Esempio n. 1
    def execute(self, argv):
        """Run the cert-del command: remove a system certificate from the NSS database.

        Args:
            argv: command-line arguments after the subcommand name. The single
                positional argument is the cert ID; ``--remove-key`` also deletes
                the private key, ``-i/--instance`` selects the instance
                (default ``pki-tomcat``).

        Exits with status 1 on option errors, a missing cert ID or an invalid
        instance; exits 0 after printing help.
        """

        logging.basicConfig(format='%(levelname)s: %(message)s')

        def bail(*log_args):
            # Log the problem, show usage and stop with a failure status.
            logger.error(*log_args)
            self.print_help()
            sys.exit(1)

        try:
            options, positional = getopt.gnu_getopt(
                argv, 'i:v',
                ['instance=', 'remove-key', 'verbose', 'debug', 'help'])
        except getopt.GetoptError as e:
            bail(e)

        # Defaults: the standard instance, and keep the private key.
        instance_name = 'pki-tomcat'
        remove_key = False

        for opt, val in options:
            if opt in ('-i', '--instance'):
                instance_name = val
            elif opt == '--remove-key':
                remove_key = True
            elif opt in ('-v', '--verbose'):
                self.set_verbose(True)
                logging.getLogger().setLevel(logging.INFO)
            elif opt == '--debug':
                self.set_verbose(True)
                self.set_debug(True)
                logging.getLogger().setLevel(logging.DEBUG)
            elif opt == '--help':
                self.print_help()
                sys.exit()
            else:
                bail('option %s not recognized', opt)

        if not positional:
            bail('Missing cert ID.')

        cert_id = positional[0]

        instance = server.PKIInstance(instance_name)
        if not instance.is_valid():
            logger.error('Invalid instance %s.', instance_name)
            sys.exit(1)

        # Load the instance configuration before touching its NSS database.
        instance.load()

        logger.info('Removing %s certificate from NSS database', cert_id)
        # With remove_key=True the private key goes too; there is no undo here.
        instance.cert_del(cert_id=cert_id, remove_key=remove_key)
Esempio n. 2
    def execute(self, argv):
        """Run the command that marks a startup self-test as critical.

        Args:
            argv: command-line arguments after the subcommand name. When exactly
                one positional argument is given it is used as the self-test
                name; with zero or several positionals the test name is None
                (extra positionals are silently ignored). ``--subsystem``
                selects the subsystem, ``-i/--instance`` the instance
                (default ``pki-tomcat``).

        Exits with status 1 on option errors or an invalid instance; exits 0
        after printing help.
        """

        def bail(message):
            # Report the problem, show usage and stop with a failure status.
            print(message)
            self.print_help()
            sys.exit(1)

        try:
            options, positional = getopt.gnu_getopt(
                argv, 'i:', ['subsystem=', 'instance=', 'help'])
        except getopt.GetoptError as e:
            bail('ERROR: ' + str(e))

        instance_name = 'pki-tomcat'
        subsystem = None
        # Only a lone positional argument is interpreted as the test name.
        test = positional[0] if len(positional) == 1 else None

        for opt, val in options:
            if opt in ('-i', '--instance'):
                instance_name = val
            elif opt == '--subsystem':
                subsystem = val
            elif opt == '--help':
                self.print_help()
                sys.exit()
            else:
                bail('ERROR: unknown option ' + opt)

        # Load instance
        instance = server.PKIInstance(instance_name)
        if not instance.is_valid():
            print('ERROR: Invalid instance %s.' % instance_name)
            sys.exit(1)

        instance.load()

        SelfTestCLI.set_startup_test_critical(instance=instance,
                                              subsystem=subsystem,
                                              test=test,
                                              critical=True)
Esempio n. 3
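    def execute(self, argv):
        """Run the cert-create command.

        Creates a system certificate for one subsystem of a PKI server
        instance: a temporary certificate (``--temp``, serial chosen locally)
        or a permanent renewal (``--renew``, through an authenticated
        connection set up by ``setup_authentication``). The certificate is
        written to ``<CONF_DIR>/<instance>/certs/<cert_id>.crt`` unless
        ``--output`` is given.

        Args:
            argv: command-line arguments after the subcommand name. The single
                positional argument is the cert ID: ``sslserver``,
                ``subsystem`` or ``<subsystem>_<tag>`` (e.g.
                ``ca_ocsp_signing``). ``-d``/``-c``/``-C``/``-n`` give the
                client NSS database, its password (or password file) and the
                client cert nickname used for a permanent certificate.

        Raises:
            Exception: for a permanent certificate without ``--renew`` (rekey is
                not implemented) or for a cert tag with no creation routine.

        Exits with status 1 on option errors, a missing or malformed cert ID,
        a missing client NSS DB password for a permanent certificate, or an
        invalid instance/subsystem; exits 0 after printing usage.
        """
        try:
            opts, args = getopt.gnu_getopt(argv, 'i:d:c:C:n:v', [
                'instance=', 'verbose', 'temp', 'serial=', 'output=', 'renew',
                'help'
            ])

        except getopt.GetoptError as e:
            print('ERROR: ' + str(e))
            self.usage()
            sys.exit(1)

        instance_name = 'pki-tomcat'
        create_temp_cert = False
        serial = None
        # Fall back to the account's home directory when HOME is unset (e.g.
        # when run from a service manager); concatenating None would raise
        # TypeError before any option is parsed.
        home_dir = os.getenv('HOME') or os.path.expanduser('~')
        client_nssdb_location = os.path.join(home_dir, '.dogtag', 'nssdb')
        client_nssdb_password = None
        client_nssdb_pass_file = None
        client_cert = None
        output = None
        renew = False
        connection = None

        for o, a in opts:
            if o in ('-i', '--instance'):
                instance_name = a

            elif o in ('-v', '--verbose'):
                self.set_verbose(True)

            elif o == '-d':
                client_nssdb_location = a

            elif o == '-c':
                # A password on the command line is visible to other local
                # users in the process list; -C (password file) avoids that.
                client_nssdb_password = a

            elif o == '-C':
                client_nssdb_pass_file = a

            elif o == '-n':
                client_cert = a

            elif o == '--help':
                self.usage()
                sys.exit()

            elif o == '--temp':
                create_temp_cert = True

            elif o == '--serial':
                serial = a

            elif o == '--output':
                output = a

            elif o == '--renew':
                renew = True

            else:
                self.print_message('ERROR: unknown option ' + o)
                self.usage()
                sys.exit(1)

        if len(args) < 1:
            print('ERROR: missing cert ID')
            self.usage()
            sys.exit(1)

        if not create_temp_cert:
            # For permanent certificate, password of NSS db is required.
            if not client_nssdb_password and not client_nssdb_pass_file:
                print('ERROR: NSS db password is required.')
                self.usage()
                sys.exit(1)

        cert_id = args[0]

        instance = server.PKIInstance(instance_name)

        if not instance.is_valid():
            print('ERROR: Invalid instance %s.' % instance_name)
            sys.exit(1)

        # Load the instance. Default: pki-tomcat
        instance.load()

        # Instance-wide IDs (sslserver, subsystem) carry no subsystem prefix;
        # anything else must be <subsystem>_<tag>. One split keeps tags that
        # themselves contain '_' (e.g. audit_signing) intact.
        subsystem_name = None
        cert_tag = cert_id

        if cert_id not in ('sslserver', 'subsystem'):
            parts = cert_id.split('_', 1)
            if len(parts) != 2:
                # Without this guard a bare "ca" would raise IndexError.
                print('ERROR: Invalid cert ID %s. Expected <subsystem>_<tag>.'
                      % cert_id)
                self.usage()
                sys.exit(1)
            subsystem_name, cert_tag = parts

        # If cert ID is instance specific, get it from first subsystem
        if not subsystem_name:
            if not instance.subsystems:
                print('ERROR: No subsystems in instance %s.' % instance_name)
                sys.exit(1)
            subsystem_name = instance.subsystems[0].name

        # Get the subsystem - Eg: ca, kra, tps, tks
        subsystem = instance.get_subsystem(subsystem_name)
        if not subsystem:
            print('ERROR: No %s subsystem in instance '
                  '%s.' % (subsystem_name, instance_name))
            sys.exit(1)

        nssdb = instance.open_nssdb()
        # mkdtemp() creates the directory with owner-only permissions; it is
        # removed in the finally block whatever happens below.
        tmpdir = tempfile.mkdtemp()
        try:
            cert_folder = os.path.join(pki.CONF_DIR, instance_name, 'certs')
            if not os.path.exists(cert_folder):
                os.makedirs(cert_folder)
            new_cert_file = os.path.join(cert_folder, cert_id + '.crt')

            if output:
                new_cert_file = output

            if create_temp_cert:
                if not serial:
                    # No serial given: use one above the highest serial number
                    # found across every subsystem's system certs.
                    highest = 0
                    for sub in instance.subsystems:
                        for n_cert in sub.find_system_certs():
                            highest = max(highest, int(n_cert['serial_number']))

                    # The create_* helpers take the serial as a string.
                    serial = str(highest + 1)
            else:
                # Create permanent certificate
                if not renew:
                    # Fixme: Support rekey
                    raise Exception('Rekey is not supported yet.')

                # Only a permanent certificate needs an authenticated
                # connection; connection stays None for temporary ones.
                connection = self.setup_authentication(
                    subsystem=subsystem,
                    c_nssdb_pass=client_nssdb_password,
                    c_cert=client_cert,
                    c_nssdb_pass_file=client_nssdb_pass_file,
                    c_nssdb=client_nssdb_location,
                    tmpdir=tmpdir)

            if cert_tag == 'sslserver':
                self.create_ssl_cert(instance=instance,
                                     subsystem=subsystem,
                                     is_temp_cert=create_temp_cert,
                                     new_cert_file=new_cert_file,
                                     nssdb=nssdb,
                                     serial=serial,
                                     tmpdir=tmpdir,
                                     connection=connection)

            elif cert_tag == 'subsystem':
                self.create_subsystem_cert(is_temp_cert=create_temp_cert,
                                           serial=serial,
                                           subsystem=subsystem,
                                           new_cert_file=new_cert_file,
                                           connection=connection)

            elif cert_id in ['ca_ocsp_signing', 'ocsp_signing']:
                self.create_ocsp_cert(is_temp_cert=create_temp_cert,
                                      serial=serial,
                                      subsystem=subsystem,
                                      new_cert_file=new_cert_file,
                                      connection=connection)

            elif cert_tag == 'audit_signing':
                self.create_audit_cert(is_temp_cert=create_temp_cert,
                                       serial=serial,
                                       subsystem=subsystem,
                                       new_cert_file=new_cert_file,
                                       connection=connection)

            else:
                # renewal not yet supported
                raise Exception('Renewal for %s not yet supported.' % cert_id)

        finally:
            nssdb.close()
            shutil.rmtree(tmpdir)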
Esempio n. 4
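    def execute(self, argv):
        """Run the cert-update command.

        Re-reads a subsystem's system certificate from the NSS database, looks
        up the matching certificate request in the local CA's database, and
        stores the base64 cert data and the bare base64 request body in the
        CS.cfg of the owning subsystem (of every subsystem for the
        instance-wide ``sslserver``/``subsystem`` certs).

        Args:
            argv: command-line arguments after the subcommand name. The single
                positional argument is the cert ID: ``sslserver``, ``subsystem``
                or ``<subsystem>_<tag>`` (e.g. ``ca_ocsp_signing``).

        Exits with status 1 on option errors, a missing or malformed cert ID,
        an invalid instance/subsystem, a cert missing from the NSS database,
        or an instance without a CA; exits 0 after printing usage.
        """

        try:
            opts, args = getopt.gnu_getopt(argv, 'i:v',
                                           ['instance=', 'verbose', 'help'])

        except getopt.GetoptError as e:
            print('ERROR: ' + str(e))
            self.usage()
            sys.exit(1)

        instance_name = 'pki-tomcat'

        for o, a in opts:
            if o in ('-i', '--instance'):
                instance_name = a

            elif o in ('-v', '--verbose'):
                self.set_verbose(True)

            elif o == '--help':
                self.usage()
                sys.exit()

            else:
                print('ERROR: unknown option ' + o)
                self.usage()
                sys.exit(1)

        if len(args) < 1:
            print('ERROR: missing cert ID')
            self.usage()
            sys.exit(1)

        cert_id = args[0]

        instance = server.PKIInstance(instance_name)

        if not instance.is_valid():
            print('ERROR: Invalid instance %s.' % instance_name)
            sys.exit(1)

        instance.load()

        # Instance-wide IDs carry no subsystem prefix; anything else must be
        # <subsystem>_<tag>. One split keeps tags such as audit_signing intact.
        subsystem_name = None
        cert_tag = cert_id

        if cert_id not in ('sslserver', 'subsystem'):
            parts = cert_id.split('_', 1)
            if len(parts) != 2:
                # Without this guard a bare "ca" would raise IndexError.
                print('ERROR: Invalid cert ID %s. Expected <subsystem>_<tag>.'
                      % cert_id)
                self.usage()
                sys.exit(1)
            subsystem_name, cert_tag = parts

        # If cert ID is instance specific, get it from first subsystem
        if not subsystem_name:
            if not instance.subsystems:
                print('ERROR: No subsystems in instance %s.' % instance_name)
                sys.exit(1)
            subsystem_name = instance.subsystems[0].name

        subsystem = instance.get_subsystem(subsystem_name)
        if not subsystem:
            print('ERROR: No %s subsystem in instance '
                  '%s.' % (subsystem_name, instance_name))
            sys.exit(1)

        subsystem_cert = subsystem.get_subsystem_cert(cert_tag)
        if not subsystem_cert:
            print('ERROR: No %s certificate in %s subsystem.'
                  % (cert_tag, subsystem_name))
            sys.exit(1)

        if self.verbose:
            print('Retrieving certificate %s from %s' %
                  (subsystem_cert['nickname'], subsystem_cert['token']))

        token = subsystem_cert['token']
        nssdb = instance.open_nssdb(token)

        # Get the cert data from NSS DB; close the handle as the other cert
        # commands do, whether or not the lookup succeeds.
        try:
            data = nssdb.get_cert(nickname=subsystem_cert['nickname'],
                                  output_format='base64')
        finally:
            nssdb.close()

        if not data:
            print('ERROR: Certificate %s not found in NSS database.'
                  % subsystem_cert['nickname'])
            sys.exit(1)

        subsystem_cert['data'] = data

        # format cert data for LDAP database: 64-column lines, CRLF-terminated
        lines = [data[i:i + 64] for i in range(0, len(data), 64)]
        data = '\r\n'.join(lines) + '\r\n'

        # Get the cert request from LDAP database
        if self.verbose:
            print('Retrieving certificate request from CA database')

        # TODO: add support for remote CA
        ca = instance.get_subsystem('ca')
        if not ca:
            print('ERROR: No CA subsystem in instance %s.' % instance_name)
            sys.exit(1)

        results = ca.find_cert_requests(cert=data)

        if results:
            # The last match is taken; this presumes find_cert_requests returns
            # requests oldest first — confirm against the CA subsystem code.
            cert_request = results[-1]
            request = cert_request['request']

            # format cert request for CS.cfg: strip the PEM armour when present
            # and join the base64 body into one line. The emptiness checks keep
            # an empty request from raising IndexError.
            lines = request.splitlines()
            if lines and lines[0] == '-----BEGIN CERTIFICATE REQUEST-----':
                lines = lines[1:]
            if lines and lines[-1] == '-----END CERTIFICATE REQUEST-----':
                lines = lines[:-1]
            request = ''.join(lines)
            subsystem_cert['request'] = request

        else:
            print('WARNING: Certificate request not found')

        # store cert data and request in CS.cfg
        if cert_id in ('sslserver', 'subsystem'):
            # Update for all subsystems
            for sub in instance.subsystems:
                sub.update_subsystem_cert(subsystem_cert)
                sub.save()
        else:
            subsystem.update_subsystem_cert(subsystem_cert)
            subsystem.save()

        self.print_message('Updated "%s" system certificate' % cert_id)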
Esempio n. 5
    def execute(self, argv):
        """Run the cert-find command: list the system certificates of an instance.

        Args:
            argv: command-line arguments after the subcommand name. Positional
                arguments are accepted by the parser but not used.
                ``--show-all`` is passed through to the printer,
                ``-i/--instance`` selects the instance (default ``pki-tomcat``).

        Exits with status 1 on option errors or an invalid instance; exits 0
        after printing help.
        """

        def bail(message):
            # Report the problem, show usage and stop with a failure status.
            print(message)
            self.print_help()
            sys.exit(1)

        try:
            options, _ = getopt.gnu_getopt(
                argv, 'i:v', ['instance=', 'show-all', 'verbose', 'help'])
        except getopt.GetoptError as e:
            bail('ERROR: ' + str(e))

        instance_name = 'pki-tomcat'
        show_all = False

        for opt, val in options:
            if opt in ('-i', '--instance'):
                instance_name = val
            elif opt == '--show-all':
                show_all = True
            elif opt in ('-v', '--verbose'):
                self.set_verbose(True)
            elif opt == '--help':
                self.print_help()
                sys.exit()
            else:
                bail('ERROR: unknown option ' + opt)

        instance = server.PKIInstance(instance_name)
        if not instance.is_valid():
            print('ERROR: Invalid instance %s.' % instance_name)
            sys.exit(1)

        instance.load()

        # Gather every subsystem's system certs. Subsystem-specific IDs get the
        # subsystem name as prefix (e.g. ca_ocsp_signing); the instance-wide
        # sslserver and subsystem certs keep their bare ID. Entries equal to
        # one already collected are dropped.
        matched = []
        for subsystem in instance.subsystems:
            for cert in subsystem.find_system_certs():
                if cert['id'] not in ('sslserver', 'subsystem'):
                    cert['id'] = subsystem.name + '_' + cert['id']
                if cert not in matched:
                    matched.append(cert)

        self.print_message('%s entries matched' % len(matched))

        # Blank line between entries, none before the first.
        for index, cert in enumerate(matched):
            if index:
                print()
            CertCLI.print_system_cert(cert, show_all)
Esempio n. 6
File: cert.py Progetto: zultron/pki
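    def execute(self, argv):
        """Run the cert-import command.

        Imports a certificate from a file into the instance's NSS database
        under the nickname/token recorded for the given cert ID, then stores
        the certificate's base64 data in the CS.cfg of the owning subsystem
        (of every subsystem for the instance-wide ``sslserver``/``subsystem``
        certs). The import is refused when the NSS database already holds a
        certificate under that nickname.

        Args:
            argv: command-line arguments after the subcommand name. The single
                positional argument is the cert ID: ``sslserver``, ``subsystem``
                or ``<subsystem>_<tag>``. ``--input`` overrides the default
                certificate file ``<CONF_DIR>/<instance>/certs/<cert_id>.crt``.

        Exits with status 1 on option errors, a missing or malformed cert ID,
        an invalid instance/subsystem, a missing input file or an already
        present certificate; exits 0 after printing help.
        """

        logging.basicConfig(format='%(levelname)s: %(message)s')

        try:
            opts, args = getopt.gnu_getopt(
                argv, 'i:v',
                ['instance=', 'input=', 'verbose', 'debug', 'help'])

        except getopt.GetoptError as e:
            logger.error(e)
            self.print_help()
            sys.exit(1)

        instance_name = 'pki-tomcat'
        cert_file = None

        for o, a in opts:
            if o in ('-i', '--instance'):
                instance_name = a

            elif o == '--input':
                cert_file = a

            elif o in ('-v', '--verbose'):
                self.set_verbose(True)
                logging.getLogger().setLevel(logging.INFO)

            elif o == '--debug':
                self.set_verbose(True)
                self.set_debug(True)
                logging.getLogger().setLevel(logging.DEBUG)

            elif o == '--help':
                self.print_help()
                sys.exit()

            else:
                logger.error('option %s not recognized', o)
                self.print_help()
                sys.exit(1)

        if len(args) < 1:
            logger.error('Missing cert ID.')
            self.print_help()
            sys.exit(1)

        cert_id = args[0]

        instance = server.PKIInstance(instance_name)

        if not instance.is_valid():
            logger.error('Invalid instance %s.', instance_name)
            sys.exit(1)

        # Load the instance. Default: pki-tomcat
        instance.load()

        # Instance-wide IDs carry no subsystem prefix; anything else must be
        # <subsystem>_<tag>. One split keeps tags such as audit_signing intact.
        if cert_id in ('sslserver', 'subsystem'):
            subsystem_name = None
            cert_tag = cert_id

        else:
            parts = cert_id.split('_', 1)
            if len(parts) != 2:
                # Without this guard a bare "ca" would raise IndexError.
                logger.error('Invalid cert ID %s. Expected <subsystem>_<tag>.',
                             cert_id)
                self.print_help()
                sys.exit(1)
            subsystem_name, cert_tag = parts

        # If cert ID is instance specific, get it from first subsystem
        if not subsystem_name:
            if not instance.subsystems:
                logger.error('No subsystems in instance %s.', instance_name)
                sys.exit(1)
            subsystem_name = instance.subsystems[0].name

        subsystem = instance.get_subsystem(subsystem_name)

        if not subsystem:
            logger.error('No %s subsystem in instance %s.', subsystem_name,
                         instance_name)
            sys.exit(1)

        nssdb = instance.open_nssdb()

        try:
            cert_folder = os.path.join(pki.CONF_DIR, instance_name, 'certs')
            if not cert_file:
                cert_file = os.path.join(cert_folder, cert_id + '.crt')

            if not os.path.isfile(cert_file):
                logger.error('No such file: %s', cert_file)
                self.print_help()
                sys.exit(1)

            cert = subsystem.get_subsystem_cert(cert_tag)
            if not cert:
                logger.error('No %s certificate in %s subsystem.', cert_tag,
                             subsystem_name)
                sys.exit(1)

            logger.info('Checking existing %s certificate in NSS database',
                        cert_id)

            # Refuse to overwrite an existing entry under this nickname.
            if nssdb.get_cert(nickname=cert['nickname'], token=cert['token']):
                logger.error('Certificate already exists: %s', cert_id)
                sys.exit(1)

            logger.info('Importing new %s certificate into NSS database',
                        cert_id)

            # NOTE(review): nothing here checks that the certificate in the
            # file belongs to the key held under this nickname; whether
            # nssdb.add_cert enforces that is not visible from this file —
            # confirm.
            nssdb.add_cert(nickname=cert['nickname'],
                           token=cert['token'],
                           cert_file=cert_file)

            logger.info('Updating CS.cfg with the new certificate')

            # Read the cert back from NSS in base64 for CS.cfg.
            cert['data'] = nssdb.get_cert(nickname=cert['nickname'],
                                          token=cert['token'],
                                          output_format='base64')

            if cert_id in ('sslserver', 'subsystem'):
                # Instance-wide cert: update every subsystem's CS.cfg
                for sub in instance.subsystems:
                    sub.update_subsystem_cert(cert)
                    sub.save()
            else:
                subsystem.update_subsystem_cert(cert)
                subsystem.save()

        finally:
            nssdb.close()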
Esempio n. 7
File: cert.py Progetto: zultron/pki
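    def execute(self, argv):
        """Run the cert-create command.

        Creates a system certificate for one subsystem of a PKI server
        instance: a temporary certificate (``--temp``, serial chosen locally)
        or a permanent renewal (``--renew``, through an authenticated
        connection set up by ``setup_authentication``). The certificate is
        written to ``<CONF_DIR>/<instance>/certs/<cert_id>.crt`` unless
        ``--output`` is given.

        Args:
            argv: command-line arguments after the subcommand name. The single
                positional argument is the cert ID: ``sslserver``,
                ``subsystem`` or ``<subsystem>_<tag>`` (e.g.
                ``ca_ocsp_signing``). ``-d``/``-c``/``-C``/``-n`` give the
                client NSS database, its password (or password file) and the
                client cert nickname used for a permanent certificate.

        Raises:
            Exception: for a permanent certificate without ``--renew`` (rekey is
                not implemented) or for a cert tag with no creation routine.

        Exits with status 1 on option errors, a missing or malformed cert ID,
        a missing client NSS DB password for a permanent certificate, or an
        invalid instance/subsystem; exits 0 after printing help.
        """

        logging.basicConfig(format='%(levelname)s: %(message)s')

        try:
            opts, args = getopt.gnu_getopt(argv, 'i:d:c:C:n:v', [
                'instance=', 'temp', 'serial=', 'output=', 'renew', 'verbose',
                'debug', 'help'
            ])

        except getopt.GetoptError as e:
            logger.error(e)
            self.print_help()
            sys.exit(1)

        instance_name = 'pki-tomcat'
        create_temp_cert = False
        serial = None
        # Fall back to the account's home directory when HOME is unset (e.g.
        # when run from a service manager); concatenating None would raise
        # TypeError before any option is parsed.
        home_dir = os.getenv('HOME') or os.path.expanduser('~')
        client_nssdb_location = os.path.join(home_dir, '.dogtag', 'nssdb')
        client_nssdb_password = None
        client_nssdb_pass_file = None
        client_cert = None
        output = None
        renew = False
        connection = None

        for o, a in opts:
            if o in ('-i', '--instance'):
                instance_name = a

            elif o == '-d':
                client_nssdb_location = a

            elif o == '-c':
                # A password on the command line is visible to other local
                # users in the process list; -C (password file) avoids that.
                client_nssdb_password = a

            elif o == '-C':
                client_nssdb_pass_file = a

            elif o == '-n':
                client_cert = a

            elif o == '--temp':
                create_temp_cert = True

            elif o == '--serial':
                serial = a

            elif o == '--output':
                output = a

            elif o == '--renew':
                renew = True

            elif o in ('-v', '--verbose'):
                self.set_verbose(True)
                logging.getLogger().setLevel(logging.INFO)

            elif o == '--debug':
                self.set_verbose(True)
                self.set_debug(True)
                logging.getLogger().setLevel(logging.DEBUG)

            elif o == '--help':
                self.print_help()
                sys.exit()

            else:
                logger.error('option %s not recognized', o)
                self.print_help()
                sys.exit(1)

        if len(args) < 1:
            logger.error('Missing cert ID.')
            self.print_help()
            sys.exit(1)

        if not create_temp_cert:
            # For permanent certificate, password of NSS db is required.
            if not client_nssdb_password and not client_nssdb_pass_file:
                logger.error('NSS database password is required.')
                self.print_help()
                sys.exit(1)

        cert_id = args[0]

        instance = server.PKIInstance(instance_name)

        if not instance.is_valid():
            logger.error('Invalid instance %s.', instance_name)
            sys.exit(1)

        # Load the instance. Default: pki-tomcat
        instance.load()

        # Instance-wide IDs (sslserver, subsystem) carry no subsystem prefix;
        # anything else must be <subsystem>_<tag>. One split keeps tags that
        # themselves contain '_' (e.g. audit_signing) intact.
        if cert_id in ('sslserver', 'subsystem'):
            subsystem_name = None
            cert_tag = cert_id

        else:
            parts = cert_id.split('_', 1)
            if len(parts) != 2:
                # Without this guard a bare "ca" would raise IndexError.
                logger.error('Invalid cert ID %s. Expected <subsystem>_<tag>.',
                             cert_id)
                self.print_help()
                sys.exit(1)
            subsystem_name, cert_tag = parts

        # If cert ID is instance specific, get it from first subsystem
        if not subsystem_name:
            if not instance.subsystems:
                logger.error('No subsystems in instance %s.', instance_name)
                sys.exit(1)
            subsystem_name = instance.subsystems[0].name

        subsystem = instance.get_subsystem(subsystem_name)

        if not subsystem:
            logger.error('No %s subsystem in instance %s.', subsystem_name,
                         instance_name)
            sys.exit(1)

        nssdb = instance.open_nssdb()
        # mkdtemp() creates the directory with owner-only permissions; it is
        # removed in the finally block whatever happens below.
        tmpdir = tempfile.mkdtemp()
        try:
            cert_folder = os.path.join(pki.CONF_DIR, instance_name, 'certs')
            if not os.path.exists(cert_folder):
                os.makedirs(cert_folder)
            new_cert_file = os.path.join(cert_folder, cert_id + '.crt')

            if output:
                new_cert_file = output

            if create_temp_cert:
                if not serial:
                    # No serial given: use one above the highest serial number
                    # found across every subsystem's system certs.
                    highest = 0
                    for sub in instance.subsystems:
                        for n_cert in sub.find_system_certs():
                            highest = max(highest, int(n_cert['serial_number']))

                    # The create_* helpers take the serial as a string.
                    serial = str(highest + 1)

            else:
                # Create permanent certificate
                if not renew:
                    # Fixme: Support rekey
                    raise Exception('Rekey is not supported yet.')

                # Only a permanent certificate needs an authenticated
                # connection; connection stays None for temporary ones.
                connection = self.setup_authentication(
                    subsystem=subsystem,
                    c_nssdb_pass=client_nssdb_password,
                    c_cert=client_cert,
                    c_nssdb_pass_file=client_nssdb_pass_file,
                    c_nssdb=client_nssdb_location,
                    tmpdir=tmpdir)

            if cert_tag == 'sslserver':
                self.create_ssl_cert(instance=instance,
                                     subsystem=subsystem,
                                     is_temp_cert=create_temp_cert,
                                     new_cert_file=new_cert_file,
                                     nssdb=nssdb,
                                     serial=serial,
                                     tmpdir=tmpdir,
                                     connection=connection)

            elif cert_tag == 'subsystem':
                self.create_subsystem_cert(is_temp_cert=create_temp_cert,
                                           serial=serial,
                                           subsystem=subsystem,
                                           new_cert_file=new_cert_file,
                                           connection=connection)

            elif cert_id in ['ca_ocsp_signing', 'ocsp_signing']:
                self.create_ocsp_cert(is_temp_cert=create_temp_cert,
                                      serial=serial,
                                      subsystem=subsystem,
                                      new_cert_file=new_cert_file,
                                      connection=connection)

            elif cert_tag == 'audit_signing':
                self.create_audit_cert(is_temp_cert=create_temp_cert,
                                       serial=serial,
                                       subsystem=subsystem,
                                       new_cert_file=new_cert_file,
                                       connection=connection)

            else:
                # renewal not yet supported
                raise Exception('Renewal for %s not yet supported.' % cert_id)

        finally:
            nssdb.close()
            shutil.rmtree(tmpdir)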
Esempio n. 8
File: cert.py Progetto: zultron/pki
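    def execute(self, argv):
        """Run the cert-update command.

        Re-reads a subsystem's system certificate from the NSS database, looks
        up the matching certificate request in the local CA's database, and
        stores the base64 cert data and the bare base64 request body in the
        CS.cfg of the owning subsystem (of every subsystem for the
        instance-wide ``sslserver``/``subsystem`` certs).

        Args:
            argv: command-line arguments after the subcommand name. The single
                positional argument is the cert ID: ``sslserver``, ``subsystem``
                or ``<subsystem>_<tag>`` (e.g. ``ca_ocsp_signing``).

        Exits with status 1 on option errors, a missing or malformed cert ID,
        an invalid instance/subsystem, a cert missing from the NSS database,
        or an instance without a CA; exits 0 after printing help.
        """

        logging.basicConfig(format='%(levelname)s: %(message)s')

        try:
            opts, args = getopt.gnu_getopt(
                argv, 'i:v', ['instance=', 'verbose', 'debug', 'help'])

        except getopt.GetoptError as e:
            logger.error(e)
            self.print_help()
            sys.exit(1)

        instance_name = 'pki-tomcat'

        for o, a in opts:
            if o in ('-i', '--instance'):
                instance_name = a

            elif o in ('-v', '--verbose'):
                self.set_verbose(True)
                logging.getLogger().setLevel(logging.INFO)

            elif o == '--debug':
                self.set_verbose(True)
                self.set_debug(True)
                logging.getLogger().setLevel(logging.DEBUG)

            elif o == '--help':
                self.print_help()
                sys.exit()

            else:
                logger.error('option %s not recognized', o)
                self.print_help()
                sys.exit(1)

        if len(args) < 1:
            logger.error('Missing cert ID.')
            self.print_help()
            sys.exit(1)

        cert_id = args[0]

        instance = server.PKIInstance(instance_name)

        if not instance.is_valid():
            logger.error('Invalid instance %s.', instance_name)
            sys.exit(1)

        instance.load()

        # Instance-wide IDs carry no subsystem prefix; anything else must be
        # <subsystem>_<tag>. One split keeps tags such as audit_signing intact.
        if cert_id in ('sslserver', 'subsystem'):
            subsystem_name = None
            cert_tag = cert_id

        else:
            parts = cert_id.split('_', 1)
            if len(parts) != 2:
                # Without this guard a bare "ca" would raise IndexError.
                logger.error('Invalid cert ID %s. Expected <subsystem>_<tag>.',
                             cert_id)
                self.print_help()
                sys.exit(1)
            subsystem_name, cert_tag = parts

        # If cert ID is instance specific, get it from first subsystem
        if not subsystem_name:
            if not instance.subsystems:
                logger.error('No subsystems in instance %s.', instance_name)
                sys.exit(1)
            subsystem_name = instance.subsystems[0].name

        subsystem = instance.get_subsystem(subsystem_name)

        if not subsystem:
            logger.error('No %s subsystem in instance %s.', subsystem_name,
                         instance_name)
            sys.exit(1)

        subsystem_cert = subsystem.get_subsystem_cert(cert_tag)
        if not subsystem_cert:
            logger.error('No %s certificate in %s subsystem.', cert_tag,
                         subsystem_name)
            sys.exit(1)

        logger.info('Retrieving certificate %s from %s',
                    subsystem_cert['nickname'], subsystem_cert['token'])

        token = subsystem_cert['token']
        nssdb = instance.open_nssdb(token)

        # Get the cert data from NSS DB; close the handle as the other cert
        # commands do, whether or not the lookup succeeds.
        try:
            data = nssdb.get_cert(nickname=subsystem_cert['nickname'],
                                  output_format='base64')
        finally:
            nssdb.close()

        if not data:
            logger.error('Certificate %s not found in NSS database.',
                         subsystem_cert['nickname'])
            sys.exit(1)

        subsystem_cert['data'] = data

        # format cert data for LDAP database: 64-column lines, CRLF-terminated
        lines = [data[i:i + 64] for i in range(0, len(data), 64)]
        data = '\r\n'.join(lines) + '\r\n'

        # Get the cert request from LDAP database
        logger.info('Retrieving certificate request from CA database')

        # TODO: add support for remote CA
        ca = instance.get_subsystem('ca')
        if not ca:
            logger.error('No CA subsystem in instance %s.', instance_name)
            sys.exit(1)

        results = ca.find_cert_requests(cert=data)

        if results:
            # The last match is taken; this presumes find_cert_requests returns
            # requests oldest first — confirm against the CA subsystem code.
            cert_request = results[-1]
            request = cert_request['request']

            # format cert request for CS.cfg: strip the PEM armour when present
            # and join the base64 body into one line. The emptiness checks keep
            # an empty request from raising IndexError.
            lines = request.splitlines()
            if lines and lines[0] == '-----BEGIN CERTIFICATE REQUEST-----':
                lines = lines[1:]
            if lines and lines[-1] == '-----END CERTIFICATE REQUEST-----':
                lines = lines[:-1]
            request = ''.join(lines)
            subsystem_cert['request'] = request

        else:
            print('WARNING: Certificate request not found')

        # store cert data and request in CS.cfg
        if cert_id in ('sslserver', 'subsystem'):
            # Update for all subsystems
            for sub in instance.subsystems:
                sub.update_subsystem_cert(subsystem_cert)
                sub.save()
        else:
            subsystem.update_subsystem_cert(subsystem_cert)
            subsystem.save()

        self.print_message('Updated "%s" system certificate' % cert_id)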
Esempio n. 9
File: cert.py Progetto: zultron/pki
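    def execute(self, argv):
        """Run the cert-del command: remove a system certificate from the NSS database.

        Args:
            argv: command-line arguments after the subcommand name. The single
                positional argument is the cert ID: ``sslserver``, ``subsystem``
                or ``<subsystem>_<tag>``. ``--remove-key`` also deletes the
                private key; ``-i/--instance`` selects the instance
                (default ``pki-tomcat``).

        Exits with status 1 on option errors, a missing or malformed cert ID,
        or an invalid instance/subsystem; exits 0 after printing help.
        """

        logging.basicConfig(format='%(levelname)s: %(message)s')

        try:
            opts, args = getopt.gnu_getopt(
                argv, 'i:v',
                ['instance=', 'remove-key', 'verbose', 'debug', 'help'])

        except getopt.GetoptError as e:
            logger.error(e)
            self.print_help()
            sys.exit(1)

        instance_name = 'pki-tomcat'
        remove_key = False

        for o, a in opts:
            if o in ('-i', '--instance'):
                instance_name = a

            elif o == '--remove-key':
                remove_key = True

            elif o in ('-v', '--verbose'):
                self.set_verbose(True)
                logging.getLogger().setLevel(logging.INFO)

            elif o == '--debug':
                self.set_verbose(True)
                self.set_debug(True)
                logging.getLogger().setLevel(logging.DEBUG)

            elif o == '--help':
                self.print_help()
                sys.exit()

            else:
                logger.error('option %s not recognized', o)
                self.print_help()
                sys.exit(1)

        if len(args) < 1:
            logger.error('Missing cert ID.')
            self.print_help()
            sys.exit(1)

        cert_id = args[0]

        instance = server.PKIInstance(instance_name)

        if not instance.is_valid():
            logger.error('Invalid instance %s.', instance_name)
            sys.exit(1)

        # Load the instance. Default: pki-tomcat
        instance.load()

        # Instance-wide IDs carry no subsystem prefix; anything else must be
        # <subsystem>_<tag>. One split keeps tags such as audit_signing intact.
        if cert_id in ('sslserver', 'subsystem'):
            subsystem_name = None
            cert_tag = cert_id

        else:
            parts = cert_id.split('_', 1)
            if len(parts) != 2:
                # Without this guard a bare "ca" would raise IndexError.
                logger.error('Invalid cert ID %s. Expected <subsystem>_<tag>.',
                             cert_id)
                self.print_help()
                sys.exit(1)
            subsystem_name, cert_tag = parts

        # If cert ID is instance specific, get it from first subsystem
        if not subsystem_name:
            if not instance.subsystems:
                logger.error('No subsystems in instance %s.', instance_name)
                sys.exit(1)
            subsystem_name = instance.subsystems[0].name

        subsystem = instance.get_subsystem(subsystem_name)

        if not subsystem:
            logger.error('No %s subsystem in instance %s.', subsystem_name,
                         instance_name)
            sys.exit(1)

        cert = subsystem.get_subsystem_cert(cert_tag)
        if not cert:
            logger.error('No %s certificate in %s subsystem.', cert_tag,
                         subsystem_name)
            sys.exit(1)

        nssdb = instance.open_nssdb()

        try:
            logger.info('Removing %s certificate from NSS database', cert_id)

            # With remove_key=True the private key goes too; there is no undo
            # here, so callers should have a backup or a replacement ready.
            nssdb.remove_cert(nickname=cert['nickname'],
                              token=cert['token'],
                              remove_key=remove_key)

        finally:
            nssdb.close()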
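    def execute(self, argv):
        """Export a system certificate, its CSR and/or a PKCS #12 bundle.

        Args:
            argv: command-line arguments; the single positional argument is
                the cert ID (``sslserver``, ``subsystem`` or
                ``<subsystem>_<cert_tag>``).

        Options:
            -i/--instance           instance name (default ``pki-tomcat``)
            --cert-file             write the certificate (PEM) to this path
            --csr-file              write the CSR (PEM) to this path
            --pkcs12-file           write cert and key as PKCS #12 to this path
            --pkcs12-password       PKCS #12 password (visible in the process
                                    list; prefer --pkcs12-password-file)
            --pkcs12-password-file  file holding the PKCS #12 password
            --friendly-name, --cert-encryption, --key-encryption, --append,
            --no-trust-flags, --no-key, --no-chain
            -v/--verbose, --debug, --help

        At least one of --cert-file, --csr-file or --pkcs12-file is required.
        Exits with status 1 on usage errors or when the instance, subsystem
        or certificate cannot be found; ``--help`` exits with status 0.
        """

        logging.basicConfig(format='%(levelname)s: %(message)s')

        try:
            opts, args = getopt.gnu_getopt(argv, 'i:v', [
                'instance=', 'cert-file=', 'csr-file=', 'pkcs12-file=',
                'pkcs12-password=', 'pkcs12-password-file=', 'friendly-name=',
                'cert-encryption=', 'key-encryption=', 'append',
                'no-trust-flags', 'no-key', 'no-chain', 'verbose', 'debug',
                'help'
            ])

        except getopt.GetoptError as e:
            logger.error(e)
            self.print_help()
            sys.exit(1)

        instance_name = 'pki-tomcat'
        cert_file = None
        csr_file = None
        pkcs12_file = None
        pkcs12_password = None
        pkcs12_password_file = None
        friendly_name = None
        cert_encryption = None
        key_encryption = None
        append = False
        include_trust_flags = True
        include_key = True
        include_chain = True

        for o, a in opts:
            if o in ('-i', '--instance'):
                instance_name = a

            elif o == '--cert-file':
                cert_file = a

            elif o == '--csr-file':
                csr_file = a

            elif o == '--pkcs12-file':
                pkcs12_file = a

            elif o == '--pkcs12-password':
                pkcs12_password = a

            elif o == '--pkcs12-password-file':
                pkcs12_password_file = a

            elif o == '--friendly-name':
                friendly_name = a

            elif o == '--cert-encryption':
                cert_encryption = a

            elif o == '--key-encryption':
                key_encryption = a

            elif o == '--append':
                append = True

            elif o == '--no-trust-flags':
                include_trust_flags = False

            elif o == '--no-key':
                include_key = False

            elif o == '--no-chain':
                include_chain = False

            elif o in ('-v', '--verbose'):
                self.set_verbose(True)
                logging.getLogger().setLevel(logging.INFO)

            elif o == '--debug':
                self.set_verbose(True)
                self.set_debug(True)
                logging.getLogger().setLevel(logging.DEBUG)

            elif o == '--help':
                self.print_help()
                sys.exit()

            else:
                logger.error('option %s not recognized', o)
                self.print_help()
                sys.exit(1)

        if len(args) < 1:
            logger.error('Missing cert ID.')
            self.print_help()
            sys.exit(1)

        cert_id = args[0]

        if not (cert_file or csr_file or pkcs12_file):
            logger.error('missing output file')
            self.print_help()
            sys.exit(1)

        instance = server.PKIInstance(instance_name)

        if not instance.is_valid():
            logger.error('Invalid instance %s.', instance_name)
            sys.exit(1)

        instance.load()

        if cert_id in ('sslserver', 'subsystem'):
            # Instance-wide cert: the tag is the ID itself.
            subsystem_name = None
            cert_tag = cert_id

        else:
            # Subsystem-specific IDs have the form <subsystem>_<cert_tag>;
            # split once only, since the tag itself may contain underscores.
            parts = cert_id.split('_', 1)
            if len(parts) != 2:
                # Previously an IndexError traceback for IDs without '_'.
                logger.error('Invalid cert ID: %s', cert_id)
                self.print_help()
                sys.exit(1)
            subsystem_name, cert_tag = parts

        # If cert ID is instance specific, get it from first subsystem
        if not subsystem_name:
            subsystem_name = instance.subsystems[0].name

        subsystem = instance.get_subsystem(subsystem_name)

        if not subsystem:
            logger.error('No %s subsystem in instance %s.', subsystem_name,
                         instance_name)
            sys.exit(1)

        cert = subsystem.get_subsystem_cert(cert_tag)

        if not cert:
            logger.error('missing %s certificate', cert_id)
            self.print_help()
            sys.exit(1)

        if cert_id == 'sslserver':
            # get nickname and token from serverCertNick.conf
            full_name = instance.get_sslserver_cert_nickname()
            i = full_name.find(':')
            if i < 0:
                nickname = full_name
                token = None

            else:
                # "<token>:<nickname>" form
                nickname = full_name[i + 1:]
                token = full_name[:i]

        else:
            # get nickname and token from CS.cfg
            nickname = cert['nickname']
            token = cert['token']

        logger.info('Nickname: %s', nickname)
        logger.info('Token: %s', token)

        nssdb = instance.open_nssdb(token)

        try:
            if cert_file:

                logger.info('Exporting %s certificate into %s.', cert_id,
                            cert_file)

                cert_data = cert.get('data', None)
                if cert_data is None:
                    logger.error('Unable to find certificate data for %s',
                                 cert_id)
                    sys.exit(1)

                cert_data = pki.nssdb.convert_cert(cert_data, 'base64', 'pem')
                with open(cert_file, 'w') as f:
                    f.write(cert_data)

            if csr_file:

                logger.info('Exporting %s CSR into %s.', cert_id, csr_file)

                cert_request = cert.get('request', None)
                if cert_request is None:
                    logger.error('Unable to find certificate request for %s',
                                 cert_id)
                    sys.exit(1)

                csr_data = pki.nssdb.convert_csr(cert_request, 'base64', 'pem')
                with open(csr_file, 'w') as f:
                    f.write(csr_data)

            if pkcs12_file:

                logger.info('Exporting %s certificate and key into %s.',
                            cert_id, pkcs12_file)

                # Prompt rather than fall back to an empty password: the
                # bundle may contain the private key (see --no-key).
                if not pkcs12_password and not pkcs12_password_file:
                    pkcs12_password = getpass.getpass(
                        prompt='Enter password for PKCS #12 file: ')

                logger.info('Friendly name: %s', friendly_name)

                nssdb.export_cert(nickname=nickname,
                                  pkcs12_file=pkcs12_file,
                                  pkcs12_password=pkcs12_password,
                                  pkcs12_password_file=pkcs12_password_file,
                                  friendly_name=friendly_name,
                                  cert_encryption=cert_encryption,
                                  key_encryption=key_encryption,
                                  append=append,
                                  include_trust_flags=include_trust_flags,
                                  include_key=include_key,
                                  include_chain=include_chain,
                                  debug=self.debug)

        finally:
            nssdb.close()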
    def execute(self, argv):
        """List the system certificates of every subsystem in an instance.

        Args:
            argv: command-line arguments (no positional arguments).

        Options:
            -i/--instance  instance name (default ``pki-tomcat``)
            --show-all     pass-through to ``CertCLI.print_system_cert``
            -v/--verbose, --debug, --help

        Subsystem-specific cert IDs are printed as ``<subsystem>_<id>``;
        ``sslserver`` and ``subsystem`` are shared and printed once.
        Exits with status 1 on usage errors or an invalid instance.
        """

        logging.basicConfig(format='%(levelname)s: %(message)s')

        try:
            opts, _ = getopt.gnu_getopt(
                argv, 'i:v',
                ['instance=', 'show-all', 'verbose', 'debug', 'help'])

        except getopt.GetoptError as e:
            logger.error(e)
            self.print_help()
            sys.exit(1)

        instance_name = 'pki-tomcat'
        show_all = False

        for opt, val in opts:
            if opt in ('-i', '--instance'):
                instance_name = val

            elif opt == '--show-all':
                show_all = True

            elif opt in ('-v', '--verbose'):
                self.set_verbose(True)
                logging.getLogger().setLevel(logging.INFO)

            elif opt == '--debug':
                self.set_verbose(True)
                self.set_debug(True)
                logging.getLogger().setLevel(logging.DEBUG)

            elif opt == '--help':
                self.print_help()
                sys.exit()

            else:
                logger.error('option %s not recognized', opt)
                self.print_help()
                sys.exit(1)

        instance = server.PKIInstance(instance_name)

        if not instance.is_valid():
            logger.error('Invalid instance %s.', instance_name)
            sys.exit(1)

        instance.load()

        # IDs already printed; shared certs appear in several subsystems.
        seen = set()

        for subsystem in instance.subsystems:

            for cert in subsystem.find_system_certs():

                # Qualify subsystem-specific IDs with the subsystem name
                if cert['id'] not in ('sslserver', 'subsystem'):
                    cert['id'] = '%s_%s' % (subsystem.name, cert['id'])

                if cert['id'] in seen:
                    continue

                # Blank line between entries, none before the first one
                if seen:
                    print()

                seen.add(cert['id'])
                CertCLI.print_system_cert(cert, show_all)
    def execute(self, argv):
        """Import a system certificate into an instance.

        Args:
            argv: command-line arguments; the single positional argument is
                the cert ID.

        Options:
            -i/--instance  instance name (default ``pki-tomcat``)
            --input        certificate file to import (``None`` when omitted;
                           the default is left to ``PKIInstance.cert_import``)
            -v/--verbose, --debug, --help

        Exits with status 1 on usage errors, an invalid instance, or when
        ``cert_import`` raises ``PKIServerException``.
        """

        logging.basicConfig(format='%(levelname)s: %(message)s')

        try:
            opts, args = getopt.gnu_getopt(
                argv, 'i:v',
                ['instance=', 'input=', 'verbose', 'debug', 'help'])

        except getopt.GetoptError as e:
            logger.error(e)
            self.print_help()
            sys.exit(1)

        instance_name = 'pki-tomcat'
        cert_file = None

        for opt, val in opts:
            if opt in ('-i', '--instance'):
                instance_name = val

            elif opt == '--input':
                cert_file = val

            elif opt in ('-v', '--verbose'):
                self.set_verbose(True)
                logging.getLogger().setLevel(logging.INFO)

            elif opt == '--debug':
                self.set_verbose(True)
                self.set_debug(True)
                logging.getLogger().setLevel(logging.DEBUG)

            elif opt == '--help':
                self.print_help()
                sys.exit()

            else:
                logger.error('option %s not recognized', opt)
                self.print_help()
                sys.exit(1)

        if not args:
            logger.error('Missing cert ID.')
            self.print_help()
            sys.exit(1)

        cert_id = args[0]

        instance = server.PKIInstance(instance_name)

        if not instance.is_valid():
            logger.error('Invalid instance %s.', instance_name)
            sys.exit(1)

        # Load the instance. Default: pki-tomcat
        instance.load()

        # Loads the cert into the NSS db and updates the CS.cfg of every
        # subsystem that uses it.
        try:
            instance.cert_import(cert_id, cert_file)

        except server.PKIServerException as e:
            logger.error(str(e))
            sys.exit(1)
    def execute(self, argv):

        logging.basicConfig(format='%(levelname)s: %(message)s')

        try:
            opts, args = getopt.gnu_getopt(argv, 'i:d:c:C:n:v', [
                'instance=', 'temp', 'serial=', 'output=', 'renew', 'verbose',
                'debug', 'help'
            ])

        except getopt.GetoptError as e:
            logger.error(e)
            self.print_help()
            sys.exit(1)

        instance_name = 'pki-tomcat'
        temp_cert = False
        serial = None
        client_nssdb = os.getenv('HOME') + '/.dogtag/nssdb'
        client_nssdb_password = None
        client_nssdb_pass_file = None
        client_cert = None
        output = None
        renew = False

        for o, a in opts:
            if o in ('-i', '--instance'):
                instance_name = a

            elif o == '-d':
                client_nssdb = a

            elif o == '-c':
                client_nssdb_password = a

            elif o == '-C':
                client_nssdb_pass_file = a

            elif o == '-n':
                client_cert = a

            elif o == '--temp':
                temp_cert = True

            elif o == '--serial':
                # string containing the dec or hex value for the identifier
                serial = str(int(a, 0))

            elif o == '--output':
                output = a

            elif o == '--renew':
                renew = True

            elif o in ('-v', '--verbose'):
                self.set_verbose(True)
                logging.getLogger().setLevel(logging.INFO)

            elif o == '--debug':
                self.set_verbose(True)
                self.set_debug(True)
                logging.getLogger().setLevel(logging.DEBUG)

            elif o == '--help':
                self.print_help()
                sys.exit()

            else:
                logger.error('option %s not recognized', o)
                self.print_help()
                sys.exit(1)

        if len(args) < 1:
            logger.error('Missing cert ID.')
            self.print_help()
            sys.exit(1)

        if not temp_cert:
            # For permanent certificate, password of NSS db is required.
            if not client_nssdb_password and not client_nssdb_pass_file:
                logger.error('NSS database password is required.')
                self.print_help()
                sys.exit(1)

        cert_id = args[0]

        instance = server.PKIInstance(instance_name)

        if not instance.is_valid():
            logger.error('Invalid instance %s.', instance_name)
            sys.exit(1)

        # Load the instance. Default: pki-tomcat
        instance.load()

        try:
            instance.cert_create(cert_id, client_cert, client_nssdb,
                                 client_nssdb_password, client_nssdb_pass_file,
                                 serial, temp_cert, renew, output)

        except server.PKIServerException as e:
            logger.error(str(e))
            sys.exit(1)
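    def execute(self, argv):
        """Renew expired (or selected) system certificates of an instance.

        Args:
            argv: command-line arguments (no positional arguments).

        Options:
            -i/--instance  instance name (default ``pki-tomcat``)
            --cert         cert ID to fix; may be repeated. Without it every
                           system cert except ``ca_signing`` is renewed.
            -d             client NSS database (default ``~/.dogtag/nssdb``)
            -c             client NSS database password (visible in the
                           process list; prefer -C)
            -C             file holding the client NSS database password
            -n             nickname of the client (agent) certificate
            -v/--verbose, --debug, --help

        The instance is stopped, startup self-tests are made non-critical so
        the server can come up on a temporary SSL cert, renewal requests are
        placed for every cert in the list, the renewed certs are imported and
        self-tests are made critical again before the final start.
        Exits with status 1 on usage errors, on an unknown subsystem, or when
        a ``PKIServerException`` is raised by any step.
        """
        logging.basicConfig(format='%(levelname)s: %(message)s')

        try:
            opts, _ = getopt.gnu_getopt(
                argv, 'i:d:c:C:n:v',
                ['instance=', 'cert=', 'verbose', 'debug', 'help'])

        except getopt.GetoptError as e:
            logger.error(e)
            self.print_help()
            sys.exit(1)

        instance_name = 'pki-tomcat'
        all_certs = True
        # expanduser() honours $HOME and falls back to the passwd entry, so an
        # unset HOME no longer raises TypeError here.
        client_nssdb = os.path.join(os.path.expanduser('~'), '.dogtag', 'nssdb')
        client_nssdb_pass = None
        client_nssdb_pass_file = None
        client_cert = None
        fix_certs = []

        for o, a in opts:
            if o in ('-i', '--instance'):
                instance_name = a

            elif o == '--cert':
                all_certs = False
                fix_certs.append(a)

            elif o == '-d':
                client_nssdb = a

            elif o == '-c':
                client_nssdb_pass = a

            elif o == '-C':
                client_nssdb_pass_file = a

            elif o == '-n':
                client_cert = a

            elif o in ('-v', '--verbose'):
                self.set_verbose(True)
                logging.getLogger().setLevel(logging.INFO)

            elif o == '--debug':
                self.set_verbose(True)
                self.set_debug(True)
                logging.getLogger().setLevel(logging.DEBUG)

            elif o == '--help':
                self.print_help()
                sys.exit()

            else:
                logger.error('option %s not recognized', o)
                self.print_help()
                sys.exit(1)

        if not client_cert:
            logger.error('Client nick name is required.')
            self.print_help()
            sys.exit(1)

        if not client_nssdb_pass and not client_nssdb_pass_file:
            logger.error('Client NSS db password is required.')
            self.print_help()
            sys.exit(1)

        instance = server.PKIInstance(instance_name)

        if not instance.is_valid():
            logger.error('Invalid instance %s.', instance_name)
            sys.exit(1)

        instance.load()

        # 1. Make a list of certs to fix OR use the list provided through CLI options
        if all_certs:
            # TODO: Identify only certs that are EXPIRED or ALMOST EXPIRED
            for subsystem in instance.subsystems:
                # Retrieve the subsystem's system certificate
                certs = subsystem.find_system_certs()

                # Iterate on all subsystem's system certificate to prepend
                # subsystem name to the ID
                for cert in certs:
                    if cert['id'] != 'sslserver' and cert['id'] != 'subsystem':
                        cert['id'] = subsystem.name + '_' + cert['id']

                    # Append only unique certificates to other subsystem certificate list
                    # ca_signing isn't supported yet
                    if cert['id'] in fix_certs or cert['id'] == 'ca_signing':
                        continue

                    fix_certs.append(cert['id'])

        logger.info('Fixing the following certs: %s', fix_certs)

        # 2. Stop the server, if it's up
        instance.stop()

        # 3. Find the subsystem and disable Self-tests
        try:
            # Placeholder used to hold subsystems whose selftest have been turned off
            # Note: This is initialized as a set to avoid duplicates
            # Example of duplicates:
            # fix_certs = [ca_ocsp_signing, ca_audit_signing] -> will add 'ca' entry twice
            target_subsys = set()

            if 'sslserver' in fix_certs or 'subsystem' in fix_certs:
                # If the cert is either sslserver/subsystem, disable selftest for all
                # subsystems since all subsystems use these 2 certs.
                target_subsys = set(instance.subsystems)

            else:
                for cert_id in fix_certs:
                    # Since we already filtered sslserver/subsystem, we can be quite sure
                    # that this split will definitely be of form: <subsys>_<cert_tag>
                    subsystem_name = cert_id.split('_', 1)[0]
                    subsystem = instance.get_subsystem(subsystem_name)

                    # If the subsystem is wrong, stop the process
                    if not subsystem:
                        logger.error('No %s subsystem in instance %s.',
                                     subsystem_name, instance_name)
                        sys.exit(1)

                    target_subsys.add(subsystem)

            # Convert set to list
            target_subsys = list(target_subsys)

            for subsystem in target_subsys:
                subsystem.set_startup_test_criticality(False)
                subsystem.save()

            logger.info('Selftests disabled for subsystems: %s',
                        ', '.join(str(x.name) for x in target_subsys))

            # 4. Bring up the server using a temp SSL cert if the sslcert is expired
            if 'sslserver' in fix_certs:
                # 4a. Create temp SSL cert
                instance.cert_create(cert_id='sslserver', temp_cert=True)

                # 4b. Delete the existing SSL Cert
                instance.cert_del('sslserver')

                # 4c. Import the temp sslcert into the instance
                instance.cert_import('sslserver')

            # 5. Bring up the server temporarily
            instance.start()

            # 6. Place renewal request for all certs in fix_certs
            for cert_id in fix_certs:
                instance.cert_create(
                    cert_id=cert_id,
                    client_cert=client_cert,
                    client_nssdb=client_nssdb,
                    client_nssdb_pass=client_nssdb_pass,
                    client_nssdb_pass_file=client_nssdb_pass_file,
                    renew=True)

            # 7. Stop the server
            instance.stop()

            # 8. Delete existing certs and then import the renewed system cert(s)
            for cert_id in fix_certs:
                # Delete the existing cert from the instance
                instance.cert_del(cert_id)

                # Import this new cert into the instance
                instance.cert_import(cert_id)

            # 9. Enable self tests for the subsystems disabled earlier and
            #    persist it: step 3 saved the non-critical setting to disk,
            #    so without save() here it would outlive this command.
            for subsystem in target_subsys:
                subsystem.set_startup_test_criticality(True)
                subsystem.save()

            # 10. Bring up the server
            instance.start()

        except server.PKIServerException as e:
            # NOTE: a failure here leaves the server stopped and, if step 3
            # already ran, self-tests still saved as non-critical; re-running
            # this command (or step 9 by hand) restores them.
            logger.error(str(e))
            sys.exit(1)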
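    def execute(self, argv):
        """Import a system certificate into the NSS db and update CS.cfg.

        Args:
            argv: command-line arguments; the single positional argument is
                the cert ID (``sslserver``, ``subsystem`` or
                ``<subsystem>_<cert_tag>``).

        Options:
            -i/--instance  instance name (default ``pki-tomcat``)
            --input        certificate file; defaults to
                           ``<CONF_DIR>/<instance>/certs/<cert_id>.crt``
            -v/--verbose, --help

        The existing cert with the same nickname is removed from the NSS db
        before the new one is added, then the base64 data is written back to
        CS.cfg (all subsystems for ``sslserver``/``subsystem``).
        Exits with status 1 on usage errors or when the instance, subsystem,
        certificate entry or input file cannot be found.
        """
        try:
            opts, args = getopt.gnu_getopt(
                argv, 'i:v', ['instance=', 'verbose', 'input=', 'help'])

        except getopt.GetoptError as e:
            print('ERROR: ' + str(e))
            self.usage()
            sys.exit(1)

        instance_name = 'pki-tomcat'
        cert_file = None

        for o, a in opts:
            if o in ('-i', '--instance'):
                instance_name = a

            elif o in ('-v', '--verbose'):
                self.set_verbose(True)

            elif o == '--help':
                self.usage()
                sys.exit()

            elif o == '--input':
                cert_file = a

            else:
                self.print_message('ERROR: unknown option ' + o)
                self.usage()
                sys.exit(1)

        if len(args) < 1:
            print('ERROR: missing cert ID')
            self.usage()
            sys.exit(1)

        cert_id = args[0]

        instance = server.PKIInstance(instance_name)

        if not instance.is_valid():
            print('ERROR: Invalid instance %s.' % instance_name)
            sys.exit(1)

        # Load the instance. Default: pki-tomcat
        instance.load()

        subsystem_name = None
        cert_tag = cert_id
        if cert_id != 'sslserver' and cert_id != 'subsystem':
            # To avoid ambiguity where cert ID can contain more than 1 _, we limit to one split
            temp_cert_identify = cert_id.split('_', 1)
            if len(temp_cert_identify) != 2:
                # Previously an IndexError traceback for IDs without '_'.
                print('ERROR: Invalid cert ID %s.' % cert_id)
                self.usage()
                sys.exit(1)
            subsystem_name = temp_cert_identify[0]
            cert_tag = temp_cert_identify[1]

        # If cert ID is instance specific, get it from first subsystem
        if not subsystem_name:
            subsystem_name = instance.subsystems[0].name

        # Get the subsystem - Eg: ca, kra, tps, tks
        subsystem = instance.get_subsystem(subsystem_name)

        if not subsystem:
            print('ERROR: No %s subsystem in instance.'
                  '%s.' % (subsystem_name, instance_name))
            sys.exit(1)

        nssdb = instance.open_nssdb()

        try:
            cert_folder = os.path.join(pki.CONF_DIR, instance_name, 'certs')
            if not cert_file:
                cert_file = os.path.join(cert_folder, cert_id + '.crt')

            if not os.path.isfile(cert_file):
                print('ERROR: No %s such file.' % cert_file)
                self.usage()
                sys.exit(1)

            cert = subsystem.get_subsystem_cert(cert_tag)

            if not cert:
                # No CS.cfg entry: there is no nickname to import under.
                print('ERROR: missing %s certificate' % cert_id)
                self.usage()
                sys.exit(1)

            # Import cert into NSS db
            if self.verbose:
                print('Removing old %s certificate from NSS database.' %
                      cert_id)
            nssdb.remove_cert(cert['nickname'])

            if self.verbose:
                print('Adding new %s certificate into NSS database.' % cert_id)
            nssdb.add_cert(nickname=cert['nickname'], cert_file=cert_file)

            # Update CS.cfg with the new certificate
            if self.verbose:
                print('Updating CS.cfg')

            data = nssdb.get_cert(nickname=cert['nickname'],
                                  output_format='base64')
            cert['data'] = data

            if cert_id == 'sslserver' or cert_id == 'subsystem':
                # Update all subsystem's CS.cfg
                for subsystem in instance.subsystems:
                    subsystem.update_subsystem_cert(cert)
                    subsystem.save()
            else:
                subsystem.update_subsystem_cert(cert)
                subsystem.save()

        finally:
            nssdb.close()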
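    def execute(self, argv):
        """Show one system certificate of an instance.

        Args:
            argv: command-line arguments; the single positional argument is
                the cert ID (``sslserver``, ``subsystem`` or
                ``<subsystem>_<cert_tag>``).

        Options:
            -i/--instance  instance name (default ``pki-tomcat``)
            --show-all     pass-through to ``CertCLI.print_system_cert``
            --pretty-print additionally print the cert from the NSS db in
                           ``pretty-print`` format
            -v/--verbose, --debug, --help

        Exits with status 1 on usage errors or when the instance, subsystem
        or certificate cannot be found; ``--help`` exits with status 0.
        """

        logging.basicConfig(format='%(levelname)s: %(message)s')

        try:
            opts, args = getopt.gnu_getopt(argv, 'i:v', [
                'instance=', 'show-all', 'pretty-print', 'verbose', 'debug',
                'help'
            ])

        except getopt.GetoptError as e:
            logger.error(e)
            self.print_help()
            sys.exit(1)

        instance_name = 'pki-tomcat'
        show_all = False
        pretty_print = False

        for o, a in opts:
            if o in ('-i', '--instance'):
                instance_name = a

            elif o == '--show-all':
                show_all = True

            elif o == '--pretty-print':
                pretty_print = True

            elif o in ('-v', '--verbose'):
                self.set_verbose(True)
                logging.getLogger().setLevel(logging.INFO)

            elif o == '--debug':
                self.set_verbose(True)
                self.set_debug(True)
                logging.getLogger().setLevel(logging.DEBUG)

            elif o == '--help':
                self.print_help()
                sys.exit()

            else:
                logger.error('option %s not recognized', o)
                self.print_help()
                sys.exit(1)

        if len(args) < 1:
            logger.error('Missing cert ID.')
            self.print_help()
            sys.exit(1)

        cert_id = args[0]

        instance = server.PKIInstance(instance_name)

        if not instance.is_valid():
            logger.error('Invalid instance %s.', instance_name)
            sys.exit(1)

        instance.load()

        if cert_id in ('sslserver', 'subsystem'):
            # Instance-wide cert: the tag is the ID itself.
            subsystem_name = None
            cert_tag = cert_id

        else:
            # Subsystem-specific IDs have the form <subsystem>_<cert_tag>;
            # split once only, since the tag itself may contain underscores.
            parts = cert_id.split('_', 1)
            if len(parts) != 2:
                # Previously an IndexError traceback for IDs without '_'.
                logger.error('Invalid cert ID: %s', cert_id)
                self.print_help()
                sys.exit(1)
            subsystem_name, cert_tag = parts

        # If cert ID is instance specific, get it from first subsystem
        if not subsystem_name:
            subsystem_name = instance.subsystems[0].name

        subsystem = instance.get_subsystem(subsystem_name)

        if not subsystem:
            logger.error('No %s subsystem in instance %s.', subsystem_name,
                         instance_name)
            sys.exit(1)

        cert = subsystem.get_subsystem_cert(cert_tag)

        if not cert:
            logger.error('missing %s certificate', cert_id)
            sys.exit(1)

        CertCLI.print_system_cert(cert, show_all)

        if pretty_print:
            nssdb = instance.open_nssdb()
            try:
                output = nssdb.get_cert(nickname=cert['nickname'],
                                        token=cert['token'],
                                        output_format='pretty-print')

                print()
                print(output)

            finally:
                nssdb.close()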
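    def execute(self, argv):
        """Export a system certificate, its CSR and/or a PKCS #12 bundle.

        Args:
            argv: command-line arguments; the single positional argument is
                the cert ID (``sslserver``, ``subsystem`` or
                ``<subsystem>_<cert_tag>``).

        Options:
            -i/--instance           instance name (default ``pki-tomcat``)
            --cert-file             write the certificate (PEM) to this path
            --csr-file              write the CSR (PEM) to this path
            --pkcs12-file           write cert and key as PKCS #12 to this path
            --pkcs12-password       PKCS #12 password (visible in the process
                                    list; prefer --pkcs12-password-file)
            --pkcs12-password-file  file holding the PKCS #12 password
            --append, --no-trust-flags, --no-key, --no-chain
            -v/--verbose, --debug, --help

        At least one of --cert-file, --csr-file or --pkcs12-file is required.
        Exits with status 1 on usage errors or when the instance, subsystem
        or certificate cannot be found; ``--help`` exits with status 0.
        """
        try:
            opts, args = getopt.gnu_getopt(argv, 'i:v', [
                'instance=', 'cert-file=', 'csr-file=', 'pkcs12-file=',
                'pkcs12-password=', 'pkcs12-password-file=', 'append',
                'no-trust-flags', 'no-key', 'no-chain', 'verbose', 'debug',
                'help'
            ])

        except getopt.GetoptError as e:
            print('ERROR: ' + str(e))
            self.usage()
            sys.exit(1)

        instance_name = 'pki-tomcat'
        cert_file = None
        csr_file = None
        pkcs12_file = None
        pkcs12_password = None
        pkcs12_password_file = None
        append = False
        include_trust_flags = True
        include_key = True
        include_chain = True
        debug = False

        for o, a in opts:
            if o in ('-i', '--instance'):
                instance_name = a

            elif o == '--cert-file':
                cert_file = a

            elif o == '--csr-file':
                csr_file = a

            elif o == '--pkcs12-file':
                pkcs12_file = a

            elif o == '--pkcs12-password':
                pkcs12_password = a

            elif o == '--pkcs12-password-file':
                pkcs12_password_file = a

            elif o == '--append':
                append = True

            elif o == '--no-trust-flags':
                include_trust_flags = False

            elif o == '--no-key':
                include_key = False

            elif o == '--no-chain':
                include_chain = False

            elif o in ('-v', '--verbose'):
                self.set_verbose(True)

            elif o == '--debug':
                debug = True

            elif o == '--help':
                self.usage()
                sys.exit()

            else:
                self.print_message('ERROR: unknown option ' + o)
                self.usage()
                sys.exit(1)

        if len(args) < 1:
            print('ERROR: missing cert ID')
            self.usage()
            sys.exit(1)

        cert_id = args[0]

        if not (cert_file or csr_file or pkcs12_file):
            print('ERROR: missing output file')
            self.usage()
            sys.exit(1)

        instance = server.PKIInstance(instance_name)

        if not instance.is_valid():
            print('ERROR: Invalid instance %s.' % instance_name)
            sys.exit(1)

        instance.load()

        subsystem_name = None
        cert_tag = cert_id

        if cert_id != 'sslserver' and cert_id != 'subsystem':
            # To avoid ambiguity where cert ID can contain more than 1 _, we limit to one split
            temp_cert_identify = cert_id.split('_', 1)
            if len(temp_cert_identify) != 2:
                # Previously an IndexError traceback for IDs without '_'.
                print('ERROR: Invalid cert ID %s.' % cert_id)
                self.usage()
                sys.exit(1)
            subsystem_name = temp_cert_identify[0]
            cert_tag = temp_cert_identify[1]

        # If cert ID is instance specific, get it from first subsystem
        if not subsystem_name:
            subsystem_name = instance.subsystems[0].name

        subsystem = instance.get_subsystem(subsystem_name)

        if not subsystem:
            print('ERROR: No %s subsystem in instance.'
                  '%s.' % (subsystem_name, instance_name))
            sys.exit(1)

        nssdb = instance.open_nssdb()

        try:
            cert = subsystem.get_subsystem_cert(cert_tag)

            if not cert:
                print('ERROR: missing %s certificate' % cert_id)
                self.usage()
                sys.exit(1)

            if cert_file:

                if self.verbose:
                    print('Exporting %s certificate into %s.' %
                          (cert_id, cert_file))

                cert_data = cert.get('data', None)
                if cert_data is None:
                    print("ERROR: Unable to find certificate data for %s" %
                          cert_id)
                    sys.exit(1)

                cert_data = pki.nssdb.convert_cert(cert_data, 'base64', 'pem')
                with open(cert_file, 'w') as f:
                    f.write(cert_data)

            if csr_file:

                if self.verbose:
                    print('Exporting %s CSR into %s.' % (cert_id, csr_file))

                cert_request = cert.get('request', None)
                if cert_request is None:
                    print("ERROR: Unable to find certificate request for %s" %
                          cert_id)
                    sys.exit(1)

                csr_data = pki.nssdb.convert_csr(cert_request, 'base64', 'pem')
                with open(csr_file, 'w') as f:
                    f.write(csr_data)

            if pkcs12_file:

                if self.verbose:
                    print('Exporting %s certificate and key into %s.' %
                          (cert_id, pkcs12_file))

                # Prompt rather than fall back to an empty password: the
                # bundle may contain the private key (see --no-key).
                if not pkcs12_password and not pkcs12_password_file:
                    pkcs12_password = getpass.getpass(
                        prompt='Enter password for PKCS #12 file: ')

                nicknames = [cert['nickname']]

                nssdb.export_pkcs12(pkcs12_file=pkcs12_file,
                                    pkcs12_password=pkcs12_password,
                                    pkcs12_password_file=pkcs12_password_file,
                                    nicknames=nicknames,
                                    append=append,
                                    include_trust_flags=include_trust_flags,
                                    include_key=include_key,
                                    include_chain=include_chain,
                                    debug=debug)

        finally:
            nssdb.close()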
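    def execute(self, argv):
        """Mark a startup self-test as critical in one or more subsystems.

        Command line: ``[-i|--instance NAME] [--subsystem NAME]... [TEST]``.
        ``TEST`` is taken from the positional arguments only when exactly one
        is present; it is handed to ``set_startup_test_criticality(test=...,
        critical=True)`` on every target subsystem, after which the
        subsystem's configuration is saved.  Without ``--subsystem`` every
        subsystem of the instance is targeted.

        Exits with status 1 on a usage error, an invalid instance, a
        ``--subsystem`` name the instance does not have, or a
        ``PKIServerException`` raised while updating a subsystem.
        """
        try:
            opts, args = getopt.gnu_getopt(argv, 'i:', [
                'subsystem=', 'instance=', 'help'])

        except getopt.GetoptError as e:
            print('ERROR: ' + str(e))
            self.print_help()
            sys.exit(1)

        # Subsystem names given via --subsystem; empty means "all of them".
        subsystems = []
        test = None
        instance_name = 'pki-tomcat'

        # Only a single positional argument is used as the test name; any
        # other count leaves `test` as None (pre-existing behavior, kept).
        if len(args) == 1:
            test = args[0]

        for o, a in opts:
            if o in ('-i', '--instance'):
                instance_name = a

            elif o == '--subsystem':
                subsystems.append(a)

            elif o == '--help':
                self.print_help()
                sys.exit()

            else:
                print('ERROR: unknown option ' + o)
                self.print_help()
                sys.exit(1)

        # Load the instance (default: pki-tomcat).
        instance = server.PKIInstance(instance_name)

        if not instance.is_valid():
            print('ERROR: Invalid instance %s.' % instance_name)
            sys.exit(1)

        instance.load()

        # Loaded subsystem objects the change will be applied to.
        target_subsystems = []

        if not subsystems:
            target_subsystems = list(instance.subsystems)
        else:
            for name in subsystems:
                subsystem = instance.get_subsystem(name)

                # get_subsystem() appears to return a falsy value for an
                # unknown name (the cert-export command above checks for
                # exactly this).  Fail up front rather than hitting an
                # AttributeError mid-loop, so a typo in --subsystem never
                # leaves the instance half-updated.
                if not subsystem:
                    print('ERROR: No %s subsystem in instance %s.'
                          % (name, instance_name))
                    sys.exit(1)

                target_subsystems.append(subsystem)

        try:
            # Flag the test as critical in every target and persist the
            # updated CS.cfg to disk.
            for subsys in target_subsystems:
                subsys.set_startup_test_criticality(test=test, critical=True)
                subsys.save()

        except server.PKIServerException as e:
            logger.error(str(e))
            sys.exit(1)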