cn = host + ":" + adminsport;
String dn = "cn=" + cn + ",cn=" + listName + ",ou=Security Domain," + basedn;
CMS.debug("UpdateDomainXML: updating LDAP entry: " + dn);
@@ -279,6 +282,9 @@ public class UpdateDomainXML extends CMSServlet {
attrs.add(new LDAPAttribute("cn", cn));
attrs.add(new LDAPAttribute("Host", host));
attrs.add(new LDAPAttribute("SecurePort", sport));
+ attrs.add(new LDAPAttribute("SecureAgentPort", agentsport));
+ attrs.add(new LDAPAttribute("SecureAdminPort", adminsport));
+ attrs.add(new LDAPAttribute("UnSecurePort", httpport));
attrs.add(new LDAPAttribute("DomainManager", domainmgr));
attrs.add(new LDAPAttribute("clone", clone));
attrs.add(new LDAPAttribute("SubsystemName", name));
@@ -286,7 +292,7 @@ public class UpdateDomainXML extends CMSServlet {
if ((operation != null) && (operation.equals("remove"))) {
status = remove_from_ldap(dn);
- String adminUserDN = "uid=" + type + "-" + host + "-" + sport + ",ou=People," + basedn;
+ String adminUserDN = "uid=" + type + "-" + host + "-" + adminsport + ",ou=People," + basedn;
if (status.equals(SUCCESS)) {
// remove the client cert for this subsystem's admin
status = remove_from_ldap(adminUserDN);
@@ -327,9 +333,9 @@ public class UpdateDomainXML extends CMSServlet {
Node nn = (Node) nodeList.item(i);
Vector v_name = parser.getValuesFromContainer(nn, "SubsystemName");
Vector v_host = parser.getValuesFromContainer(nn, "Host");
- Vector v_port = parser.getValuesFromContainer(nn, "SecurePort");
+ Vector v_adminport = parser.getValuesFromContainer(nn, "SecureAdminPort");
if ((v_name.elementAt(0).equals(name)) && (v_host.elementAt(0).equals(host))
- && (v_port.elementAt(0).equals(sport))) {
+ && (v_adminport.elementAt(0).equals(adminsport))) {
Node parent = nn.getParentNode();
Node remNode = parent.removeChild(nn);
count --;
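Review bot: `v_adminport.elementAt(0)` assumes every subsystem entry in the existing domain XML carries a SecureAdminPort element; entries written before this change have only SecurePort, so on an upgraded domain the comparison throws ArrayIndexOutOfBoundsException from an empty Vector and removal fails for every legacy entry. Guard the access, e.g. `&& (v_adminport.size() > 0) && (v_adminport.elementAt(0).equals(adminsport))`, and consider falling back to the SecurePort match so older entries can still be removed. The surrounding loop starts outside the hunk.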
@@ -342,6 +348,9 @@ public class UpdateDomainXML extends CMSServlet {
parser.addItemToContainer(parent, "SubsystemName", name);
parser.addItemToContainer(parent, "Host", host);
parser.addItemToContainer(parent, "SecurePort", sport);
+ parser.addItemToContainer(parent, "SecureAgentPort", agentsport);
+ parser.addItemToContainer(parent, "SecureAdminPort", adminsport);
+ parser.addItemToContainer(parent, "UnSecurePort", httpport);
parser.addItemToContainer(parent, "DomainManager", domainmgr);
parser.addItemToContainer(parent, "Clone", clone);
count ++;
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
index cd063049..6ebdc9df 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
@@ -284,11 +284,11 @@ public class WizardPanelBase implements IWizardPanel {
}
}
- public int getSubsystemCount(String hostname, int port, boolean https,
- String type)
- throws IOException {
+ public int getSubsystemCount( String hostname, int https_admin_port,
+ boolean https, String type )
+ throws IOException {
CMS.debug("WizardPanelBase getSubsystemCount start");
- String c = getDomainXML(hostname, port, true);
+ String c = getDomainXML(hostname, https_admin_port, true);
if (c != null) {
try {
ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes());
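Review bot: The `https` parameter of `getSubsystemCount` is still ignored on line L1442, which passes the literal `true` to `getDomainXML`; the commit renames the port parameter but leaves this mismatch, so callers passing `https=false` silently get an HTTPS request. Forcing TLS for the security-domain lookup is the safer behaviour, so either pass `https` through deliberately or document the choice: `// always fetch domain.xml over TLS; the https flag is kept for signature compatibility`. The method body continues past the hunk.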
@@ -327,12 +327,12 @@ public class WizardPanelBase implements IWizardPanel {
return -1;
}
- public String getDomainXML(String hostname, int port, boolean https)
- throws IOException {
+ public String getDomainXML( String hostname, int https_admin_port,
+ boolean https )
+ throws IOException {
CMS.debug("WizardPanelBase getDomainXML start");
- String c = getHttpResponse(hostname, port, https, "/ca/ee/ca/getDomainXML",
- null, null);
-
+ String c = getHttpResponse( hostname, https_admin_port, https,
+ "/ca/admin/ca/getDomainXML", null, null );
if (c != null) {
try {
ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes());
@@ -440,12 +440,16 @@ public class WizardPanelBase implements IWizardPanel {
}
}
- public String getCertChain(String hostname, int port, boolean https,
- ConfigCertApprovalCallback certApprovalCallback)
- throws IOException {
- CMS.debug("WizardPanelBase getCertChain start");
- String c = getHttpResponse(hostname, port, https,
- "/ca/ee/ca/getCertChain", null, null, certApprovalCallback);
+ public String getCertChainUsingSecureAdminPort( String hostname,
+ int https_admin_port,
+ boolean https,
+ ConfigCertApprovalCallback
+ certApprovalCallback )
+ throws IOException {
+ CMS.debug("WizardPanelBase getCertChainUsingSecureAdminPort start");
+ String c = getHttpResponse( hostname, https_admin_port, https,
+ "/ca/admin/ca/getCertChain", null, null,
+ certApprovalCallback );
if (c != null) {
try {
@@ -455,21 +459,21 @@ public class WizardPanelBase implements IWizardPanel {
try {
parser = new XMLObject(bis);
} catch (Exception e) {
- CMS.debug( "WizardPanelBase::getCertChain() - "
+ CMS.debug( "WizardPanelBase::getCertChainUsingSecureAdminPort() - "
+ "Exception="+e.toString() );
throw new IOException( e.toString() );
}
String status = parser.getValue("Status");
- CMS.debug("WizardPanelBase getCertChain: status=" + status);
+ CMS.debug("WizardPanelBase getCertChainUsingSecureAdminPort: status=" + status);
if (status.equals(SUCCESS)) {
String certchain = parser.getValue("ChainBase64");
certchain = CryptoUtil.normalizeCertStr(certchain);
CMS.debug(
- "WizardPanelBase getCertChain: certchain="
+ "WizardPanelBase getCertChainUsingSecureAdminPort: certchain="
+ certchain);
return certchain;
} else {
@@ -478,10 +482,63 @@ public class WizardPanelBase implements IWizardPanel {
throw new IOException(error);
}
} catch (IOException e) {
- CMS.debug("WizardPanelBase: getCertChain: " + e.toString());
+ CMS.debug("WizardPanelBase: getCertChainUsingSecureAdminPort: " + e.toString());
throw e;
} catch (Exception e) {
- CMS.debug("WizardPanelBase: getCertChain: " + e.toString());
+ CMS.debug("WizardPanelBase: getCertChainUsingSecureAdminPort: " + e.toString());
+ throw new IOException(e.toString());
+ }
+ }
+
+ return null;
+ }
+
+ public String getCertChainUsingSecureEEPort( String hostname,
+ int https_ee_port,
+ boolean https,
+ ConfigCertApprovalCallback
+ certApprovalCallback )
+ throws IOException {
+ CMS.debug("WizardPanelBase getCertChainUsingSecureEEPort start");
+ String c = getHttpResponse( hostname, https_ee_port, https,
+ "/ca/ee/ca/getCertChain", null, null,
+ certApprovalCallback );
+
+ if (c != null) {
+ try {
+ ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes());
+ XMLObject parser = null;
+
+ try {
+ parser = new XMLObject(bis);
+ } catch (Exception e) {
+ CMS.debug( "WizardPanelBase::getCertChainUsingSecureEEPort() - "
+ + "Exception="+e.toString() );
+ throw new IOException( e.toString() );
+ }
+
+ String status = parser.getValue("Status");
+
+ CMS.debug("WizardPanelBase getCertChainUsingSecureEEPort: status=" + status);
+
+ if (status.equals(SUCCESS)) {
+ String certchain = parser.getValue("ChainBase64");
+
+ certchain = CryptoUtil.normalizeCertStr(certchain);
+ CMS.debug(
+ "WizardPanelBase getCertChainUsingSecureEEPort: certchain="
+ + certchain);
+ return certchain;
+ } else {
+ String error = parser.getValue("Error");
+
+ throw new IOException(error);
+ }
+ } catch (IOException e) {
+ CMS.debug("WizardPanelBase: getCertChainUsingSecureEEPort: " + e.toString());
+ throw e;
+ } catch (Exception e) {
+ CMS.debug("WizardPanelBase: getCertChainUsingSecureEEPort: " + e.toString());
throw new IOException(e.toString());
}
}
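Review bot: `getCertChainUsingSecureEEPort` (L1522-L1570) is a line-for-line copy of `getCertChainUsingSecureAdminPort` (L1472 onward) differing only in the request URI and the method name embedded in debug strings, so any later fix to chain parsing or error mapping has to be made twice. Factor the shared body into one private helper that takes the URI and the caller name, and have both public methods delegate to it; the helper below keeps the parsing, `Status`/`ChainBase64` handling and exception mapping exactly as in the hunk. `c.getBytes()` also uses the platform default charset in both copies; a single helper is the place to make that explicit if the response is known to be UTF-8 (not visible here). The admin-port method's opening lines are in the previous hunk.
```java
    public String getCertChainUsingSecureEEPort( String hostname,
                                                 int https_ee_port,
                                                 boolean https,
                                                 ConfigCertApprovalCallback
                                                 certApprovalCallback )
                  throws IOException {
        return fetchCertChain( "getCertChainUsingSecureEEPort", hostname,
                               https_ee_port, https, "/ca/ee/ca/getCertChain",
                               certApprovalCallback );
    }

    // Shared body of the two public getCertChain* methods; only the URI
    // and the caller name used in debug output differ.
    private String fetchCertChain( String caller, String hostname, int port,
                                   boolean https, String uri,
                                   ConfigCertApprovalCallback certApprovalCallback )
                   throws IOException {
        CMS.debug( "WizardPanelBase " + caller + " start" );
        String c = getHttpResponse( hostname, port, https, uri, null, null,
                                    certApprovalCallback );
        if( c == null ) {
            return null;
        }
        // … unchanged: XMLObject parsing, Status / ChainBase64 handling and
        //   IOException mapping from the original body, with `caller` in
        //   place of the hard-coded method name in each CMS.debug() string …
    }
```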
@@ -860,15 +917,17 @@ public class WizardPanelBase implements IWizardPanel {
return c;
}
- public Vector getMasterUrlListFromSecurityDomain(IConfigStore config, String type) {
+ public Vector getMasterUrlListFromSecurityDomain( IConfigStore config,
+ String type,
+ String portType ) {
Vector v = new Vector();
try {
- String hostname = config.getString("preop.securitydomain.host");
- int httpsport = config.getInteger("preop.securitydomain.httpsport");
+ String hostname = config.getString("securitydomain.host");
+ int httpsadminport = config.getInteger("securitydomain.httpsadminport");
CMS.debug("Getting domain.xml from CA...");
- String c = getDomainXML(hostname, httpsport, true);
+ String c = getDomainXML(hostname, httpsadminport, true);
String list = "";
CMS.debug("Type " + type);
@@ -882,13 +941,23 @@ public class WizardPanelBase implements IWizardPanel {
list = "TKSList";
}
+ CMS.debug( "Getting " + portType + " from Security Domain ..." );
+ if( !portType.equals( "UnSecurePort" ) &&
+ !portType.equals( "SecureAgentPort" ) &&
+ !portType.equals( "SecurePort" ) &&
+ !portType.equals( "SecureAdminPort" ) ) {
+ CMS.debug( "getPortFromSecurityDomain: " +
+ "unknown port type " + portType );
+ return v;
+ }
+
ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes());
XMLObject parser = new XMLObject(bis);
Document doc = parser.getDocument();
NodeList nodeList = doc.getElementsByTagName(type);
// save domain name in cfg
- config.putString("preop.securitydomain.name",
+ config.putString("securitydomain.name",
parser.getValue("Name"));
int len = nodeList.getLength();
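Review bot: The `portType` check added at L1593-L1600 runs only after `getDomainXML` has already made the network round trip in the previous hunk (L1586), so an invalid argument still costs a request to the security domain; move the check above the `getDomainXML` call. The debug message on L1597 names `getPortFromSecurityDomain`, which is not this method (it is `getMasterUrlListFromSecurityDomain`); the same copy-pasted name appears at L1658 in `getUrlListFromSecurityDomain` and at L1711 in `getSecurityDomainPort`. Suggested text for this method: `CMS.debug( "getMasterUrlListFromSecurityDomain: unknown port type " + portType );`. The method body starts in the previous hunk.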
@@ -905,11 +974,13 @@ public class WizardPanelBase implements IWizardPanel {
Vector v_host = parser.getValuesFromContainer(nodeList.item(i),
"Host");
Vector v_port = parser.getValuesFromContainer(nodeList.item(i),
- "SecurePort");
+ portType);
- v.addElement(
- v_name.elementAt(0) + " - https://" + v_host.elementAt(0)
- + ":" + v_port.elementAt(0));
+ v.addElement( v_name.elementAt(0)
+ + " - https://"
+ + v_host.elementAt(0)
+ + ":"
+ + v_port.elementAt(0) );
}
} catch (Exception e) {
CMS.debug(e.toString());
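Review bot: `v_port.elementAt(0)` on L1624 now reads whichever attribute `portType` names, and the new attributes are optional: the schema hunks declare `SecureAgentPort`, `SecureAdminPort` and `UnSecurePort` as `MAY`, and the migration hunk at L2046-L2052 states that migrated entries carry no `UnSecurePort` at all. One such entry raises `ArrayIndexOutOfBoundsException`, which the `catch (Exception e)` on L1626 only logs, so the method returns a silently truncated list. Skip entries that lack the attribute instead: `if (v_port.isEmpty()) { CMS.debug("getMasterUrlListFromSecurityDomain: no " + portType + " for " + v_name.elementAt(0)); continue; }`. The identical loop in `getUrlListFromSecurityDomain` at L1672-L1688 needs the same guard.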
@@ -918,18 +989,20 @@ public class WizardPanelBase implements IWizardPanel {
return v;
}
- public Vector getUrlListFromSecurityDomain(IConfigStore config, String type) {
+ public Vector getUrlListFromSecurityDomain( IConfigStore config,
+ String type,
+ String portType ) {
Vector v = new Vector();
try {
- String hostname = config.getString("preop.securitydomain.host");
- int httpsport = config.getInteger("preop.securitydomain.httpsport");
+ String hostname = config.getString("securitydomain.host");
+ int httpsadminport = config.getInteger("securitydomain.httpsadminport");
CMS.debug("Getting domain.xml from CA...");
- String c = getDomainXML(hostname, httpsport, true);
+ String c = getDomainXML(hostname, httpsadminport, true);
String list = "";
- CMS.debug("Type " + type);
+ CMS.debug("Subsystem Type " + type);
if (type.equals("CA")) {
list = "CAList";
} else if (type.equals("KRA")) {
@@ -940,13 +1013,23 @@ public class WizardPanelBase implements IWizardPanel {
list = "TKSList";
}
+ CMS.debug( "Getting " + portType + " from Security Domain ..." );
+ if( !portType.equals( "UnSecurePort" ) &&
+ !portType.equals( "SecureAgentPort" ) &&
+ !portType.equals( "SecurePort" ) &&
+ !portType.equals( "SecureAdminPort" ) ) {
+ CMS.debug( "getPortFromSecurityDomain: " +
+ "unknown port type " + portType );
+ return v;
+ }
+
ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes());
XMLObject parser = new XMLObject(bis);
Document doc = parser.getDocument();
NodeList nodeList = doc.getElementsByTagName(type);
// save domain name in cfg
- config.putString("preop.securitydomain.name",
+ config.putString("securitydomain.name",
parser.getValue("Name"));
int len = nodeList.getLength();
@@ -958,11 +1041,13 @@ public class WizardPanelBase implements IWizardPanel {
Vector v_host = parser.getValuesFromContainer(nodeList.item(i),
"Host");
Vector v_port = parser.getValuesFromContainer(nodeList.item(i),
- "SecurePort");
+ portType);
- v.addElement(
- v_name.elementAt(0) + " - https://" + v_host.elementAt(0)
- + ":" + v_port.elementAt(0));
+ v.addElement( v_name.elementAt(0)
+ + " - https://"
+ + v_host.elementAt(0)
+ + ":"
+ + v_port.elementAt(0) );
}
} catch (Exception e) {
CMS.debug(e.toString());
@@ -971,37 +1056,105 @@ public class WizardPanelBase implements IWizardPanel {
return v;
}
- public String pingCS(String hostname, int port, boolean https,
- SSLCertificateApprovalCallback certApprovalCallback)
+ public String getSecurityDomainPort( IConfigStore config,
+ String portType ) {
+ String port = new String();
+
+ try {
+ String hostname = config.getString( "securitydomain.host" );
+ int httpsadminport =
+ config.getInteger( "securitydomain.httpsadminport" );
+
+ CMS.debug( "Getting domain.xml from CA ..." );
+ String c = getDomainXML( hostname, httpsadminport, true );
+
+ CMS.debug( "Getting " + portType + " from Security Domain ..." );
+ if( !portType.equals( "UnSecurePort" ) &&
+ !portType.equals( "SecureAgentPort" ) &&
+ !portType.equals( "SecurePort" ) &&
+ !portType.equals( "SecureAdminPort" ) ) {
+ CMS.debug( "getPortFromSecurityDomain: " +
+ "unknown port type " + portType );
+ return "";
+ }
+
+ ByteArrayInputStream bis = new ByteArrayInputStream( c.getBytes() );
+ XMLObject parser = new XMLObject( bis );
+ Document doc = parser.getDocument();
+ NodeList nodeList = doc.getElementsByTagName( "CA" );
+
+ int len = nodeList.getLength();
+ for( int i = 0; i < len; i++ ) {
+ Vector v_admin_port =
+ parser.getValuesFromContainer( nodeList.item(i),
+ "SecureAdminPort" );
+
+ Vector v_port = null;
+ if( portType.equals( "UnSecurePort" ) ) {
+ v_port = parser.getValuesFromContainer( nodeList.item(i),
+ "UnSecurePort" );
+ } else if( portType.equals( "SecureAgentPort" ) ) {
+ v_port = parser.getValuesFromContainer( nodeList.item(i),
+ "SecureAgentPort" );
+ } else if( portType.equals( "SecurePort" ) ) {
+ v_port = parser.getValuesFromContainer( nodeList.item(i),
+ "SecurePort" );
+ } else if( portType.equals( "SecureAdminPort" ) ) {
+ v_port = parser.getValuesFromContainer( nodeList.item(i),
+ "SecureAdminPort" );
+ }
+
+ if( ( v_port != null ) &&
+ ( v_admin_port.elementAt( 0 ).equals(
+ Integer.toString( httpsadminport ) ) ) ) {
+ port = v_port.elementAt( 0 ).toString();
+ break;
+ }
+ }
+ } catch (Exception e) {
+ CMS.debug( e.toString() );
+ }
+
+ return( port );
+ }
+
+ public String pingCS( String hostname, int port, boolean https,
+ SSLCertificateApprovalCallback certApprovalCallback )
throws IOException {
- CMS.debug("WizardPanelBase pingCS start");
- String c = getHttpResponse(hostname, port, https, "/ca/ee/ca/getStatus",
- null, null, certApprovalCallback);
+ CMS.debug( "WizardPanelBase pingCS: started" );
- if (c != null) {
+ String c = getHttpResponse( hostname, port, https,
+ "/ca/admin/ca/getStatus",
+ null, null, certApprovalCallback );
+
+ if( c != null ) {
try {
- ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes());
+ ByteArrayInputStream bis = new
+ ByteArrayInputStream( c.getBytes() );
XMLObject parser = null;
- String state = null;
+ String state = null;
try {
- parser = new XMLObject(bis);
- CMS.debug("WizardPanelBase pingCS: got XML parsed");
- state = parser.getValue("State");
+ parser = new XMLObject( bis );
+ CMS.debug( "WizardPanelBase pingCS: got XML parsed" );
+ state = parser.getValue( "State" );
- if (state != null)
- CMS.debug("WizardPanelBase pingCS: state=" + state);
+ if( state != null ) {
+ CMS.debug( "WizardPanelBase pingCS: state=" + state );
+ }
} catch (Exception e) {
- CMS.debug("WizardPanelBase: pingCS: parser failed" + e.toString());
- }
+ CMS.debug( "WizardPanelBase: pingCS: parser failed"
+ + e.toString() );
+ }
- return state;
- } catch (Exception e) {
- CMS.debug("WizardPanelBase: pingCS: " + e.toString());
- throw new IOException(e.toString());
+ return state;
+ } catch( Exception e ) {
+ CMS.debug( "WizardPanelBase: pingCS: " + e.toString() );
+ throw new IOException( e.toString() );
}
}
+ CMS.debug( "WizardPanelBase pingCS: stopped" );
return null;
}
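Review bot: `getSecurityDomainPort` selects a CA entry by admin port alone (L1742-L1747): it compares `SecureAdminPort` with the configured `securitydomain.httpsadminport` but never compares the entry's `Host` with `securitydomain.host`, so in a domain with more than one CA the first entry sharing that port number wins, and the returned port may belong to a different host than the one the wizard will connect to. Read the host as well and require both to match: `Vector v_host = parser.getValuesFromContainer( nodeList.item(i), "Host" );` and `if( ( v_port != null ) && !v_port.isEmpty() && !v_admin_port.isEmpty() && !v_host.isEmpty() && hostname.equals( v_host.elementAt( 0 ) ) && v_admin_port.elementAt( 0 ).equals( Integer.toString( httpsadminport ) ) )`, which also removes the `elementAt(0)` failure on entries lacking the optional attribute. The `if`/`else if` chain at L1728-L1740 is redundant once `portType` has passed the check at L1707: each branch calls `getValuesFromContainer` with a string equal to `portType`, so `v_port = parser.getValuesFromContainer( nodeList.item(i), portType );` is equivalent.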
@@ -1021,12 +1174,12 @@ public class WizardPanelBase implements IWizardPanel {
}
public void getTokenInfo(IConfigStore config, String type, String host,
- int port, boolean https, Context context,
+ int https_ee_port, boolean https, Context context,
ConfigCertApprovalCallback certApprovalCallback) throws IOException {
CMS.debug("WizardPanelBase getTokenInfo start");
String uri = "/"+type+"/ee/"+type+"/getTokenInfo";
CMS.debug("WizardPanelBase getTokenInfo: uri="+uri);
- String c = getHttpResponse(host, port, https, uri, null, null,
+ String c = getHttpResponse(host, https_ee_port, https, uri, null, null,
certApprovalCallback);
if (c != null) {
try {
@@ -1127,14 +1280,65 @@ public class WizardPanelBase implements IWizardPanel {
}
public void updateCertChain(IConfigStore config, String name, String host,
- int port, boolean https, Context context) throws IOException {
- updateCertChain(config, name, host, port, https, context, null);
+ int https_admin_port, boolean https, Context context) throws IOException {
+ updateCertChain( config, name, host, https_admin_port,
+ https, context, null );
}
public void updateCertChain(IConfigStore config, String name, String host,
- int port, boolean https, Context context,
+ int https_admin_port, boolean https, Context context,
ConfigCertApprovalCallback certApprovalCallback) throws IOException {
- String certchain = getCertChain(host, port, https, certApprovalCallback);
+ String certchain = getCertChainUsingSecureAdminPort( host,
+ https_admin_port,
+ https,
+ certApprovalCallback );
+ config.putString("preop."+name+".pkcs7", certchain);
+
+ byte[] decoded = CryptoUtil.base64Decode(certchain);
+ java.security.cert.X509Certificate[] b_certchain = null;
+
+ try {
+ b_certchain = CryptoUtil.getX509CertificateFromPKCS7(decoded);
+ } catch (Exception e) {
+ context.put("errorString",
+ "Failed to get the certificate chain.");
+ return;
+ }
+
+ int size = 0;
+ if (b_certchain != null) {
+ size = b_certchain.length;
+ }
+ config.putInteger("preop."+name+".certchain.size", size);
+ for (int i = 0; i < size; i++) {
+ byte[] bb = null;
+
+ try {
+ bb = b_certchain[i].getEncoded();
+ } catch (Exception e) {
+ context.put("errorString",
+ "Failed to get the der-encoded certificate chain.");
+ return;
+ }
+ config.putString("preop."+name+".certchain." + i,
+ CryptoUtil.normalizeCertStr(CryptoUtil.base64Encode(bb)));
+ }
+
+ try {
+ config.commit(false);
+ } catch (EBaseException e) {
+ }
+ }
+
+ public void updateCertChainUsingSecureEEPort( IConfigStore config,
+ String name, String host,
+ int https_ee_port,
+ boolean https,
+ Context context,
+ ConfigCertApprovalCallback certApprovalCallback ) throws IOException {
+ String certchain = getCertChainUsingSecureEEPort( host, https_ee_port,
+ https,
+ certApprovalCallback);
config.putString("preop."+name+".pkcs7", certchain);
byte[] decoded = CryptoUtil.base64Decode(certchain);
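Review bot: `updateCertChain` passes `certchain` to `config.putString` and `CryptoUtil.base64Decode` (L1839, L1841) without checking for `null`, yet `getCertChainUsingSecureAdminPort` returns `null` when it gets no response (L1519), so a failed fetch presumably ends in a `NullPointerException` rather than the `errorString` the later branches set; add `if (certchain == null) { context.put("errorString", "Failed to get the certificate chain."); return; }` before the first `putString`. The `catch (EBaseException e) { }` at L1873-L1874 swallows a failed `config.commit(false)`, so the stored CA chain — the trust anchor the wizard relies on afterwards — may silently not persist; at least log it, `catch (EBaseException e) { CMS.debug("WizardPanelBase updateCertChain: commit failed: " + e.toString()); }`. `updateCertChainUsingSecureEEPort` (L1877 onward, body continues past the hunk) repeats the same storage code and should share one private helper that takes the fetched chain.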
@@ -1238,13 +1442,15 @@ public class WizardPanelBase implements IWizardPanel {
public void reloginSecurityDomain(HttpServletResponse response) {
IConfigStore cs = CMS.getConfigStore();
try {
- String hostname = cs.getString("preop.securitydomain.host", "");
- int port = cs.getInteger("preop.securitydomain.httpsport", -1);
+ String hostname = cs.getString("securitydomain.host", "");
+ int port = cs.getInteger("securitydomain.httpsadminport", -1);
+ String cs_hostname = cs.getString("machineName", "");
+ int cs_port = cs.getInteger("pkicreate.admin_secure_port", -1);
int panel = getPanelNo();
String subsystem = cs.getString("cs.type", "");
- String urlVal = "https://"+CMS.getEESSLHost()+":"+CMS.getEESSLPort()+"/"+toLowerCaseSubsystemType(subsystem)+"/admin/console/config/wizard?p="+panel+"&subsystem="+subsystem;
+ String urlVal = "https://"+cs_hostname+":"+cs_port+"/"+toLowerCaseSubsystemType(subsystem)+"/admin/console/config/wizard?p="+panel+"&subsystem="+subsystem;
String encodedValue = URLEncoder.encode(urlVal, "UTF-8");
- String sdurl = "https://"+hostname+":"+port+"/ca/ee/ca/securityDomainLogin?url="+encodedValue;
+ String sdurl = "https://"+hostname+":"+port+"/ca/admin/ca/securityDomainLogin?url="+encodedValue;
response.sendRedirect(sdurl);
} catch (Exception e) {
CMS.debug("WizardPanelBase reloginSecurityDomain: Exception="+e.toString());
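Review bot: The redirect on L1905 is issued even when the config lookups on L1894-L1897 fall back to their defaults, producing URLs such as `https://:-1/...` or `https://host:-1/ca/admin/ca/securityDomainLogin?url=...`; the method should validate before building the URLs: `if (hostname.length() == 0 || port < 0 || cs_hostname.length() == 0 || cs_port < 0) { CMS.debug("WizardPanelBase reloginSecurityDomain: missing host/port configuration"); return; }`. Note that the new `pkicreate.admin_secure_port` key read on L1897 is defined in the KRA and OCSP `CS.cfg` hunks of this commit but not in the RA `CS.cfg` hunk (L2240-L2247), which has no `admin_secure_port` entry; whether the RA ever reaches this code is not visible here.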
diff --git a/pki/base/kra/shared/conf/CS.cfg b/pki/base/kra/shared/conf/CS.cfg
index e30a224b..8d10595c 100644
--- a/pki/base/kra/shared/conf/CS.cfg
+++ b/pki/base/kra/shared/conf/CS.cfg
@@ -1,13 +1,13 @@
-pkicreate.arg01.pki_instance_root=[PKI_INSTANCE_ROOT]
-pkicreate.arg02.pki_instance_name=[PKI_INSTANCE_ID]
-pkicreate.arg03.subsystem_type=[PKI_SUBSYSTEM_TYPE]
-pkicreate.arg04.agent_secure_port=[PKI_AGENT_SECURE_PORT]
-pkicreate.arg05.ee_secure_port=[PKI_EE_SECURE_PORT]
-pkicreate.arg06.admin_secure_port=[PKI_ADMIN_SECURE_PORT]
-pkicreate.arg07.secure_port=[PKI_SECURE_PORT]
-pkicreate.arg08.unsecure_port=[PKI_UNSECURE_PORT]
-pkicreate.arg09.tomcat_server_port=[TOMCAT_SERVER_PORT]
-pkicreate.arg10.user=[PKI_USER]
+pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT]
+pkicreate.pki_instance_name=[PKI_INSTANCE_ID]
+pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE]
+pkicreate.agent_secure_port=[PKI_AGENT_SECURE_PORT]
+pkicreate.ee_secure_port=[PKI_EE_SECURE_PORT]
+pkicreate.admin_secure_port=[PKI_ADMIN_SECURE_PORT]
+pkicreate.secure_port=[PKI_SECURE_PORT]
+pkicreate.unsecure_port=[PKI_UNSECURE_PORT]
+pkicreate.tomcat_server_port=[TOMCAT_SERVER_PORT]
+pkicreate.user=[PKI_USER]
pkicreate.arg11.group=[PKI_GROUP]
installDate=[INSTALL_TIME]
preop.wizard.name=DRM Setup Wizard
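Review bot: The context line L1933 still reads `pkicreate.arg11.group=[PKI_GROUP]` while every other `pkicreate.argNN.` key in this hunk is renamed to drop the `argNN` prefix, and the OCSP `CS.cfg` hunk in this same commit renames its counterpart to `pkicreate.group=[PKI_GROUP]` (L2118). Whatever reads `pkicreate.group` (outside this page) will presumably not find the KRA's group setting; the line should be `pkicreate.group=[PKI_GROUP]` for consistency with the other subsystems.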
@@ -20,11 +20,16 @@ cs.type=KRA
admin.interface.uri=kra/admin/console/config/wizard
agent.interface.uri=kra/agent/kra
authType=pwd
-preop.securitydomain.url=https://[PKI_MACHINE_NAME]:9444
+preop.securitydomain.admin_url=https://[PKI_MACHINE_NAME]:9445
instanceRoot=[PKI_INSTANCE_PATH]
machineName=[PKI_MACHINE_NAME]
instanceId=[PKI_INSTANCE_ID]
-service.securePort=[PKI_SECURE_PORT]
+service.machineName=[PKI_MACHINE_NAME]
+service.instanceDir=[PKI_INSTANCE_ROOT]
+service.securePort=[PKI_AGENT_SECURE_PORT]
+service.non_clientauth_securePort=[PKI_EE_SECURE_PORT]
+service.unsecurePort=[PKI_UNSECURE_PORT]
+service.instanceID=[PKI_INSTANCE_ID]
preop.admin.name=Data Recovery Manager Administrator
preop.admin.group=Data Recovery Manager Agents
preop.admincert.profile=caAdminCert
diff --git a/pki/base/kra/shared/conf/schema.ldif b/pki/base/kra/shared/conf/schema.ldif
index 823543dc..269b3f57 100644
--- a/pki/base/kra/shared/conf/schema.ldif
+++ b/pki/base/kra/shared/conf/schema.ldif
@@ -381,6 +381,21 @@ attributeTypes: ( SecurePort-oid NAME 'SecurePort' SYNTAX 1.3.6.1.4.1.1466.115.
dn: cn=schema
changetype: modify
add: attributeTypes
+attributeTypes: ( SecureAgentPort-oid NAME 'SecureAgentPort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( SecureAdminPort-oid NAME 'SecureAdminPort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( UnSecurePort-oid NAME 'UnSecurePort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
attributeTypes: ( SubsystemName-oid NAME 'SubsystemName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
dn: cn=schema
@@ -441,7 +456,7 @@ objectClasses: ( pkiSecurityGroup-oid NAME 'pkiSecurityGroup' DESC 'CMS defined
dn: cn=schema
changetype: modify
add: objectClasses
-objectClasses: ( pkiSubsystem-oid NAME 'pkiSubsystem' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone ) MAY ( DomainManager ) X-ORIGIN 'user defined' )
+objectClasses: ( pkiSubsystem-oid NAME 'pkiSubsystem' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone ) MAY ( DomainManager $ SecureAgentPort $ SecureAdminPort $ UnSecurePort ) X-ORIGIN 'user defined' )
dn: cn=schema
changetype: modify
diff --git a/pki/base/kra/shared/conf/server.xml b/pki/base/kra/shared/conf/server.xml
index 7dd9f6cc..58cd6166 100644
--- a/pki/base/kra/shared/conf/server.xml
+++ b/pki/base/kra/shared/conf/server.xml
@@ -98,7 +98,7 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
- clientAuth="true" sslProtocol="SSL"
+ clientAuth="[PKI_AGENT_CLIENTAUTH]" sslProtocol="SSL"
sslOptions="ssl2=true,ssl3=true,tls=true"
ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
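Review bot: `clientAuth="[PKI_AGENT_CLIENTAUTH]"` on L1997 makes whether this agent connector demands a client certificate depend on a template substitution, and nothing on this page constrains that value; with `want` or `false` substituted the agent interface would accept connections without a client certificate. Document the expected value next to the attribute so the installer's contract is visible: `<!-- PKI_AGENT_CLIENTAUTH must be "true" for the agent interface; "want" or "false" disables mandatory client-certificate authentication on this connector -->`. The OCSP `server.xml` hunk at L2182-L2190 makes the identical change and needs the same note.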
diff --git a/pki/base/kra/shared/webapps/kra/WEB-INF/web.xml b/pki/base/kra/shared/webapps/kra/WEB-INF/web.xml
index 84dfcabb..8af3e56e 100644
--- a/pki/base/kra/shared/webapps/kra/WEB-INF/web.xml
+++ b/pki/base/kra/shared/webapps/kra/WEB-INF/web.xml
@@ -782,8 +782,6 @@
<param-value> services </param-value> </init-param>
<init-param><param-name> templatePath </param-name>
<param-value> /services.template </param-value> </init-param>
- <init-param><param-name> interface </param-name>
- <param-value> ee </param-value> </init-param>
</servlet>
<servlet>
@@ -851,6 +849,25 @@
[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT]
<filter-mapping>
<filter-name> PassThroughRequestFilter </filter-name>
+ <url-pattern> /index </url-pattern>
+
+ <url-pattern> /server </url-pattern>
+ <url-pattern> /kra </url-pattern>
+ <url-pattern> /log </url-pattern>
+ <url-pattern> /registry </url-pattern>
+ <url-pattern> /ug </url-pattern>
+ <url-pattern> /acl </url-pattern>
+ <url-pattern> /jobsScheduler </url-pattern>
+ <url-pattern> /krapolicy </url-pattern>
+
+ <url-pattern> /services </url-pattern>
+
+ <url-pattern> /start </url-pattern>
+ <url-pattern> /dynamicVars.js </url-pattern>
+ </filter-mapping>
+
+ <filter-mapping>
+ <filter-name> AgentRequestFilter </filter-name>
<url-pattern> /agent/* </url-pattern>
</filter-mapping>
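Review bot: The new `PassThroughRequestFilter` mapping (L2015-L2032) now covers `/server`, `/log`, `/registry`, `/ug`, `/acl`, `/jobsScheduler` and `/krapolicy`, which from their names look like administrative servlets, alongside `/services` and `/start`; what `PassThroughRequestFilter` actually enforces is outside this page, and the filter name suggests it passes requests through rather than gating them. A comment stating which interface and port these paths are expected to be reachable on would make the intent reviewable, e.g. `<!-- admin-console servlets: reachable only through the admin port; PassThroughRequestFilter applies no interface check of its own -->` (adjust to what the filter really does). The OCSP `web.xml` hunk at L2203-L2223 adds the same mapping and needs the same clarification; the `[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT]` marker on L2014 suggests the block is conditionally commented out, which should also be stated.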
diff --git a/pki/base/migrate/80/MigrateSecurityDomain.java b/pki/base/migrate/80/MigrateSecurityDomain.java
index 5cfdf584..33bbb72b 100644
--- a/pki/base/migrate/80/MigrateSecurityDomain.java
+++ b/pki/base/migrate/80/MigrateSecurityDomain.java
@@ -191,6 +191,13 @@ public class MigrateSecurityDomain {
attrs.add(new LDAPAttribute("SubsystemName", (String)v_name.elementAt(0)));
attrs.add(new LDAPAttribute("cn", cn));
attrs.add(new LDAPAttribute("DomainManager", "true"));
+ // Since the initial port separation feature didn't occur
+ // until an RHCS 7.3 errata, simply store the "SecurePort"
+ // value for BOTH the "SecureAgentPort" and the
+ // "SecureAdminPort", and DON'T store any values for the
+ // "UnSecurePort"
+ attrs.add(new LDAPAttribute("SecureAgentPort", (String)v_port.elementAt(0)));
+ attrs.add(new LDAPAttribute("SecureAdminPort", (String)v_port.elementAt(0)));
entry = new LDAPEntry(dn, attrs);
try {
diff --git a/pki/base/migrate/80/schema-add.ldif b/pki/base/migrate/80/schema-add.ldif
index 7d9cec64..fe6577e5 100644
--- a/pki/base/migrate/80/schema-add.ldif
+++ b/pki/base/migrate/80/schema-add.ldif
@@ -11,7 +11,22 @@ attributeTypes: ( DomainManager-oid NAME 'DomainManager' SYNTAX 1.3.6.1.4.1.146
dn: cn=schema
changetype: modify
add: attributeTypes
-attributeTypes: ( securePort-oid NAME 'securePort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
+attributeTypes: ( SecurePort-oid NAME 'SecurePort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( SecureAgentPort-oid NAME 'SecureAgentPort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( SecureAdminPort-oid NAME 'SecureAdminPort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( UnSecurePort-oid NAME 'UnSecurePort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
dn: cn=schema
changetype: modify
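Review bot: The attribute definition on L2064 changes the name and OID placeholder from `securePort` / `securePort-oid` to `SecurePort` / `SecurePort-oid` inside a migration file; LDAP attribute names are matched case-insensitively, but the OID token differs, so on a directory where the earlier version of this file has already been applied the add may presumably be rejected as a conflicting definition, or leave two definitions for the same name. State the intended behaviour for already-migrated directories in the file, e.g. `# SecurePort replaces the earlier securePort definition; if that was already loaded, delete it before applying this file` (adjust to the migration procedure actually used).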
@@ -31,6 +46,5 @@ objectClasses: ( pkiSecurityGroup-oid NAME 'pkiSecurityGroup' DESC 'CMS defined
dn: cn=schema
changetype: modify
add: objectClasses
-objectClasses: ( pkiSubsystem-oid NAME 'pkiSubsystem' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone ) MAY ( DomainManager ) X-ORIGIN 'user defined' )
-
+objectClasses: ( pkiSubsystem-oid NAME 'pkiSubsystem' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone ) MAY ( DomainManager $ SecureAgentPort $ SecureAdminPort $ UnSecurePort ) X-ORIGIN 'user defined' )
diff --git a/pki/base/ocsp/shared/conf/CS.cfg b/pki/base/ocsp/shared/conf/CS.cfg
index 59185dd8..0544fc63 100644
--- a/pki/base/ocsp/shared/conf/CS.cfg
+++ b/pki/base/ocsp/shared/conf/CS.cfg
@@ -3,17 +3,17 @@
# All rights reserved.
# --- END COPYRIGHT BLOCK ---
#
-pkicreate.arg01.pki_instance_root=[PKI_INSTANCE_ROOT]
-pkicreate.arg02.pki_instance_name=[PKI_INSTANCE_ID]
-pkicreate.arg03.subsystem_type=[PKI_SUBSYSTEM_TYPE]
-pkicreate.arg04.agent_secure_port=[PKI_AGENT_SECURE_PORT]
-pkicreate.arg05.ee_secure_port=[PKI_EE_SECURE_PORT]
-pkicreate.arg06.admin_secure_port=[PKI_ADMIN_SECURE_PORT]
-pkicreate.arg07.secure_port=[PKI_SECURE_PORT]
-pkicreate.arg08.unsecure_port=[PKI_UNSECURE_PORT]
-pkicreate.arg09.tomcat_server_port=[TOMCAT_SERVER_PORT]
-pkicreate.arg10.user=[PKI_USER]
-pkicreate.arg11.group=[PKI_GROUP]
+pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT]
+pkicreate.pki_instance_name=[PKI_INSTANCE_ID]
+pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE]
+pkicreate.agent_secure_port=[PKI_AGENT_SECURE_PORT]
+pkicreate.ee_secure_port=[PKI_EE_SECURE_PORT]
+pkicreate.admin_secure_port=[PKI_ADMIN_SECURE_PORT]
+pkicreate.secure_port=[PKI_SECURE_PORT]
+pkicreate.unsecure_port=[PKI_UNSECURE_PORT]
+pkicreate.tomcat_server_port=[TOMCAT_SERVER_PORT]
+pkicreate.user=[PKI_USER]
+pkicreate.group=[PKI_GROUP]
installDate=[INSTALL_TIME]
cs.type=OCSP
admin.interface.uri=ocsp/admin/console/config/wizard
@@ -21,7 +21,7 @@ agent.interface.uri=ocsp/agent/ocsp
preop.admin.name=Online Certificate Status Manager Administrator
preop.admin.group=Online Certificate Status Manager Agents
preop.admincert.profile=caAdminCert
-preop.securitydomain.url=https://[PKI_MACHINE_NAME]:9444
+preop.securitydomain.admin_url=https://[PKI_MACHINE_NAME]:9445
preop.wizard.name=OCSP Setup Wizard
preop.product.name=CS
preop.product.version=
@@ -88,7 +88,12 @@ authType=pwd
instanceRoot=[PKI_INSTANCE_PATH]
machineName=[PKI_MACHINE_NAME]
instanceId=[PKI_INSTANCE_ID]
-service.securePort=[PKI_SECURE_PORT]
+service.machineName=[PKI_MACHINE_NAME]
+service.instanceDir=[PKI_INSTANCE_ROOT]
+service.securePort=[PKI_AGENT_SECURE_PORT]
+service.non_clientauth_securePort=[PKI_EE_SECURE_PORT]
+service.unsecurePort=[PKI_UNSECURE_PORT]
+service.instanceID=[PKI_INSTANCE_ID]
preop.pin=[PKI_RANDOM_NUMBER]
passwordFile=[PKI_INSTANCE_PATH]/conf/password.conf
passwordClass=com.netscape.cmsutil.password.PlainPasswordFile
diff --git a/pki/base/ocsp/shared/conf/schema.ldif b/pki/base/ocsp/shared/conf/schema.ldif
index 823543dc..d61f83dd 100644
--- a/pki/base/ocsp/shared/conf/schema.ldif
+++ b/pki/base/ocsp/shared/conf/schema.ldif
@@ -381,6 +381,21 @@ attributeTypes: ( SecurePort-oid NAME 'SecurePort' SYNTAX 1.3.6.1.4.1.1466.115.
dn: cn=schema
changetype: modify
add: attributeTypes
+attributeTypes: ( SecureAgentPort-oid NAME 'SecureAgentPort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( SecureAdminPort-oid NAME 'SecureAdminPort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( UnSecurePort-oid NAME 'UnSecurePort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
attributeTypes: ( SubsystemName-oid NAME 'SubsystemName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
dn: cn=schema
@@ -441,7 +456,7 @@ objectClasses: ( pkiSecurityGroup-oid NAME 'pkiSecurityGroup' DESC 'CMS defined
dn: cn=schema
changetype: modify
add: objectClasses
-objectClasses: ( pkiSubsystem-oid NAME 'pkiSubsystem' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone ) MAY ( DomainManager ) X-ORIGIN 'user defined' )
+objectClasses: ( pkiSubsystem-oid NAME 'pkiSubsystem' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone ) MAY ( DomainManager $ SecureAgentPort $ SecureAdminPort $ UnSecurePort ) X-ORIGIN 'user defined' )
dn: cn=schema
changetype: modify
diff --git a/pki/base/ocsp/shared/conf/server.xml b/pki/base/ocsp/shared/conf/server.xml
index 7dd9f6cc..58cd6166 100644
--- a/pki/base/ocsp/shared/conf/server.xml
+++ b/pki/base/ocsp/shared/conf/server.xml
@@ -98,7 +98,7 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
- clientAuth="true" sslProtocol="SSL"
+ clientAuth="[PKI_AGENT_CLIENTAUTH]" sslProtocol="SSL"
sslOptions="ssl2=true,ssl3=true,tls=true"
ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
diff --git a/pki/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml b/pki/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
index a7768b88..37ac36cf 100644
--- a/pki/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
+++ b/pki/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
@@ -438,8 +438,6 @@
<param-value> services </param-value> </init-param>
<init-param><param-name> templatePath </param-name>
<param-value> /services.template </param-value> </init-param>
- <init-param><param-name> interface </param-name>
- <param-value> ee </param-value> </init-param>
</servlet>
<servlet>
@@ -491,6 +489,21 @@
[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT]
<filter-mapping>
+ <filter-name> PassThroughRequestFilter </filter-name>
+ <url-pattern> /registry </url-pattern>
+ <url-pattern> /acl </url-pattern>
+ <url-pattern> /jobsScheduler </url-pattern>
+ <url-pattern> /ug </url-pattern>
+ <url-pattern> /server </url-pattern>
+ <url-pattern> /log </url-pattern>
+ <url-pattern> /ocsp </url-pattern>
+
+ <url-pattern> /services </url-pattern>
+
+ <url-pattern> /start </url-pattern>
+ </filter-mapping>
+
+ <filter-mapping>
<filter-name> AgentRequestFilter </filter-name>
<url-pattern> /agent/* </url-pattern>
</filter-mapping>
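Review bot: The new PassThroughRequestFilter mapping routes administrative servlet paths (`/registry`, `/acl`, `/ug`, `/log`, `/server`, `/jobsScheduler`) through a filter whose name suggests it imposes no port or interface restriction, and the hunk gives no indication why these paths must bypass the checks that `/agent/*` gets. Because the block sits under the `[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT]` slot it may be commented out in some deployments, which the file should state. I'd add an XML comment above the mapping such as `<!-- Paths reachable on any connector; access to these servlets is enforced by their own authentication, not by port -->` once that has been confirmed against PassThroughRequestFilter, whose definition is outside this hunk.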
diff --git a/pki/base/ra/doc/CS.cfg b/pki/base/ra/doc/CS.cfg
index 697853bd..c580d274 100644
--- a/pki/base/ra/doc/CS.cfg
+++ b/pki/base/ra/doc/CS.cfg
@@ -16,14 +16,14 @@
# All rights reserved.
# --- END COPYRIGHT BLOCK ---
#
-pkicreate.arg01.pki_instance_root=[INSTANCE_ROOT]
-pkicreate.arg02.pki_instance_name=[INSTANCE_ID]
-pkicreate.arg03.subsystem_type=[SUBSYSTEM_TYPE]
-pkicreate.arg04.secure_port=[SECURE_PORT]
-pkicreate.arg05.non_clientauth_secure_port=[NON_CLIENTAUTH_SECURE_PORT]
-pkicreate.arg06.unsecure_port=[PORT]
-pkicreate.arg07.user=[USERID]
-pkicreate.arg08.group=[GROUPID]
+pkicreate.pki_instance_root=[INSTANCE_ROOT]
+pkicreate.pki_instance_name=[INSTANCE_ID]
+pkicreate.subsystem_type=[SUBSYSTEM_TYPE]
+pkicreate.secure_port=[SECURE_PORT]
+pkicreate.non_clientauth_secure_port=[NON_CLIENTAUTH_SECURE_PORT]
+pkicreate.unsecure_port=[PORT]
+pkicreate.user=[USERID]
+pkicreate.group=[GROUPID]
request._000=#########################################
request._001=# Request Queue Parameters
request._002=#########################################
@@ -250,6 +250,6 @@ preop.keysize._000=#########################################
preop.keysize._001=# Installation configuration "preop" keysize parameters
preop.keysize._002=#########################################
preop.keysize.customsize=2048
-preop.keysize.select=custom
+preop.keysize.select=default
preop.keysize.size=2048
preop.keysize.ecc.size=256
diff --git a/pki/base/ra/forms/ee/user/renewal.cgi b/pki/base/ra/forms/ee/user/renewal.cgi
index 63a211ef..a4bbc458 100755
--- a/pki/base/ra/forms/ee/user/renewal.cgi
+++ b/pki/base/ra/forms/ee/user/renewal.cgi
@@ -53,7 +53,7 @@ sub process()
$self->debug_params($cfg, $q);
my $host = $cfg->get("service.machineName");
- my $port = $cfg->get("service.securePort");
+ my $port = $cfg->get("service.non_clientauth_securePort");
my %context;
$context{url} = "https://$host:$port/ee/user/renew.cgi";
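Review bot: The renew URL is now built from `service.non_clientauth_securePort`, and if that key is absent from CS.cfg (an instance configured before this change) the result is `https://host:/ee/user/renew.cgi`, a broken link with no diagnostic. A guard before `$context{url}` such as `warn "renewal.cgi: service.non_clientauth_securePort is not set" if $port eq "";` would at least surface the misconfiguration in the error log. Pointing the renewal form at the non-client-auth port also means renew.cgi can no longer identify the user by client certificate; if it authenticates that way, this needs confirming. `process` continues outside the hunk.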
diff --git a/pki/base/ra/forms/index.cgi b/pki/base/ra/forms/index.cgi
index e71e1ec6..0e643166 100755
--- a/pki/base/ra/forms/index.cgi
+++ b/pki/base/ra/forms/index.cgi
@@ -55,6 +55,7 @@ sub process()
$self->debug_params($cfg, $q);
$::symbol{machineName} = $cfg->get("service.machineName");
+ $::symbol{non_clientauth_securePort} = $cfg->get("service.non_clientauth_securePort");
$::symbol{securePort} = $cfg->get("service.securePort");
$::symbol{unsecurePort} = $cfg->get("service.unsecurePort");
diff --git a/pki/base/ra/lib/perl/PKI/RA/AdminPanel.pm b/pki/base/ra/lib/perl/PKI/RA/AdminPanel.pm
index d67a9b2e..e0803291 100755
--- a/pki/base/ra/lib/perl/PKI/RA/AdminPanel.pm
+++ b/pki/base/ra/lib/perl/PKI/RA/AdminPanel.pm
@@ -99,12 +99,12 @@ sub update
my $cainfo = $::config->get("preop.ca.url");
&PKI::RA::Wizard::debug_log("AdminPanel: preop.ca.url=$cainfo");
if ($cainfo eq "" || $cainfo =~ /:$/) {
- $cainfo = $::config->get("config.sdomainURL");
- &PKI::RA::Wizard::debug_log("AdminPanel: config.sdomainURL=$cainfo");
+ $cainfo = $::config->get("config.sdomainEEURL");
+ &PKI::RA::Wizard::debug_log("AdminPanel: config.sdomainEEURL=$cainfo");
}
&PKI::RA::Wizard::debug_log("AdminPanel: Connecting to CA: $cainfo");
my $cainfo_url = new URI::URL($cainfo);
- my $sdom = $::config->get("config.sdomainURL");
+ my $sdom = $::config->get("config.sdomainEEURL");
my $sdom_url = new URI::URL($sdom);
my $machineName = $::config->get("service.machineName");
@@ -132,15 +132,15 @@ sub update
"auth_hostname=" . $sdom_url->host . "&" .
"auth_port=" . $sdom_url->port;
- my $host = $cainfo_url->host;
- my $port = $cainfo_url->port;
+ my $ca_host = $cainfo_url->host;
+ my $https_ee_port = $cainfo_url->port;
my $content = "";
my $tmpfile = "/tmp/admin-$$";
if (($tokenname eq "") || ($tokenname eq "NSS Certificate DB")) {
- system("/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$port > $tmpfile");
+ system("/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_host:$https_ee_port > $tmpfile");
$content = `cat $tmpfile`;
} else {
- system("/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$nickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$port > $tmpfile");
+ system("/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$nickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_host:$https_ee_port > $tmpfile");
$content = `cat $tmpfile`;
}
system("rm $tmpfile");
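Review bot: Both rewritten `system(...)` lines still hand the NSS database or token password to a shell as an interpolated string, so a password (or `$params`) containing a double quote, `$` or backtick breaks the command or changes what runs, and the secret remains visible in the process table. The list form of `open '-|'` avoids the shell entirely and removes the predictable `/tmp/admin-$$` file together with the `cat` and `rm` calls; the command-line password exposure stays unless sslget accepts a password file, which is not visible here. The two branches differ only in which password they pass, so they collapse into one. `update` continues outside the hunk.

```perl
my $passwd = (($tokenname eq "") || ($tokenname eq "NSS Certificate DB"))
           ? $db_password : $token_pwd;
my @sslget = ( '/usr/bin/sslget', '-e', $params, '-d', "$instanceDir/alias",
               '-p', $passwd, '-v', '-n', $nickname,
               '-r', '/ca/ee/ca/profileSubmit', "$ca_host:$https_ee_port" );
open my $sslget_out, '-|', @sslget
    or die "cannot run sslget: $!";
my $content = do { local $/; <$sslget_out> };
close $sslget_out;
# ... unchanged: response parsing ...
```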
@@ -158,8 +158,8 @@ sub update
my $admincert = $response->{Requests}->{Request}->{b64};
&PKI::RA::Wizard::debug_log("AdminPanel: admincert " . $admincert);
- $host = $::config->get("preop.database.host");
- $port = $::config->get("preop.database.port");
+ my $ldap_host = $::config->get("preop.database.host");
+ my $ldap_port = $::config->get("preop.database.port");
my $basedn = $::config->get("preop.database.basedn");
my $binddn = $::config->get("preop.database.binddn");
# my $bindpwd = $::config->get("tokendb.bindPass");
@@ -221,7 +221,7 @@ sub update
# system("sed -e 's/\$TOKENDB_ROOT/$basedn/' " .
# "-e 's/\$TOKENDB_AGENT_CERT/$admincert/' " .
# "/usr/share/$flavor/ra/scripts/addAgents.ldif > $tmp");
-# system("$mozldap_path/ldapmodify -h '$host' -p '$port' -D '$binddn' " .
+# system("$mozldap_path/ldapmodify -h '$ldap_host' -p '$ldap_port' -D '$binddn' " .
# "-w '$bindpwd' -a " .
# "-f '$tmp'");
system("rm $tmp");
diff --git a/pki/base/ra/lib/perl/PKI/RA/CAInfoPanel.pm b/pki/base/ra/lib/perl/PKI/RA/CAInfoPanel.pm
index dbfc42ee..901be9a3 100755
--- a/pki/base/ra/lib/perl/PKI/RA/CAInfoPanel.pm
+++ b/pki/base/ra/lib/perl/PKI/RA/CAInfoPanel.pm
@@ -84,29 +84,29 @@ sub update
my $instanceID = $::config->get("service.instanceID");
my $host = "";
- my $port = "";
+ my $https_ee_port = "";
if ($count =~ /http/) {
my $info = new URI::URL($count);
$host = $info->host;
- $port = $info->port;
+ $https_ee_port = $info->port;
} else {
$host = $::config->get("preop.securitydomain.ca$count.host");
- $port = $::config->get("preop.securitydomain.ca$count.secureport");
+ $https_ee_port = $::config->get("preop.securitydomain.ca$count.secureport");
}
- if (($host eq "") || ($port eq "")) {
+ if (($host eq "") || ($https_ee_port eq "")) {
$::symbol{errorString} = "no CA found. CA, TKS and optionally DRM must be installed prior to RA installation";
return 0;
}
- &PKI::RA::Wizard::debug_log("CAInfoPanel: update - host= $host, port= $port");
+ &PKI::RA::Wizard::debug_log("CAInfoPanel: update - host= $host, https_ee_port= $https_ee_port");
- $::config->put("preop.cainfo.select", "https://$host:$port");
+ $::config->put("preop.cainfo.select", "https://$host:$https_ee_port");
my $serverCertNickName = $::config->get("preop.cert.sslserver.nickname");
my $subsystemCertNickName = $::config->get("preop.cert.subsystem.nickname");
$::config->put("conn.ca1.clientNickname", $subsystemCertNickName);
- $::config->put("conn.ca1.hostport", $host . ":" . $port);
+ $::config->put("conn.ca1.hostport", $host . ":" . $https_ee_port);
$::config->commit();
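Review bot: `$host` and `$https_ee_port` are accepted as long as they are non-empty, yet in the `/http/` branch they come straight from a request parameter parsed by URI::URL, and they are then written to `conn.ca1.hostport` and, further down in `update`, interpolated into a shell command. I would tighten the `if (($host eq "") || ($https_ee_port eq ""))` check to `unless ($host =~ /\A[A-Za-z0-9.-]+\z/ && $https_ee_port =~ /\A\d{1,5}\z/)` so only a plain hostname and numeric port can reach the config file and the sslget invocation. Where `$count` originates is above this hunk, so its exposure is inferred from the URL branch. `update` continues outside the hunk.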
@@ -116,7 +116,7 @@ sub update
my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`;
$db_password =~ s/\n$//g;
my $tmpfile = "/tmp/ca-$$";
- system("/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$serverCertNickName\" -r \"/ca/ee/ca/getCertChain\" $host:$port > $tmpfile");
+ system("/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$serverCertNickName\" -r \"/ca/ee/ca/getCertChain\" $host:$https_ee_port > $tmpfile");
my $cmd = `cat $tmpfile`;
system("rm $tmpfile");
my $caCert;
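Review bot: The CA chain is still written through a shell redirect to the predictable path `/tmp/ca-$$` and read back with `cat`, so a local user who pre-creates or symlinks that name can redirect the write or substitute a chain that the wizard then stores as the trusted CA certificate. Since this line is being rewritten anyway, read sslget's output with backticks directly, as DisplayCertChainPanel does for its getCertChain call, and drop the `cat`/`rm` pair; if a file is genuinely needed, File::Temp gives a safe one. The temp-file name is set on a context line just above. `update` continues outside the hunk.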
@@ -165,10 +165,10 @@ sub display
if ($host eq "") {
goto DONE;
}
- my $port = $::config->get("preop.securitydomain.ca$count.secureport");
+ my $https_ee_port = $::config->get("preop.securitydomain.ca$count.secureport");
my $name = $::config->get("preop.securitydomain.ca$count.subsystemname");
- my $item = $name . " - https://" . $host . ":" . $port;
-# my $item = "https://" . $host . ":" . $port;
+ my $item = $name . " - https://" . $host . ":" . $https_ee_port;
+# my $item = "https://" . $host . ":" . $https_ee_port;
# unshift(@{$::symbol{urls}}, $item);
$::symbol{urls}[$count++] = $item;
if ($first eq 1) {
diff --git a/pki/base/ra/lib/perl/PKI/RA/DRMInfoPanel.pm b/pki/base/ra/lib/perl/PKI/RA/DRMInfoPanel.pm
index 707a45dc..924fe0cb 100755
--- a/pki/base/ra/lib/perl/PKI/RA/DRMInfoPanel.pm
+++ b/pki/base/ra/lib/perl/PKI/RA/DRMInfoPanel.pm
@@ -81,24 +81,24 @@ sub update
my $count = $q->param('urls');
my $instanceID = $::config->get("service.instanceID");
my $host = "";
- my $port = "";
+ my $https_agent_port = "";
if ($count =~ /http/) {
my $info = new URI::URL($count);
$host = $info->host;
- $port = $info->port;
+ $https_agent_port = $info->port;
} else {
$host = $::config->get("preop.securitydomain.kra$count.host");
- $port = $::config->get("preop.securitydomain.kra$count.secureport");
+ $https_agent_port = $::config->get("preop.securitydomain.kra$count.secureagentport");
}
- if (($host eq "") || ($port eq "")) {
+ if (($host eq "") || ($https_agent_port eq "")) {
$::symbol{errorString} = "no DRM found. CA, TKS and DRM must be installed prior to RA installation";
return 0;
}
- $::config->put("preop.krainfo.select", "https://$host:$port");
+ $::config->put("preop.krainfo.select", "https://$host:$https_agent_port");
my $subsystemCertNickName = $::config->get("preop.cert.subsystem.nickname");
$::config->put("conn.drm1.clientNickname", $subsystemCertNickName);
- $::config->put("conn.drm1.hostport", $host . ":" . $port);
+ $::config->put("conn.drm1.hostport", $host . ":" . $https_agent_port);
$::config->put("conn.tks1.serverKeygen", "true");
$::config->put("op.enroll.userKey.keyGen.encryption.serverKeygen.enable", "true");
$::config->put("op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.enable", "true");
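Review bot: `preop.securitydomain.kra$count.secureagentport` is only populated when the domain XML carries a `SecureAgentPort` element, which this same commit introduces, so against a security domain whose CA has not been upgraded the lookup is empty and the user is told "no DRM found" although a DRM is listed. A distinct message would make that diagnosable, e.g. `$::symbol{errorString} = "DRM $count reports no secure agent port; the security domain CA may need upgrading";` when `$host ne ""` but `$https_agent_port eq ""`. `update` continues outside the hunk.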
@@ -127,9 +127,9 @@ sub display
if ($host eq "") {
goto DONE;
}
- my $port = $::config->get("preop.securitydomain.kra$count.secureport");
+ my $https_agent_port = $::config->get("preop.securitydomain.kra$count.secureagentport");
my $name = $::config->get("preop.securitydomain.kra$count.subsystemname");
- $::symbol{urls}[$count++] = $name . " - https://" . $host . ":" . $port;
+ $::symbol{urls}[$count++] = $name . " - https://" . $host . ":" . $https_agent_port;
}
DONE:
$::symbol{urls_size} = $count;
diff --git a/pki/base/ra/lib/perl/PKI/RA/DisplayCertChainPanel.pm b/pki/base/ra/lib/perl/PKI/RA/DisplayCertChainPanel.pm
index c0c89713..54e9b85c 100755
--- a/pki/base/ra/lib/perl/PKI/RA/DisplayCertChainPanel.pm
+++ b/pki/base/ra/lib/perl/PKI/RA/DisplayCertChainPanel.pm
@@ -102,25 +102,25 @@ sub update
$tmp = `rm $instanceDir/conf/caCert.der`;
$tmp = `rm $instanceDir/conf/caCert_pp.txt`;
- # complete the SeucrityDomain task
- my $sdomainURL = $::config->get("config.sdomainURL");
- if ($sdomainURL eq "") {
+ # complete the SecurityDomain task
+ my $sdomainAdminURL = $::config->get("config.sdomainAdminURL");
+ if ($sdomainAdminURL eq "") {
return 2;
}
my $machineName = $::config->get("service.machineName");
- my $securePort = $::config->get("service.securePort");
+ my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort");
my $unsecurePort = $::config->get("service.unsecurePort");
# check if url is accessible
# redirect to the security domain authentication
if ($ENV{'SERVER_PORT'} eq $unsecurePort) {
- $::symbol{redirect} = $sdomainURL . "/ca/ee/ca/securityDomainLogin?url=http%3A%2F%2F" . $machineName . "%3A" . $unsecurePort . "%2Fra%2Fadmin%2Fconsole%2Fconfig%2Fwizard%3Fp%3D3%26subsystem%3DRA";
+ $::symbol{redirect} = $sdomainAdminURL . "/ca/admin/ca/securityDomainLogin?url=http%3A%2F%2F" . $machineName . "%3A" . $unsecurePort . "%2Fra%2Fadmin%2Fconsole%2Fconfig%2Fwizard%3Fp%3D3%26subsystem%3DRA";
} else {
- $::symbol{redirect} = $sdomainURL . "/ca/ee/ca/securityDomainLogin?url=https%3A%2F%2F" . $machineName . "%3A" . $securePort . "%2Fra%2Fadmin%2Fconsole%2Fconfig%2Fwizard%3Fp%3D3%26subsystem%3DRA";
+ $::symbol{redirect} = $sdomainAdminURL . "/ca/admin/ca/securityDomainLogin?url=https%3A%2F%2F" . $machineName . "%3A" . $non_clientauth_securePort . "%2Fra%2Fadmin%2Fconsole%2Fconfig%2Fwizard%3Fp%3D3%26subsystem%3DRA";
}
- get_domain_xml($sdomainURL);
+ get_domain_xml($sdomainAdminURL);
return 3;
@@ -135,27 +135,27 @@ sub display
&PKI::RA::Wizard::debug_log("DisplayCertChainPanel: update connecting to CA and retrieve cert chain");
my $instanceID = $::config->get("service.instanceID");
my $instanceDir = $::config->get("service.instanceDir");
- my $sdomainURL = $::config->get("config.sdomainURL");
- if ($sdomainURL eq "") {
+ my $sdomainAdminURL = $::config->get("config.sdomainAdminURL");
+ if ($sdomainAdminURL eq "") {
return 2;
}
my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`;
$db_password =~ s/\n$//g;
- my $url_info = new URI::URL($sdomainURL);
- my $host = $url_info->host;
- my $port = $url_info->port;
+ my $url_info = new URI::URL($sdomainAdminURL);
+ my $sd_host = $url_info->host;
+ my $sd_admin_port = $url_info->port;
my $nickname = $::config->get("preop.cert.sslserver.nickname");
- my $cmd = `/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/ee/ca/getCertChain\" $host:$port`;
+ my $cmd = `/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/admin/ca/getCertChain\" $sd_host:$sd_admin_port`;
- my $caCert;
+ my $caCert = "";
if ($cmd =~ /\<ChainBase64\>(.*)\<\/ChainBase64\>/) {
$caCert = $1;
&PKI::RA::Wizard::debug_log("DisplayCertChainPanel: ca= $caCert");
}
- my $certpp;
+ my $certpp = "";
if ($caCert ne "") {
open(F, ">$instanceDir/conf/caCert.txt");
print F $caCert;
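Review bot: `$sd_host` and `$sd_admin_port` are interpolated into the backtick command at the getCertChain line, and they derive from `config.sdomainAdminURL`, which SecurityDomainPanel stores verbatim from the `sdomainURL` form parameter; a host component containing shell metacharacters would therefore be executed by the shell, with the NSS password on the same command line. Validate before use, e.g. `return 2 unless $sd_host =~ /\A[A-Za-z0-9.-]+\z/ && $sd_admin_port =~ /\A\d{1,5}\z/;`, or switch to the list form of `open '-|'` so no shell is involved. Whether URI::URL's host parser already rejects such characters I cannot confirm from here. `display` continues outside the hunk.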
@@ -199,13 +199,14 @@ sub display
return 1;
}
+
sub get_domain_xml
{
- my ($sdomainURL) = @_;
+ my ($sdomainAdminURL) = @_;
- my $sdom_info = new URI::URL($sdomainURL);
+ my $sdom_info = new URI::URL($sdomainAdminURL);
# get the domain xml
- # e. g. - https://water.sfbay.redhat.com:9444/ca/ee/ca/getDomainXML
+ # e. g. - https://water.sfbay.redhat.com:9445/ca/admin/ca/getDomainXML
my $nickname = $::config->get("preop.cert.sslserver.nickname");
my $instanceID = $::config->get("service.instanceID");
@@ -213,9 +214,9 @@ sub get_domain_xml
my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`;
$db_password =~ s/\n$//g;
- my $host = $sdom_info->host;
- my $port = $sdom_info->port;
- my $content = `/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/ee/ca/getDomainXML\" $host:$port`;
+ my $sd_host = $sdom_info->host;
+ my $sd_admin_port = $sdom_info->port;
+ my $content = `/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/admin/ca/getDomainXML\" $sd_host:$sd_admin_port`;
$content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/;
$content = $1;
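Review bot: `$content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/; $content = $1;` assigns `$1` unconditionally, so when sslget returns no XMLResponse (connection refused, wrong port, authentication failure) `$content` becomes undef or, worse, the capture left by an earlier successful match in the enclosing dynamic scope, and the parsing that follows operates on that. Test the match instead: `if ($content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/) { $content = $1; } else { &PKI::RA::Wizard::debug_log("get_domain_xml: no XMLResponse from $sd_host:$sd_admin_port"); return; }`. Adding `/s` is worth considering if the response can span lines. `get_domain_xml` continues outside the hunk.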
@@ -241,8 +242,40 @@ sub get_domain_xml
$c->{'SubsystemName'}[0]);
$::config->put("preop.securitydomain.ca" . $count . ".secureport",
$c->{'SecurePort'}[0]);
+ $::config->put("preop.securitydomain.ca" . $count . ".secureagentport",
+ $c->{'SecureAgentPort'}[0]);
+ $::config->put("preop.securitydomain.ca" . $count . ".secureadminport",
+ $c->{'SecureAdminPort'}[0]);
+ $::config->put("preop.securitydomain.ca" . $count . ".unsecureport",
+ $c->{'UnSecurePort'}[0]);
$::config->put("preop.securitydomain.ca" . $count . ".host",
$c->{'Host'}[0]);
+
+ # The user previously specified the CA Security Domain's
+ # SSL Admin URL in the "Security Domain Panel";
+ # now retrieve this specified CA Security Domain's
+ # non-SSL EE, SSL Agent, and SSL EE URLs:
+ if( $sd_admin_port eq $c->{'SecureAdminPort'}[0] ) {
+ # Build the URLs
+ my $http_ee_port = "https://"
+ . $c->{'Host'}[0]
+ . ":"
+ . $c->{'UnSecurePort'}[0];
+ my $https_agent_port = "https://"
+ . $c->{'Host'}[0]
+ . ":"
+ . $c->{'SecureAgentPort'}[0];
+ my $https_ee_port = "https://"
+ . $c->{'Host'}[0]
+ . ":"
+ . $c->{'SecurePort'}[0];
+
+ # Store the URLs
+ $::config->put( "config.sdomainHttpURL", $http_ee_port );
+ $::config->put( "config.sdomainAgentURL", $https_agent_port );
+ $::config->put( "config.sdomainEEURL", $https_ee_port );
+ }
+
$count++;
}
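Review bot: `$http_ee_port` is assembled with the `https://` scheme but the `UnSecurePort` value, so `config.sdomainHttpURL` ends up as an https URL pointing at the plain-HTTP port; that assignment should begin `my $http_ee_port = "http://"`. The match that selects the security-domain CA compares only `$sd_admin_port` with `SecureAdminPort`, so two CAs in the domain using the same admin port number on different hosts would let the last one win; `if ($sd_host eq $c->{'Host'}[0] && $sd_admin_port eq $c->{'SecureAdminPort'}[0])` pins the right entry. The three `*_port` variables also hold URLs rather than ports, so `*_url` would describe them. The loop and `get_domain_xml` continue outside the hunk.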
@@ -254,6 +287,12 @@ sub get_domain_xml
$c->{'SubsystemName'}[0]);
$::config->put("preop.securitydomain.tks" . $count . ".secureport",
$c->{'SecurePort'}[0]);
+ $::config->put("preop.securitydomain.tks" . $count . ".secureagentport",
+ $c->{'SecureAgentPort'}[0]);
+ $::config->put("preop.securitydomain.tks" . $count . ".secureadminport",
+ $c->{'SecureAdminPort'}[0]);
+ $::config->put("preop.securitydomain.tks" . $count . ".unsecureport",
+ $c->{'UnSecurePort'}[0]);
$::config->put("preop.securitydomain.tks" . $count . ".host",
$c->{'Host'}[0]);
$count++;
@@ -267,6 +306,12 @@ sub get_domain_xml
$c->{'SubsystemName'}[0]);
$::config->put("preop.securitydomain.kra" . $count . ".secureport",
$c->{'SecurePort'}[0]);
+ $::config->put("preop.securitydomain.kra" . $count . ".secureagentport",
+ $c->{'SecureAgentPort'}[0]);
+ $::config->put("preop.securitydomain.kra" . $count . ".secureadminport",
+ $c->{'SecureAdminPort'}[0]);
+ $::config->put("preop.securitydomain.kra" . $count . ".unsecureport",
+ $c->{'UnSecurePort'}[0]);
$::config->put("preop.securitydomain.kra" . $count . ".host",
$c->{'Host'}[0]);
$count++;
@@ -279,7 +324,11 @@ sub get_domain_xml
$::config->put("preop.securitydomain.ra" . $count . ".subsystemname",
$c->{'SubsystemName'}[0]);
$::config->put("preop.securitydomain.ra" . $count . ".secureport",
+ $c->{'SecureAgentPort'}[0]);
+ $::config->put("preop.securitydomain.ra" . $count . ".non_clientauth_secure_port",
$c->{'SecurePort'}[0]);
+ $::config->put("preop.securitydomain.ra" . $count . ".unsecureport",
+ $c->{'UnSecurePort'}[0]);
$::config->put("preop.securitydomain.ra" . $count . ".host",
$c->{'Host'}[0]);
$count++;
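Review bot: For the RA entries `secureport` is now filled from `SecureAgentPort`, while for the ca/tks/kra entries in the same function `secureport` holds `SecurePort`, so one key name carries different meanings depending on subsystem; the RA key for the plain `SecurePort` is also spelled `non_clientauth_secure_port` with underscores where its siblings use `secureagentport`/`secureadminport`. SubsystemTypePanel reads `non_clientauth_secure_port`, so a rename touches both sides; at minimum a comment here such as `# RA: the client-auth port is reported as SecureAgentPort, the non-client-auth port as SecurePort` would explain the asymmetry. `get_domain_xml` continues outside the hunk.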
diff --git a/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm b/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm
index 086d51e4..87d8bd8c 100755
--- a/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm
+++ b/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm
@@ -91,13 +91,15 @@ sub register_ra
&PKI::RA::Wizard::debug_log("DonePanel: Connecting to Security Domain");
my $machineName = $::config->get("service.machineName");
+ my $unsecurePort = $::config->get("service.unsecurePort");
my $securePort = $::config->get("service.securePort");
+ my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort");
my $session_id = $::config->get("preop.sessionID");
&PKI::RA::Wizard::debug_log("DonePanel: Security Domain Info " . $url);
- # add service.securityDomainPort to the config file in case pkiremove needs to
- # remove system reference from the security domain
+ # add service.securityDomainPort to the config file in case pkiremove
+ # needs to remove system reference from the security domain
$::config->put("service.securityDomainPort", $securePort);
$::config->commit();
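Review bot: `$unsecurePort` and `$non_clientauth_securePort` are declared here (and again in the two hunks that follow) but never used, while `service.securityDomainPort` keeps storing `$securePort` even though SecurityDomainPanel now records `securitydomain.httpsadminport` for the same pkiremove purpose. Either drop the unused declarations or use them, and if pkiremove now consults the admin port, this write and the comment above it should say which value is authoritative. `register_ra` continues outside the hunk.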
@@ -183,7 +185,9 @@ sub get_kra_transport_cert
my $krainfo_url = new URI::URL($krainfo);
my $machineName = $::config->get("service.machineName");
+ my $unsecurePort = $::config->get("service.unsecurePort");
my $securePort = $::config->get("service.securePort");
+ my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort");
my $session_id = $::config->get("preop.sessionID");
my $nickname = $::config->get("preop.cert.sslserver.nickname");
@@ -234,7 +238,9 @@ sub send_kra_transport_cert
my $tksinfo_url = new URI::URL($tksinfo);
my $machineName = $::config->get("service.machineName");
+ my $unsecurePort = $::config->get("service.unsecurePort");
my $securePort = $::config->get("service.securePort");
+ my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort");
my $session_id = $::config->get("preop.sessionID");
my $nickname = $::config->get("preop.cert.sslserver.nickname");
@@ -296,7 +302,7 @@ sub display
}
# Add this RA's server certificate to the subsystems
- my $sdom = $::config->get("config.sdomainURL");
+ my $sdom = $::config->get("config.sdomainEEURL");
my $cainfo = $::config->get("preop.cainfo.select");
$cainfo =~ s/.* - //g;
&register_ra($sdom, $cainfo, $::config->get("conn.ca1.servlet.addagent"), "CA");
@@ -368,8 +374,9 @@ sub display
&PKI::RA::Wizard::debug_log("DonePanel: Connecting to Security Domain");
my $machineName = $::config->get("service.machineName");
- my $securePort = $::config->get("service.securePort");
my $unsecurePort = $::config->get("service.unsecurePort");
+ my $securePort = $::config->get("service.securePort");
+ my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort");
my $instanceID = $::config->get("service.instanceID");
my $initCommand = "";
@@ -381,8 +388,9 @@ sub display
}
$::symbol{host} = $machineName;
- $::symbol{port} = $securePort;
$::symbol{unsecurePort} = $unsecurePort;
+ $::symbol{port} = $securePort;
+ $::symbol{non_clientauth_port} = $non_clientauth_securePort;
$::symbol{initCommand} = $initCommand;
$::config->deleteSubstore("preop.");
diff --git a/pki/base/ra/lib/perl/PKI/RA/ImportAdminCertPanel.pm b/pki/base/ra/lib/perl/PKI/RA/ImportAdminCertPanel.pm
index 7ee15e59..54159a33 100755
--- a/pki/base/ra/lib/perl/PKI/RA/ImportAdminCertPanel.pm
+++ b/pki/base/ra/lib/perl/PKI/RA/ImportAdminCertPanel.pm
@@ -75,7 +75,7 @@ sub update
&PKI::RA::Wizard::debug_log("ImportAdminCertPanel: update");
# register to Security Domain
- my $sdom = $::config->get("config.sdomainURL");
+ my $sdom = $::config->get("config.sdomainAgentURL");
my $sdom_url = new URI::URL($sdom);
#
@@ -102,6 +102,18 @@ sub update
my $cmd = `/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$subCertNickName\" -r \"/ca/agent/ca/updateDomainXML?$params\" $sdom_url->host:$sdom_url->port`;
+ # Fetch the "updated" security domain and display it
+ &PKI::RA::Wizard::debug_log("ImportAdminCertPanel: Dump contents of updated Security Domain . . .");
+ my $sdomainAdminURL = $::config->get("config.sdomainAdminURL");
+ my $sdom_info = new URI::URL($sdomainAdminURL);
+ my $nickname = $::config->get("preop.cert.sslserver.nickname");
+ my $sd_host = $sdom_info->host;
+ my $sd_admin_port = $sdom_info->port;
+ my $content = `/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/admin/ca/getDomainXML\" $sd_host:$sd_admin_port`;
+ $content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/;
+ $content = $1;
+ &PKI::RA::Wizard::debug_log($content);
+
return 1;
}
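Review bot: The new dump block assigns `$1` to `$content` without testing that the XMLResponse match succeeded, so on any failure it logs undef or whatever an earlier regex captured; wrap it as `if ($content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/) { &PKI::RA::Wizard::debug_log($1); }`. Writing the complete security-domain XML to the debug log on every run is also more than a debugging aid needs and should be gated or removed before release. On the context line just above, `$sdom_url->host:$sdom_url->port` inside the double-quoted backtick string does not invoke the methods — Perl interpolates `$sdom_url` and leaves `->host`/`->port` as literal text — so the updateDomainXML target deserves the same explicit host/port variables this hunk introduces. `update` continues outside the hunk.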
diff --git a/pki/base/ra/lib/perl/PKI/RA/NamePanel.pm b/pki/base/ra/lib/perl/PKI/RA/NamePanel.pm
index 38365418..221f9326 100755
--- a/pki/base/ra/lib/perl/PKI/RA/NamePanel.pm
+++ b/pki/base/ra/lib/perl/PKI/RA/NamePanel.pm
@@ -87,25 +87,25 @@ sub update
&PKI::RA::Wizard::debug_log("NamePanel: update - selected ca= $count");
my $host = "";
- my $port = "";
+ my $https_ee_port = "";
my $useExternalCA = "off";
if ($count =~ /http/) {
my $info = new URI::URL($count);
$host = $info->host;
- $port = $info->port;
+ $https_ee_port = $info->port;
} else {
$host = $::config->get("preop.securitydomain.ca$count.host");
if ($host eq "") {
$useExternalCA = "on";
} else {
- $port = $::config->get("preop.securitydomain.ca$count.secureport");
- &PKI::RA::Wizard::debug_log("NamePanel: update - host= $host, port= $port");
+ $https_ee_port = $::config->get("preop.securitydomain.ca$count.secureport");
+ &PKI::RA::Wizard::debug_log("NamePanel: update - host= $host, https_ee_port= $https_ee_port");
}
}
$::config->put("preop.certenroll.useExternalCA", $useExternalCA);
- $::config->put("preop.ca.url", "https://" . $host . ":" . $port);
+ $::config->put("preop.ca.url", "https://" . $host . ":" . $https_ee_port);
my $tokenname = $::config->get("preop.module.token");
&PKI::RA::Wizard::debug_log("NamePanel: update got token name = $tokenname");
@@ -242,7 +242,7 @@ GEN_CERT:
# see if there is an existing cert
my $cert = $::config->get("preop.cert.$certtag.cert");
- my $sdom = $::config->get("config.sdomainURL");
+ my $sdom = $::config->get("config.sdomainEEURL");
my $sdom_url = new URI::URL($sdom);
if (($useExternalCA eq "on") && ($certtag ne "subsystem")) {
@@ -293,14 +293,14 @@ GEN_CERT:
if ($certtag eq "subsystem") {
$host = $sdom_url->host;
- $port = $sdom_url->port;
+ $https_ee_port = $sdom_url->port;
}
if ($changed eq "true") {
-$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$port";
-$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$port";
+$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$https_ee_port";
+$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$https_ee_port";
} else {
-$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$port";
-$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$port";
+$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$https_ee_port";
+$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$https_ee_port";
}
&PKI::RA::Wizard::debug_log("debug_req = " . $debug_req);
@@ -480,9 +480,9 @@ sub display
if ($host eq "") {
goto DONE;
}
- my $port = $::config->get("preop.securitydomain.ca$count.secureport");
+ my $https_ee_port = $::config->get("preop.securitydomain.ca$count.secureport");
my $name = $::config->get("preop.securitydomain.ca$count.subsystemname");
- my $item = $name . " - https://" . $host . ":" . $port;
+ my $item = $name . " - https://" . $host . ":" . $https_ee_port;
$::symbol{urls}[$count++] = $item;
}
diff --git a/pki/base/ra/lib/perl/PKI/RA/SecurityDomainPanel.pm b/pki/base/ra/lib/perl/PKI/RA/SecurityDomainPanel.pm
index 468a5b1c..ce622f91 100755
--- a/pki/base/ra/lib/perl/PKI/RA/SecurityDomainPanel.pm
+++ b/pki/base/ra/lib/perl/PKI/RA/SecurityDomainPanel.pm
@@ -26,6 +26,7 @@ use strict;
use warnings;
use PKI::RA::GlobalVar;
use PKI::RA::Common;
+use URI::URL;
use XML::Simple;
use Data::Dumper;
@@ -78,7 +79,7 @@ sub display
$::symbol{panelname} = "Security Domain";
$::symbol{sdomainName} = "Security Domain";
my $hostname = $::config->get("service.machineName");
- $::symbol{sdomainURL} = "https://" . $hostname . ":9444";
+ $::symbol{sdomainAdminURL} = "https://" . $hostname . ":9445";
return 1;
}
@@ -90,15 +91,22 @@ sub update
&PKI::RA::Wizard::debug_log("SecurityPanel: update");
my $sdomainURL = $q->param("sdomainURL");
+ my $sdomainURL_info = new URI::URL($sdomainURL);
+
if ($sdomainURL eq "") {
&PKI::RA::Wizard::debug_log("SecurityPanel: sdomainURL not found");
- $::symbol{errorString} = "Security Domain URL not found";
+ $::symbol{errorString} = "Security Domain HTTPS Admin URL not found";
return 0;
}
- # save url in CS.cfg
+ # save urls in CS.cfg
&PKI::RA::Wizard::debug_log("SecurityPanel: sdomainURL=" . $sdomainURL);
- $::config->put("config.sdomainURL", $sdomainURL);
+ $::config->put("config.sdomainAdminURL", $sdomainURL);
+
+ # Add values necessary for 'pkiremove' . . .
+ $::config->put("securitydomain.select", "existing");
+ $::config->put("securitydomain.host", $sdomainURL_info->host);
+ $::config->put("securitydomain.httpsadminport", $sdomainURL_info->port);
$::config->commit();
return 1;
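Review bot: The URL is parsed with `new URI::URL($sdomainURL)` before the empty check, and nothing verifies its scheme, host or port before they are written to `config.sdomainAdminURL` and `securitydomain.host`/`httpsadminport`, from where DisplayCertChainPanel and ImportAdminCertPanel interpolate host and port into shell commands. Parse after the check and reject anything that is not an https URL with a plain hostname and numeric port; note that `->port` returns the scheme default when none is given, which is fine for https but worth reflecting in the error text. `update` continues outside the hunk.

```perl
if ($sdomainURL eq "") {
    &PKI::RA::Wizard::debug_log("SecurityPanel: sdomainURL not found");
    $::symbol{errorString} = "Security Domain HTTPS Admin URL not found";
    return 0;
}
my $sdomainURL_info = URI::URL->new($sdomainURL);
my $sd_host = $sdomainURL_info->host;
my $sd_port = $sdomainURL_info->port;
unless ($sdomainURL_info->scheme eq "https"
        && defined $sd_host && $sd_host =~ /\A[A-Za-z0-9.-]+\z/
        && defined $sd_port && $sd_port =~ /\A\d{1,5}\z/) {
    &PKI::RA::Wizard::debug_log("SecurityPanel: invalid sdomainURL=" . $sdomainURL);
    $::symbol{errorString} = "Security Domain HTTPS Admin URL must be of the form https://host:port";
    return 0;
}
# ... unchanged: save urls in CS.cfg, using $sd_host and $sd_port ...
```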
diff --git a/pki/base/ra/lib/perl/PKI/RA/SizePanel.pm b/pki/base/ra/lib/perl/PKI/RA/SizePanel.pm
index 763b184b..3a1ba77d 100755
--- a/pki/base/ra/lib/perl/PKI/RA/SizePanel.pm
+++ b/pki/base/ra/lib/perl/PKI/RA/SizePanel.pm
@@ -211,11 +211,11 @@ sub display
#for "common key settings"
my $select = $::config->get("preop.keysize.select");
- if ($select ne "") {
+ if (($select eq "") || ($select eq "default")) {
+ $::symbol{select} = "default";
+ } else {
&PKI::RA::Wizard::debug_log("SizePanel: display keysize select= $select");
$::symbol{select} = $select;
- } else {
- $::symbol{select} = "default";
}
my $default_size = $::config->get("preop.keysize.size");
if ($default_size eq "") {
diff --git a/pki/base/ra/lib/perl/PKI/RA/SubsystemTypePanel.pm b/pki/base/ra/lib/perl/PKI/RA/SubsystemTypePanel.pm
index 4f98bee6..4a086942 100755
--- a/pki/base/ra/lib/perl/PKI/RA/SubsystemTypePanel.pm
+++ b/pki/base/ra/lib/perl/PKI/RA/SubsystemTypePanel.pm
@@ -76,7 +76,9 @@ sub update
$::symbol{subsystemName} = "Registration Authority";
$::symbol{fullsystemname} = "Registration Authority";
$::symbol{machineName} = "localhost";
- $::symbol{https_port} = "7889";
+ $::symbol{http_port} = "12888";
+ $::symbol{https_port} = "12889";
+ $::symbol{non_clientauth_https_port} = "12890";
$::symbol{check_clonesubsystem} = " ";
$::symbol{check_newsubsystem} = " ";
$::symbol{disableClone} = 1;
@@ -97,12 +99,15 @@ sub display
$::symbol{fullsystemname} = "Registration Authority ";
my $machineName = $::config->get("service.machineName");
- my $securePort = $::config->get("service.securePort");
my $unsecurePort = $::config->get("service.unsecurePort");
+ my $securePort = $::config->get("service.securePort");
+ my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort");
$::symbol{machineName} = $machineName;
+ $::symbol{http_port} = $unsecurePort;
$::symbol{https_port} = $securePort;
+ $::symbol{non_clientauth_https_port} = $non_clientauth_securePort;
$::symbol{check_clonesubsystem} = "";
$::symbol{check_newsubsystem} = "checked ";
@@ -117,7 +122,7 @@ sub display
if ($host eq "") {
goto DONE;
}
- my $port = $::config->get("preop.securitydomain.ra$count.secureport");
+ my $port = $::config->get("preop.securitydomain.ra$count.non_clientauth_secure_port");
my $name = $::config->get("preop.securitydomain.ra$count.subsystemname");
unshift(@{$::symbol{urls}}, "https://" . $host . ":" . $port);
$count++;
diff --git a/pki/base/ra/lib/perl/PKI/RA/TKSInfoPanel.pm b/pki/base/ra/lib/perl/PKI/RA/TKSInfoPanel.pm
index a219e74c..6a4f6b16 100755
--- a/pki/base/ra/lib/perl/PKI/RA/TKSInfoPanel.pm
+++ b/pki/base/ra/lib/perl/PKI/RA/TKSInfoPanel.pm
@@ -79,28 +79,28 @@ sub update
my $instanceID = $::config->get("service.instanceID");
my $host = "";
- my $port = "";
+ my $https_agent_port = "";
if ($count =~ /http/) {
my $info = new URI::URL($count);
$host = $info->host;
- $port = $info->port;
- if (($host eq "") || ($port eq "")) {
+ $https_agent_port = $info->port;
+ if (($host eq "") || ($https_agent_port eq "")) {
$::symbol{errorString} = "no TKS found. CA, TKS and optionally DRM must be installed prior to RA installation";
return 0;
}
$::config->put("preop.tksinfo.select", $count);
} else {
$host = $::config->get("preop.securitydomain.tks$count.host");
- $port = $::config->get("preop.securitydomain.tks$count.secureport");
- if (($host eq "") || ($port eq "")) {
+ $https_agent_port = $::config->get("preop.securitydomain.tks$count.secureagentport");
+ if (($host eq "") || ($https_agent_port eq "")) {
$::symbol{errorString} = "no TKS found. CA, TKS and optionally DRM must be installed prior to RA installation";
return 0;
}
- $::config->put("preop.tksinfo.select", "https://$host:$port");
+ $::config->put("preop.tksinfo.select", "https://$host:$https_agent_port");
}
my $subsystemCertNickName = $::config->get("preop.cert.subsystem.nickname");
$::config->put("conn.tks1.clientNickname", $subsystemCertNickName);
- $::config->put("conn.tks1.hostport", $host . ":" . $port);
+ $::config->put("conn.tks1.hostport", $host . ":" . $https_agent_port);
$::config->commit();
return 1;
@@ -117,9 +117,9 @@ sub display
if ($host eq "") {
goto DONE;
}
- my $port = $::config->get("preop.securitydomain.tks$count.secureport");
+ my $https_agent_port = $::config->get("preop.securitydomain.tks$count.secureagentport");
my $name = $::config->get("preop.securitydomain.tks$count.subsystemname");
- $::symbol{urls}[$count++] = $name . " - https://" . $host . ":" . $port;
+ $::symbol{urls}[$count++] = $name . " - https://" . $host . ":" . $https_agent_port;
}
DONE:
$::symbol{urls_size} = $count;
diff --git a/pki/base/setup/pkicreate b/pki/base/setup/pkicreate
index fd960985..8f327147 100755
--- a/pki/base/setup/pkicreate
+++ b/pki/base/setup/pkicreate
@@ -337,6 +337,7 @@ my $FORTITUDE_REVOCATOR_MODULES = "FORTITUDE_REVOCATOR_MODULES";
# Template slot constants (CA, KRA, OCSP, TKS)
my $INSTALL_TIME = "INSTALL_TIME";
+my $PKI_AGENT_CLIENTAUTH_SLOT = "PKI_AGENT_CLIENTAUTH";
my $PKI_CERT_DB_PASSWORD_SLOT = "PKI_CERT_DB_PASSWORD";
my $PKI_CFG_PATH_NAME_SLOT = "PKI_CFG_PATH_NAME";
my $PKI_GROUP_SLOT = "PKI_GROUP";
@@ -1036,6 +1037,7 @@ sub parse_arguments()
# (always overwrite this file)
$logfile = "/var/log/$pki_instance_name-install.log";
open_logfile( $logfile );
+ chmod( $default_file_permissions, $logfile );
push( @installed_files, $logfile );
emit( "Capturing installation information in $logfile.\n" );
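Review bot: The new `chmod( $default_file_permissions, $logfile );` runs only after `open_logfile` has already created the file and its return value is ignored, so the log briefly exists with umask-derived permissions and a failed chmod goes unnoticed. This matters because the same script later appends the configuration-wizard URL containing the one-time PIN to this log via `emit( ..., "log" )`. Prefer creating the file with the intended mode (an `umask` set before `open_logfile`, or `sysopen` with `O_CREAT|O_EXCL` and an explicit mode) and check the result: `chmod( $default_file_permissions, $logfile ) or emit( "Cannot set permissions on $logfile: $!\n" );`. The value of `$default_file_permissions` is not visible in this hunk; if it is group- or world-readable the PIN is exposed to other local users. `parse_arguments` extends beyond this hunk.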
@@ -1174,7 +1176,7 @@ sub parse_arguments()
emit( " ee_secure_port $ee_secure_port\n");
} else {
- if(agent_secure_port >= 0) {
+ if($agent_secure_port >= 0) {
emit( "Must include value for ee_secure_port if agent_secure_port is given!\n");
}
}
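Review bot: The corrected test `if($agent_secure_port >= 0)` only emits a message when `ee_secure_port` is missing; nothing in this hunk aborts, sets an error flag or prints usage, so unless that happens outside the hunk the run continues with `$ee_secure_port` unset and later produces a connector with an empty port. If the intent is to fail the install, an explicit exit (or a call to this script's usage routine) right after the `emit` would make that visible, e.g. `exit 255;`. The same pattern appears in the following hunk for `admin_secure_port`. `parse_arguments` is larger than this hunk.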
@@ -1187,7 +1189,7 @@ sub parse_arguments()
emit( " admin_secure_port $admin_secure_port\n");
} else {
- if(agent_secure_port >= 0) {
+ if($agent_secure_port >= 0) {
emit( "Must include value for admin_secure_port if agent_secure_port is given!\n");
}
}
@@ -2312,7 +2314,6 @@ LoadModule nss_module /opt/fortitude/modules.local/mod_rev.so
$slot_hash{$PKI_SECURE_PORT_CONNECTOR_NAME_SLOT} = $PKI_AGENT_SECURE_PORT_NAME;
$slot_hash{$PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME_SLOT} = $PKI_ADMIN_SECURE_PORT_NAME;
$slot_hash{$PKI_EE_SECURE_PORT_CONNECTOR_NAME_SLOT} = $PKI_EE_SECURE_PORT_NAME;
-my $PKI_SECURE_PORT_NAME = "Secure";
# Establish "Port Separation" Connector Ports
$slot_hash{$PKI_SECURE_PORT_SLOT} = $agent_secure_port;
@@ -2326,6 +2327,9 @@ my $PKI_SECURE_PORT_NAME = "Secure";
$slot_hash{$PKI_ADMIN_SECURE_PORT_COMMENT_SERVER_SLOT} = $PKI_ADMIN_SECURE_SEPARATE_PORTS_COMMENT;
$slot_hash{$PKI_EE_SECURE_PORT_COMMENT_SERVER_SLOT} = $PKI_EE_SECURE_SEPARATE_PORTS_COMMENT;
+ # Set appropriate "clientAuth" parameter for "Port Separation"
+ $slot_hash{$PKI_AGENT_CLIENTAUTH_SLOT} = "true";
+
# Do NOT comment out the "Admin/EE" Ports
$slot_hash{$PKI_OPEN_SEPARATE_PORTS_COMMENT_SERVER_SLOT} = "";
$slot_hash{$PKI_CLOSE_SEPARATE_PORTS_COMMENT_SERVER_SLOT} = "";
@@ -2353,6 +2357,9 @@ my $PKI_SECURE_PORT_NAME = "Secure";
$slot_hash{$PKI_ADMIN_SECURE_PORT_COMMENT_SERVER_SLOT} = "";
$slot_hash{$PKI_EE_SECURE_PORT_COMMENT_SERVER_SLOT} = "";
+ # Set appropriate "clientAuth" parameter for "Shared Ports"
+ $slot_hash{$PKI_AGENT_CLIENTAUTH_SLOT} = "agent";
+
# Comment out the "Admin/EE" Ports
$slot_hash{$PKI_OPEN_SEPARATE_PORTS_COMMENT_SERVER_SLOT} = $PKI_OPEN_COMMENT;
$slot_hash{$PKI_CLOSE_SEPARATE_PORTS_COMMENT_SERVER_SLOT} = $PKI_CLOSE_COMMENT;;
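Review bot: `$slot_hash{$PKI_AGENT_CLIENTAUTH_SLOT} = "agent";` feeds a connector `clientAuth` value that is not one of Tomcat's standard `true`/`false`/`want`; it presumably relies on the JSS connector implementation to interpret it, so a comment naming that implementation and the effect would help, e.g. `# "agent" (JSS connector): do not demand a client cert at the TLS layer; agent URLs are gated by AgentRequestFilter in web.xml`. In the shared-port case this means the single connector serving `/admin`, `/ee` and `/agent` cannot enforce client-certificate authentication at the TLS layer, and enforcement rests entirely on the servlet filter mappings in each subsystem's web.xml, so every agent-only servlet must sit under a filtered URL pattern. The enclosing routine is larger than this hunk.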
@@ -3613,44 +3620,61 @@ ASK_AGAIN:
system( "$command" );
+ # Notify user to check firewall settings . . .
print( STDOUT
- "Server can be operated with "
- . "$pki_start_stop_command "
- . "start | stop | restart\n\n" );
- emit( "Server can be operated with "
- . "$pki_start_stop_command "
- . "start | stop | restart\n",
- "log" );
+ "Before proceeding with the configuration, make sure \n"
+ . "the firewall settings of this machine permit proper \n"
+ . "access to this subsystem. \n\n");
# EXCEPTION: To enable a user to easily configure their PKI subsystem,
# this is the ONLY instance in which we print out the actual
# value of the the one-time random PIN, as well as store this
# message at the end of the initialization log.
- if( $ee_secure_port > 0 ) {
- print( STDOUT
- "Please start the configuration by accessing:\n"
- . "https://$host:$ee_secure_port/$subsystem_type/admin/"
- . "console/config/login?pin=$random\n\n" );
- emit( "Configuration Wizard listening on\n"
- . "https://$host:$ee_secure_port/$subsystem_type/admin/"
- . "console/config/login?pin=$random\n",
- "log" );
- } else {
+ if( $subsystem_type eq $CA ||
+ $subsystem_type eq $KRA ||
+ $subsystem_type eq $OCSP ||
+ $subsystem_type eq $TKS ) {
+ if( $admin_secure_port > 0 ) {
+ # Port Separation: CA, KRA, OCSP, TKS
+ print( STDOUT
+ "Please start the configuration by accessing:\n\n"
+ . "https://$host:$admin_secure_port/$subsystem_type/admin/"
+ . "console/config/login?pin=$random\n\n" );
+ emit( "Configuration Wizard listening on\n"
+ . "https://$host:$admin_secure_port/$subsystem_type/admin/"
+ . "console/config/login?pin=$random\n",
+ "log" );
+ } else {
+ # Shared Ports: CA, KRA, OCSP, TKS
+ print( STDOUT
+ "Please start the configuration by accessing:\n\n"
+ . "https://$host:$secure_port/$subsystem_type/admin/"
+ . "console/config/login?pin=$random\n\n" );
+ emit( "Configuration Wizard listening on\n"
+ . "https://$host:$secure_port/$subsystem_type/admin/"
+ . "console/config/login?pin=$random\n",
+ "log" );
+ }
+ } else {
+ # Port Separation: RA, TPS
print( STDOUT
- "Please start the configuration by accessing:\n"
- . "http://$host:$unsecure_port/$subsystem_type/admin/"
- . "console/config/login?pin=$random\n\n" );
+ "Please start the configuration by accessing:\n\n"
+ . "https://$host:$non_clientauth_secure_port/$subsystem_type/"
+ . "admin/console/config/login?pin=$random\n\n" );
emit( "Configuration Wizard listening on\n"
- . "http://$host:$unsecure_port/$subsystem_type/admin/"
- . "console/config/login?pin=$random\n",
+ . "https://$host:$non_clientauth_secure_port/$subsystem_type/"
+ . "admin/console/config/login?pin=$random\n",
"log" );
}
- # Notify user to check firewall settings . . .
print( STDOUT
- "Before proceeding with the configuration, make sure \n"
- . "the firewall settings of this machine permit proper \n"
- . "access to this subsystem. \n");
+ "After configuration, the server can be operated by the command:\n\n"
+ . " $pki_start_stop_command "
+ . "start | stop | restart\n\n" );
+ emit( "After configuration, the server can be operated by the command:\n"
+ . "$pki_start_stop_command "
+ . "start | stop | restart\n",
+ "log" );
# If it exists, close the log file
close_logfile( $logfile );
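Review bot: The RA/TPS branch prints `https://$host:$non_clientauth_secure_port/...` without the `> 0` guard that the CA/KRA/OCSP/TKS branch applies to `$admin_secure_port`, so if `$non_clientauth_secure_port` is unset for those subsystem types the user is shown, and the log records, a URL with an empty port; if `parse_arguments` already guarantees the value for RA/TPS this is fine, otherwise mirror the other branch with `if( $non_clientauth_secure_port > 0 ) { ... }`. The `else` also treats every type that is not CA/KRA/OCSP/TKS as RA/TPS, which is only correct if `$subsystem_type` was validated earlier. Both branches still write the PIN-bearing URL to `$logfile` via `emit( ..., "log" )`, so the log file's permissions are part of the PIN's security boundary. This code sits inside a routine that begins before the hunk.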
diff --git a/pki/base/setup/pkiremove b/pki/base/setup/pkiremove
index e3a828a1..707ba221 100755
--- a/pki/base/setup/pkiremove
+++ b/pki/base/setup/pkiremove
@@ -209,7 +209,10 @@ sub update_domain()
my $conf_file = $pki_instance_path . "/conf/CS.cfg";
my $sport;
my $ncsport;
- my $secport;
+ my $httpport;
+ my $seceeport;
+ my $secagentport;
+ my $secadminport;
my $secselect;
my $typeval;
my $machinename;
@@ -220,18 +223,34 @@ sub update_domain()
foreach my $line (@conf_data) {
chomp($line);
(my $varname, my $valname) = split(/=/, $line);
+
+ if ($varname eq "cs.type") { $typeval = $valname; }
+ if ($varname eq "service.machineName") { $machinename = $valname; }
if ($varname eq "service.securityDomainPort") { $sport = $valname; }
if ($varname eq "service.non_clientauth_securePort") { $ncsport = $valname; }
if ($varname eq "securitydomain.host") { $sechost = $valname; }
- if ($varname eq "securitydomain.httpsport") { $secport = $valname; }
+ if ($varname eq "securitydomain.httpport") { $httpport = $valname; }
+ if ($varname eq "securitydomain.httpseeport") { $seceeport = $valname; }
+ if ($varname eq "securitydomain.httpsagentport") { $secagentport = $valname; }
+ if ($varname eq "securitydomain.httpsadminport") { $secadminport = $valname; }
if ($varname eq "securitydomain.select") { $secselect = $valname; }
- if ($varname eq "cs.type") { $typeval = $valname; }
- if ($varname eq "machineName") { $machinename = $valname; }
- if ($varname =~ /[a-z]*.subsystem.nickname/) { $subsystemnick = $valname; }
+ # CA, KRA, OCSP, TKS
+ if ($varname =~ /[a-z]*.subsystem.nickname/) {
+ $subsystemnick = $valname;
+ }
+ # RA, TPS
+ if ($varname =~ /conn.[a-z]*.clientNickname/) {
+ $subsystemnick = $valname;
+ }
}
close(DAT);
- if ((!defined($sechost)) || (!defined($secport))) {
+ # NOTE: Don't check for the existence of "$httpport", as this will
+ # be undefined for a Security Domain that has been migrated!
+ if ((!defined($sechost)) ||
+ (!defined($seceeport)) ||
+ (!defined($secagentport)) ||
+ (!defined($secadminport))) {
print (STDOUT "No security domain defined.\nIf this is an unconfigured instance, then that is OK.\n" .
"Otherwise, manually delete the entry from the security domain master.\n" );
return;
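Review bot: The new nickname match `if ($varname =~ /conn.[a-z]*.clientNickname/)` only matches keys such as `conn.ca1.clientNickname` because the unescaped `.` happens to swallow the digit; it is also unanchored, and since several `conn.*.clientNickname` keys can exist the last one in the file silently wins. Anchor and escape it: `if ($varname =~ /^conn\.[a-z0-9]+\.clientNickname$/)`, and likewise `/^[a-z]+\.subsystem\.nickname$/` for the CA/KRA/OCSP/TKS case. Separately, `split(/=/, $line)` without a limit truncates any value containing `=`; `split(/=/, $line, 2)` keeps the whole value. The TPS panels in this same commit set every `conn.*.clientNickname` to the same subsystem nickname, so last-wins is probably harmless today but fragile. `update_domain` continues beyond this hunk.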
@@ -241,10 +260,12 @@ sub update_domain()
# This is not a domain master, so we need to update the master
print (STDOUT "Contacting the security domain master to update the security domain\n");
my $listval = $typeval . "List";
- my $urlheader = "https://" . $sechost . ":" . $secport;
+ my $urlheader = "https://" . $sechost . ":" . $seceeport;
+ my $urlagentheader = "https://" . $sechost . ":" . $secagentport;
+ my $urladminheader = "https://" . $sechost . ":" . $secadminport;
my $updateURL = "/ca/agent/ca/updateDomainXML";
- my $loginURL = "/ca/ee/ca/securityDomainLogin";
- my $cookieURL = "/ca/ee/ca/getCookie";
+ my $loginURL = "/ca/admin/ca/securityDomainLogin";
+ my $cookieURL = "/ca/admin/ca/getCookie";
# Login to security domain
use LWP;
@@ -257,8 +278,16 @@ sub update_domain()
my @pw_data=<DAT>;
foreach my $line (@pw_data) {
chomp($line);
- (my $varname, my $valname) = split(/=/, $line);
- if ($varname eq "internal") { $intpw = $valname; }
+ if (($typeval eq "CA") ||
+ ($typeval eq "KRA") ||
+ ($typeval eq "OCSP") ||
+ ($typeval eq "TKS")) {
+ (my $varname, my $valname) = split(/=/, $line);
+ if ($varname eq "internal") { $intpw = $valname; }
+ } else { # TPS, RA
+ (my $varname, my $valname) = split(/:/, $line);
+ if ($varname eq "internal") { $intpw = $valname; }
+ }
}
close($pwfile);
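Review bot: Both `split(/=/, $line)` and `split(/:/, $line)` lack a limit, so an `internal` password that itself contains `=` (CA family) or `:` (RA/TPS) is truncated and the later PKCS#12 export and login fail; use `split(/=/, $line, 2)` and `split(/:/, $line, 2)`. The subsystem-type test is re-evaluated on every line and falls into the RA/TPS branch whenever `$typeval` is undefined (no `cs.type` found), which then silently yields an empty `$intpw`; hoist the choice out of the loop, e.g. `my $sep = (defined $typeval && $typeval =~ /^(CA|KRA|OCSP|TKS)$/) ? '=' : ':';`, and bail out with a message if `$intpw` is still undefined after the loop. `update_domain` extends beyond this hunk.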
@@ -277,7 +306,7 @@ sub update_domain()
#update domainXML
- $url = $urlheader . $updateURL;
+ $url = $urlagentheader . $updateURL;
#$ENV{HTTPS_DEBUG} = 1;
$ENV{HTTPS_PKCS12_FILE} = $tempfile;
$ENV{HTTPS_PKCS12_PASSWORD} = $p12pw;
diff --git a/pki/base/silent/src/ca/ConfigureCA.java b/pki/base/silent/src/ca/ConfigureCA.java
index a85768e9..1dacffef 100644
--- a/pki/base/silent/src/ca/ConfigureCA.java
+++ b/pki/base/silent/src/ca/ConfigureCA.java
@@ -61,8 +61,8 @@ public class ConfigureCA {
public static String domain_uri = "/ca/ee/ca/domain";
public static String ee_uri = "/ca/ee/ca/getBySerial";
public static String pkcs12_uri = "/ca/admin/console/config/savepkcs12";
- public static String sd_login_uri = "/ca/ee/ca/securityDomainLogin";
- public static String sd_get_cookie_uri = "/ca/ee/ca/getCookie";
+ public static String sd_login_uri = "/ca/admin/ca/securityDomainLogin";
+ public static String sd_get_cookie_uri = "/ca/admin/ca/getCookie";
public static String cs_hostname = null;
public static String cs_port = null;
diff --git a/pki/base/silent/src/drm/ConfigureDRM.java b/pki/base/silent/src/drm/ConfigureDRM.java
index 1050cb59..ae0130a6 100644
--- a/pki/base/silent/src/drm/ConfigureDRM.java
+++ b/pki/base/silent/src/drm/ConfigureDRM.java
@@ -58,8 +58,8 @@ public class ConfigureDRM
public static String domain_uri = "/kra/ee/ca/domain";
public static String ee_uri = "/ca/ee/ca/getBySerial";
- public static String sd_login_uri = "/ca/ee/ca/securityDomainLogin";
- public static String sd_get_cookie_uri = "/ca/ee/ca/getCookie";
+ public static String sd_login_uri = "/ca/admin/ca/securityDomainLogin";
+ public static String sd_get_cookie_uri = "/ca/admin/ca/getCookie";
public static String pkcs12_uri = "/kra/admin/console/config/savepkcs12";
public static String cs_hostname = null;
diff --git a/pki/base/silent/src/ocsp/ConfigureOCSP.java b/pki/base/silent/src/ocsp/ConfigureOCSP.java
index 2103229c..f0ab09ab 100644
--- a/pki/base/silent/src/ocsp/ConfigureOCSP.java
+++ b/pki/base/silent/src/ocsp/ConfigureOCSP.java
@@ -57,8 +57,8 @@ public class ConfigureOCSP
public static String wizard_uri = "/ocsp/admin/console/config/wizard";
public static String ee_uri = "/ca/ee/ca/getBySerial";
- public static String sd_login_uri = "/ca/ee/ca/securityDomainLogin";
- public static String sd_get_cookie_uri = "/ca/ee/ca/getCookie";
+ public static String sd_login_uri = "/ca/admin/ca/securityDomainLogin";
+ public static String sd_get_cookie_uri = "/ca/admin/ca/getCookie";
public static String pkcs12_uri = "/ocsp/admin/console/config/savepkcs12";
public static String cs_hostname = null;
diff --git a/pki/base/silent/src/ra/ConfigureRA.java b/pki/base/silent/src/ra/ConfigureRA.java
index 06e4f088..a4a1ba80 100644
--- a/pki/base/silent/src/ra/ConfigureRA.java
+++ b/pki/base/silent/src/ra/ConfigureRA.java
@@ -58,8 +58,8 @@ public class ConfigureRA
public static String domain_uri = "/ra/ee/ca/domain";
public static String ee_uri = "/ca/ee/ca/getBySerial";
- public static String sd_login_uri = "/ca/ee/ca/securityDomainLogin";
- public static String sd_get_cookie_uri = "/ca/ee/ca/getCookie";
+ public static String sd_login_uri = "/ca/admin/ca/securityDomainLogin";
+ public static String sd_get_cookie_uri = "/ca/admin/ca/getCookie";
public static String pkcs12_uri = "/ra/admin/console/config/savepkcs12";
public static String cs_hostname = null;
diff --git a/pki/base/silent/src/subca/ConfigureSubCA.java b/pki/base/silent/src/subca/ConfigureSubCA.java
index 4dc56d69..fa7737a3 100644
--- a/pki/base/silent/src/subca/ConfigureSubCA.java
+++ b/pki/base/silent/src/subca/ConfigureSubCA.java
@@ -57,8 +57,8 @@ public class ConfigureSubCA
public static String wizard_uri = "/ca/admin/console/config/wizard";
public static String domain_uri = "/ca/ee/ca/domain";
public static String ee_uri = "/ca/ee/ca/getBySerial";
- public static String sd_login_uri = "/ca/ee/ca/securityDomainLogin";
- public static String sd_get_cookie_uri = "/ca/ee/ca/getCookie";
+ public static String sd_login_uri = "/ca/admin/ca/securityDomainLogin";
+ public static String sd_get_cookie_uri = "/ca/admin/ca/getCookie";
public static String pkcs12_uri = "/ca/admin/console/config/savepkcs12";
public static String cs_hostname = null;
diff --git a/pki/base/silent/src/tks/ConfigureTKS.java b/pki/base/silent/src/tks/ConfigureTKS.java
index 32df2481..0b6ae2eb 100644
--- a/pki/base/silent/src/tks/ConfigureTKS.java
+++ b/pki/base/silent/src/tks/ConfigureTKS.java
@@ -57,8 +57,8 @@ public class ConfigureTKS
public static String wizard_uri = "/tks/admin/console/config/wizard";
public static String ee_uri = "/ca/ee/ca/getBySerial";
- public static String sd_login_uri = "/ca/ee/ca/securityDomainLogin";
- public static String sd_get_cookie_uri = "/ca/ee/ca/getCookie";
+ public static String sd_login_uri = "/ca/admin/ca/securityDomainLogin";
+ public static String sd_get_cookie_uri = "/ca/admin/ca/getCookie";
public static String pkcs12_uri = "/tks/admin/console/config/savepkcs12";
public static String cs_hostname = null;
diff --git a/pki/base/silent/src/tps/ConfigureTPS.java b/pki/base/silent/src/tps/ConfigureTPS.java
index abfb321d..753caa5f 100644
--- a/pki/base/silent/src/tps/ConfigureTPS.java
+++ b/pki/base/silent/src/tps/ConfigureTPS.java
@@ -58,8 +58,8 @@ public class ConfigureTPS
public static String domain_uri = "/tps/ee/ca/domain";
public static String ee_uri = "/ca/ee/ca/getBySerial";
- public static String sd_login_uri = "/ca/ee/ca/securityDomainLogin";
- public static String sd_get_cookie_uri = "/ca/ee/ca/getCookie";
+ public static String sd_login_uri = "/ca/admin/ca/securityDomainLogin";
+ public static String sd_get_cookie_uri = "/ca/admin/ca/getCookie";
public static String pkcs12_uri = "/tps/admin/console/config/savepkcs12";
public static String cs_hostname = null;
diff --git a/pki/base/tks/shared/conf/CS.cfg b/pki/base/tks/shared/conf/CS.cfg
index 6de39a15..7c1dcec5 100644
--- a/pki/base/tks/shared/conf/CS.cfg
+++ b/pki/base/tks/shared/conf/CS.cfg
@@ -6,24 +6,24 @@
_000=##
_001=## File Created On : Mon Oct 10 15:57:03 PDT 2005
_002=##
-pkicreate.arg01.pki_instance_root=[PKI_INSTANCE_ROOT]
-pkicreate.arg02.pki_instance_name=[PKI_INSTANCE_ID]
-pkicreate.arg03.subsystem_type=[PKI_SUBSYSTEM_TYPE]
-pkicreate.arg04.agent_secure_port=[PKI_AGENT_SECURE_PORT]
-pkicreate.arg05.ee_secure_port=[PKI_EE_SECURE_PORT]
-pkicreate.arg06.admin_secure_port=[PKI_ADMIN_SECURE_PORT]
-pkicreate.arg07.secure_port=[PKI_SECURE_PORT]
-pkicreate.arg08.unsecure_port=[PKI_UNSECURE_PORT]
-pkicreate.arg09.tomcat_server_port=[TOMCAT_SERVER_PORT]
-pkicreate.arg10.user=[PKI_USER]
-pkicreate.arg11.group=[PKI_GROUP]
+pkicreate.pki_instance_root=[PKI_INSTANCE_ROOT]
+pkicreate.pki_instance_name=[PKI_INSTANCE_ID]
+pkicreate.subsystem_type=[PKI_SUBSYSTEM_TYPE]
+pkicreate.agent_secure_port=[PKI_AGENT_SECURE_PORT]
+pkicreate.ee_secure_port=[PKI_EE_SECURE_PORT]
+pkicreate.admin_secure_port=[PKI_ADMIN_SECURE_PORT]
+pkicreate.secure_port=[PKI_SECURE_PORT]
+pkicreate.unsecure_port=[PKI_UNSECURE_PORT]
+pkicreate.tomcat_server_port=[TOMCAT_SERVER_PORT]
+pkicreate.user=[PKI_USER]
+pkicreate.group=[PKI_GROUP]
installDate=[INSTALL_TIME]
cs.type=TKS
admin.interface.uri=tks/admin/console/config/wizard
preop.admin.name=Token Key Service Manager Administrator
preop.admin.group=Token Key Service Manager Agents
preop.admincert.profile=caAdminCert
-preop.securitydomain.url=https://[PKI_MACHINE_NAME]:9444
+preop.securitydomain.admin_url=https://[PKI_MACHINE_NAME]:9445
preop.wizard.name=TKS Setup Wizard
preop.system.name=TKS
preop.product.name=CS
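Review bot: `preop.securitydomain.admin_url=https://[PKI_MACHINE_NAME]:9445` hard-codes the security domain's admin port in the template while every other port in this file is filled from a `[PKI_*]` slot; a CA installed with a non-default admin port, which the new port-separation arguments in pkicreate allow, leaves the TKS wizard pre-populated with a wrong URL. If a slot cannot be supplied because the CA's ports are unknown at template time, a comment recording that intent would help, e.g. `# default CA admin port; the wizard lets the user override this value`.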
@@ -86,7 +86,12 @@ instanceRoot=[PKI_INSTANCE_PATH]
machineName=[PKI_MACHINE_NAME]
instanceId=[PKI_INSTANCE_ID]
preop.pin=[PKI_RANDOM_NUMBER]
-service.securePort=[PKI_SECURE_PORT]
+service.machineName=[PKI_MACHINE_NAME]
+service.instanceDir=[PKI_INSTANCE_ROOT]
+service.securePort=[PKI_AGENT_SECURE_PORT]
+service.non_clientauth_securePort=[PKI_EE_SECURE_PORT]
+service.unsecurePort=[PKI_UNSECURE_PORT]
+service.instanceID=[PKI_INSTANCE_ID]
passwordFile=[PKI_INSTANCE_PATH]/conf/password.conf
passwordClass=com.netscape.cmsutil.password.PlainPasswordFile
multiroles=true
diff --git a/pki/base/tks/shared/conf/schema.ldif b/pki/base/tks/shared/conf/schema.ldif
index 823543dc..d61f83dd 100644
--- a/pki/base/tks/shared/conf/schema.ldif
+++ b/pki/base/tks/shared/conf/schema.ldif
@@ -381,6 +381,21 @@ attributeTypes: ( SecurePort-oid NAME 'SecurePort' SYNTAX 1.3.6.1.4.1.1466.115.
dn: cn=schema
changetype: modify
add: attributeTypes
+attributeTypes: ( SecureAgentPort-oid NAME 'SecureAgentPort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( SecureAdminPort-oid NAME 'SecureAdminPort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
+attributeTypes: ( UnSecurePort-oid NAME 'UnSecurePort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
+
+dn: cn=schema
+changetype: modify
+add: attributeTypes
attributeTypes: ( SubsystemName-oid NAME 'SubsystemName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
dn: cn=schema
@@ -441,7 +456,7 @@ objectClasses: ( pkiSecurityGroup-oid NAME 'pkiSecurityGroup' DESC 'CMS defined
dn: cn=schema
changetype: modify
add: objectClasses
-objectClasses: ( pkiSubsystem-oid NAME 'pkiSubsystem' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone ) MAY ( DomainManager ) X-ORIGIN 'user defined' )
+objectClasses: ( pkiSubsystem-oid NAME 'pkiSubsystem' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone ) MAY ( DomainManager $ SecureAgentPort $ SecureAdminPort $ UnSecurePort ) X-ORIGIN 'user defined' )
dn: cn=schema
changetype: modify
diff --git a/pki/base/tks/shared/conf/server.xml b/pki/base/tks/shared/conf/server.xml
index 7dd9f6cc..58cd6166 100644
--- a/pki/base/tks/shared/conf/server.xml
+++ b/pki/base/tks/shared/conf/server.xml
@@ -98,7 +98,7 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
- clientAuth="true" sslProtocol="SSL"
+ clientAuth="[PKI_AGENT_CLIENTAUTH]" sslProtocol="SSL"
sslOptions="ssl2=true,ssl3=true,tls=true"
ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
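Review bot: With `clientAuth="[PKI_AGENT_CLIENTAUTH]"` this connector can now be generated as the shared listener that also carries EE and admin traffic (pkicreate fills the slot with `agent` in the shared-port case), so the unchanged protocol settings on the same connector deserve a look: `sslOptions="ssl2=true,ssl3=true,tls=true"` still enables SSLv2, and `ssl3Ciphers` keeps `+SSL3_RSA_WITH_DES_CBC_SHA` (56-bit DES). Since the PIN-bearing configuration URL is served over this connector, consider `ssl2=false` and dropping the single-DES suite, or at least a comment recording why they are kept. A comment naming the accepted slot values (`true` for separated ports, `agent` for shared ports) would also save the next maintainer from guessing what a non-standard `clientAuth` value means.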
diff --git a/pki/base/tks/shared/webapps/tks/WEB-INF/web.xml b/pki/base/tks/shared/webapps/tks/WEB-INF/web.xml
index 8e7a99ee..d0ad4489 100644
--- a/pki/base/tks/shared/webapps/tks/WEB-INF/web.xml
+++ b/pki/base/tks/shared/webapps/tks/WEB-INF/web.xml
@@ -295,8 +295,6 @@
<param-value> services </param-value> </init-param>
<init-param><param-name> templatePath </param-name>
<param-value> /services.template </param-value> </init-param>
- <init-param><param-name> interface </param-name>
- <param-value> ee </param-value> </init-param>
</servlet>
<servlet>
@@ -350,16 +348,30 @@
[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT]
<filter-mapping>
<filter-name> PassThroughRequestFilter </filter-name>
+ <url-pattern> /ug </url-pattern>
+ <url-pattern> /log </url-pattern>
+ <url-pattern> /registry </url-pattern>
+ <url-pattern> /jobsScheduler </url-pattern>
+ <url-pattern> /acl </url-pattern>
+ <url-pattern> /server </url-pattern>
+
+ <url-pattern> /services </url-pattern>
+
+ <url-pattern> /start </url-pattern>
+ </filter-mapping>
+
+ <filter-mapping>
+ <filter-name> AgentRequestFilter </filter-name>
<url-pattern> /agent/* </url-pattern>
</filter-mapping>
<filter-mapping>
+ <filter-mapping>
<filter-name> AdminRequestFilter </filter-name>
<url-pattern> /admin/* </url-pattern>
<url-pattern> /auths </url-pattern>
</filter-mapping>
- <filter-mapping>
<filter-name> EERequestFilter </filter-name>
<url-pattern> /ee/* </url-pattern>
</filter-mapping>
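Review bot: The new side opens `<filter-mapping>` twice in a row ahead of `AdminRequestFilter` (the context line plus the added `<filter-mapping>`) and removes the opener that preceded `<filter-name> EERequestFilter </filter-name>`, so after the patch the EE mapping's `filter-name` and `url-pattern` sit inside the outer element that wraps the admin mapping. Tomcat will either reject the deployment descriptor or, if it tolerates it, leave `/ee/*` without `EERequestFilter`, which is the wrong failure mode for an access-control filter. Drop the added `<filter-mapping>` and keep the deleted one; if a blank context line was lost in rendering this reading does not change. Also confirm that the `[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT]` placeholder above does not comment out the new `AgentRequestFilter` mapping in shared-port mode, where the connector itself no longer demands a client certificate.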
diff --git a/pki/base/tps/doc/CS.cfg b/pki/base/tps/doc/CS.cfg
index 2dd000a2..814913b5 100644
--- a/pki/base/tps/doc/CS.cfg
+++ b/pki/base/tps/doc/CS.cfg
@@ -18,14 +18,14 @@
# All rights reserved.
# --- END COPYRIGHT BLOCK ---
#
-pkicreate.arg01.pki_instance_root=[INSTANCE_ROOT]
-pkicreate.arg02.pki_instance_name=[INSTANCE_ID]
-pkicreate.arg03.subsystem_type=[SUBSYSTEM_TYPE]
-pkicreate.arg04.secure_port=[SECURE_PORT]
-pkicreate.arg05.non_clientauth_secure_port=[NON_CLIENTAUTH_SECURE_PORT]
-pkicreate.arg06.unsecure_port=[PORT]
-pkicreate.arg07.user=[USERID]
-pkicreate.arg08.group=[GROUPID]
+pkicreate.pki_instance_root=[INSTANCE_ROOT]
+pkicreate.pki_instance_name=[INSTANCE_ID]
+pkicreate.subsystem_type=[SUBSYSTEM_TYPE]
+pkicreate.secure_port=[SECURE_PORT]
+pkicreate.non_clientauth_secure_port=[NON_CLIENTAUTH_SECURE_PORT]
+pkicreate.unsecure_port=[PORT]
+pkicreate.user=[USERID]
+pkicreate.group=[GROUPID]
cs.type=TPS
service.machineName=[SERVER_NAME]
service.instanceDir=[SERVER_ROOT]
@@ -371,7 +371,7 @@ preop.keysize._000=#########################################
preop.keysize._001=# Installation configuration "preop" keysize parameters
preop.keysize._002=#########################################
preop.keysize.customsize=2048
-preop.keysize.select=custom
+preop.keysize.select=default
preop.keysize.size=2048
preop.keysize.ecc.size=256
op.enroll._000=#########################################
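Review bot: `preop.keysize.select=default` changes the pre-selected key-size option from `custom` to `default` while `preop.keysize.customsize=2048` and `preop.keysize.size=2048` stay as they were; this is unrelated to the two bugs named in the commit message and nothing explains its effect on the key-size panel. Either document it, e.g. `# key-size panel: pre-select the default (2048) option rather than the custom field`, or split it into its own change so the port fix can be reviewed and reverted independently. Whether `select` controls only the pre-selected radio button or also the key size actually used is not visible here.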
diff --git a/pki/base/tps/lib/perl/PKI/TPS/AdminPanel.pm b/pki/base/tps/lib/perl/PKI/TPS/AdminPanel.pm
index 5c03ddac..6607abd1 100755
--- a/pki/base/tps/lib/perl/PKI/TPS/AdminPanel.pm
+++ b/pki/base/tps/lib/perl/PKI/TPS/AdminPanel.pm
@@ -97,12 +97,12 @@ sub update
my $cainfo = $::config->get("preop.ca.url");
&PKI::TPS::Wizard::debug_log("AdminPanel: preop.ca.url=$cainfo");
if ($cainfo eq "" || $cainfo =~ /:$/) {
- $cainfo = $::config->get("config.sdomainURL");
- &PKI::TPS::Wizard::debug_log("AdminPanel: config.sdomainURL=$cainfo");
+ $cainfo = $::config->get("config.sdomainEEURL");
+ &PKI::TPS::Wizard::debug_log("AdminPanel: config.sdomainEEURL=$cainfo");
}
&PKI::TPS::Wizard::debug_log("AdminPanel: Connecting to CA: $cainfo");
my $cainfo_url = new URI::URL($cainfo);
- my $sdom = $::config->get("config.sdomainURL");
+ my $sdom = $::config->get("config.sdomainEEURL");
my $sdom_url = new URI::URL($sdom);
my $machineName = $::config->get("service.machineName");
@@ -130,15 +130,15 @@ sub update
"auth_hostname=" . $sdom_url->host . "&" .
"auth_port=" . $sdom_url->port;
- my $host = $cainfo_url->host;
- my $port = $cainfo_url->port;
+ my $ca_host = $cainfo_url->host;
+ my $https_ee_port = $cainfo_url->port;
my $content = "";
my $tmpfile = "/tmp/admin-$$";
if (($tokenname eq "") || ($tokenname eq "NSS Certificate DB")) {
- system("/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$port > $tmpfile");
+ system("/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_host:$https_ee_port > $tmpfile");
$content = `cat $tmpfile`;
} else {
- system("/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$nickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$port > $tmpfile");
+ system("/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$nickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_host:$https_ee_port > $tmpfile");
$content = `cat $tmpfile`;
}
system("rm $tmpfile");
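Review bot: The rewritten `system("/usr/bin/sslget -e \"$params\" ... -p \"$db_password\" ... $ca_host:$https_ee_port > $tmpfile")` lines still build a shell command by string interpolation and pass the NSS database or token password on the command line, where any local user can read it from the process list; `$ca_host` and `$https_ee_port` come from `preop.ca.url` or `config.sdomainEEURL` and `$params` embeds the `auth_hostname`/`auth_port` values, so a quote or shell metacharacter in any of them breaks out of the command. Since these lines are being touched, switch to a list-form pipe open, e.g. `open my $out, '-|', '/usr/bin/sslget', '-e', $params, '-d', "$instanceDir/alias", '-p', $db_password, '-v', '-n', $nickname, '-r', '/ca/ee/ca/profileSubmit', "$ca_host:$https_ee_port" or die "sslget: $!";` and read `$content` from `$out`, which also removes the predictable `/tmp/admin-$$` file and the `cat`/`rm` round trip. If sslget can read the password from a file, prefer that over `-p`; not verifiable from here. `sub update` continues outside this hunk.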
@@ -156,8 +156,8 @@ sub update
my $admincert = $response->{Requests}->{Request}->{b64};
&PKI::TPS::Wizard::debug_log("AdminPanel: admincert " . $admincert);
- $host = $::config->get("preop.database.host");
- $port = $::config->get("preop.database.port");
+ my $ldap_host = $::config->get("preop.database.host");
+ my $ldap_port = $::config->get("preop.database.port");
my $basedn = $::config->get("preop.database.basedn");
my $binddn = $::config->get("preop.database.binddn");
# my $bindpwd = $::config->get("tokendb.bindPass");
@@ -183,7 +183,7 @@ sub update
"-e 's/\$TOKENDB_AGENT_PWD/$password/' " .
"-e 's/\$TOKENDB_AGENT_CERT/$admincert/' " .
"/usr/share/$flavor/tps/scripts/addAgents.ldif > $tmp");
- system("$mozldap_path/ldapmodify -h '$host' -p '$port' -D '$binddn' " .
+ system("$mozldap_path/ldapmodify -h '$ldap_host' -p '$ldap_port' -D '$binddn' " .
"-w '$bindpwd' -a " .
"-f '$tmp'");
system("rm $tmp");
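Review bot: The rewritten `system("$mozldap_path/ldapmodify -h '$ldap_host' -p '$ldap_port' -D '$binddn' " . "-w '$bindpwd' -a " . "-f '$tmp'")` passes the directory bind password as `-w '$bindpwd'` on the command line, exposing it through the process list, and a `'` in `$binddn` or `$bindpwd` breaks the single-quoting. Use the list form `system("$mozldap_path/ldapmodify", '-h', $ldap_host, '-p', $ldap_port, '-D', $binddn, '-w', $bindpwd, '-a', '-f', $tmp)` to remove the quoting problem, and prefer the tool's password-file option over `-w` if the bundled mozldap build provides one. The generated `$tmp` LDIF also holds the agent password and certificate and is removed with `system("rm $tmp")`; `unlink $tmp or warn "unlink $tmp: $!";` avoids another shell. `sub update` begins and ends outside this hunk.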
diff --git a/pki/base/tps/lib/perl/PKI/TPS/CAInfoPanel.pm b/pki/base/tps/lib/perl/PKI/TPS/CAInfoPanel.pm
index 9056e2ef..eb789dc6 100755
--- a/pki/base/tps/lib/perl/PKI/TPS/CAInfoPanel.pm
+++ b/pki/base/tps/lib/perl/PKI/TPS/CAInfoPanel.pm
@@ -83,29 +83,29 @@ sub update
my $instanceID = $::config->get("service.instanceID");
my $host = "";
- my $port = "";
+ my $https_ee_port = "";
if ($count =~ /http/) {
my $info = new URI::URL($count);
$host = $info->host;
- $port = $info->port;
+ $https_ee_port = $info->port;
} else {
$host = $::config->get("preop.securitydomain.ca$count.host");
- $port = $::config->get("preop.securitydomain.ca$count.secureport");
+ $https_ee_port = $::config->get("preop.securitydomain.ca$count.secureport");
}
- if (($host eq "") || ($port eq "")) {
+ if (($host eq "") || ($https_ee_port eq "")) {
$::symbol{errorString} = "no CA found. CA, TKS and optionally DRM must be installed prior to TPS installation";
return 0;
}
- &PKI::TPS::Wizard::debug_log("CAInfoPanel: update - host= $host, port= $port");
+ &PKI::TPS::Wizard::debug_log("CAInfoPanel: update - host= $host, https_ee_port= $https_ee_port");
- $::config->put("preop.cainfo.select", "https://$host:$port");
+ $::config->put("preop.cainfo.select", "https://$host:$https_ee_port");
my $serverCertNickName = $::config->get("preop.cert.sslserver.nickname");
my $subsystemCertNickName = $::config->get("preop.cert.subsystem.nickname");
$::config->put("conn.ca1.clientNickname", $subsystemCertNickName);
- $::config->put("conn.ca1.hostport", $host . ":" . $port);
+ $::config->put("conn.ca1.hostport", $host . ":" . $https_ee_port);
$::config->commit();
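Review bot: The variable is renamed to `$https_ee_port` but still reads `preop.securitydomain.ca$count.secureport`, whereas TKSInfoPanel and DRMInfoPanel in this same commit moved to `secureagentport` and the TKS template now sets `service.securePort=[PKI_AGENT_SECURE_PORT]`; with `SecurePort` and `SecureAgentPort` now distinct attributes in the domain schema it is unclear whether the CA entry's `secureport` is the EE or the agent port, and `conn.ca1.hostport` is used for both `profileSubmit` and `getCertChain`. If the CA publishes an EE port separately this should read that key; if not, a comment such as `# CA 'secureport' is taken to be the EE (non-clientauth) port — TODO confirm against the domain XML` would at least record the assumption. `sub update` extends beyond this hunk.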
@@ -115,7 +115,7 @@ sub update
my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`;
$db_password =~ s/\n$//g;
my $tmpfile = "/tmp/ca-$$";
- system("/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$serverCertNickName\" -r \"/ca/ee/ca/getCertChain\" $host:$port > $tmpfile");
+ system("/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$serverCertNickName\" -r \"/ca/ee/ca/getCertChain\" $host:$https_ee_port > $tmpfile");
my $cmd = `cat $tmpfile`;
system("rm $tmpfile");
my $caCert;
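Review bot: The rewritten `system("/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$serverCertNickName\" -r \"/ca/ee/ca/getCertChain\" $host:$https_ee_port > $tmpfile")` still exposes the NSS database password on the command line and interpolates `$host`/`$https_ee_port` into a shell string; the same list-form pipe open suggested for AdminPanel applies here, and it removes the predictable `/tmp/ca-$$` file. The `$db_password` itself is obtained by shelling out to `grep "internal:" ... | cut -c10-`, which assumes a fixed prefix length; a Perl read of `password.conf` with an anchored match would be both safer and clearer. Whatever answers at `$host:$https_ee_port` supplies the CA chain that the TPS will store, so the user-facing confirmation step that presumably follows in DisplayCertChainPanel is what stands between this fetch and a wrong trust anchor. `sub update` begins before this hunk.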
@@ -164,10 +164,10 @@ sub display
if ($host eq "") {
goto DONE;
}
- my $port = $::config->get("preop.securitydomain.ca$count.secureport");
+ my $https_ee_port = $::config->get("preop.securitydomain.ca$count.secureport");
my $name = $::config->get("preop.securitydomain.ca$count.subsystemname");
- my $item = $name . " - https://" . $host . ":" . $port;
-# my $item = "https://" . $host . ":" . $port;
+ my $item = $name . " - https://" . $host . ":" . $https_ee_port;
+# my $item = "https://" . $host . ":" . $https_ee_port;
# unshift(@{$::symbol{urls}}, $item);
$::symbol{urls}[$count++] = $item;
if ($first eq 1) {
diff --git a/pki/base/tps/lib/perl/PKI/TPS/DRMInfoPanel.pm b/pki/base/tps/lib/perl/PKI/TPS/DRMInfoPanel.pm
index 2533a12d..61d3fb52 100755
--- a/pki/base/tps/lib/perl/PKI/TPS/DRMInfoPanel.pm
+++ b/pki/base/tps/lib/perl/PKI/TPS/DRMInfoPanel.pm
@@ -80,24 +80,24 @@ sub update
my $count = $q->param('urls');
my $instanceID = $::config->get("service.instanceID");
my $host = "";
- my $port = "";
+ my $https_agent_port = "";
if ($count =~ /http/) {
my $info = new URI::URL($count);
$host = $info->host;
- $port = $info->port;
+ $https_agent_port = $info->port;
} else {
$host = $::config->get("preop.securitydomain.kra$count.host");
- $port = $::config->get("preop.securitydomain.kra$count.secureport");
+ $https_agent_port = $::config->get("preop.securitydomain.kra$count.secureagentport");
}
- if (($host eq "") || ($port eq "")) {
+ if (($host eq "") || ($https_agent_port eq "")) {
$::symbol{errorString} = "no DRM found. CA, TKS and DRM must be installed prior to TPS installation";
return 0;
}
- $::config->put("preop.krainfo.select", "https://$host:$port");
+ $::config->put("preop.krainfo.select", "https://$host:$https_agent_port");
my $subsystemCertNickName = $::config->get("preop.cert.subsystem.nickname");
$::config->put("conn.drm1.clientNickname", $subsystemCertNickName);
- $::config->put("conn.drm1.hostport", $host . ":" . $port);
+ $::config->put("conn.drm1.hostport", $host . ":" . $https_agent_port);
$::config->put("conn.tks1.serverKeygen", "true");
$::config->put("op.enroll.userKey.keyGen.encryption.serverKeygen.enable", "true");
$::config->put("op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.enable", "true");
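Review bot: In the `/http/` branch `$host` and `$https_agent_port` are taken from the wizard-submitted `urls` value and written straight into `conn.drm1.hostport` with no check that they name a KRA listed under `preop.securitydomain.kra*`, so whoever drives the wizard can direct server-side key generation (enabled just below) at any host. Consider accepting a free-form URL only when its host:port matches a domain entry, or at least reporting a distinct error. Also, URI's `port` accessor returns the scheme default when the URL has no explicit port, so `$https_agent_port eq ""` is unlikely to fire for an `https://host` value and the guard may not do what it appears to; confirm against the installed URI::URL. `sub update` begins before this hunk.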
@@ -134,9 +134,9 @@ sub display
if ($host eq "") {
goto DONE;
}
- my $port = $::config->get("preop.securitydomain.kra$count.secureport");
+ my $https_agent_port = $::config->get("preop.securitydomain.kra$count.secureagentport");
my $name = $::config->get("preop.securitydomain.kra$count.subsystemname");
- $::symbol{urls}[$count++] = $name . " - https://" . $host . ":" . $port;
+ $::symbol{urls}[$count++] = $name . " - https://" . $host . ":" . $https_agent_port;
}
DONE:
$::symbol{urls_size} = $count;
diff --git a/pki/base/tps/lib/perl/PKI/TPS/DisplayCertChainPanel.pm b/pki/base/tps/lib/perl/PKI/TPS/DisplayCertChainPanel.pm
index 4b374575..841d9dcc 100755
--- a/pki/base/tps/lib/perl/PKI/TPS/DisplayCertChainPanel.pm
+++ b/pki/base/tps/lib/perl/PKI/TPS/DisplayCertChainPanel.pm
@@ -101,25 +101,25 @@ sub update
$tmp = `rm $instanceDir/conf/caCert.der`;
$tmp = `rm $instanceDir/conf/caCert_pp.txt`;
- # complete the SeucrityDomain task
- my $sdomainURL = $::config->get("config.sdomainURL");
- if ($sdomainURL eq "") {
+ # complete the SecurityDomain task
+ my $sdomainAdminURL = $::config->get("config.sdomainAdminURL");
+ if ($sdomainAdminURL eq "") {
return 2;
}
my $machineName = $::config->get("service.machineName");
- my $securePort = $::config->get("service.securePort");
+ my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort");
my $unsecurePort = $::config->get("service.unsecurePort");
# check if url is accessible
# redirect to the security domain authentication
if ($ENV{'SERVER_PORT'} eq $unsecurePort) {
- $::symbol{redirect} = $sdomainURL . "/ca/ee/ca/securityDomainLogin?url=http%3A%2F%2F" . $machineName . "%3A" . $unsecurePort . "%2Ftps%2Fadmin%2Fconsole%2Fconfig%2Fwizard%3Fp%3D3%26subsystem%3DTPS";
+ $::symbol{redirect} = $sdomainAdminURL . "/ca/admin/ca/securityDomainLogin?url=http%3A%2F%2F" . $machineName . "%3A" . $unsecurePort . "%2Ftps%2Fadmin%2Fconsole%2Fconfig%2Fwizard%3Fp%3D3%26subsystem%3DTPS";
} else {
- $::symbol{redirect} = $sdomainURL . "/ca/ee/ca/securityDomainLogin?url=https%3A%2F%2F" . $machineName . "%3A" . $securePort . "%2Ftps%2Fadmin%2Fconsole%2Fconfig%2Fwizard%3Fp%3D3%26subsystem%3DTPS";
+ $::symbol{redirect} = $sdomainAdminURL . "/ca/admin/ca/securityDomainLogin?url=https%3A%2F%2F" . $machineName . "%3A" . $non_clientauth_securePort . "%2Ftps%2Fadmin%2Fconsole%2Fconfig%2Fwizard%3Fp%3D3%26subsystem%3DTPS";
}
- get_domain_xml($sdomainURL);
+ get_domain_xml($sdomainAdminURL);
return 3;
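Review bot: The browser redirect built on the new lines (`$::symbol{redirect} = $sdomainAdminURL . "/ca/admin/ca/securityDomainLogin?url=..."`) is derived from `config.sdomainAdminURL`, which this hunk only checks for emptiness, so any non-URL or non-HTTPS value that reached the config becomes the redirect target. A cheap guard before the redirect branch would be `return 2 unless $sdomainAdminURL =~ m{\A https:// [^/\s]+ \z}x;` (adjust if a trailing path is legitimate), so that only an HTTPS host:port is ever forwarded to. The `update` sub begins outside this hunk, so the origin of `$instanceDir` and the early checks are not visible here.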
@@ -134,27 +134,27 @@ sub display
&PKI::TPS::Wizard::debug_log("DisplayCertChainPanel: update connecting to CA and retrieve cert chain");
my $instanceID = $::config->get("service.instanceID");
my $instanceDir = $::config->get("service.instanceDir");
- my $sdomainURL = $::config->get("config.sdomainURL");
- if ($sdomainURL eq "") {
+ my $sdomainAdminURL = $::config->get("config.sdomainAdminURL");
+ if ($sdomainAdminURL eq "") {
return 2;
}
my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`;
$db_password =~ s/\n$//g;
- my $url_info = new URI::URL($sdomainURL);
- my $host = $url_info->host;
- my $port = $url_info->port;
+ my $url_info = new URI::URL($sdomainAdminURL);
+ my $sd_host = $url_info->host;
+ my $sd_admin_port = $url_info->port;
my $nickname = $::config->get("preop.cert.sslserver.nickname");
- my $cmd = `/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/ee/ca/getCertChain\" $host:$port`;
+ my $cmd = `/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/admin/ca/getCertChain\" $sd_host:$sd_admin_port`;
- my $caCert;
+ my $caCert = "";
if ($cmd =~ /\<ChainBase64\>(.*)\<\/ChainBase64\>/) {
$caCert = $1;
&PKI::TPS::Wizard::debug_log("DisplayCertChainPanel: ca= $caCert");
}
- my $certpp;
+ my $certpp = "";
if ($caCert ne "") {
open(F, ">$instanceDir/conf/caCert.txt");
print F $caCert;
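Review bot: The rewritten `sslget` invocation still interpolates `$sd_host` and `$sd_admin_port` — parsed from the admin-entered security-domain URL — plus `$db_password` into a backtick shell command, so a host or port containing shell metacharacters is executed by `/bin/sh`. Use the list form so no shell is involved, e.g. `open my $sslget, '-|', '/usr/bin/sslget', '-d', "$instanceDir/alias", '-p', $db_password, '-v', '-n', $nickname, '-r', '/ca/admin/ca/getCertChain', "$sd_host:$sd_admin_port" or return 2;` followed by `my $cmd = do { local $/; <$sslget> };`. The same pattern is on the new side at L3663 in `get_domain_xml`, at L3824 in ImportAdminCertPanel.pm, and in the `$req` strings at L3878 and L3883 of NamePanel.pm. Passing the database password on the command line also exposes it in the process list; if sslget offers another way to supply it, that would be preferable. The enclosing `display` sub starts outside this hunk.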
@@ -198,13 +198,14 @@ sub display
return 1;
}
+
sub get_domain_xml
{
- my ($sdomainURL) = @_;
+ my ($sdomainAdminURL) = @_;
- my $sdom_info = new URI::URL($sdomainURL);
+ my $sdom_info = new URI::URL($sdomainAdminURL);
# get the domain xml
- # e. g. - https://water.sfbay.redhat.com:9444/ca/ee/ca/getDomainXML
+ # e. g. - https://water.sfbay.redhat.com:9445/ca/admin/ca/getDomainXML
my $nickname = $::config->get("preop.cert.sslserver.nickname");
my $instanceID = $::config->get("service.instanceID");
@@ -212,9 +213,9 @@ sub get_domain_xml
my $db_password = `grep \"internal:\" \"$instanceDir/conf/password.conf\" | cut -c10-`;
$db_password =~ s/\n$//g;
- my $host = $sdom_info->host;
- my $port = $sdom_info->port;
- my $content = `/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/ee/ca/getDomainXML\" $host:$port`;
+ my $sd_host = $sdom_info->host;
+ my $sd_admin_port = $sdom_info->port;
+ my $content = `/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/admin/ca/getDomainXML\" $sd_host:$sd_admin_port`;
$content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/;
$content = $1;
@@ -240,8 +241,40 @@ sub get_domain_xml
$c->{'SubsystemName'}[0]);
$::config->put("preop.securitydomain.ca" . $count . ".secureport",
$c->{'SecurePort'}[0]);
+ $::config->put("preop.securitydomain.ca" . $count . ".secureagentport",
+ $c->{'SecureAgentPort'}[0]);
+ $::config->put("preop.securitydomain.ca" . $count . ".secureadminport",
+ $c->{'SecureAdminPort'}[0]);
+ $::config->put("preop.securitydomain.ca" . $count . ".unsecureport",
+ $c->{'UnSecurePort'}[0]);
$::config->put("preop.securitydomain.ca" . $count . ".host",
$c->{'Host'}[0]);
+
+ # The user previously specified the CA Security Domain's
+ # SSL Admin URL in the "Security Domain Panel";
+ # now retrieve this specified CA Security Domain's
+ # non-SSL EE, SSL Agent, and SSL EE URLs:
+ if( $sd_admin_port eq $c->{'SecureAdminPort'}[0] ) {
+ # Build the URLs
+ my $http_ee_port = "https://"
+ . $c->{'Host'}[0]
+ . ":"
+ . $c->{'UnSecurePort'}[0];
+ my $https_agent_port = "https://"
+ . $c->{'Host'}[0]
+ . ":"
+ . $c->{'SecureAgentPort'}[0];
+ my $https_ee_port = "https://"
+ . $c->{'Host'}[0]
+ . ":"
+ . $c->{'SecurePort'}[0];
+
+ # Store the URLs
+ $::config->put( "config.sdomainHttpURL", $http_ee_port );
+ $::config->put( "config.sdomainAgentURL", $https_agent_port );
+ $::config->put( "config.sdomainEEURL", $https_ee_port );
+ }
+
$count++;
}
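Review bot: The value stored under `config.sdomainHttpURL` is built with the `"https://"` scheme but the `UnSecurePort`, although the comment above it describes it as the non-SSL EE URL; the line should read `my $http_ee_url = "http://" . $c->{'Host'}[0] . ":" . $c->{'UnSecurePort'}[0];`. The three locals named `*_port` hold full URLs, so renaming them `$http_ee_url`, `$https_agent_url`, `$https_ee_url` would match what they contain. The selection condition compares only the port (`$sd_admin_port eq $c->{'SecureAdminPort'}[0]`), so if two CAs in the domain share an admin port number the later entry silently overwrites the URLs of the one the user chose; comparing the host as well, `if ( $sd_host eq $c->{'Host'}[0] && $sd_admin_port eq $c->{'SecureAdminPort'}[0] )`, pins the match to the intended CA since `$sd_host` is already in scope in this sub.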
@@ -253,6 +286,12 @@ sub get_domain_xml
$c->{'SubsystemName'}[0]);
$::config->put("preop.securitydomain.tks" . $count . ".secureport",
$c->{'SecurePort'}[0]);
+ $::config->put("preop.securitydomain.tks" . $count . ".secureagentport",
+ $c->{'SecureAgentPort'}[0]);
+ $::config->put("preop.securitydomain.tks" . $count . ".secureadminport",
+ $c->{'SecureAdminPort'}[0]);
+ $::config->put("preop.securitydomain.tks" . $count . ".unsecureport",
+ $c->{'UnSecurePort'}[0]);
$::config->put("preop.securitydomain.tks" . $count . ".host",
$c->{'Host'}[0]);
$count++;
@@ -266,6 +305,12 @@ sub get_domain_xml
$c->{'SubsystemName'}[0]);
$::config->put("preop.securitydomain.kra" . $count . ".secureport",
$c->{'SecurePort'}[0]);
+ $::config->put("preop.securitydomain.kra" . $count . ".secureagentport",
+ $c->{'SecureAgentPort'}[0]);
+ $::config->put("preop.securitydomain.kra" . $count . ".secureadminport",
+ $c->{'SecureAdminPort'}[0]);
+ $::config->put("preop.securitydomain.kra" . $count . ".unsecureport",
+ $c->{'UnSecurePort'}[0]);
$::config->put("preop.securitydomain.kra" . $count . ".host",
$c->{'Host'}[0]);
$count++;
@@ -278,7 +323,11 @@ sub get_domain_xml
$::config->put("preop.securitydomain.tps" . $count . ".subsystemname",
$c->{'SubsystemName'}[0]);
$::config->put("preop.securitydomain.tps" . $count . ".secureport",
+ $c->{'SecureAgentPort'}[0]);
+ $::config->put("preop.securitydomain.tps" . $count . ".non_clientauth_secure_port",
$c->{'SecurePort'}[0]);
+ $::config->put("preop.securitydomain.tps" . $count . ".unsecureport",
+ $c->{'UnSecurePort'}[0]);
$::config->put("preop.securitydomain.tps" . $count . ".host",
$c->{'Host'}[0]);
$count++;
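Review bot: For TPS entries `preop.securitydomain.tps<N>.secureport` now receives `SecureAgentPort`, whereas the same `.secureport` key for ca/tks/kra entries (L3668, L3708, L3721) holds `SecurePort`, and the new key `.non_clientauth_secure_port` uses underscores while its siblings are `secureagentport`/`secureadminport`. A reader of CS.cfg cannot tell this from the key names, so a comment above the first `put` such as `# TPS only: ".secureport" holds SecureAgentPort (client-auth listener); the non-client-auth SSL port is stored under ".non_clientauth_secure_port"` would help, and aligning the key spelling with the other subsystems (the reader at L3990 in SubsystemTypePanel.pm would need the same change) would remove the inconsistency.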
diff --git a/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm b/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm
index 5315c40c..641ecf21 100755
--- a/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm
+++ b/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm
@@ -90,13 +90,15 @@ sub register_tps
&PKI::TPS::Wizard::debug_log("DonePanel: Connecting to Security Domain");
my $machineName = $::config->get("service.machineName");
+ my $unsecurePort = $::config->get("service.unsecurePort");
my $securePort = $::config->get("service.securePort");
+ my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort");
my $session_id = $::config->get("preop.sessionID");
&PKI::TPS::Wizard::debug_log("DonePanel: Security Domain Info " . $url);
- # add service.securityDomainPort to the config file in case pkiremove needs to
- # remove system reference from the security domain
+ # add service.securityDomainPort to the config file in case pkiremove
+ # needs to remove system reference from the security domain
$::config->put("service.securityDomainPort", $securePort);
$::config->commit();
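Review bot: The added locals `$unsecurePort` and `$non_clientauth_securePort` are not read anywhere in the visible part of `register_tps`; the same two unused declarations are added at L3765/L3767 in `get_kra_transport_cert` and L3773/L3775 in `send_kra_transport_cert`. Perl emits no warning for an unused lexical, so these will linger silently; either drop them or use them where the ports are actually needed. The three subs continue past their hunks, so a later use is possible but not visible here.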
@@ -182,7 +184,9 @@ sub get_kra_transport_cert
my $krainfo_url = new URI::URL($krainfo);
my $machineName = $::config->get("service.machineName");
+ my $unsecurePort = $::config->get("service.unsecurePort");
my $securePort = $::config->get("service.securePort");
+ my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort");
my $session_id = $::config->get("preop.sessionID");
my $nickname = $::config->get("preop.cert.sslserver.nickname");
@@ -233,7 +237,9 @@ sub send_kra_transport_cert
my $tksinfo_url = new URI::URL($tksinfo);
my $machineName = $::config->get("service.machineName");
+ my $unsecurePort = $::config->get("service.unsecurePort");
my $securePort = $::config->get("service.securePort");
+ my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort");
my $session_id = $::config->get("preop.sessionID");
my $nickname = $::config->get("preop.cert.sslserver.nickname");
@@ -295,7 +301,7 @@ sub display
}
# Add this TPS's server certificate to the subsystems
- my $sdom = $::config->get("config.sdomainURL");
+ my $sdom = $::config->get("config.sdomainEEURL");
my $cainfo = $::config->get("preop.cainfo.select");
$cainfo =~ s/.* - //g;
&register_tps($sdom, $cainfo, "/ca/admin/ca/registerUser", "CA");
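Review bot: `config.sdomainEEURL` is written by `get_domain_xml` only inside the branch where a CA entry's `SecureAdminPort` matched the entered admin URL (L3683–L3702 of DisplayCertChainPanel.pm), so when no entry matches, `$sdom` here is empty and is still passed to `register_tps`. A check such as `if ($sdom eq "") { $::symbol{errorString} = "Security Domain EE URL not found"; return 0; }` (with whatever return code this panel uses for failure) before the call would surface the misconfiguration instead of attempting a connection to `https://:`. The same unguarded reads appear at L3812 (`config.sdomainAgentURL`, ImportAdminCertPanel.pm) and L3866 (`config.sdomainEEURL`, NamePanel.pm).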
@@ -381,8 +387,9 @@ sub display
&PKI::TPS::Wizard::debug_log("DonePanel: Connecting to Security Domain");
my $machineName = $::config->get("service.machineName");
- my $securePort = $::config->get("service.securePort");
my $unsecurePort = $::config->get("service.unsecurePort");
+ my $securePort = $::config->get("service.securePort");
+ my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort");
my $instanceID = $::config->get("service.instanceID");
my $initCommand = "";
@@ -394,8 +401,9 @@ sub display
}
$::symbol{host} = $machineName;
- $::symbol{port} = $securePort;
$::symbol{unsecurePort} = $unsecurePort;
+ $::symbol{port} = $securePort;
+ $::symbol{non_clientauth_port} = $non_clientauth_securePort;
$::symbol{initCommand} = $initCommand;
$::config->deleteSubstore("preop.");
diff --git a/pki/base/tps/lib/perl/PKI/TPS/ImportAdminCertPanel.pm b/pki/base/tps/lib/perl/PKI/TPS/ImportAdminCertPanel.pm
index e14020d6..1112319c 100755
--- a/pki/base/tps/lib/perl/PKI/TPS/ImportAdminCertPanel.pm
+++ b/pki/base/tps/lib/perl/PKI/TPS/ImportAdminCertPanel.pm
@@ -74,7 +74,7 @@ sub update
&PKI::TPS::Wizard::debug_log("ImportAdminCertPanel: update");
# register to Security Domain
- my $sdom = $::config->get("config.sdomainURL");
+ my $sdom = $::config->get("config.sdomainAgentURL");
my $sdom_url = new URI::URL($sdom);
#
@@ -101,6 +101,18 @@ sub update
my $cmd = `/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$subCertNickName\" -r \"/ca/agent/ca/updateDomainXML?$params\" $sdom_url->host:$sdom_url->port`;
+ # Fetch the "updated" security domain and display it
+ &PKI::TPS::Wizard::debug_log("ImportAdminCertPanel: Dump contents of updated Security Domain . . .");
+ my $sdomainAdminURL = $::config->get("config.sdomainAdminURL");
+ my $sdom_info = new URI::URL($sdomainAdminURL);
+ my $nickname = $::config->get("preop.cert.sslserver.nickname");
+ my $sd_host = $sdom_info->host;
+ my $sd_admin_port = $sdom_info->port;
+ my $content = `/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$nickname\" -r \"/ca/admin/ca/getDomainXML\" $sd_host:$sd_admin_port`;
+ $content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/;
+ $content = $1;
+ &PKI::TPS::Wizard::debug_log($content);
+
return 1;
}
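Review bot: The new debug dump applies the `XMLResponse` regex without testing its result, then assigns `$1`; if `sslget` returned nothing usable, `$1` is either undef or left over from an earlier successful match in the same scope, so the log shows stale or empty data. Prefer `if ($content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/) { &PKI::TPS::Wizard::debug_log($1); } else { &PKI::TPS::Wizard::debug_log("ImportAdminCertPanel: no XMLResponse in security domain reply"); }`. On the retained line L3816, `$sdom_url->host:$sdom_url->port` sits inside a backtick string, and Perl does not call methods during interpolation — this appears to pass the stringified object followed by the literal text `->host`, so extracting `$sdom_url->host` and `$sdom_url->port` into scalars first, as the new lines below already do, would be the fix. The enclosing `update` sub begins outside this hunk.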
diff --git a/pki/base/tps/lib/perl/PKI/TPS/NamePanel.pm b/pki/base/tps/lib/perl/PKI/TPS/NamePanel.pm
index 8baaafad..9d8335a2 100755
--- a/pki/base/tps/lib/perl/PKI/TPS/NamePanel.pm
+++ b/pki/base/tps/lib/perl/PKI/TPS/NamePanel.pm
@@ -86,25 +86,25 @@ sub update
&PKI::TPS::Wizard::debug_log("NamePanel: update - selected ca= $count");
my $host = "";
- my $port = "";
+ my $https_ee_port = "";
my $useExternalCA = "off";
if ($count =~ /http/) {
my $info = new URI::URL($count);
$host = $info->host;
- $port = $info->port;
+ $https_ee_port = $info->port;
} else {
$host = $::config->get("preop.securitydomain.ca$count.host");
if ($host eq "") {
$useExternalCA = "on";
} else {
- $port = $::config->get("preop.securitydomain.ca$count.secureport");
- &PKI::TPS::Wizard::debug_log("NamePanel: update - host= $host, port= $port");
+ $https_ee_port = $::config->get("preop.securitydomain.ca$count.secureport");
+ &PKI::TPS::Wizard::debug_log("NamePanel: update - host= $host, https_ee_port= $https_ee_port");
}
}
$::config->put("preop.certenroll.useExternalCA", $useExternalCA);
- $::config->put("preop.ca.url", "https://" . $host . ":" . $port);
+ $::config->put("preop.ca.url", "https://" . $host . ":" . $https_ee_port);
my $tokenname = $::config->get("preop.module.token");
&PKI::TPS::Wizard::debug_log("NamePanel: update got token name = $tokenname");
@@ -240,7 +240,7 @@ GEN_CERT:
# see if there is an existing cert
my $cert = $::config->get("preop.cert.$certtag.cert");
- my $sdom = $::config->get("config.sdomainURL");
+ my $sdom = $::config->get("config.sdomainEEURL");
my $sdom_url = new URI::URL($sdom);
if (($useExternalCA eq "on") && ($certtag ne "subsystem")) {
@@ -291,14 +291,14 @@ GEN_CERT:
if ($certtag eq "subsystem") {
$host = $sdom_url->host;
- $port = $sdom_url->port;
+ $https_ee_port = $sdom_url->port;
}
if ($changed eq "true") {
-$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$port";
-$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$port";
+$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$https_ee_port";
+$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$https_ee_port";
} else {
-$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$port";
-$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$port";
+$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$https_ee_port";
+$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$https_ee_port";
}
&PKI::TPS::Wizard::debug_log("debug_req = " . $debug_req);
@@ -479,9 +479,9 @@ sub display
if ($host eq "") {
goto DONE;
}
- my $port = $::config->get("preop.securitydomain.ca$count.secureport");
+ my $https_ee_port = $::config->get("preop.securitydomain.ca$count.secureport");
my $name = $::config->get("preop.securitydomain.ca$count.subsystemname");
- my $item = $name . " - https://" . $host . ":" . $port;
+ my $item = $name . " - https://" . $host . ":" . $https_ee_port;
$::symbol{urls}[$count++] = $item;
}
diff --git a/pki/base/tps/lib/perl/PKI/TPS/SecurityDomainPanel.pm b/pki/base/tps/lib/perl/PKI/TPS/SecurityDomainPanel.pm
index 1027a5c3..700fc487 100755
--- a/pki/base/tps/lib/perl/PKI/TPS/SecurityDomainPanel.pm
+++ b/pki/base/tps/lib/perl/PKI/TPS/SecurityDomainPanel.pm
@@ -25,6 +25,7 @@ use strict;
use warnings;
use PKI::TPS::GlobalVar;
use PKI::TPS::Common;
+use URI::URL;
use XML::Simple;
use Data::Dumper;
@@ -77,7 +78,7 @@ sub display
$::symbol{panelname} = "Security Domain";
$::symbol{sdomainName} = "Security Domain";
my $hostname = $::config->get("service.machineName");
- $::symbol{sdomainURL} = "https://" . $hostname . ":9444";
+ $::symbol{sdomainAdminURL} = "https://" . $hostname . ":9445";
return 1;
}
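Review bot: The template symbol is renamed from `sdomainURL` to `sdomainAdminURL` here, but `update` in the next hunk still reads the form field as `$q->param("sdomainURL")` (L3919). If the wizard template's input name was renamed along with the symbol, that lookup returns empty and every submission fails with "Security Domain HTTPS Admin URL not found"; please confirm the field name in the template matches whichever of the two names is intended. The change of the default port from 9444 to 9445 would also merit a short comment, e.g. `# default is the CA's HTTPS admin port, not its EE port`.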
@@ -89,15 +90,22 @@ sub update
&PKI::TPS::Wizard::debug_log("SecurityPanel: update");
my $sdomainURL = $q->param("sdomainURL");
+ my $sdomainURL_info = new URI::URL($sdomainURL);
+
if ($sdomainURL eq "") {
&PKI::TPS::Wizard::debug_log("SecurityPanel: sdomainURL not found");
- $::symbol{errorString} = "Security Domain URL not found";
+ $::symbol{errorString} = "Security Domain HTTPS Admin URL not found";
return 0;
}
- # save url in CS.cfg
+ # save urls in CS.cfg
&PKI::TPS::Wizard::debug_log("SecurityPanel: sdomainURL=" . $sdomainURL);
- $::config->put("config.sdomainURL", $sdomainURL);
+ $::config->put("config.sdomainAdminURL", $sdomainURL);
+
+ # Add values necessary for 'pkiremove' . . .
+ $::config->put("securitydomain.select", "existing");
+ $::config->put("securitydomain.host", $sdomainURL_info->host);
+ $::config->put("securitydomain.httpsadminport", $sdomainURL_info->port);
$::config->commit();
return 1;
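Review bot: `new URI::URL($sdomainURL)` is constructed before the emptiness check, and the user-supplied value is stored into `config.sdomainAdminURL`, `securitydomain.host` and `securitydomain.httpsadminport` without any validation of scheme, host or port, even though other panels later use it to build redirects and `sslget` command lines. Move the constructor below the `eq ""` check and reject anything that is not an HTTPS host:port, e.g. `if ($sdomainURL !~ m{\A https:// [A-Za-z0-9.\-]+ : \d+ /? \z}x) { $::symbol{errorString} = "Security Domain HTTPS Admin URL not found"; return 0; }`. Only after that should `URI::URL` be used to split out host and port.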
diff --git a/pki/base/tps/lib/perl/PKI/TPS/SizePanel.pm b/pki/base/tps/lib/perl/PKI/TPS/SizePanel.pm
index eb1fc6c3..3f8151fe 100755
--- a/pki/base/tps/lib/perl/PKI/TPS/SizePanel.pm
+++ b/pki/base/tps/lib/perl/PKI/TPS/SizePanel.pm
@@ -210,11 +210,11 @@ sub display
#for "common key settings"
my $select = $::config->get("preop.keysize.select");
- if ($select ne "") {
+ if (($select eq "") || ($select eq "default")) {
+ $::symbol{select} = "default";
+ } else {
&PKI::TPS::Wizard::debug_log("SizePanel: display keysize select= $select");
$::symbol{select} = $select;
- } else {
- $::symbol{select} = "default";
}
my $default_size = $::config->get("preop.keysize.size");
if ($default_size eq "") {
diff --git a/pki/base/tps/lib/perl/PKI/TPS/SubsystemTypePanel.pm b/pki/base/tps/lib/perl/PKI/TPS/SubsystemTypePanel.pm
index dba4aa33..d36ef8fa 100755
--- a/pki/base/tps/lib/perl/PKI/TPS/SubsystemTypePanel.pm
+++ b/pki/base/tps/lib/perl/PKI/TPS/SubsystemTypePanel.pm
@@ -75,7 +75,9 @@ sub update
$::symbol{subsystemName} = "Token Processing System";
$::symbol{fullsystemname} = "Token Processing System ";
$::symbol{machineName} = "localhost";
+ $::symbol{http_port} = "7888";
$::symbol{https_port} = "7889";
+ $::symbol{non_clientauth_https_port} = "7890";
$::symbol{check_clonesubsystem} = " ";
$::symbol{check_newsubsystem} = " ";
$::symbol{disableClone} = 1;
@@ -96,12 +98,15 @@ sub display
$::symbol{fullsystemname} = "Token Processing System ";
my $machineName = $::config->get("service.machineName");
- my $securePort = $::config->get("service.securePort");
my $unsecurePort = $::config->get("service.unsecurePort");
+ my $securePort = $::config->get("service.securePort");
+ my $non_clientauth_securePort = $::config->get("service.non_clientauth_securePort");
$::symbol{machineName} = $machineName;
+ $::symbol{http_port} = $unsecurePort;
$::symbol{https_port} = $securePort;
+ $::symbol{non_clientauth_https_port} = $non_clientauth_securePort;
$::symbol{check_clonesubsystem} = "";
$::symbol{check_newsubsystem} = "checked ";
@@ -116,7 +121,7 @@ sub display
if ($host eq "") {
goto DONE;
}
- my $port = $::config->get("preop.securitydomain.tps$count.secureport");
+ my $port = $::config->get("preop.securitydomain.tps$count.non_clientauth_secure_port");
my $name = $::config->get("preop.securitydomain.tps$count.subsystemname");
unshift(@{$::symbol{urls}}, "https://" . $host . ":" . $port);
$count++;
diff --git a/pki/base/tps/lib/perl/PKI/TPS/TKSInfoPanel.pm b/pki/base/tps/lib/perl/PKI/TPS/TKSInfoPanel.pm
index bfdaa0ed..8a85b13c 100755
--- a/pki/base/tps/lib/perl/PKI/TPS/TKSInfoPanel.pm
+++ b/pki/base/tps/lib/perl/PKI/TPS/TKSInfoPanel.pm
@@ -78,28 +78,28 @@ sub update
my $instanceID = $::config->get("service.instanceID");
my $host = "";
- my $port = "";
+ my $https_agent_port = "";
if ($count =~ /http/) {
my $info = new URI::URL($count);
$host = $info->host;
- $port = $info->port;
- if (($host eq "") || ($port eq "")) {
+ $https_agent_port = $info->port;
+ if (($host eq "") || ($https_agent_port eq "")) {
$::symbol{errorString} = "no TKS found. CA, TKS and optionally DRM must be installed prior to TPS installation";
return 0;
}
$::config->put("preop.tksinfo.select", $count);
} else {
$host = $::config->get("preop.securitydomain.tks$count.host");
- $port = $::config->get("preop.securitydomain.tks$count.secureport");
- if (($host eq "") || ($port eq "")) {
+ $https_agent_port = $::config->get("preop.securitydomain.tks$count.secureagentport");
+ if (($host eq "") || ($https_agent_port eq "")) {
$::symbol{errorString} = "no TKS found. CA, TKS and optionally DRM must be installed prior to TPS installation";
return 0;
}
- $::config->put("preop.tksinfo.select", "https://$host:$port");
+ $::config->put("preop.tksinfo.select", "https://$host:$https_agent_port");
}
my $subsystemCertNickName = $::config->get("preop.cert.subsystem.nickname");
$::config->put("conn.tks1.clientNickname", $subsystemCertNickName);
- $::config->put("conn.tks1.hostport", $host . ":" . $port);
+ $::config->put("conn.tks1.hostport", $host . ":" . $https_agent_port);
$::config->commit();
return 1;
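Review bot: The `if (($host eq "") || ($https_agent_port eq ""))` block with its error message and `return 0` is duplicated in both branches (L4009–L4012 and L4019–L4022), whereas the parallel KRA panel performs the check once after the `if`/`else` (L3552). Hoisting the check to after the branch keeps the two panels consistent and leaves a single place to update the error text; the `$::config->put("preop.tksinfo.select", ...)` calls could then follow the check as well. This is a readability point only; the behaviour is the same either way.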
@@ -116,9 +116,9 @@ sub display
if ($host eq "") {
goto DONE;
}
- my $port = $::config->get("preop.securitydomain.tks$count.secureport");
+ my $https_agent_port = $::config->get("preop.securitydomain.tks$count.secureagentport");
my $name = $::config->get("preop.securitydomain.tks$count.subsystemname");
- $::symbol{urls}[$count++] = $name . " - https://" . $host . ":" . $port;
+ $::symbol{urls}[$count++] = $name . " - https://" . $host . ":" . $https_agent_port;
}
DONE:
$::symbol{urls_size} = $count;