def check_ds(parser):
try:
# Verify existence of Directory Server Password
if 'pki_ds_password' not in parser.mdict or \
not len(parser.mdict['pki_ds_password']):
config.pki_log.error(
log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
"pki_ds_password",
parser.mdict['pki_user_deployment_cfg'],
extra=config.PKI_INDENTATION_LEVEL_0)
sys.exit(1)
if not config.str2bool(parser.mdict['pki_skip_ds_verify']):
parser.ds_verify_configuration()
if parser.ds_base_dn_exists() and not \
config.str2bool(parser.mdict['pki_ds_remove_data']):
print('ERROR: Base DN already exists.')
sys.exit(1)
except ldap.LDAPError as e:
server = parser.protocol + '://' + parser.hostname + ':' + parser.port
print('ERROR: Unable to access directory server (' + server + '): ' +
e.args[0]['desc'])
sys.exit(1)
def check_security_domain(parser):
if parser.mdict['pki_security_domain_type'] != "new":
try:
# Verify existence of Security Domain Password
if 'pki_security_domain_password' not in parser.mdict or \
not len(parser.mdict['pki_security_domain_password']):
config.pki_log.error(
log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
"pki_security_domain_password",
parser.mdict['pki_user_deployment_cfg'],
extra=config.PKI_INDENTATION_LEVEL_0)
sys.exit(1)
if not config.str2bool(parser.mdict['pki_skip_sd_verify']):
parser.sd_connect()
info = parser.sd_get_info()
parser.set_property(deployer.subsystem_name,
'pki_security_domain_name', info.name)
parser.sd_authenticate()
except requests.exceptions.ConnectionError as e:
print(('ERROR: Unable to access security domain: ' + str(e)))
sys.exit(1)
except requests.exceptions.HTTPError as e:
print(('ERROR: Unable to access security domain: ' + str(e)))
sys.exit(1)
def print_final_install_information(mdict):
print(log.PKI_SPAWN_INFORMATION_HEADER)
print(" Administrator's username: %s" %
mdict['pki_admin_uid'])
if os.path.isfile(mdict['pki_client_admin_cert_p12']):
print(" Administrator's PKCS #12 file:\n %s" %
mdict['pki_client_admin_cert_p12'])
if not config.str2bool(mdict['pki_client_database_purge']) and \
not config.str2bool(mdict['pki_clone']):
print()
print(" Administrator's certificate nickname:\n %s" %
mdict['pki_admin_nickname'])
print(" Administrator's certificate database:\n %s" %
mdict['pki_client_database_dir'])
if config.str2bool(mdict['pki_clone']):
print()
print(" This %s subsystem of the '%s' instance\n"
" is a clone." %
(deployer.subsystem_name, mdict['pki_instance_name']))
if mdict['pki_fips_mode_enabled']:
print()
print(" This %s subsystem of the '%s' instance\n"
" has FIPS mode enabled on this operating system." %
(deployer.subsystem_name, mdict['pki_instance_name']))
print()
print(
" REMINDER: Don't forget to update the appropriate FIPS\n"
" algorithms in server.xml in the '%s' instance." %
mdict['pki_instance_name'])
print(log.PKI_CHECK_STATUS_MESSAGE % mdict['pki_instance_name'])
print(log.PKI_INSTANCE_RESTART_MESSAGE % mdict['pki_instance_name'])
print(log.PKI_ACCESS_URL % (mdict['pki_hostname'], mdict['pki_https_port'],
deployer.subsystem_name.lower()))
if not config.str2bool(mdict['pki_enable_on_system_boot']):
print(log.PKI_SYSTEM_BOOT_STATUS_MESSAGE % "disabled")
else:
print(log.PKI_SYSTEM_BOOT_STATUS_MESSAGE % "enabled")
print(log.PKI_SPAWN_INFORMATION_FOOTER)
def print_final_install_information(mdict):
print(log.PKI_SPAWN_INFORMATION_HEADER)
print(" Administrator's username: %s" %
mdict['pki_admin_uid'])
if os.path.isfile(mdict['pki_client_admin_cert_p12']):
print(" Administrator's PKCS #12 file:\n %s" %
mdict['pki_client_admin_cert_p12'])
if not config.str2bool(mdict['pki_client_database_purge']) and \
not config.str2bool(mdict['pki_clone']):
print()
print(" Administrator's certificate nickname:\n %s"
% mdict['pki_admin_nickname'])
print(" Administrator's certificate database:\n %s"
% mdict['pki_client_database_dir'])
if config.str2bool(mdict['pki_clone']):
print()
print(" This %s subsystem of the '%s' instance\n"
" is a clone." %
(deployer.subsystem_name, mdict['pki_instance_name']))
if mdict['pki_fips_mode_enabled']:
print()
print(" This %s subsystem of the '%s' instance\n"
" has FIPS mode enabled on this operating system." %
(deployer.subsystem_name, mdict['pki_instance_name']))
print()
print(" REMINDER: Don't forget to update the appropriate FIPS\n"
" algorithms in server.xml in the '%s' instance."
% mdict['pki_instance_name'])
print(log.PKI_CHECK_STATUS_MESSAGE % mdict['pki_instance_name'])
print(log.PKI_INSTANCE_RESTART_MESSAGE % mdict['pki_instance_name'])
print(log.PKI_ACCESS_URL % (mdict['pki_hostname'],
mdict['pki_https_port'],
deployer.subsystem_name.lower()))
if not config.str2bool(mdict['pki_enable_on_system_boot']):
print(log.PKI_SYSTEM_BOOT_STATUS_MESSAGE % "disabled")
else:
print(log.PKI_SYSTEM_BOOT_STATUS_MESSAGE % "enabled")
print(log.PKI_SPAWN_INFORMATION_FOOTER)
def check_ds():
try:
# Verify existence of Directory Server Password
if 'pki_ds_password' not in deployer.mdict or \
not len(deployer.mdict['pki_ds_password']):
logger.error(log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
"pki_ds_password",
deployer.mdict['pki_user_deployment_cfg'])
sys.exit(1)
if not config.str2bool(deployer.mdict['pki_skip_ds_verify']):
verify_ds_configuration()
if base_dn_exists() and not \
config.str2bool(deployer.mdict['pki_ds_remove_data']):
print('ERROR: Base DN already exists.')
sys.exit(1)
except ldap.LDAPError:
logger.error('Unable to access LDAP server: %s', deployer.ds_url)
raise
def check_ds(parser):
try:
# Verify existence of Directory Server Password
if 'pki_ds_password' not in parser.mdict or \
not len(parser.mdict['pki_ds_password']):
config.pki_log.error(
log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
"pki_ds_password",
parser.mdict['pki_user_deployment_cfg'],
extra=config.PKI_INDENTATION_LEVEL_0)
sys.exit(1)
if not config.str2bool(parser.mdict['pki_skip_ds_verify']):
parser.ds_verify_configuration()
if parser.ds_base_dn_exists() and not \
config.str2bool(parser.mdict['pki_ds_remove_data']):
print('ERROR: Base DN already exists.')
sys.exit(1)
except ldap.LDAPError as e:
print('ERROR: Unable to access directory server: ' +
e.args[0]['desc'])
sys.exit(1)
def print_skip_configuration_information(mdict):
print(log.PKI_SPAWN_INFORMATION_HEADER)
print(" The %s subsystem of the '%s' instance\n"
" must still be configured!" %
(deployer.subsystem_name, mdict['pki_instance_name']))
print(log.PKI_CHECK_STATUS_MESSAGE % mdict['pki_instance_name'])
print(log.PKI_INSTANCE_RESTART_MESSAGE % mdict['pki_instance_name'])
print(log.PKI_ACCESS_URL % (mdict['pki_hostname'], mdict['pki_https_port'],
deployer.subsystem_name.lower()))
if not config.str2bool(mdict['pki_enable_on_system_boot']):
print(log.PKI_SYSTEM_BOOT_STATUS_MESSAGE % "disabled")
else:
print(log.PKI_SYSTEM_BOOT_STATUS_MESSAGE % "enabled")
print(log.PKI_SPAWN_INFORMATION_FOOTER)
def print_skip_configuration_information(mdict):
print(log.PKI_SPAWN_INFORMATION_HEADER)
print(" The %s subsystem of the '%s' instance\n"
" must still be configured!" %
(deployer.subsystem_name, mdict['pki_instance_name']))
print(log.PKI_CHECK_STATUS_MESSAGE % mdict['pki_instance_name'])
print(log.PKI_INSTANCE_RESTART_MESSAGE % mdict['pki_instance_name'])
print(log.PKI_ACCESS_URL % (mdict['pki_hostname'],
mdict['pki_https_port'],
deployer.subsystem_name.lower()))
if not config.str2bool(mdict['pki_enable_on_system_boot']):
print(log.PKI_SYSTEM_BOOT_STATUS_MESSAGE % "disabled")
else:
print(log.PKI_SYSTEM_BOOT_STATUS_MESSAGE % "enabled")
print(log.PKI_SPAWN_INFORMATION_FOOTER)
def check_security_domain():
# If the subsystem being installed is joining an existing security domain,
# or it is a subordinate CA (either joining the security domain or creating
# a new one), connect to and authenticate against the security domain.
if deployer.mdict['pki_security_domain_type'] == 'existing' \
or config.str2bool(deployer.mdict['pki_subordinate']):
if 'pki_security_domain_password' not in deployer.mdict or \
not len(deployer.mdict['pki_security_domain_password']):
raise Exception('Missing security domain password')
deployer.sd_connect()
info = deployer.get_domain_info()
deployer.set_property('pki_security_domain_name', info.id)
logger.info('Logging into security domain %s', info.id)
deployer.sd_login()
def check_security_domain():
if deployer.mdict['pki_security_domain_type'] != "new":
try:
# Verify existence of Security Domain Password
if 'pki_security_domain_password' not in deployer.mdict or \
not len(deployer.mdict['pki_security_domain_password']):
logger.error(
log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
"pki_security_domain_password",
deployer.mdict['pki_user_deployment_cfg'])
sys.exit(1)
if not config.str2bool(deployer.mdict['pki_skip_sd_verify']):
deployer.sd_connect()
info = deployer.get_domain_info()
deployer.set_property('pki_security_domain_name', info.id)
deployer.sd_login()
deployer.sd_logout()
except requests.exceptions.RequestException:
logger.error(
'Unable to access security domain: %s',
deployer.mdict['pki_security_domain_uri'])
raise
def check_security_domain(parser):
if parser.mdict['pki_security_domain_type'] != "new":
try:
# Verify existence of Security Domain Password
if 'pki_security_domain_password' not in parser.mdict or \
not len(parser.mdict['pki_security_domain_password']):
config.pki_log.error(
log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
"pki_security_domain_password",
parser.mdict['pki_user_deployment_cfg'],
extra=config.PKI_INDENTATION_LEVEL_0)
sys.exit(1)
if not config.str2bool(parser.mdict['pki_skip_sd_verify']):
parser.sd_connect()
info = parser.sd_get_info()
parser.set_property(deployer.subsystem_name,
'pki_security_domain_name',
info.name)
parser.sd_authenticate()
except requests.exceptions.RequestException as e:
print(('ERROR: Unable to access security domain: ' + str(e)))
sys.exit(1)
def main(argv):
"""main entry point"""
config.pki_deployment_executable = os.path.basename(argv[0])
# Set the umask
os.umask(config.PKI_DEPLOYMENT_DEFAULT_UMASK)
# Read and process command-line arguments.
parser = PKIConfigParser('PKI Instance Installation and Configuration',
log.PKISPAWN_EPILOG,
deployer=deployer)
parser.optional.add_argument('-f',
dest='user_deployment_cfg',
action='store',
nargs=1,
metavar='<file>',
help='configuration filename '
'(MUST specify complete path)')
parser.optional.add_argument('--precheck',
dest='precheck',
action='store_true',
help='Execute pre-checks and exit')
parser.optional.add_argument('--skip-configuration',
dest='skip_configuration',
action='store_true',
help='skip configuration step')
parser.optional.add_argument('--skip-installation',
dest='skip_installation',
action='store_true',
help='skip installation step')
args = parser.process_command_line_arguments()
config.default_deployment_cfg = \
config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE
# -f <user deployment config>
if args.user_deployment_cfg is not None:
config.user_deployment_cfg = str(
args.user_deployment_cfg).strip('[\']')
parser.validate()
interactive = False
if config.user_deployment_cfg is None:
interactive = True
parser.indent = 0
print(log.PKISPAWN_INTERACTIVE_INSTALLATION)
else:
sanitize_user_deployment_cfg(config.user_deployment_cfg)
# Only run this program as "root".
if not os.geteuid() == 0:
sys.exit("'%s' must be run as root!" % argv[0])
while True:
# -s <subsystem>
if args.pki_subsystem is None:
interactive = True
parser.indent = 0
deployer.subsystem_name = parser.read_text(
'Subsystem (CA/KRA/OCSP/TKS/TPS)',
options=['CA', 'KRA', 'OCSP', 'TKS', 'TPS'],
default='CA',
case_sensitive=False).upper()
print()
else:
deployer.subsystem_name = str(args.pki_subsystem).strip('[\']')
parser.init_config()
if config.user_deployment_cfg is None:
if args.precheck:
sys.exit(
'precheck mode is only valid for non-interactive installs')
interactive = True
parser.indent = 2
print("Tomcat:")
instance_name = parser.read_text('Instance', 'DEFAULT',
'pki_instance_name')
existing_data = parser.read_existing_deployment_data(instance_name)
set_port(parser, 'pki_http_port', 'HTTP port', existing_data)
set_port(parser, 'pki_https_port', 'Secure HTTP port',
existing_data)
set_port(parser, 'pki_ajp_port', 'AJP port', existing_data)
set_port(parser, 'pki_tomcat_server_port', 'Management port',
existing_data)
print()
print("Administrator:")
parser.read_text('Username', deployer.subsystem_name,
'pki_admin_uid')
admin_password = parser.read_password(
'Password',
deployer.subsystem_name,
'pki_admin_password',
verifyMessage='Verify password')
parser.set_property(deployer.subsystem_name, 'pki_backup_password',
admin_password)
parser.set_property(deployer.subsystem_name,
'pki_client_database_password', admin_password)
parser.set_property(deployer.subsystem_name,
'pki_client_pkcs12_password', admin_password)
if parser.mdict['pki_import_admin_cert'] == 'True':
import_cert = 'Y'
else:
import_cert = 'N'
import_cert = parser.read_text('Import certificate (Yes/No)',
default=import_cert,
options=['Yes', 'Y', 'No', 'N'],
sign='?',
case_sensitive=False).lower()
if import_cert == 'y' or import_cert == 'yes':
parser.set_property(deployer.subsystem_name,
'pki_import_admin_cert', 'True')
parser.read_text('Import certificate from',
deployer.subsystem_name,
'pki_admin_cert_file')
else:
parser.set_property(deployer.subsystem_name,
'pki_import_admin_cert', 'False')
parser.read_text('Export certificate to',
deployer.subsystem_name,
'pki_client_admin_cert')
# if parser.mdict['pki_hsm_enable'] == 'True':
# use_hsm = 'Y'
# else:
# use_hsm = 'N'
# use_hsm = parser.read_text(
# 'Using hardware security module (HSM) (Yes/No)',
# default=use_hsm, options=['Yes', 'Y', 'No', 'N'],
# sign='?', case_sensitive=False).lower()
# if use_hsm == 'y' or use_hsm == 'yes':
# # XXX: Suppress interactive HSM installation
# print "Interactive HSM installation is currently unsupported."
# sys.exit(0)
# TBD: Interactive HSM installation
# parser.set_property(deployer.subsystem_name,
# 'pki_hsm_enable',
# 'True')
# modulename = parser.read_text(
# 'HSM Module Name (e. g. - nethsm)', allow_empty=False)
# parser.set_property(deployer.subsystem_name,
# 'pki_hsm_modulename',
# modulename)
# libfile = parser.read_text(
# 'HSM Lib File ' +
# '(e. g. - /opt/nfast/toolkits/pkcs11/libcknfast.so)',
# allow_empty=False)
# parser.set_property(deployer.subsystem_name,
# 'pki_hsm_libfile',
# libfile)
print()
print("Directory Server:")
while True:
parser.read_text('Hostname', deployer.subsystem_name,
'pki_ds_hostname')
if parser.mdict['pki_ds_secure_connection'] == 'True':
secure = 'Y'
else:
secure = 'N'
secure = parser.read_text(
'Use a secure LDAPS connection (Yes/No/Quit)',
default=secure,
options=['Yes', 'Y', 'No', 'N', 'Quit', 'Q'],
sign='?',
case_sensitive=False).lower()
if secure == 'q' or secure == 'quit':
print("Installation canceled.")
sys.exit(0)
if secure == 'y' or secure == 'yes':
# Set secure DS connection to true
parser.set_property(deployer.subsystem_name,
'pki_ds_secure_connection', 'True')
# Prompt for secure 'ldaps' port
parser.read_text('Secure LDAPS Port',
deployer.subsystem_name,
'pki_ds_ldaps_port')
# Specify complete path to a directory server
# CA certificate pem file
pem_file = parser.read_text(
'Directory Server CA certificate pem file',
allow_empty=False)
parser.set_property(
deployer.subsystem_name,
'pki_ds_secure_connection_ca_pem_file', pem_file)
else:
parser.read_text('LDAP Port', deployer.subsystem_name,
'pki_ds_ldap_port')
parser.read_text('Bind DN', deployer.subsystem_name,
'pki_ds_bind_dn')
parser.read_password('Password', deployer.subsystem_name,
'pki_ds_password')
try:
parser.ds_verify_configuration()
except ldap.LDAPError as e:
parser.print_text('ERROR: ' + e.args[0]['desc'])
continue
parser.read_text('Base DN', deployer.subsystem_name,
'pki_ds_base_dn')
try:
if not parser.ds_base_dn_exists():
break
except ldap.LDAPError as e:
parser.print_text('ERROR: ' + e.args[0]['desc'])
continue
remove = parser.read_text(
'Base DN already exists. Overwrite (Yes/No/Quit)',
options=['Yes', 'Y', 'No', 'N', 'Quit', 'Q'],
sign='?',
allow_empty=False,
case_sensitive=False).lower()
if remove == 'q' or remove == 'quit':
print("Installation canceled.")
sys.exit(0)
if remove == 'y' or remove == 'yes':
break
print()
print("Security Domain:")
if deployer.subsystem_name == "CA":
parser.read_text('Name', deployer.subsystem_name,
'pki_security_domain_name')
else:
while True:
parser.read_text('Hostname', deployer.subsystem_name,
'pki_security_domain_hostname')
parser.read_text('Secure HTTP port',
deployer.subsystem_name,
'pki_security_domain_https_port')
try:
parser.sd_connect()
info = parser.sd_get_info()
parser.print_text('Name: ' + info.name)
parser.set_property(deployer.subsystem_name,
'pki_security_domain_name',
info.name)
break
except requests.exceptions.ConnectionError as e:
parser.print_text('ERROR: ' + str(e))
while True:
parser.read_text('Username', deployer.subsystem_name,
'pki_security_domain_user')
parser.read_password('Password', deployer.subsystem_name,
'pki_security_domain_password')
try:
parser.sd_authenticate()
break
except requests.exceptions.HTTPError as e:
parser.print_text('ERROR: ' + str(e))
print()
if deployer.subsystem_name == "TPS":
print("External Servers:")
while True:
parser.read_text('CA URL', deployer.subsystem_name,
'pki_ca_uri')
try:
status = parser.get_server_status('ca', 'pki_ca_uri')
if status == 'running':
break
parser.print_text('ERROR: CA is not running')
except requests.exceptions.ConnectionError as e:
parser.print_text('ERROR: ' + str(e))
while True:
parser.read_text('TKS URL', deployer.subsystem_name,
'pki_tks_uri')
try:
status = parser.get_server_status('tks', 'pki_tks_uri')
if status == 'running':
break
parser.print_text('ERROR: TKS is not running')
except requests.exceptions.ConnectionError as e:
parser.print_text('ERROR: ' + str(e))
while True:
keygen = parser.read_text(
'Enable server side key generation (Yes/No)',
options=['Yes', 'Y', 'No', 'N'],
default='N',
sign='?',
case_sensitive=False).lower()
if keygen == 'y' or keygen == 'yes':
parser.set_property(deployer.subsystem_name,
'pki_enable_server_side_keygen',
'True')
parser.read_text('KRA URL', deployer.subsystem_name,
'pki_kra_uri')
try:
status = parser.get_server_status(
'kra', 'pki_kra_uri')
if status == 'running':
break
parser.print_text('ERROR: KRA is not running')
except requests.exceptions.ConnectionError as e:
parser.print_text('ERROR: ' + str(e))
else:
parser.set_property(deployer.subsystem_name,
'pki_enable_server_side_keygen',
'False')
break
print()
print("Authentication Database:")
while True:
parser.read_text('Hostname', deployer.subsystem_name,
'pki_authdb_hostname')
parser.read_text('Port', deployer.subsystem_name,
'pki_authdb_port')
basedn = parser.read_text('Base DN', allow_empty=False)
parser.set_property(deployer.subsystem_name,
'pki_authdb_basedn', basedn)
try:
parser.authdb_connect()
if parser.authdb_base_dn_exists():
break
else:
parser.print_text('ERROR: base DN does not exist')
except ldap.LDAPError as e:
parser.print_text('ERROR: ' + e.args[0]['desc'])
print()
if interactive:
parser.indent = 0
begin = parser.read_text(
'Begin installation (Yes/No/Quit)',
options=['Yes', 'Y', 'No', 'N', 'Quit', 'Q'],
sign='?',
allow_empty=False,
case_sensitive=False).lower()
print()
if begin == 'q' or begin == 'quit':
print("Installation canceled.")
sys.exit(0)
if begin == 'y' or begin == 'yes':
break
else:
break
if not os.path.exists(config.PKI_DEPLOYMENT_SOURCE_ROOT + "/" +
deployer.subsystem_name.lower()):
print("ERROR: " + log.PKI_SUBSYSTEM_NOT_INSTALLED_1 %
deployer.subsystem_name.lower())
sys.exit(1)
start_logging()
# Read the specified PKI configuration file.
rv = parser.read_pki_configuration_file()
if rv != 0:
config.pki_log.error(log.PKI_UNABLE_TO_PARSE_1,
rv,
extra=config.PKI_INDENTATION_LEVEL_0)
sys.exit(1)
# --skip-configuration
if args.skip_configuration:
parser.set_property(deployer.subsystem_name, 'pki_skip_configuration',
'True')
# --skip-installation
if args.skip_installation:
parser.set_property(deployer.subsystem_name, 'pki_skip_installation',
'True')
create_master_dictionary(parser)
if not interactive and \
not config.str2bool(parser.mdict['pki_skip_configuration']):
check_ds(parser)
check_security_domain(parser)
if args.precheck:
print('pre-checks completed successfully.')
sys.exit(0)
print("Installing " + deployer.subsystem_name + " into " +
parser.mdict['pki_instance_path'] + ".")
# Process the various "scriptlets" to create the specified PKI subsystem.
pki_subsystem_scriptlets = parser.mdict['spawn_scriplets'].split()
deployer.init(parser)
try:
for scriptlet_name in pki_subsystem_scriptlets:
scriptlet_module = __import__("pki.server.deployment.scriptlets." +
scriptlet_name,
fromlist=[scriptlet_name])
scriptlet = scriptlet_module.PkiScriptlet()
scriptlet.spawn(deployer)
except subprocess.CalledProcessError as e:
log_error_details()
print()
print("Installation failed: Command failed: %s" % ' '.join(e.cmd))
print()
print('Please check pkispawn logs in %s/%s' %
(config.pki_log_dir, config.pki_log_name))
sys.exit(1)
except requests.HTTPError as e:
r = e.response
print()
print('Installation failed:')
if r.headers['content-type'] == 'application/json':
data = r.json()
print('%s: %s' % (data['ClassName'], data['Message']))
else:
print(r.text)
print()
print('Please check the %s logs in %s.' %
(deployer.subsystem_name,
deployer.mdict['pki_subsystem_log_path']))
sys.exit(1)
except Exception as e: # pylint: disable=broad-except
log_error_details()
print()
print("Installation failed: %s" % e)
print()
sys.exit(1)
# ALWAYS archive configuration file and manifest file
config.pki_log.info(
log.PKI_ARCHIVE_CONFIG_MESSAGE_1,
deployer.mdict['pki_user_deployment_cfg_spawn_archive'],
extra=config.PKI_INDENTATION_LEVEL_1)
# For debugging/auditing purposes, save a timestamped copy of
# this configuration file in the subsystem archive
deployer.file.copy(deployer.mdict['pki_user_deployment_cfg_replica'],
deployer.mdict['pki_user_deployment_cfg_spawn_archive'])
config.pki_log.info(log.PKI_ARCHIVE_MANIFEST_MESSAGE_1,
deployer.mdict['pki_manifest_spawn_archive'],
extra=config.PKI_INDENTATION_LEVEL_1)
# for record in manifest.database:
# print tuple(record)
manifest_file = manifest.File(deployer.manifest_db)
manifest_file.register(deployer.mdict['pki_manifest'])
manifest_file.write()
deployer.file.modify(deployer.mdict['pki_manifest'], silent=True)
# Also, for debugging/auditing purposes, save a timestamped copy of
# this installation manifest file
deployer.file.copy(deployer.mdict['pki_manifest'],
deployer.mdict['pki_manifest_spawn_archive'])
external = deployer.configuration_file.external
standalone = deployer.configuration_file.standalone
step_one = deployer.configuration_file.external_step_one
skip_configuration = deployer.configuration_file.skip_configuration
if skip_configuration:
print_skip_configuration_information(parser.mdict)
elif (external or standalone) and step_one:
if deployer.subsystem_name == 'CA':
print_external_ca_step_one_information(parser.mdict)
elif deployer.subsystem_name == 'KRA':
print_kra_step_one_information(parser.mdict)
else: # OCSP
print_ocsp_step_one_information(parser.mdict)
else:
print_final_install_information(parser.mdict)
def main(argv):
"""main entry point"""
config.pki_deployment_executable = os.path.basename(argv[0])
# Set the umask
os.umask(config.PKI_DEPLOYMENT_DEFAULT_UMASK)
# Read and process command-line arguments.
parser = PKIConfigParser(
'PKI Instance Installation and Configuration',
log.PKISPAWN_EPILOG,
deployer=deployer)
parser.optional.add_argument(
'-f',
dest='user_deployment_cfg', action='store',
nargs=1, metavar='<file>',
help='configuration filename '
'(MUST specify complete path)')
parser.optional.add_argument(
'--precheck',
dest='precheck', action='store_true',
help='Execute pre-checks and exit')
parser.optional.add_argument(
'--skip-configuration',
dest='skip_configuration',
action='store_true',
help='skip configuration step')
parser.optional.add_argument(
'--skip-installation',
dest='skip_installation',
action='store_true',
help='skip installation step')
parser.optional.add_argument(
'--enforce-hostname',
dest='enforce_hostname',
action='store_true',
help='enforce strict hostname/FQDN checks')
args = parser.process_command_line_arguments()
config.default_deployment_cfg = \
config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE
# -f <user deployment config>
if args.user_deployment_cfg is not None:
config.user_deployment_cfg = str(
args.user_deployment_cfg).strip('[\']')
parser.validate()
# Currently the only logic in deployer's validation is the
# hostname check; at some point this might need to be updated.
if args.enforce_hostname:
deployer.validate()
interactive = False
if config.user_deployment_cfg is None:
interactive = True
parser.indent = 0
print(log.PKISPAWN_INTERACTIVE_INSTALLATION)
else:
sanitize_user_deployment_cfg(config.user_deployment_cfg)
# Only run this program as "root".
if not os.geteuid() == 0:
sys.exit("'%s' must be run as root!" % argv[0])
while True:
# -s <subsystem>
if args.pki_subsystem is None:
interactive = True
parser.indent = 0
deployer.subsystem_name = parser.read_text(
'Subsystem (CA/KRA/OCSP/TKS/TPS)',
options=['CA', 'KRA', 'OCSP', 'TKS', 'TPS'],
default='CA', case_sensitive=False).upper()
print()
else:
deployer.subsystem_name = str(args.pki_subsystem).strip('[\']')
parser.init_config()
if config.user_deployment_cfg is None:
if args.precheck:
sys.exit(
'precheck mode is only valid for non-interactive installs')
interactive = True
parser.indent = 2
print("Tomcat:")
instance_name = parser.read_text(
'Instance', 'DEFAULT', 'pki_instance_name')
existing_data = parser.read_existing_deployment_data(instance_name)
set_port(parser,
'pki_http_port',
'HTTP port',
existing_data)
set_port(parser,
'pki_https_port',
'Secure HTTP port',
existing_data)
set_port(parser,
'pki_ajp_port',
'AJP port',
existing_data)
set_port(parser,
'pki_tomcat_server_port',
'Management port',
existing_data)
print()
print("Administrator:")
parser.read_text('Username', deployer.subsystem_name, 'pki_admin_uid')
admin_password = parser.read_password(
'Password', deployer.subsystem_name, 'pki_admin_password',
verifyMessage='Verify password')
parser.set_property(deployer.subsystem_name, 'pki_backup_password',
admin_password)
parser.set_property(deployer.subsystem_name,
'pki_client_database_password',
admin_password)
parser.set_property(deployer.subsystem_name,
'pki_client_pkcs12_password',
admin_password)
if parser.mdict['pki_import_admin_cert'] == 'True':
import_cert = 'Y'
else:
import_cert = 'N'
import_cert = parser.read_text(
'Import certificate (Yes/No)',
default=import_cert, options=['Yes', 'Y', 'No', 'N'],
sign='?', case_sensitive=False).lower()
if import_cert == 'y' or import_cert == 'yes':
parser.set_property(deployer.subsystem_name,
'pki_import_admin_cert',
'True')
parser.read_text('Import certificate from',
deployer.subsystem_name,
'pki_admin_cert_file')
else:
parser.set_property(deployer.subsystem_name,
'pki_import_admin_cert',
'False')
parser.read_text('Export certificate to',
deployer.subsystem_name,
'pki_client_admin_cert')
# if parser.mdict['pki_hsm_enable'] == 'True':
# use_hsm = 'Y'
# else:
# use_hsm = 'N'
# use_hsm = parser.read_text(
# 'Using hardware security module (HSM) (Yes/No)',
# default=use_hsm, options=['Yes', 'Y', 'No', 'N'],
# sign='?', case_sensitive=False).lower()
# if use_hsm == 'y' or use_hsm == 'yes':
# # XXX: Suppress interactive HSM installation
# print "Interactive HSM installation is currently unsupported."
# sys.exit(0)
# TBD: Interactive HSM installation
# parser.set_property(deployer.subsystem_name,
# 'pki_hsm_enable',
# 'True')
# modulename = parser.read_text(
# 'HSM Module Name (e. g. - nethsm)', allow_empty=False)
# parser.set_property(deployer.subsystem_name,
# 'pki_hsm_modulename',
# modulename)
# libfile = parser.read_text(
# 'HSM Lib File ' +
# '(e. g. - /opt/nfast/toolkits/pkcs11/libcknfast.so)',
# allow_empty=False)
# parser.set_property(deployer.subsystem_name,
# 'pki_hsm_libfile',
# libfile)
print()
print("Directory Server:")
while True:
parser.read_text('Hostname',
deployer.subsystem_name,
'pki_ds_hostname')
if parser.mdict['pki_ds_secure_connection'] == 'True':
secure = 'Y'
else:
secure = 'N'
secure = parser.read_text(
'Use a secure LDAPS connection (Yes/No/Quit)',
default=secure,
options=['Yes', 'Y', 'No', 'N', 'Quit', 'Q'],
sign='?', case_sensitive=False).lower()
if secure == 'q' or secure == 'quit':
print("Installation canceled.")
sys.exit(0)
if secure == 'y' or secure == 'yes':
# Set secure DS connection to true
parser.set_property(deployer.subsystem_name,
'pki_ds_secure_connection',
'True')
# Prompt for secure 'ldaps' port
parser.read_text('Secure LDAPS Port',
deployer.subsystem_name,
'pki_ds_ldaps_port')
# Specify complete path to a directory server
# CA certificate pem file
pem_file = parser.read_text(
'Directory Server CA certificate pem file',
allow_empty=False)
parser.set_property(deployer.subsystem_name,
'pki_ds_secure_connection_ca_pem_file',
pem_file)
else:
parser.read_text('LDAP Port',
deployer.subsystem_name,
'pki_ds_ldap_port')
parser.read_text('Bind DN',
deployer.subsystem_name,
'pki_ds_bind_dn')
parser.read_password('Password',
deployer.subsystem_name,
'pki_ds_password')
try:
parser.ds_verify_configuration()
except ldap.LDAPError as e:
parser.print_text('ERROR: ' + e.args[0]['desc'])
continue
parser.read_text('Base DN',
deployer.subsystem_name,
'pki_ds_base_dn')
try:
if not parser.ds_base_dn_exists():
break
except ldap.LDAPError as e:
parser.print_text('ERROR: ' + e.args[0]['desc'])
continue
remove = parser.read_text(
'Base DN already exists. Overwrite (Yes/No/Quit)',
options=['Yes', 'Y', 'No', 'N', 'Quit', 'Q'],
sign='?', allow_empty=False, case_sensitive=False).lower()
if remove == 'q' or remove == 'quit':
print("Installation canceled.")
sys.exit(0)
if remove == 'y' or remove == 'yes':
break
print()
print("Security Domain:")
if deployer.subsystem_name == "CA":
parser.read_text('Name',
deployer.subsystem_name,
'pki_security_domain_name')
else:
while True:
parser.read_text('Hostname',
deployer.subsystem_name,
'pki_security_domain_hostname')
parser.read_text('Secure HTTP port',
deployer.subsystem_name,
'pki_security_domain_https_port')
try:
parser.sd_connect()
info = parser.sd_get_info()
parser.print_text('Name: ' + info.name)
parser.set_property(deployer.subsystem_name,
'pki_security_domain_name',
info.name)
break
except RETRYABLE_EXCEPTIONS as e:
parser.print_text('ERROR: ' + str(e))
while True:
parser.read_text('Username',
deployer.subsystem_name,
'pki_security_domain_user')
parser.read_password('Password',
deployer.subsystem_name,
'pki_security_domain_password')
try:
parser.sd_authenticate()
break
except requests.exceptions.HTTPError as e:
parser.print_text('ERROR: ' + str(e))
print()
if deployer.subsystem_name == "TPS":
print("External Servers:")
while True:
parser.read_text('CA URL',
deployer.subsystem_name,
'pki_ca_uri')
try:
status = parser.get_server_status('ca', 'pki_ca_uri')
if status == 'running':
break
parser.print_text('ERROR: CA is not running')
except RETRYABLE_EXCEPTIONS as e:
parser.print_text('ERROR: ' + str(e))
while True:
parser.read_text('TKS URL',
deployer.subsystem_name,
'pki_tks_uri')
try:
status = parser.get_server_status('tks', 'pki_tks_uri')
if status == 'running':
break
parser.print_text('ERROR: TKS is not running')
except RETRYABLE_EXCEPTIONS as e:
parser.print_text('ERROR: ' + str(e))
while True:
keygen = parser.read_text(
'Enable server side key generation (Yes/No)',
options=['Yes', 'Y', 'No', 'N'], default='N',
sign='?', case_sensitive=False).lower()
if keygen == 'y' or keygen == 'yes':
parser.set_property(deployer.subsystem_name,
'pki_enable_server_side_keygen',
'True')
parser.read_text('KRA URL',
deployer.subsystem_name,
'pki_kra_uri')
try:
status = parser.get_server_status(
'kra', 'pki_kra_uri')
if status == 'running':
break
parser.print_text('ERROR: KRA is not running')
except RETRYABLE_EXCEPTIONS as e:
parser.print_text('ERROR: ' + str(e))
else:
parser.set_property(deployer.subsystem_name,
'pki_enable_server_side_keygen',
'False')
break
print()
print("Authentication Database:")
while True:
parser.read_text('Hostname',
deployer.subsystem_name,
'pki_authdb_hostname')
parser.read_text('Port',
deployer.subsystem_name,
'pki_authdb_port')
basedn = parser.read_text('Base DN', allow_empty=False)
parser.set_property(deployer.subsystem_name,
'pki_authdb_basedn',
basedn)
try:
parser.authdb_connect()
if parser.authdb_base_dn_exists():
break
else:
parser.print_text('ERROR: base DN does not exist')
except ldap.LDAPError as e:
parser.print_text('ERROR: ' + e.args[0]['desc'])
print()
if interactive:
parser.indent = 0
begin = parser.read_text(
'Begin installation (Yes/No/Quit)',
options=['Yes', 'Y', 'No', 'N', 'Quit', 'Q'],
sign='?', allow_empty=False, case_sensitive=False).lower()
print()
if begin == 'q' or begin == 'quit':
print("Installation canceled.")
sys.exit(0)
if begin == 'y' or begin == 'yes':
break
else:
break
if not os.path.exists(config.PKI_DEPLOYMENT_SOURCE_ROOT +
"/" + deployer.subsystem_name.lower()):
print("ERROR: " + log.PKI_SUBSYSTEM_NOT_INSTALLED_1 %
deployer.subsystem_name.lower())
sys.exit(1)
start_logging()
# Read the specified PKI configuration file.
rv = parser.read_pki_configuration_file()
if rv != 0:
config.pki_log.error(log.PKI_UNABLE_TO_PARSE_1, rv,
extra=config.PKI_INDENTATION_LEVEL_0)
sys.exit(1)
# --skip-configuration
if args.skip_configuration:
parser.set_property(deployer.subsystem_name,
'pki_skip_configuration', 'True')
# --skip-installation
if args.skip_installation:
parser.set_property(deployer.subsystem_name,
'pki_skip_installation', 'True')
create_master_dictionary(parser)
if not interactive and \
not config.str2bool(parser.mdict['pki_skip_configuration']):
check_ds(parser)
check_security_domain(parser)
if args.precheck:
print('pre-checks completed successfully.')
sys.exit(0)
print("Installing " + deployer.subsystem_name + " into " +
parser.mdict['pki_instance_path'] + ".")
# Process the various "scriptlets" to create the specified PKI subsystem.
pki_subsystem_scriptlets = parser.mdict['spawn_scriplets'].split()
deployer.init(parser)
try:
for scriptlet_name in pki_subsystem_scriptlets:
scriptlet_module = __import__(
"pki.server.deployment.scriptlets." + scriptlet_name,
fromlist=[scriptlet_name])
scriptlet = scriptlet_module.PkiScriptlet()
scriptlet.spawn(deployer)
except subprocess.CalledProcessError as e:
log_error_details()
print()
print("Installation failed: Command failed: %s" % ' '.join(e.cmd))
if e.output:
print(e.output)
print()
print('Please check pkispawn logs in %s/%s' % (config.pki_log_dir, config.pki_log_name))
sys.exit(1)
except requests.HTTPError as e:
r = e.response
print()
print('Installation failed:')
if r.headers['content-type'] == 'application/json':
data = r.json()
print('%s: %s' % (data['ClassName'], data['Message']))
else:
print(r.text)
print()
print('Please check the %s logs in %s.' %
(deployer.subsystem_name, deployer.mdict['pki_subsystem_log_path']))
sys.exit(1)
except Exception as e: # pylint: disable=broad-except
log_error_details()
print()
print("Installation failed: %s" % e)
print()
sys.exit(1)
# ALWAYS archive configuration file and manifest file
config.pki_log.info(
log.PKI_ARCHIVE_CONFIG_MESSAGE_1,
deployer.mdict['pki_user_deployment_cfg_spawn_archive'],
extra=config.PKI_INDENTATION_LEVEL_1)
# For debugging/auditing purposes, save a timestamped copy of
# this configuration file in the subsystem archive
deployer.file.copy(
deployer.mdict['pki_user_deployment_cfg_replica'],
deployer.mdict['pki_user_deployment_cfg_spawn_archive'])
config.pki_log.info(
log.PKI_ARCHIVE_MANIFEST_MESSAGE_1,
deployer.mdict['pki_manifest_spawn_archive'],
extra=config.PKI_INDENTATION_LEVEL_1)
# for record in manifest.database:
# print tuple(record)
manifest_file = manifest.File(deployer.manifest_db)
manifest_file.register(deployer.mdict['pki_manifest'])
manifest_file.write()
deployer.file.modify(deployer.mdict['pki_manifest'], silent=True)
# Also, for debugging/auditing purposes, save a timestamped copy of
# this installation manifest file
deployer.file.copy(
deployer.mdict['pki_manifest'],
deployer.mdict['pki_manifest_spawn_archive'])
external = deployer.configuration_file.external
standalone = deployer.configuration_file.standalone
step_one = deployer.configuration_file.external_step_one
skip_configuration = deployer.configuration_file.skip_configuration
if skip_configuration:
print_skip_configuration_information(parser.mdict)
elif (external or standalone) and step_one:
if deployer.subsystem_name == 'CA':
print_external_ca_step_one_information(parser.mdict)
elif deployer.subsystem_name == 'KRA':
print_kra_step_one_information(parser.mdict)
else: # OCSP
print_ocsp_step_one_information(parser.mdict)
else:
print_final_install_information(parser.mdict)
