def spawn(self, deployer):
if config.str2bool(deployer.mdict['pki_skip_installation']):
logger.info('Skipping subsystem creation')
return
logger.info('Creating %s subsystem', deployer.mdict['pki_subsystem'])
# If pki_one_time_pin is not specified, generate a new one
if 'pki_one_time_pin' not in deployer.mdict:
pin = ''.join(
random.choice(string.ascii_letters + string.digits)
for x in range(20))
deployer.mdict['pki_one_time_pin'] = pin
deployer.mdict['PKI_RANDOM_NUMBER_SLOT'] = pin
instance = self.instance
# Create /var/log/pki/<instance>/<subsystem>
logger.info('Creating %s', deployer.mdict['pki_subsystem_log_path'])
instance.makedirs(deployer.mdict['pki_subsystem_log_path'],
exist_ok=True)
# Create /var/log/pki/<instance>/<subsystem>/archive
logger.info('Creating %s',
deployer.mdict['pki_subsystem_archive_log_path'])
instance.makedirs(deployer.mdict['pki_subsystem_archive_log_path'],
exist_ok=True)
# Create /var/log/pki/<instance>/<subsystem>/signedAudit
logger.info('Creating %s',
deployer.mdict['pki_subsystem_signed_audit_log_path'])
instance.makedirs(
deployer.mdict['pki_subsystem_signed_audit_log_path'],
exist_ok=True)
# Create /etc/pki/<instance>/<subsystem>
logger.info('Creating %s',
deployer.mdict['pki_subsystem_configuration_path'])
instance.makedirs(deployer.mdict['pki_subsystem_configuration_path'],
exist_ok=True)
# Copy /usr/share/pki/<subsystem_type>/conf
# to /etc/pki/<instance>/<subsystem>
# logger.info('Creating %s', deployer.mdict['pki_subsystem_configuration_path'])
# instance.copy(
# deployer.mdict['pki_source_conf_path'],
# deployer.mdict['pki_subsystem_configuration_path'])
# Copy /usr/share/pki/<subsystem>/conf/CS.cfg
# to /etc/pki/<instance>/<subsystem>/CS.cfg
logger.info('Creating %s', deployer.mdict['pki_target_cs_cfg'])
instance.copyfile(deployer.mdict['pki_source_cs_cfg'],
deployer.mdict['pki_target_cs_cfg'],
slots=deployer.slots,
params=deployer.mdict)
# Copy /usr/share/pki/<subsystem>/conf/registry.cfg
# to /etc/pki/<instance>/<subsystem>/registry.cfg
logger.info('Creating %s', deployer.mdict['pki_target_registry_cfg'])
instance.copy(deployer.mdict['pki_source_registry_cfg'],
deployer.mdict['pki_target_registry_cfg'])
if deployer.mdict['pki_subsystem'] == "CA":
# Copy /usr/share/pki/ca/emails
# to /var/lib/pki/<instance>/<subsystem>/emails
logger.info('Creating %s',
deployer.mdict['pki_subsystem_emails_path'])
instance.copy(deployer.mdict['pki_source_emails'],
deployer.mdict['pki_subsystem_emails_path'])
# Copy /usr/share/pki/ca/profiles/ca
# to /var/lib/pki/<instance>/<subsystem>/profiles/ca
logger.info('Creating %s',
deployer.mdict['pki_subsystem_profiles_path'])
instance.copy(deployer.mdict['pki_source_profiles'],
deployer.mdict['pki_subsystem_profiles_path'])
# Copy /usr/share/pki/<subsystem>/conf/flatfile.txt
# to /etc/pki/<instance>/<subsystem>/flatfile.txt
logger.info('Creating %s',
deployer.mdict['pki_target_flatfile_txt'])
instance.copy(deployer.mdict['pki_source_flatfile_txt'],
deployer.mdict['pki_target_flatfile_txt'])
# Copy /usr/share/pki/<subsystem>/conf/<type>AdminCert.profile
# to /etc/pki/<instance>/<subsystem>/adminCert.profile
logger.info('Creating %s',
deployer.mdict['pki_target_admincert_profile'])
instance.copy(deployer.mdict['pki_source_admincert_profile'],
deployer.mdict['pki_target_admincert_profile'])
# Copy /usr/share/pki/<subsystem>/conf/caAuditSigningCert.profile
# to /etc/pki/<instance>/<subsystem>/caAuditSigningCert.profile
logger.info(
'Creating %s',
deployer.mdict['pki_target_caauditsigningcert_profile'])
instance.copy(
deployer.mdict['pki_source_caauditsigningcert_profile'],
deployer.mdict['pki_target_caauditsigningcert_profile'])
# Copy /usr/share/pki/<subsystem>/conf/caCert.profile
# to /etc/pki/<instance>/<subsystem>/caCert.profile
logger.info('Creating %s',
deployer.mdict['pki_target_cacert_profile'])
instance.copy(deployer.mdict['pki_source_cacert_profile'],
deployer.mdict['pki_target_cacert_profile'])
# Copy /usr/share/pki/<subsystem>/conf/caOCSPCert.profile
# to /etc/pki/<instance>/<subsystem>/caOCSPCert.profile
logger.info('Creating %s',
deployer.mdict['pki_target_caocspcert_profile'])
instance.copy(deployer.mdict['pki_source_caocspcert_profile'],
deployer.mdict['pki_target_caocspcert_profile'])
# Copy /usr/share/pki/<subsystem>/conf/<type>ServerCert.profile
# to /etc/pki/<instance>/<subsystem>/serverCert.profile
logger.info('Creating %s',
deployer.mdict['pki_target_servercert_profile'])
instance.copy(deployer.mdict['pki_source_servercert_profile'],
deployer.mdict['pki_target_servercert_profile'])
# Copy /usr/share/pki/<subsystem>/conf/<type>SubsystemCert.profile
# to /etc/pki/<instance>/<subsystem>/subsystemCert.profile
logger.info('Creating %s',
deployer.mdict['pki_target_subsystemcert_profile'])
instance.copy(deployer.mdict['pki_source_subsystemcert_profile'],
deployer.mdict['pki_target_subsystemcert_profile'])
# Copy /usr/share/pki/<subsystem>/conf/proxy.conf
# to /etc/pki/<instance>/<subsystem>/proxy.conf
logger.info('Creating %s', deployer.mdict['pki_target_proxy_conf'])
instance.copyfile(deployer.mdict['pki_source_proxy_conf'],
deployer.mdict['pki_target_proxy_conf'],
slots=deployer.slots,
params=deployer.mdict)
elif deployer.mdict['pki_subsystem'] == "TPS":
# Copy /usr/share/pki/<subsystem>/conf/registry.cfg
# to /etc/pki/<instance>/<subsystem>/registry.cfg
logger.info('Creating %s',
deployer.mdict['pki_target_registry_cfg'])
instance.copy(deployer.mdict['pki_source_registry_cfg'],
deployer.mdict['pki_target_registry_cfg'])
# Copy /usr/share/pki/<subsystem>/conf/phoneHome.xml
# to /etc/pki/<instance>/<subsystem>/phoneHome.xml
logger.info('Creating %s',
deployer.mdict['pki_target_phone_home_xml'])
instance.copyfile(deployer.mdict['pki_source_phone_home_xml'],
deployer.mdict['pki_target_phone_home_xml'],
slots=deployer.slots,
params=deployer.mdict)
# Link /var/lib/pki/<instance>/<subsystem>/conf
# to /etc/pki/<instance>/<subsystem>
logger.info('Creating %s', deployer.mdict['pki_subsystem_conf_link'])
instance.symlink(deployer.mdict['pki_subsystem_configuration_path'],
deployer.mdict['pki_subsystem_conf_link'])
# Link /var/lib/pki/<instance>/<subsystem>/logs
# to /var/log/pki/<instance>/<subsystem>
logger.info('Creating %s', deployer.mdict['pki_subsystem_logs_link'])
instance.symlink(deployer.mdict['pki_subsystem_log_path'],
deployer.mdict['pki_subsystem_logs_link'])
# Link /var/lib/pki/<instance>/<subsystem>/registry
# to /etc/sysconfig/pki/tomcat/<instance>
logger.info('Creating %s',
deployer.mdict['pki_subsystem_registry_link'])
instance.symlink(deployer.mdict['pki_instance_registry_path'],
deployer.mdict['pki_subsystem_registry_link'])
instance = self.instance
instance.load()
subsystem = instance.get_subsystem(
deployer.mdict['pki_subsystem'].lower())
subsystem.config['preop.subsystem.name'] = deployer.mdict[
'pki_subsystem_name']
# configure security domain
if deployer.mdict['pki_security_domain_type'] == 'new':
subsystem.config['preop.cert.subsystem.type'] = 'local'
subsystem.config[
'preop.cert.subsystem.profile'] = 'subsystemCert.profile'
else: # deployer.mdict['pki_security_domain_type'] == 'existing':
subsystem.config['preop.cert.subsystem.type'] = 'remote'
if subsystem.type == 'CA' and not config.str2bool(
deployer.mdict['pki_clone']):
if config.str2bool(deployer.mdict['pki_external']) or \
config.str2bool(deployer.mdict['pki_subordinate']):
subsystem.config['preop.cert.signing.type'] = 'remote'
else:
subsystem.config['preop.ca.type'] = 'sdca'
# configure cloning
if config.str2bool(deployer.mdict['pki_clone']):
subsystem.config['subsystem.select'] = 'Clone'
else:
subsystem.config['subsystem.select'] = 'New'
# configure CA hierarchy
if subsystem.type == 'CA':
if config.str2bool(deployer.mdict['pki_external']) or \
config.str2bool(deployer.mdict['pki_subordinate']):
subsystem.config['hierarchy.select'] = 'Subordinate'
else:
subsystem.config['hierarchy.select'] = 'Root'
# configure TPS
if subsystem.type == 'TPS':
subsystem.config['auths.instance.ldap1.ldap.basedn'] = \
deployer.mdict['pki_authdb_basedn']
subsystem.config['auths.instance.ldap1.ldap.ldapconn.host'] = \
deployer.mdict['pki_authdb_hostname']
subsystem.config['auths.instance.ldap1.ldap.ldapconn.port'] = \
deployer.mdict['pki_authdb_port']
subsystem.config['auths.instance.ldap1.ldap.ldapconn.secureConn'] = \
deployer.mdict['pki_authdb_secure_conn']
subsystem.save()
def execute(self, argv):
try:
opts, args = getopt.gnu_getopt(argv, 'i:v', [
'instance=', 'database=', 'backend=',
'force',
'verbose', 'debug', 'help'])
except getopt.GetoptError as e:
logger.error(e)
self.print_help()
sys.exit(1)
name = 'acme'
instance_name = 'pki-tomcat'
force = False
for o, a in opts:
if o in ('-i', '--instance'):
instance_name = a
elif o == '--force':
force = True
elif o in ('-v', '--verbose'):
logging.getLogger().setLevel(logging.INFO)
elif o == '--debug':
logging.getLogger().setLevel(logging.DEBUG)
elif o == '--help':
self.print_help()
sys.exit()
else:
logger.error('Unknown option: %s', o)
self.print_help()
sys.exit(1)
if len(args) > 0:
name = args[0]
instance = pki.server.instance.PKIServerFactory.create(instance_name)
if not instance.is_valid():
raise Exception('Invalid instance: %s' % instance_name)
instance.load()
acme_conf_dir = os.path.join(instance.conf_dir, name)
logging.info('Creating %s', acme_conf_dir)
instance.makedirs(acme_conf_dir, force=force)
acme_share_dir = os.path.join(pki.server.PKIServer.SHARE_DIR, 'acme')
metadata_template = os.path.join(acme_share_dir, 'conf', 'metadata.json')
metadata_conf = os.path.join(acme_conf_dir, 'metadata.json')
logging.info('Creating %s', metadata_conf)
instance.copy(metadata_template, metadata_conf, force=force)
database_template = os.path.join(acme_share_dir, 'conf', 'database.json')
database_conf = os.path.join(acme_conf_dir, 'database.json')
logging.info('Creating %s', database_conf)
instance.copy(database_template, database_conf, force=force)
validators_template = os.path.join(acme_share_dir, 'conf', 'validators.json')
validators_conf = os.path.join(acme_conf_dir, 'validators.json')
logging.info('Creating %s', validators_conf)
instance.copy(validators_template, validators_conf, force=force)
backend_template = os.path.join(acme_share_dir, 'conf', 'backend.json')
backend_conf = os.path.join(acme_conf_dir, 'backend.json')
logging.info('Creating %s', backend_conf)
instance.copy(backend_template, backend_conf, force=force)
def spawn(self, deployer):
external = deployer.configuration_file.external
standalone = deployer.configuration_file.standalone
subordinate = deployer.configuration_file.subordinate
clone = deployer.configuration_file.clone
if config.str2bool(deployer.mdict['pki_skip_installation']):
logger.info('Skipping subsystem creation')
return
logger.info('Creating %s subsystem', deployer.mdict['pki_subsystem'])
# If pki_one_time_pin is not specified, generate a new one
if 'pki_one_time_pin' not in deployer.mdict:
pin = ''.join(
random.choice(string.ascii_letters + string.digits)
for x in range(20))
deployer.mdict['pki_one_time_pin'] = pin
deployer.mdict['PKI_RANDOM_NUMBER_SLOT'] = pin
instance = self.instance
# Create /var/log/pki/<instance>/<subsystem>
logger.info('Creating %s', deployer.mdict['pki_subsystem_log_path'])
instance.makedirs(deployer.mdict['pki_subsystem_log_path'],
exist_ok=True)
# Create /var/log/pki/<instance>/<subsystem>/archive
logger.info('Creating %s',
deployer.mdict['pki_subsystem_archive_log_path'])
instance.makedirs(deployer.mdict['pki_subsystem_archive_log_path'],
exist_ok=True)
# Create /var/log/pki/<instance>/<subsystem>/signedAudit
logger.info('Creating %s',
deployer.mdict['pki_subsystem_signed_audit_log_path'])
instance.makedirs(
deployer.mdict['pki_subsystem_signed_audit_log_path'],
exist_ok=True)
# Create /etc/pki/<instance>/<subsystem>
logger.info('Creating %s',
deployer.mdict['pki_subsystem_configuration_path'])
instance.makedirs(deployer.mdict['pki_subsystem_configuration_path'],
exist_ok=True)
# Copy /usr/share/pki/<subsystem_type>/conf
# to /etc/pki/<instance>/<subsystem>
# logger.info('Creating %s', deployer.mdict['pki_subsystem_configuration_path'])
# instance.copy(
# deployer.mdict['pki_source_conf_path'],
# deployer.mdict['pki_subsystem_configuration_path'])
# Copy /usr/share/pki/<subsystem>/conf/CS.cfg
# to /etc/pki/<instance>/<subsystem>/CS.cfg
logger.info('Creating %s', deployer.mdict['pki_target_cs_cfg'])
instance.copyfile(deployer.mdict['pki_source_cs_cfg'],
deployer.mdict['pki_target_cs_cfg'],
slots=deployer.slots,
params=deployer.mdict)
# Copy /usr/share/pki/<subsystem>/conf/registry.cfg
# to /etc/pki/<instance>/<subsystem>/registry.cfg
logger.info('Creating %s', deployer.mdict['pki_target_registry_cfg'])
instance.copy(deployer.mdict['pki_source_registry_cfg'],
deployer.mdict['pki_target_registry_cfg'])
if deployer.mdict['pki_subsystem'] == "CA":
# Copy /usr/share/pki/ca/emails
# to /var/lib/pki/<instance>/<subsystem>/emails
logger.info('Creating %s',
deployer.mdict['pki_subsystem_emails_path'])
instance.copy(deployer.mdict['pki_source_emails'],
deployer.mdict['pki_subsystem_emails_path'])
# Copy /usr/share/pki/ca/profiles/ca
# to /var/lib/pki/<instance>/<subsystem>/profiles/ca
logger.info('Creating %s',
deployer.mdict['pki_subsystem_profiles_path'])
instance.copy(deployer.mdict['pki_source_profiles'],
deployer.mdict['pki_subsystem_profiles_path'])
# Copy /usr/share/pki/<subsystem>/conf/flatfile.txt
# to /etc/pki/<instance>/<subsystem>/flatfile.txt
logger.info('Creating %s',
deployer.mdict['pki_target_flatfile_txt'])
instance.copy(deployer.mdict['pki_source_flatfile_txt'],
deployer.mdict['pki_target_flatfile_txt'])
# Copy /usr/share/pki/<subsystem>/conf/<type>AdminCert.profile
# to /etc/pki/<instance>/<subsystem>/adminCert.profile
logger.info('Creating %s',
deployer.mdict['pki_target_admincert_profile'])
instance.copy(deployer.mdict['pki_source_admincert_profile'],
deployer.mdict['pki_target_admincert_profile'])
# Copy /usr/share/pki/<subsystem>/conf/caAuditSigningCert.profile
# to /etc/pki/<instance>/<subsystem>/caAuditSigningCert.profile
logger.info(
'Creating %s',
deployer.mdict['pki_target_caauditsigningcert_profile'])
instance.copy(
deployer.mdict['pki_source_caauditsigningcert_profile'],
deployer.mdict['pki_target_caauditsigningcert_profile'])
# Copy /usr/share/pki/<subsystem>/conf/caCert.profile
# to /etc/pki/<instance>/<subsystem>/caCert.profile
logger.info('Creating %s',
deployer.mdict['pki_target_cacert_profile'])
instance.copy(deployer.mdict['pki_source_cacert_profile'],
deployer.mdict['pki_target_cacert_profile'])
# Copy /usr/share/pki/<subsystem>/conf/caOCSPCert.profile
# to /etc/pki/<instance>/<subsystem>/caOCSPCert.profile
logger.info('Creating %s',
deployer.mdict['pki_target_caocspcert_profile'])
instance.copy(deployer.mdict['pki_source_caocspcert_profile'],
deployer.mdict['pki_target_caocspcert_profile'])
# Copy /usr/share/pki/<subsystem>/conf/<type>ServerCert.profile
# to /etc/pki/<instance>/<subsystem>/serverCert.profile
logger.info('Creating %s',
deployer.mdict['pki_target_servercert_profile'])
instance.copy(deployer.mdict['pki_source_servercert_profile'],
deployer.mdict['pki_target_servercert_profile'])
# Copy /usr/share/pki/<subsystem>/conf/<type>SubsystemCert.profile
# to /etc/pki/<instance>/<subsystem>/subsystemCert.profile
logger.info('Creating %s',
deployer.mdict['pki_target_subsystemcert_profile'])
instance.copy(deployer.mdict['pki_source_subsystemcert_profile'],
deployer.mdict['pki_target_subsystemcert_profile'])
# Copy /usr/share/pki/<subsystem>/conf/proxy.conf
# to /etc/pki/<instance>/<subsystem>/proxy.conf
logger.info('Creating %s', deployer.mdict['pki_target_proxy_conf'])
instance.copyfile(deployer.mdict['pki_source_proxy_conf'],
deployer.mdict['pki_target_proxy_conf'],
slots=deployer.slots,
params=deployer.mdict)
elif deployer.mdict['pki_subsystem'] == "TPS":
# Copy /usr/share/pki/<subsystem>/conf/registry.cfg
# to /etc/pki/<instance>/<subsystem>/registry.cfg
logger.info('Creating %s',
deployer.mdict['pki_target_registry_cfg'])
instance.copy(deployer.mdict['pki_source_registry_cfg'],
deployer.mdict['pki_target_registry_cfg'])
# Copy /usr/share/pki/<subsystem>/conf/phoneHome.xml
# to /etc/pki/<instance>/<subsystem>/phoneHome.xml
logger.info('Creating %s',
deployer.mdict['pki_target_phone_home_xml'])
instance.copyfile(deployer.mdict['pki_source_phone_home_xml'],
deployer.mdict['pki_target_phone_home_xml'],
slots=deployer.slots,
params=deployer.mdict)
# Link /var/lib/pki/<instance>/<subsystem>/conf
# to /etc/pki/<instance>/<subsystem>
logger.info('Creating %s', deployer.mdict['pki_subsystem_conf_link'])
instance.symlink(deployer.mdict['pki_subsystem_configuration_path'],
deployer.mdict['pki_subsystem_conf_link'])
# Link /var/lib/pki/<instance>/<subsystem>/logs
# to /var/log/pki/<instance>/<subsystem>
logger.info('Creating %s', deployer.mdict['pki_subsystem_logs_link'])
instance.symlink(deployer.mdict['pki_subsystem_log_path'],
deployer.mdict['pki_subsystem_logs_link'])
# Link /var/lib/pki/<instance>/<subsystem>/registry
# to /etc/sysconfig/pki/tomcat/<instance>
logger.info('Creating %s',
deployer.mdict['pki_subsystem_registry_link'])
instance.symlink(deployer.mdict['pki_instance_registry_path'],
deployer.mdict['pki_subsystem_registry_link'])
instance = self.instance
instance.load()
subsystem = instance.get_subsystem(
deployer.mdict['pki_subsystem'].lower())
subsystem.config['preop.subsystem.name'] = deployer.mdict[
'pki_subsystem_name']
certs = subsystem.find_system_certs()
for cert in certs:
# get CS.cfg tag and pkispawn tag
config_tag = cert['id']
deploy_tag = config_tag
if config_tag == 'signing': # for CA and OCSP
deploy_tag = subsystem.name + '_signing'
keytype = deployer.mdict['pki_%s_key_type' % deploy_tag]
subsystem.config['preop.cert.%s.keytype' % config_tag] = keytype
# configure SSL server cert
if subsystem.type == 'CA' and clone or subsystem.type != 'CA':
subsystem.config['preop.cert.sslserver.type'] = 'remote'
keytype = subsystem.config['preop.cert.sslserver.keytype']
if keytype.lower() == 'ecc':
subsystem.config[
'preop.cert.sslserver.profile'] = 'caECInternalAuthServerCert'
elif keytype.lower() == 'rsa':
subsystem.config[
'preop.cert.sslserver.profile'] = 'caInternalAuthServerCert'
# configure subsystem cert
if deployer.mdict['pki_security_domain_type'] == 'new':
subsystem.config['preop.cert.subsystem.type'] = 'local'
subsystem.config[
'preop.cert.subsystem.profile'] = 'subsystemCert.profile'
else: # deployer.mdict['pki_security_domain_type'] == 'existing':
subsystem.config['preop.cert.subsystem.type'] = 'remote'
keytype = subsystem.config['preop.cert.subsystem.keytype']
if keytype.lower() == 'ecc':
subsystem.config[
'preop.cert.subsystem.profile'] = 'caECInternalAuthSubsystemCert'
elif keytype.lower() == 'rsa':
subsystem.config[
'preop.cert.subsystem.profile'] = 'caInternalAuthSubsystemCert'
if external or standalone:
# This is needed by IPA to detect step 1 completion.
# See is_step_one_done() in ipaserver/install/cainstance.py.
subsystem.config['preop.ca.type'] = 'otherca'
elif subsystem.type != 'CA' or subordinate:
subsystem.config['preop.ca.type'] = 'sdca'
# configure cloning
if config.str2bool(deployer.mdict['pki_clone']):
subsystem.config['subsystem.select'] = 'Clone'
else:
subsystem.config['subsystem.select'] = 'New'
# configure CA
if subsystem.type == 'CA':
if external or subordinate:
subsystem.config['hierarchy.select'] = 'Subordinate'
else:
subsystem.config['hierarchy.select'] = 'Root'
if subordinate:
subsystem.config['preop.cert.signing.type'] = 'remote'
subsystem.config[
'preop.cert.signing.profile'] = 'caInstallCACert'
# configure TPS
if subsystem.type == 'TPS':
subsystem.config['auths.instance.ldap1.ldap.basedn'] = \
deployer.mdict['pki_authdb_basedn']
subsystem.config['auths.instance.ldap1.ldap.ldapconn.host'] = \
deployer.mdict['pki_authdb_hostname']
subsystem.config['auths.instance.ldap1.ldap.ldapconn.port'] = \
deployer.mdict['pki_authdb_port']
subsystem.config['auths.instance.ldap1.ldap.ldapconn.secureConn'] = \
deployer.mdict['pki_authdb_secure_conn']
subsystem.save()
