def execute(self, argv): try: opts, args = getopt.gnu_getopt(argv, 'i:v', [ 'instance=', 'database=', 'backend=', 'force', 'verbose', 'debug', 'help']) except getopt.GetoptError as e: logger.error(e) self.print_help() sys.exit(1) name = 'acme' instance_name = 'pki-tomcat' force = False for o, a in opts: if o in ('-i', '--instance'): instance_name = a elif o == '--force': force = True elif o in ('-v', '--verbose'): logging.getLogger().setLevel(logging.INFO) elif o == '--debug': logging.getLogger().setLevel(logging.DEBUG) elif o == '--help': self.print_help() sys.exit() else: logger.error('Unknown option: %s', o) self.print_help() sys.exit(1) if len(args) > 0: name = args[0] instance = pki.server.instance.PKIServerFactory.create(instance_name) if not instance.is_valid(): raise Exception('Invalid instance: %s' % instance_name) instance.load() acme_conf_dir = os.path.join(instance.conf_dir, name) logging.info('Creating %s', acme_conf_dir) instance.makedirs(acme_conf_dir, force=force) acme_share_dir = os.path.join(pki.server.PKIServer.SHARE_DIR, 'acme') metadata_template = os.path.join(acme_share_dir, 'conf', 'metadata.json') metadata_conf = os.path.join(acme_conf_dir, 'metadata.json') logging.info('Creating %s', metadata_conf) instance.copy(metadata_template, metadata_conf, force=force) database_template = os.path.join(acme_share_dir, 'conf', 'database.json') database_conf = os.path.join(acme_conf_dir, 'database.json') logging.info('Creating %s', database_conf) instance.copy(database_template, database_conf, force=force) validators_template = os.path.join(acme_share_dir, 'conf', 'validators.json') validators_conf = os.path.join(acme_conf_dir, 'validators.json') logging.info('Creating %s', validators_conf) instance.copy(validators_template, validators_conf, force=force) backend_template = os.path.join(acme_share_dir, 'conf', 'backend.json') backend_conf = os.path.join(acme_conf_dir, 'backend.json') logging.info('Creating %s', backend_conf) instance.copy(backend_template, backend_conf, force=force)
def spawn(self, deployer): if config.str2bool(deployer.mdict['pki_skip_installation']): logger.info('Skipping instance creation') return logger.info('Preparing %s instance', deployer.mdict['pki_instance_name']) instance = self.instance instance.load() instance_conf_path = deployer.mdict['pki_instance_configuration_path'] logger.info('Creating %s', instance_conf_path) instance.makedirs(instance_conf_path, force=True) logger.info('Creating %s', deployer.mdict['pki_shared_password_conf']) # Configuring internal token password internal_token = deployer.mdict['pki_self_signed_token'] if not pki.nssdb.normalize_token(internal_token): internal_token = pki.nssdb.INTERNAL_TOKEN_NAME # If instance already exists and has password, reuse the password if internal_token in instance.passwords: logger.info('Reusing server NSS database password') deployer.mdict['pki_server_database_password'] = instance.passwords.get(internal_token) # Otherwise, use user-provided password if specified elif deployer.mdict['pki_server_database_password']: logger.info('Using specified server NSS database password') # Otherwise, use user-provided pin if specified elif deployer.mdict['pki_pin']: logger.info('Using specified PIN as server NSS database password') deployer.mdict['pki_server_database_password'] = deployer.mdict['pki_pin'] # Otherwise, generate a random password else: logger.info('Generating random server NSS database password') deployer.mdict['pki_server_database_password'] = pki.generate_password() instance.passwords[internal_token] = deployer.mdict['pki_server_database_password'] # Configuring HSM password if config.str2bool(deployer.mdict['pki_hsm_enable']): hsm_token = deployer.mdict['pki_token_name'] instance.passwords['hardware-%s' % hsm_token] = deployer.mdict['pki_token_password'] # Configuring internal database password if 'internaldb' in instance.passwords: logger.info('Reusing internal database password') deployer.mdict['pki_ds_password'] = instance.passwords.get('internaldb') else: logger.info('Using specified internal database password') instance.passwords['internaldb'] = deployer.mdict['pki_ds_password'] # Configuring replication manager password # Bug #430745 Create separate password for replication manager # Use user-provided password if specified if 'replicationdb' in instance.passwords: logger.info('Reusing replication manager password') elif deployer.mdict['pki_replication_password']: logger.info('Using specified replication manager password') instance.passwords['replicationdb'] = deployer.mdict['pki_replication_password'] else: logger.info('Generating random replication manager password') instance.passwords['replicationdb'] = pki.generate_password() instance.store_passwords() # if this is not the first subsystem, skip if len(deployer.instance.tomcat_instance_subsystems()) != 1: logger.info('Installing %s instance', deployer.mdict['pki_instance_name']) return deployer.directory.create(deployer.mdict['pki_instance_log_path']) shared_conf_path = deployer.mdict['pki_source_server_path'] # Copy /usr/share/pki/server/conf/tomcat.conf to # /var/lib/pki/<instance>/conf/tomcat.conf. deployer.file.copy_with_slot_substitution( os.path.join(shared_conf_path, 'tomcat.conf'), os.path.join(instance_conf_path, 'tomcat.conf')) # Copy /usr/share/pki/server/conf/server.xml # to /etc/pki/<instance>/server.xml. deployer.file.copy_with_slot_substitution( deployer.mdict['pki_source_server_xml'], deployer.mdict['pki_target_server_xml'], overwrite_flag=True) # Link /etc/pki/<instance>/catalina.properties # to /usr/share/pki/server/conf/catalina.properties. logger.info('Creating %s', os.path.join(instance_conf_path, 'catalina.properties')) instance.symlink( os.path.join(shared_conf_path, 'catalina.properties'), os.path.join(instance_conf_path, 'catalina.properties'), force=True) # Link /etc/pki/<instance>/context.xml # to /usr/share/tomcat/conf/context.xml. logger.info('Creating %s', instance.context_xml) context_xml = os.path.join(pki.server.Tomcat.CONF_DIR, 'context.xml') instance.symlink(context_xml, instance.context_xml, force=True) # Link /etc/pki/<instance>/logging.properties # to /usr/share/pki/server/conf/logging.properties. logger.info('Creating %s', os.path.join(instance_conf_path, 'logging.properties')) instance.symlink( os.path.join(shared_conf_path, 'logging.properties'), os.path.join(instance_conf_path, 'logging.properties'), force=True) # create /etc/sysconfig/<instance> deployer.file.copy_with_slot_substitution( deployer.mdict['pki_source_tomcat_conf'], deployer.mdict['pki_target_tomcat_conf_instance_id'], overwrite_flag=True) # create /var/lib/pki/<instance>/conf/tomcat.conf deployer.file.copy_with_slot_substitution( deployer.mdict['pki_source_tomcat_conf'], deployer.mdict['pki_target_tomcat_conf'], overwrite_flag=True) # Link /etc/pki/<instance>/web.xml # to /usr/share/tomcat/conf/web.xml. logger.info('Creating %s', instance.web_xml) web_xml = os.path.join(pki.server.Tomcat.CONF_DIR, 'web.xml') instance.symlink(web_xml, instance.web_xml, force=True) catalina_dir = os.path.join(instance_conf_path, 'Catalina') logger.info('Creating %s', catalina_dir) instance.makedirs(catalina_dir, force=True) localhost_dir = os.path.join(catalina_dir, 'localhost') logger.info('Creating %s', localhost_dir) instance.makedirs(localhost_dir, force=True) logger.info('Deploying ROOT web application') instance.deploy_webapp( "ROOT", os.path.join( shared_conf_path, "Catalina", "localhost", "ROOT.xml")) logger.info('Deploying /pki web application') # Deploy pki web application which includes themes, # admin templates, and JS libraries instance.deploy_webapp( "pki", os.path.join( shared_conf_path, "Catalina", "localhost", "pki.xml")) instance.with_maven_deps = deployer.with_maven_deps instance.create_libs(force=True) deployer.directory.create(deployer.mdict['pki_tomcat_tmpdir_path']) deployer.directory.create(deployer.mdict['pki_tomcat_work_path']) deployer.directory.create(deployer.mdict['pki_tomcat_work_catalina_path']) deployer.directory.create(deployer.mdict['pki_tomcat_work_catalina_host_path']) deployer.directory.create(deployer.mdict['pki_tomcat_work_catalina_host_run_path']) deployer.directory.create(deployer.mdict['pki_tomcat_work_catalina_host_subsystem_path']) # establish Tomcat instance logs # establish Tomcat instance registry # establish Tomcat instance convenience symbolic links deployer.symlink.create( deployer.mdict['pki_tomcat_bin_path'], deployer.mdict['pki_tomcat_bin_link']) # create systemd links deployer.symlink.create( deployer.mdict['pki_tomcat_systemd'], deployer.mdict['pki_instance_systemd_link'], uid=0, gid=0) user = deployer.mdict['pki_user'] group = deployer.mdict['pki_group'] if user != 'pkiuser' or group != 'pkiuser': deployer.systemd.set_override( 'Service', 'User', user, 'user.conf') deployer.systemd.set_override( 'Service', 'Group', group, 'user.conf') deployer.systemd.write_overrides() deployer.systemd.daemon_reload() deployer.symlink.create( instance_conf_path, deployer.mdict['pki_instance_conf_link']) deployer.symlink.create( deployer.mdict['pki_instance_log_path'], deployer.mdict['pki_instance_logs_link']) # create Tomcat instance systemd service link deployer.symlink.create(deployer.mdict['pki_systemd_service'], deployer.mdict['pki_systemd_service_link']) # create instance registry deployer.file.copy_with_slot_substitution( deployer.mdict['pki_source_registry'], os.path.join(deployer.mdict['pki_instance_registry_path'], deployer.mdict['pki_instance_name']), overwrite_flag=True)
def spawn(self, deployer): if config.str2bool(deployer.mdict['pki_skip_installation']): logger.info('Skipping subsystem creation') return logger.info('Creating %s subsystem', deployer.mdict['pki_subsystem']) # If pki_one_time_pin is not specified, generate a new one if 'pki_one_time_pin' not in deployer.mdict: pin = ''.join( random.choice(string.ascii_letters + string.digits) for x in range(20)) deployer.mdict['pki_one_time_pin'] = pin deployer.mdict['PKI_RANDOM_NUMBER_SLOT'] = pin instance = self.instance # Create /var/log/pki/<instance>/<subsystem> logger.info('Creating %s', deployer.mdict['pki_subsystem_log_path']) instance.makedirs(deployer.mdict['pki_subsystem_log_path'], exist_ok=True) # Create /var/log/pki/<instance>/<subsystem>/archive logger.info('Creating %s', deployer.mdict['pki_subsystem_archive_log_path']) instance.makedirs(deployer.mdict['pki_subsystem_archive_log_path'], exist_ok=True) # Create /var/log/pki/<instance>/<subsystem>/signedAudit logger.info('Creating %s', deployer.mdict['pki_subsystem_signed_audit_log_path']) instance.makedirs( deployer.mdict['pki_subsystem_signed_audit_log_path'], exist_ok=True) # Create /etc/pki/<instance>/<subsystem> logger.info('Creating %s', deployer.mdict['pki_subsystem_configuration_path']) instance.makedirs(deployer.mdict['pki_subsystem_configuration_path'], exist_ok=True) # Copy /usr/share/pki/<subsystem_type>/conf # to /etc/pki/<instance>/<subsystem> # logger.info('Creating %s', deployer.mdict['pki_subsystem_configuration_path']) # instance.copy( # deployer.mdict['pki_source_conf_path'], # deployer.mdict['pki_subsystem_configuration_path']) # Copy /usr/share/pki/<subsystem>/conf/CS.cfg # to /etc/pki/<instance>/<subsystem>/CS.cfg logger.info('Creating %s', deployer.mdict['pki_target_cs_cfg']) instance.copyfile(deployer.mdict['pki_source_cs_cfg'], deployer.mdict['pki_target_cs_cfg'], slots=deployer.slots, params=deployer.mdict) # Copy /usr/share/pki/<subsystem>/conf/registry.cfg # to /etc/pki/<instance>/<subsystem>/registry.cfg logger.info('Creating %s', deployer.mdict['pki_target_registry_cfg']) instance.copy(deployer.mdict['pki_source_registry_cfg'], deployer.mdict['pki_target_registry_cfg']) if deployer.mdict['pki_subsystem'] == "CA": # Copy /usr/share/pki/ca/emails # to /var/lib/pki/<instance>/<subsystem>/emails logger.info('Creating %s', deployer.mdict['pki_subsystem_emails_path']) instance.copy(deployer.mdict['pki_source_emails'], deployer.mdict['pki_subsystem_emails_path']) # Copy /usr/share/pki/ca/profiles/ca # to /var/lib/pki/<instance>/<subsystem>/profiles/ca logger.info('Creating %s', deployer.mdict['pki_subsystem_profiles_path']) instance.copy(deployer.mdict['pki_source_profiles'], deployer.mdict['pki_subsystem_profiles_path']) # Copy /usr/share/pki/<subsystem>/conf/flatfile.txt # to /etc/pki/<instance>/<subsystem>/flatfile.txt logger.info('Creating %s', deployer.mdict['pki_target_flatfile_txt']) instance.copy(deployer.mdict['pki_source_flatfile_txt'], deployer.mdict['pki_target_flatfile_txt']) # Copy /usr/share/pki/<subsystem>/conf/<type>AdminCert.profile # to /etc/pki/<instance>/<subsystem>/adminCert.profile logger.info('Creating %s', deployer.mdict['pki_target_admincert_profile']) instance.copy(deployer.mdict['pki_source_admincert_profile'], deployer.mdict['pki_target_admincert_profile']) # Copy /usr/share/pki/<subsystem>/conf/caAuditSigningCert.profile # to /etc/pki/<instance>/<subsystem>/caAuditSigningCert.profile logger.info( 'Creating %s', deployer.mdict['pki_target_caauditsigningcert_profile']) instance.copy( deployer.mdict['pki_source_caauditsigningcert_profile'], deployer.mdict['pki_target_caauditsigningcert_profile']) # Copy /usr/share/pki/<subsystem>/conf/caCert.profile # to /etc/pki/<instance>/<subsystem>/caCert.profile logger.info('Creating %s', deployer.mdict['pki_target_cacert_profile']) instance.copy(deployer.mdict['pki_source_cacert_profile'], deployer.mdict['pki_target_cacert_profile']) # Copy /usr/share/pki/<subsystem>/conf/caOCSPCert.profile # to /etc/pki/<instance>/<subsystem>/caOCSPCert.profile logger.info('Creating %s', deployer.mdict['pki_target_caocspcert_profile']) instance.copy(deployer.mdict['pki_source_caocspcert_profile'], deployer.mdict['pki_target_caocspcert_profile']) # Copy /usr/share/pki/<subsystem>/conf/<type>ServerCert.profile # to /etc/pki/<instance>/<subsystem>/serverCert.profile logger.info('Creating %s', deployer.mdict['pki_target_servercert_profile']) instance.copy(deployer.mdict['pki_source_servercert_profile'], deployer.mdict['pki_target_servercert_profile']) # Copy /usr/share/pki/<subsystem>/conf/<type>SubsystemCert.profile # to /etc/pki/<instance>/<subsystem>/subsystemCert.profile logger.info('Creating %s', deployer.mdict['pki_target_subsystemcert_profile']) instance.copy(deployer.mdict['pki_source_subsystemcert_profile'], deployer.mdict['pki_target_subsystemcert_profile']) # Copy /usr/share/pki/<subsystem>/conf/proxy.conf # to /etc/pki/<instance>/<subsystem>/proxy.conf logger.info('Creating %s', deployer.mdict['pki_target_proxy_conf']) instance.copyfile(deployer.mdict['pki_source_proxy_conf'], deployer.mdict['pki_target_proxy_conf'], slots=deployer.slots, params=deployer.mdict) elif deployer.mdict['pki_subsystem'] == "TPS": # Copy /usr/share/pki/<subsystem>/conf/registry.cfg # to /etc/pki/<instance>/<subsystem>/registry.cfg logger.info('Creating %s', deployer.mdict['pki_target_registry_cfg']) instance.copy(deployer.mdict['pki_source_registry_cfg'], deployer.mdict['pki_target_registry_cfg']) # Copy /usr/share/pki/<subsystem>/conf/phoneHome.xml # to /etc/pki/<instance>/<subsystem>/phoneHome.xml logger.info('Creating %s', deployer.mdict['pki_target_phone_home_xml']) instance.copyfile(deployer.mdict['pki_source_phone_home_xml'], deployer.mdict['pki_target_phone_home_xml'], slots=deployer.slots, params=deployer.mdict) # Link /var/lib/pki/<instance>/<subsystem>/conf # to /etc/pki/<instance>/<subsystem> logger.info('Creating %s', deployer.mdict['pki_subsystem_conf_link']) instance.symlink(deployer.mdict['pki_subsystem_configuration_path'], deployer.mdict['pki_subsystem_conf_link']) # Link /var/lib/pki/<instance>/<subsystem>/logs # to /var/log/pki/<instance>/<subsystem> logger.info('Creating %s', deployer.mdict['pki_subsystem_logs_link']) instance.symlink(deployer.mdict['pki_subsystem_log_path'], deployer.mdict['pki_subsystem_logs_link']) # Link /var/lib/pki/<instance>/<subsystem>/registry # to /etc/sysconfig/pki/tomcat/<instance> logger.info('Creating %s', deployer.mdict['pki_subsystem_registry_link']) instance.symlink(deployer.mdict['pki_instance_registry_path'], deployer.mdict['pki_subsystem_registry_link']) instance = self.instance instance.load() subsystem = instance.get_subsystem( deployer.mdict['pki_subsystem'].lower()) subsystem.config['preop.subsystem.name'] = deployer.mdict[ 'pki_subsystem_name'] # configure security domain if deployer.mdict['pki_security_domain_type'] == 'new': subsystem.config['preop.cert.subsystem.type'] = 'local' subsystem.config[ 'preop.cert.subsystem.profile'] = 'subsystemCert.profile' else: # deployer.mdict['pki_security_domain_type'] == 'existing': subsystem.config['preop.cert.subsystem.type'] = 'remote' if subsystem.type == 'CA' and not config.str2bool( deployer.mdict['pki_clone']): if config.str2bool(deployer.mdict['pki_external']) or \ config.str2bool(deployer.mdict['pki_subordinate']): subsystem.config['preop.cert.signing.type'] = 'remote' else: subsystem.config['preop.ca.type'] = 'sdca' # configure cloning if config.str2bool(deployer.mdict['pki_clone']): subsystem.config['subsystem.select'] = 'Clone' else: subsystem.config['subsystem.select'] = 'New' # configure CA hierarchy if subsystem.type == 'CA': if config.str2bool(deployer.mdict['pki_external']) or \ config.str2bool(deployer.mdict['pki_subordinate']): subsystem.config['hierarchy.select'] = 'Subordinate' else: subsystem.config['hierarchy.select'] = 'Root' # configure TPS if subsystem.type == 'TPS': subsystem.config['auths.instance.ldap1.ldap.basedn'] = \ deployer.mdict['pki_authdb_basedn'] subsystem.config['auths.instance.ldap1.ldap.ldapconn.host'] = \ deployer.mdict['pki_authdb_hostname'] subsystem.config['auths.instance.ldap1.ldap.ldapconn.port'] = \ deployer.mdict['pki_authdb_port'] subsystem.config['auths.instance.ldap1.ldap.ldapconn.secureConn'] = \ deployer.mdict['pki_authdb_secure_conn'] subsystem.save()
def spawn(self, deployer): external = deployer.configuration_file.external standalone = deployer.configuration_file.standalone subordinate = deployer.configuration_file.subordinate clone = deployer.configuration_file.clone if config.str2bool(deployer.mdict['pki_skip_installation']): logger.info('Skipping subsystem creation') return logger.info('Creating %s subsystem', deployer.mdict['pki_subsystem']) # If pki_one_time_pin is not specified, generate a new one if 'pki_one_time_pin' not in deployer.mdict: pin = ''.join( random.choice(string.ascii_letters + string.digits) for x in range(20)) deployer.mdict['pki_one_time_pin'] = pin deployer.mdict['PKI_RANDOM_NUMBER_SLOT'] = pin instance = self.instance # Create /var/log/pki/<instance>/<subsystem> logger.info('Creating %s', deployer.mdict['pki_subsystem_log_path']) instance.makedirs(deployer.mdict['pki_subsystem_log_path'], exist_ok=True) # Create /var/log/pki/<instance>/<subsystem>/archive logger.info('Creating %s', deployer.mdict['pki_subsystem_archive_log_path']) instance.makedirs(deployer.mdict['pki_subsystem_archive_log_path'], exist_ok=True) # Create /var/log/pki/<instance>/<subsystem>/signedAudit logger.info('Creating %s', deployer.mdict['pki_subsystem_signed_audit_log_path']) instance.makedirs( deployer.mdict['pki_subsystem_signed_audit_log_path'], exist_ok=True) # Create /etc/pki/<instance>/<subsystem> logger.info('Creating %s', deployer.mdict['pki_subsystem_configuration_path']) instance.makedirs(deployer.mdict['pki_subsystem_configuration_path'], exist_ok=True) # Copy /usr/share/pki/<subsystem_type>/conf # to /etc/pki/<instance>/<subsystem> # logger.info('Creating %s', deployer.mdict['pki_subsystem_configuration_path']) # instance.copy( # deployer.mdict['pki_source_conf_path'], # deployer.mdict['pki_subsystem_configuration_path']) # Copy /usr/share/pki/<subsystem>/conf/CS.cfg # to /etc/pki/<instance>/<subsystem>/CS.cfg logger.info('Creating %s', deployer.mdict['pki_target_cs_cfg']) instance.copyfile(deployer.mdict['pki_source_cs_cfg'], deployer.mdict['pki_target_cs_cfg'], slots=deployer.slots, params=deployer.mdict) # Copy /usr/share/pki/<subsystem>/conf/registry.cfg # to /etc/pki/<instance>/<subsystem>/registry.cfg logger.info('Creating %s', deployer.mdict['pki_target_registry_cfg']) instance.copy(deployer.mdict['pki_source_registry_cfg'], deployer.mdict['pki_target_registry_cfg']) if deployer.mdict['pki_subsystem'] == "CA": # Copy /usr/share/pki/ca/emails # to /var/lib/pki/<instance>/<subsystem>/emails logger.info('Creating %s', deployer.mdict['pki_subsystem_emails_path']) instance.copy(deployer.mdict['pki_source_emails'], deployer.mdict['pki_subsystem_emails_path']) # Copy /usr/share/pki/ca/profiles/ca # to /var/lib/pki/<instance>/<subsystem>/profiles/ca logger.info('Creating %s', deployer.mdict['pki_subsystem_profiles_path']) instance.copy(deployer.mdict['pki_source_profiles'], deployer.mdict['pki_subsystem_profiles_path']) # Copy /usr/share/pki/<subsystem>/conf/flatfile.txt # to /etc/pki/<instance>/<subsystem>/flatfile.txt logger.info('Creating %s', deployer.mdict['pki_target_flatfile_txt']) instance.copy(deployer.mdict['pki_source_flatfile_txt'], deployer.mdict['pki_target_flatfile_txt']) # Copy /usr/share/pki/<subsystem>/conf/<type>AdminCert.profile # to /etc/pki/<instance>/<subsystem>/adminCert.profile logger.info('Creating %s', deployer.mdict['pki_target_admincert_profile']) instance.copy(deployer.mdict['pki_source_admincert_profile'], deployer.mdict['pki_target_admincert_profile']) # Copy /usr/share/pki/<subsystem>/conf/caAuditSigningCert.profile # to /etc/pki/<instance>/<subsystem>/caAuditSigningCert.profile logger.info( 'Creating %s', deployer.mdict['pki_target_caauditsigningcert_profile']) instance.copy( deployer.mdict['pki_source_caauditsigningcert_profile'], deployer.mdict['pki_target_caauditsigningcert_profile']) # Copy /usr/share/pki/<subsystem>/conf/caCert.profile # to /etc/pki/<instance>/<subsystem>/caCert.profile logger.info('Creating %s', deployer.mdict['pki_target_cacert_profile']) instance.copy(deployer.mdict['pki_source_cacert_profile'], deployer.mdict['pki_target_cacert_profile']) # Copy /usr/share/pki/<subsystem>/conf/caOCSPCert.profile # to /etc/pki/<instance>/<subsystem>/caOCSPCert.profile logger.info('Creating %s', deployer.mdict['pki_target_caocspcert_profile']) instance.copy(deployer.mdict['pki_source_caocspcert_profile'], deployer.mdict['pki_target_caocspcert_profile']) # Copy /usr/share/pki/<subsystem>/conf/<type>ServerCert.profile # to /etc/pki/<instance>/<subsystem>/serverCert.profile logger.info('Creating %s', deployer.mdict['pki_target_servercert_profile']) instance.copy(deployer.mdict['pki_source_servercert_profile'], deployer.mdict['pki_target_servercert_profile']) # Copy /usr/share/pki/<subsystem>/conf/<type>SubsystemCert.profile # to /etc/pki/<instance>/<subsystem>/subsystemCert.profile logger.info('Creating %s', deployer.mdict['pki_target_subsystemcert_profile']) instance.copy(deployer.mdict['pki_source_subsystemcert_profile'], deployer.mdict['pki_target_subsystemcert_profile']) # Copy /usr/share/pki/<subsystem>/conf/proxy.conf # to /etc/pki/<instance>/<subsystem>/proxy.conf logger.info('Creating %s', deployer.mdict['pki_target_proxy_conf']) instance.copyfile(deployer.mdict['pki_source_proxy_conf'], deployer.mdict['pki_target_proxy_conf'], slots=deployer.slots, params=deployer.mdict) elif deployer.mdict['pki_subsystem'] == "TPS": # Copy /usr/share/pki/<subsystem>/conf/registry.cfg # to /etc/pki/<instance>/<subsystem>/registry.cfg logger.info('Creating %s', deployer.mdict['pki_target_registry_cfg']) instance.copy(deployer.mdict['pki_source_registry_cfg'], deployer.mdict['pki_target_registry_cfg']) # Copy /usr/share/pki/<subsystem>/conf/phoneHome.xml # to /etc/pki/<instance>/<subsystem>/phoneHome.xml logger.info('Creating %s', deployer.mdict['pki_target_phone_home_xml']) instance.copyfile(deployer.mdict['pki_source_phone_home_xml'], deployer.mdict['pki_target_phone_home_xml'], slots=deployer.slots, params=deployer.mdict) # Link /var/lib/pki/<instance>/<subsystem>/conf # to /etc/pki/<instance>/<subsystem> logger.info('Creating %s', deployer.mdict['pki_subsystem_conf_link']) instance.symlink(deployer.mdict['pki_subsystem_configuration_path'], deployer.mdict['pki_subsystem_conf_link']) # Link /var/lib/pki/<instance>/<subsystem>/logs # to /var/log/pki/<instance>/<subsystem> logger.info('Creating %s', deployer.mdict['pki_subsystem_logs_link']) instance.symlink(deployer.mdict['pki_subsystem_log_path'], deployer.mdict['pki_subsystem_logs_link']) # Link /var/lib/pki/<instance>/<subsystem>/registry # to /etc/sysconfig/pki/tomcat/<instance> logger.info('Creating %s', deployer.mdict['pki_subsystem_registry_link']) instance.symlink(deployer.mdict['pki_instance_registry_path'], deployer.mdict['pki_subsystem_registry_link']) instance = self.instance instance.load() subsystem = instance.get_subsystem( deployer.mdict['pki_subsystem'].lower()) subsystem.config['preop.subsystem.name'] = deployer.mdict[ 'pki_subsystem_name'] certs = subsystem.find_system_certs() for cert in certs: # get CS.cfg tag and pkispawn tag config_tag = cert['id'] deploy_tag = config_tag if config_tag == 'signing': # for CA and OCSP deploy_tag = subsystem.name + '_signing' keytype = deployer.mdict['pki_%s_key_type' % deploy_tag] subsystem.config['preop.cert.%s.keytype' % config_tag] = keytype # configure SSL server cert if subsystem.type == 'CA' and clone or subsystem.type != 'CA': subsystem.config['preop.cert.sslserver.type'] = 'remote' keytype = subsystem.config['preop.cert.sslserver.keytype'] if keytype.lower() == 'ecc': subsystem.config[ 'preop.cert.sslserver.profile'] = 'caECInternalAuthServerCert' elif keytype.lower() == 'rsa': subsystem.config[ 'preop.cert.sslserver.profile'] = 'caInternalAuthServerCert' # configure subsystem cert if deployer.mdict['pki_security_domain_type'] == 'new': subsystem.config['preop.cert.subsystem.type'] = 'local' subsystem.config[ 'preop.cert.subsystem.profile'] = 'subsystemCert.profile' else: # deployer.mdict['pki_security_domain_type'] == 'existing': subsystem.config['preop.cert.subsystem.type'] = 'remote' keytype = subsystem.config['preop.cert.subsystem.keytype'] if keytype.lower() == 'ecc': subsystem.config[ 'preop.cert.subsystem.profile'] = 'caECInternalAuthSubsystemCert' elif keytype.lower() == 'rsa': subsystem.config[ 'preop.cert.subsystem.profile'] = 'caInternalAuthSubsystemCert' if external or standalone: # This is needed by IPA to detect step 1 completion. # See is_step_one_done() in ipaserver/install/cainstance.py. subsystem.config['preop.ca.type'] = 'otherca' elif subsystem.type != 'CA' or subordinate: subsystem.config['preop.ca.type'] = 'sdca' # configure cloning if config.str2bool(deployer.mdict['pki_clone']): subsystem.config['subsystem.select'] = 'Clone' else: subsystem.config['subsystem.select'] = 'New' # configure CA if subsystem.type == 'CA': if external or subordinate: subsystem.config['hierarchy.select'] = 'Subordinate' else: subsystem.config['hierarchy.select'] = 'Root' if subordinate: subsystem.config['preop.cert.signing.type'] = 'remote' subsystem.config[ 'preop.cert.signing.profile'] = 'caInstallCACert' # configure TPS if subsystem.type == 'TPS': subsystem.config['auths.instance.ldap1.ldap.basedn'] = \ deployer.mdict['pki_authdb_basedn'] subsystem.config['auths.instance.ldap1.ldap.ldapconn.host'] = \ deployer.mdict['pki_authdb_hostname'] subsystem.config['auths.instance.ldap1.ldap.ldapconn.port'] = \ deployer.mdict['pki_authdb_port'] subsystem.config['auths.instance.ldap1.ldap.ldapconn.secureConn'] = \ deployer.mdict['pki_authdb_secure_conn'] subsystem.save()
def spawn(self, deployer): if config.str2bool(deployer.mdict['pki_skip_installation']): logger.info('Skipping NSS database creation') return instance = self.instance instance.load() usePSSForRSASigningAlg = \ deployer.mdict['pki_use_pss_rsa_signing_algorithm'] if usePSSForRSASigningAlg == "True": self.set_signing_algs_for_pss(deployer) subsystem = instance.get_subsystem(deployer.mdict['pki_subsystem'].lower()) if config.str2bool(deployer.mdict['pki_hsm_enable']): hsm_token = deployer.mdict['pki_token_name'] subsystem.config['preop.module.token'] = hsm_token # Since 'certutil' does NOT strip the 'token=' portion of # the 'token=password' entries, create a temporary server 'pfile' # which ONLY contains the 'password' for the purposes of # allowing 'certutil' to generate the security databases logger.info('Creating password file: %s', deployer.mdict['pki_shared_pfile']) deployer.password.create_password_conf( deployer.mdict['pki_shared_pfile'], deployer.mdict['pki_server_database_password'], pin_sans_token=True) deployer.file.modify(deployer.mdict['pki_shared_password_conf']) if not os.path.isdir(deployer.mdict['pki_server_database_path']): instance.makedirs(deployer.mdict['pki_server_database_path'], force=True) nssdb = pki.nssdb.NSSDatabase( directory=deployer.mdict['pki_server_database_path'], password_file=deployer.mdict['pki_shared_pfile']) try: if not nssdb.exists(): logger.info('Creating NSS database: %s', deployer.mdict['pki_server_database_path']) nssdb.create() finally: nssdb.close() if not os.path.islink(deployer.mdict['pki_instance_database_link']): instance.symlink( deployer.mdict['pki_server_database_path'], deployer.mdict['pki_instance_database_link'], force=True) instance.symlink( deployer.mdict['pki_instance_database_link'], deployer.mdict['pki_subsystem_database_link'], force=True) if config.str2bool(deployer.mdict['pki_hsm_enable']) and \ not nssdb.module_exists(deployer.mdict['pki_hsm_modulename']): nssdb.add_module( deployer.mdict['pki_hsm_modulename'], deployer.mdict['pki_hsm_libfile']) # Set the initial NSS database ownership and permissions. pki.util.chown( deployer.mdict['pki_server_database_path'], deployer.mdict['pki_uid'], deployer.mdict['pki_gid']) pki.util.chmod( deployer.mdict['pki_server_database_path'], config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) os.chmod( deployer.mdict['pki_server_database_path'], pki.server.DEFAULT_DIR_MODE) # import system certificates before starting the server pki_server_pkcs12_path = deployer.mdict['pki_server_pkcs12_path'] if pki_server_pkcs12_path: pki_server_pkcs12_password = deployer.mdict[ 'pki_server_pkcs12_password'] if not pki_server_pkcs12_password: raise Exception('Missing pki_server_pkcs12_password property.') nssdb = pki.nssdb.NSSDatabase( directory=deployer.mdict['pki_server_database_path'], password_file=deployer.mdict['pki_shared_pfile']) try: nssdb.import_pkcs12( pkcs12_file=pki_server_pkcs12_path, pkcs12_password=pki_server_pkcs12_password) finally: nssdb.close() # update external CA file (if needed) external_certs_path = deployer.mdict['pki_server_external_certs_path'] if external_certs_path is not None: self.update_external_certs_conf(external_certs_path, deployer) # import CA certificates from PKCS #12 file for cloning pki_clone_pkcs12_path = deployer.mdict['pki_clone_pkcs12_path'] pki_server_database_path = deployer.mdict['pki_server_database_path'] if pki_clone_pkcs12_path: pki_clone_pkcs12_password = deployer.mdict[ 'pki_clone_pkcs12_password'] if not pki_clone_pkcs12_password: raise Exception('Missing pki_clone_pkcs12_password property.') nssdb = pki.nssdb.NSSDatabase( directory=pki_server_database_path, password_file=deployer.mdict['pki_shared_pfile']) try: print('Importing certificates from %s:' % pki_clone_pkcs12_path) # The PKCS12 class requires an NSS database to run. For simplicity # it uses the NSS database that has just been created. pkcs12 = pki.pkcs12.PKCS12( path=pki_clone_pkcs12_path, password=pki_clone_pkcs12_password, nssdb=nssdb) try: pkcs12.show_certs() finally: pkcs12.close() # Import certificates nssdb.import_pkcs12( pkcs12_file=pki_clone_pkcs12_path, pkcs12_password=pki_clone_pkcs12_password) print('Imported certificates into %s:' % pki_server_database_path) nssdb.show_certs() finally: nssdb.close() # Export CA certificate to PEM file; same command as in # PKIServer.setup_cert_authentication(). # openssl pkcs12 -in <p12_file_path> -out /tmp/auth.pem -nodes -nokeys pki_ca_crt_path = os.path.join(pki_server_database_path, 'ca.crt') cmd_export_ca = [ 'openssl', 'pkcs12', '-in', pki_clone_pkcs12_path, '-out', pki_ca_crt_path, '-nodes', '-nokeys', '-passin', 'pass:'******'utf-8') logger.debug('Result of CA certificate export: %s', res_ca) # At this point, we're running as root. However, the subsystem # will eventually start up as non-root and will attempt to do a # migration. If we don't fix the permissions now, migration will # fail and subsystem won't start up. pki.util.chmod(pki_ca_crt_path, 0o644) pki.util.chown(pki_ca_crt_path, deployer.mdict['pki_uid'], deployer.mdict['pki_gid']) ca_cert_path = deployer.mdict.get('pki_cert_chain_path') if ca_cert_path and os.path.exists(ca_cert_path): destination = os.path.join(instance.nssdb_dir, "ca.crt") if not os.path.exists(destination): # When we're passed a CA certificate file and we don't already # have a CA file for some reason, we need to copy the passed # file as the root CA certificate to establish trust in the # Python code. It doesn't import it into the NSS DB for Java # code, but so far we haven't had any issues with certificate # validation there. This is only usually necessary when # installing a non-CA subsystem on a fresh system. instance.copyfile(ca_cert_path, destination) if len(deployer.instance.tomcat_instance_subsystems()) < 2: # Check to see if a secure connection is being used for the DS if config.str2bool(deployer.mdict['pki_ds_secure_connection']): # Check to see if a directory server CA certificate # using the same nickname already exists # # NOTE: ALWAYS use the software DB regardless of whether # the instance will utilize 'softokn' or an HSM # rv = deployer.certutil.verify_certificate_exists( path=deployer.mdict['pki_server_database_path'], token=deployer.mdict['pki_self_signed_token'], nickname=deployer.mdict[ 'pki_ds_secure_connection_ca_nickname' ], password_file=deployer.mdict['pki_shared_pfile']) if not rv: # Import the directory server CA certificate rv = deployer.certutil.import_cert( deployer.mdict['pki_ds_secure_connection_ca_nickname'], deployer.mdict[ 'pki_ds_secure_connection_ca_trustargs'], deployer.mdict['pki_ds_secure_connection_ca_pem_file'], password_file=deployer.mdict['pki_shared_pfile'], path=deployer.mdict['pki_server_database_path'], token=deployer.mdict['pki_self_signed_token']) # Always delete the temporary 'pfile' deployer.file.delete(deployer.mdict['pki_shared_pfile']) # Store system cert parameters in installation step to guarantee the # parameters exist during configuration step and to allow customization. certs = subsystem.find_system_certs() for cert in certs: # get CS.cfg tag and pkispawn tag config_tag = cert['id'] deploy_tag = config_tag if config_tag == 'signing': # for CA and OCSP deploy_tag = subsystem.name + '_signing' # store nickname nickname = deployer.mdict['pki_%s_nickname' % deploy_tag] subsystem.config['%s.%s.nickname' % (subsystem.name, config_tag)] = nickname subsystem.config['preop.cert.%s.nickname' % config_tag] = nickname # store tokenname tokenname = deployer.mdict['pki_%s_token' % deploy_tag] subsystem.config['%s.%s.tokenname' % (subsystem.name, config_tag)] = tokenname fullname = nickname if pki.nssdb.normalize_token(tokenname): fullname = tokenname + ':' + nickname subsystem.config['%s.cert.%s.nickname' % (subsystem.name, config_tag)] = fullname # store subject DN subject_dn = deployer.mdict['pki_%s_subject_dn' % deploy_tag] subsystem.config['preop.cert.%s.dn' % config_tag] = subject_dn keyalgorithm = deployer.mdict['pki_%s_key_algorithm' % deploy_tag] subsystem.config['preop.cert.%s.keyalgorithm' % config_tag] = keyalgorithm signingalgorithm = deployer.mdict.get( 'pki_%s_signing_algorithm' % deploy_tag, keyalgorithm) subsystem.config['preop.cert.%s.signingalgorithm' % config_tag] = signingalgorithm if subsystem.name == 'ca': if config_tag == 'signing': subsystem.config['ca.signing.defaultSigningAlgorithm'] = signingalgorithm subsystem.config['ca.crl.MasterCRL.signingAlgorithm'] = signingalgorithm elif config_tag == 'ocsp_signing': subsystem.config['ca.ocsp_signing.defaultSigningAlgorithm'] = signingalgorithm elif subsystem.name == 'ocsp': if config_tag == 'signing': subsystem.config['ocsp.signing.defaultSigningAlgorithm'] = signingalgorithm elif subsystem.name == 'kra': if config_tag == 'transport': subsystem.config['kra.transportUnit.signingAlgorithm'] = signingalgorithm # TODO: move more system cert params here admin_dn = deployer.mdict['pki_admin_subject_dn'] subsystem.config['preop.cert.admin.dn'] = admin_dn # If specified in the deployment parameter, add generic CA signing cert # extension parameters into the CS.cfg. Generic extension for other # system certs can be added directly into CS.cfg after before the # configuration step. if subsystem.type == 'CA': signing_nickname = subsystem.config['ca.signing.nickname'] subsystem.config['ca.signing.certnickname'] = signing_nickname subsystem.config['ca.signing.cacertnickname'] = signing_nickname ocsp_signing_nickname = subsystem.config['ca.ocsp_signing.nickname'] subsystem.config['ca.ocsp_signing.certnickname'] = ocsp_signing_nickname subsystem.config['ca.ocsp_signing.cacertnickname'] = ocsp_signing_nickname if deployer.configuration_file.add_req_ext: subsystem.config['preop.cert.signing.ext.oid'] = \ deployer.configuration_file.req_ext_oid subsystem.config['preop.cert.signing.ext.data'] = \ deployer.configuration_file.req_ext_data subsystem.config['preop.cert.signing.ext.critical'] = \ deployer.configuration_file.req_ext_critical.lower() if deployer.configuration_file.req_ski: subsystem.config['preop.cert.signing.subject_key_id'] = \ deployer.configuration_file.req_ski if subsystem.type == 'KRA': storage_nickname = subsystem.config['kra.storage.nickname'] storage_token = subsystem.config['kra.storage.tokenname'] if pki.nssdb.normalize_token(storage_token): subsystem.config['kra.storageUnit.hardware'] = storage_token subsystem.config['kra.storageUnit.nickName'] = \ storage_token + ':' + storage_nickname else: subsystem.config['kra.storageUnit.nickName'] = \ storage_nickname transport_nickname = subsystem.config['kra.transport.nickname'] transport_token = subsystem.config['kra.transport.tokenname'] if pki.nssdb.normalize_token(transport_token): subsystem.config['kra.transportUnit.nickName'] = \ transport_token + ':' + transport_nickname else: subsystem.config['kra.transportUnit.nickName'] = \ transport_nickname if subsystem.type == 'OCSP': signing_nickname = subsystem.config['ocsp.signing.nickname'] subsystem.config['ocsp.signing.certnickname'] = signing_nickname subsystem.config['ocsp.signing.cacertnickname'] = signing_nickname audit_nickname = subsystem.config['%s.audit_signing.nickname' % subsystem.name] audit_token = subsystem.config['%s.audit_signing.tokenname' % subsystem.name] if pki.nssdb.normalize_token(audit_token): audit_nickname = audit_token + ':' + audit_nickname subsystem.config['log.instance.SignedAudit.signedAuditCertNickname'] = audit_nickname san_inject = config.str2bool(deployer.mdict['pki_san_inject']) logger.info('Injecting SAN: %s', san_inject) san_for_server_cert = deployer.mdict.get('pki_san_for_server_cert') logger.info('SSL server cert SAN: %s', san_for_server_cert) if san_inject and san_for_server_cert: subsystem.config['service.injectSAN'] = 'true' subsystem.config['service.sslserver.san'] = san_for_server_cert subsystem.save() # Place 'slightly' less restrictive permissions on # the top-level client directory ONLY deployer.directory.create( deployer.mdict['pki_client_subsystem_dir'], uid=0, gid=0, perms=config.PKI_DEPLOYMENT_DEFAULT_CLIENT_DIR_PERMISSIONS) # Since 'certutil' does NOT strip the 'token=' portion of # the 'token=password' entries, create a client password file # which ONLY contains the 'password' for the purposes of # allowing 'certutil' to generate the security databases logger.info('Creating password file: %s', deployer.mdict['pki_client_password_conf']) deployer.password.create_password_conf( deployer.mdict['pki_client_password_conf'], deployer.mdict['pki_client_database_password'], pin_sans_token=True) deployer.file.modify( deployer.mdict['pki_client_password_conf'], uid=0, gid=0) # Similarly, create a simple password file containing the # PKCS #12 password used when exporting the 'Admin Certificate' # into a PKCS #12 file deployer.password.create_client_pkcs12_password_conf( deployer.mdict['pki_client_pkcs12_password_conf']) deployer.file.modify(deployer.mdict['pki_client_pkcs12_password_conf']) pki.util.makedirs(deployer.mdict['pki_client_database_dir'], force=True) nssdb = pki.nssdb.NSSDatabase( directory=deployer.mdict['pki_client_database_dir'], password_file=deployer.mdict['pki_client_password_conf']) try: if not nssdb.exists(): nssdb.create() finally: nssdb.close()
def spawn(self, deployer): if config.str2bool(deployer.mdict['pki_skip_installation']): logger.info('Skipping NSS database creation') return logger.info('Creating NSS database') instance = pki.server.instance.PKIInstance( deployer.mdict['pki_instance_name']) instance.load() subsystem = instance.get_subsystem( deployer.mdict['pki_subsystem'].lower()) if config.str2bool(deployer.mdict['pki_hsm_enable']): hsm_token = deployer.mdict['pki_token_name'] subsystem.config['preop.module.token'] = hsm_token # Since 'certutil' does NOT strip the 'token=' portion of # the 'token=password' entries, create a temporary server 'pfile' # which ONLY contains the 'password' for the purposes of # allowing 'certutil' to generate the security databases logger.info('Creating password file: %s', deployer.mdict['pki_shared_pfile']) deployer.password.create_password_conf( deployer.mdict['pki_shared_pfile'], deployer.mdict['pki_server_database_password'], pin_sans_token=True) deployer.file.modify(deployer.mdict['pki_shared_password_conf']) if not os.path.isdir(deployer.mdict['pki_server_database_path']): instance.makedirs(deployer.mdict['pki_server_database_path'], force=True) nssdb = pki.nssdb.NSSDatabase( directory=deployer.mdict['pki_server_database_path'], password_file=deployer.mdict['pki_shared_pfile']) try: if not nssdb.exists(): nssdb.create() finally: nssdb.close() if not os.path.islink(deployer.mdict['pki_instance_database_link']): instance.symlink(deployer.mdict['pki_server_database_path'], deployer.mdict['pki_instance_database_link'], force=True) instance.symlink(deployer.mdict['pki_instance_database_link'], deployer.mdict['pki_subsystem_database_link'], force=True) if config.str2bool(deployer.mdict['pki_hsm_enable']): deployer.modutil.register_security_module( deployer.mdict['pki_server_database_path'], deployer.mdict['pki_hsm_modulename'], deployer.mdict['pki_hsm_libfile']) pki.util.chown(deployer.mdict['pki_server_database_path'], deployer.mdict['pki_uid'], deployer.mdict['pki_uid']) pki.util.chmod( deployer.mdict['pki_server_database_path'], config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) os.chmod(deployer.mdict['pki_server_database_path'], config.PKI_DEPLOYMENT_DEFAULT_DIR_PERMISSIONS) # import system certificates before starting the server pki_server_pkcs12_path = deployer.mdict['pki_server_pkcs12_path'] if pki_server_pkcs12_path: pki_server_pkcs12_password = deployer.mdict[ 'pki_server_pkcs12_password'] if not pki_server_pkcs12_password: raise Exception('Missing pki_server_pkcs12_password property.') nssdb = pki.nssdb.NSSDatabase( directory=deployer.mdict['pki_server_database_path'], password_file=deployer.mdict['pki_shared_pfile']) try: nssdb.import_pkcs12(pkcs12_file=pki_server_pkcs12_path, pkcs12_password=pki_server_pkcs12_password) finally: nssdb.close() # update external CA file (if needed) external_certs_path = deployer.mdict[ 'pki_server_external_certs_path'] if external_certs_path is not None: self.update_external_certs_conf(external_certs_path, deployer) # import CA certificates from PKCS #12 file for cloning pki_clone_pkcs12_path = deployer.mdict['pki_clone_pkcs12_path'] if pki_clone_pkcs12_path: pki_clone_pkcs12_password = deployer.mdict[ 'pki_clone_pkcs12_password'] if not pki_clone_pkcs12_password: raise Exception('Missing pki_clone_pkcs12_password property.') nssdb = pki.nssdb.NSSDatabase( directory=deployer.mdict['pki_server_database_path'], password_file=deployer.mdict['pki_shared_pfile']) try: print('Importing certificates from %s:' % pki_clone_pkcs12_path) # The PKCS12 class requires an NSS database to run. For simplicity # it uses the NSS database that has just been created. pkcs12 = pki.pkcs12.PKCS12(path=pki_clone_pkcs12_path, password=pki_clone_pkcs12_password, nssdb=nssdb) try: pkcs12.show_certs() finally: pkcs12.close() # Import certificates nssdb.import_pkcs12(pkcs12_file=pki_clone_pkcs12_path, pkcs12_password=pki_clone_pkcs12_password) # Set certificate trust flags if subsystem.type == 'CA': nssdb.modify_cert( nickname=deployer.mdict['pki_ca_signing_nickname'], trust_attributes='CTu,Cu,Cu') nssdb.modify_cert( nickname=deployer.mdict['pki_audit_signing_nickname'], trust_attributes='u,u,Pu') print('Imported certificates into %s:' % deployer.mdict['pki_server_database_path']) nssdb.show_certs() finally: nssdb.close() if len(deployer.instance.tomcat_instance_subsystems()) < 2: # Check to see if a secure connection is being used for the DS if config.str2bool(deployer.mdict['pki_ds_secure_connection']): # Check to see if a directory server CA certificate # using the same nickname already exists # # NOTE: ALWAYS use the software DB regardless of whether # the instance will utilize 'softokn' or an HSM # rv = deployer.certutil.verify_certificate_exists( path=deployer.mdict['pki_server_database_path'], token=deployer.mdict['pki_self_signed_token'], nickname=deployer. mdict['pki_ds_secure_connection_ca_nickname'], password_file=deployer.mdict['pki_shared_pfile']) if not rv: # Import the directory server CA certificate rv = deployer.certutil.import_cert( deployer.mdict['pki_ds_secure_connection_ca_nickname'], deployer. mdict['pki_ds_secure_connection_ca_trustargs'], deployer.mdict['pki_ds_secure_connection_ca_pem_file'], password_file=deployer.mdict['pki_shared_pfile'], path=deployer.mdict['pki_server_database_path'], token=deployer.mdict['pki_self_signed_token']) # Always delete the temporary 'pfile' deployer.file.delete(deployer.mdict['pki_shared_pfile']) # Store system cert parameters in installation step to guarantee the # parameters exist during configuration step and to allow customization. certs = subsystem.find_system_certs() for cert in certs: # get CS.cfg tag and pkispawn tag config_tag = cert['id'] deploy_tag = config_tag if config_tag == 'signing': # for CA and OCSP deploy_tag = subsystem.name + '_signing' # store nickname nickname = deployer.mdict['pki_%s_nickname' % deploy_tag] subsystem.config['%s.%s.nickname' % (subsystem.name, config_tag)] = nickname subsystem.config['preop.cert.%s.nickname' % config_tag] = nickname # store tokenname tokenname = deployer.mdict['pki_%s_token' % deploy_tag] subsystem.config['%s.%s.tokenname' % (subsystem.name, config_tag)] = tokenname # store subject DN subject_dn = deployer.mdict['pki_%s_subject_dn' % deploy_tag] subsystem.config['preop.cert.%s.dn' % config_tag] = subject_dn keytype = deployer.mdict['pki_%s_key_type' % deploy_tag] subsystem.config['preop.cert.%s.keytype' % config_tag] = keytype keyalgorithm = deployer.mdict['pki_%s_key_algorithm' % deploy_tag] subsystem.config['preop.cert.%s.keyalgorithm' % config_tag] = keyalgorithm signingalgorithm = deployer.mdict.get( 'pki_%s_signing_algorithm' % deploy_tag, keyalgorithm) subsystem.config['preop.cert.%s.signingalgorithm' % config_tag] = signingalgorithm # TODO: move more system cert params here # If specified in the deployment parameter, add generic CA signing cert # extension parameters into the CS.cfg. Generic extension for other # system certs can be added directly into CS.cfg after before the # configuration step. if subsystem.type == 'CA': if deployer.configuration_file.add_req_ext: subsystem.config['preop.cert.signing.ext.oid'] = \ deployer.configuration_file.req_ext_oid subsystem.config['preop.cert.signing.ext.data'] = \ deployer.configuration_file.req_ext_data subsystem.config['preop.cert.signing.ext.critical'] = \ deployer.configuration_file.req_ext_critical.lower() if deployer.configuration_file.req_ski: subsystem.config['preop.cert.signing.subject_key_id'] = \ deployer.configuration_file.req_ski if subsystem.type == 'KRA': if deployer.configuration_file.clone: token = subsystem.config['preop.module.token'] if pki.nssdb.normalize_token(token): storage_subsystem = subsystem.config[ 'preop.cert.storage.subsystem'] storage_nickname = subsystem.config[ 'preop.cert.storage.nickname'] transport_nickname = subsystem.config[ 'preop.cert.transport.nickname'] subsystem.config['%s.storageUnit.hardware' % storage_subsystem] = token subsystem.config['%s.storageUnit.nickName' % storage_subsystem] = \ token + ':' + storage_nickname subsystem.config['%s.transportUnit.nickName' % storage_subsystem] = \ token + ':' + transport_nickname if deployer.configuration_file.clone: nickname = subsystem.config['%s.audit_signing.nickname' % subsystem.name] token = subsystem.config['%s.audit_signing.tokenname' % subsystem.name] if pki.nssdb.normalize_token(token): nickname = token + ':' + nickname subsystem.config[ 'log.instance.SignedAudit.signedAuditCertNickname'] = nickname subsystem.save() # Place 'slightly' less restrictive permissions on # the top-level client directory ONLY deployer.directory.create( deployer.mdict['pki_client_subsystem_dir'], uid=0, gid=0, perms=config.PKI_DEPLOYMENT_DEFAULT_CLIENT_DIR_PERMISSIONS) # Since 'certutil' does NOT strip the 'token=' portion of # the 'token=password' entries, create a client password file # which ONLY contains the 'password' for the purposes of # allowing 'certutil' to generate the security databases logger.info('Creating password file: %s', deployer.mdict['pki_client_password_conf']) deployer.password.create_password_conf( deployer.mdict['pki_client_password_conf'], deployer.mdict['pki_client_database_password'], pin_sans_token=True) deployer.file.modify(deployer.mdict['pki_client_password_conf'], uid=0, gid=0) # Similarly, create a simple password file containing the # PKCS #12 password used when exporting the 'Admin Certificate' # into a PKCS #12 file deployer.password.create_client_pkcs12_password_conf( deployer.mdict['pki_client_pkcs12_password_conf']) deployer.file.modify(deployer.mdict['pki_client_pkcs12_password_conf']) pki.util.makedirs(deployer.mdict['pki_client_database_dir'], force=True) nssdb = pki.nssdb.NSSDatabase( directory=deployer.mdict['pki_client_database_dir'], password_file=deployer.mdict['pki_client_password_conf']) try: if not nssdb.exists(): nssdb.create() finally: nssdb.close()