def execute(self, argv):
try:
opts, args = getopt.gnu_getopt(argv, 'i:v', [
'instance=', 'database=', 'backend=',
'force',
'verbose', 'debug', 'help'])
except getopt.GetoptError as e:
logger.error(e)
self.print_help()
sys.exit(1)
name = 'acme'
instance_name = 'pki-tomcat'
force = False
for o, a in opts:
if o in ('-i', '--instance'):
instance_name = a
elif o == '--force':
force = True
elif o in ('-v', '--verbose'):
logging.getLogger().setLevel(logging.INFO)
elif o == '--debug':
logging.getLogger().setLevel(logging.DEBUG)
elif o == '--help':
self.print_help()
sys.exit()
else:
logger.error('Unknown option: %s', o)
self.print_help()
sys.exit(1)
if len(args) > 0:
name = args[0]
instance = pki.server.instance.PKIServerFactory.create(instance_name)
if not instance.is_valid():
raise Exception('Invalid instance: %s' % instance_name)
instance.load()
acme_conf_dir = os.path.join(instance.conf_dir, name)
logging.info('Creating %s', acme_conf_dir)
instance.makedirs(acme_conf_dir, force=force)
acme_share_dir = os.path.join(pki.server.PKIServer.SHARE_DIR, 'acme')
metadata_template = os.path.join(acme_share_dir, 'conf', 'metadata.json')
metadata_conf = os.path.join(acme_conf_dir, 'metadata.json')
logging.info('Creating %s', metadata_conf)
instance.copy(metadata_template, metadata_conf, force=force)
database_template = os.path.join(acme_share_dir, 'conf', 'database.json')
database_conf = os.path.join(acme_conf_dir, 'database.json')
logging.info('Creating %s', database_conf)
instance.copy(database_template, database_conf, force=force)
validators_template = os.path.join(acme_share_dir, 'conf', 'validators.json')
validators_conf = os.path.join(acme_conf_dir, 'validators.json')
logging.info('Creating %s', validators_conf)
instance.copy(validators_template, validators_conf, force=force)
backend_template = os.path.join(acme_share_dir, 'conf', 'backend.json')
backend_conf = os.path.join(acme_conf_dir, 'backend.json')
logging.info('Creating %s', backend_conf)
instance.copy(backend_template, backend_conf, force=force)
def spawn(self, deployer):
if config.str2bool(deployer.mdict['pki_skip_installation']):
logger.info('Skipping instance creation')
return
logger.info('Preparing %s instance', deployer.mdict['pki_instance_name'])
instance = self.instance
instance.load()
instance_conf_path = deployer.mdict['pki_instance_configuration_path']
logger.info('Creating %s', instance_conf_path)
instance.makedirs(instance_conf_path, force=True)
logger.info('Creating %s', deployer.mdict['pki_shared_password_conf'])
# Configuring internal token password
internal_token = deployer.mdict['pki_self_signed_token']
if not pki.nssdb.normalize_token(internal_token):
internal_token = pki.nssdb.INTERNAL_TOKEN_NAME
# If instance already exists and has password, reuse the password
if internal_token in instance.passwords:
logger.info('Reusing server NSS database password')
deployer.mdict['pki_server_database_password'] = instance.passwords.get(internal_token)
# Otherwise, use user-provided password if specified
elif deployer.mdict['pki_server_database_password']:
logger.info('Using specified server NSS database password')
# Otherwise, use user-provided pin if specified
elif deployer.mdict['pki_pin']:
logger.info('Using specified PIN as server NSS database password')
deployer.mdict['pki_server_database_password'] = deployer.mdict['pki_pin']
# Otherwise, generate a random password
else:
logger.info('Generating random server NSS database password')
deployer.mdict['pki_server_database_password'] = pki.generate_password()
instance.passwords[internal_token] = deployer.mdict['pki_server_database_password']
# Configuring HSM password
if config.str2bool(deployer.mdict['pki_hsm_enable']):
hsm_token = deployer.mdict['pki_token_name']
instance.passwords['hardware-%s' % hsm_token] = deployer.mdict['pki_token_password']
# Configuring internal database password
if 'internaldb' in instance.passwords:
logger.info('Reusing internal database password')
deployer.mdict['pki_ds_password'] = instance.passwords.get('internaldb')
else:
logger.info('Using specified internal database password')
instance.passwords['internaldb'] = deployer.mdict['pki_ds_password']
# Configuring replication manager password
# Bug #430745 Create separate password for replication manager
# Use user-provided password if specified
if 'replicationdb' in instance.passwords:
logger.info('Reusing replication manager password')
elif deployer.mdict['pki_replication_password']:
logger.info('Using specified replication manager password')
instance.passwords['replicationdb'] = deployer.mdict['pki_replication_password']
else:
logger.info('Generating random replication manager password')
instance.passwords['replicationdb'] = pki.generate_password()
instance.store_passwords()
# if this is not the first subsystem, skip
if len(deployer.instance.tomcat_instance_subsystems()) != 1:
logger.info('Installing %s instance', deployer.mdict['pki_instance_name'])
return
deployer.directory.create(deployer.mdict['pki_instance_log_path'])
shared_conf_path = deployer.mdict['pki_source_server_path']
# Copy /usr/share/pki/server/conf/tomcat.conf to
# /var/lib/pki/<instance>/conf/tomcat.conf.
deployer.file.copy_with_slot_substitution(
os.path.join(shared_conf_path, 'tomcat.conf'),
os.path.join(instance_conf_path, 'tomcat.conf'))
# Copy /usr/share/pki/server/conf/server.xml
# to /etc/pki/<instance>/server.xml.
deployer.file.copy_with_slot_substitution(
deployer.mdict['pki_source_server_xml'],
deployer.mdict['pki_target_server_xml'],
overwrite_flag=True)
# Link /etc/pki/<instance>/catalina.properties
# to /usr/share/pki/server/conf/catalina.properties.
logger.info('Creating %s', os.path.join(instance_conf_path, 'catalina.properties'))
instance.symlink(
os.path.join(shared_conf_path, 'catalina.properties'),
os.path.join(instance_conf_path, 'catalina.properties'),
force=True)
# Link /etc/pki/<instance>/context.xml
# to /usr/share/tomcat/conf/context.xml.
logger.info('Creating %s', instance.context_xml)
context_xml = os.path.join(pki.server.Tomcat.CONF_DIR, 'context.xml')
instance.symlink(context_xml, instance.context_xml, force=True)
# Link /etc/pki/<instance>/logging.properties
# to /usr/share/pki/server/conf/logging.properties.
logger.info('Creating %s', os.path.join(instance_conf_path, 'logging.properties'))
instance.symlink(
os.path.join(shared_conf_path, 'logging.properties'),
os.path.join(instance_conf_path, 'logging.properties'),
force=True)
# create /etc/sysconfig/<instance>
deployer.file.copy_with_slot_substitution(
deployer.mdict['pki_source_tomcat_conf'],
deployer.mdict['pki_target_tomcat_conf_instance_id'],
overwrite_flag=True)
# create /var/lib/pki/<instance>/conf/tomcat.conf
deployer.file.copy_with_slot_substitution(
deployer.mdict['pki_source_tomcat_conf'],
deployer.mdict['pki_target_tomcat_conf'],
overwrite_flag=True)
# Link /etc/pki/<instance>/web.xml
# to /usr/share/tomcat/conf/web.xml.
logger.info('Creating %s', instance.web_xml)
web_xml = os.path.join(pki.server.Tomcat.CONF_DIR, 'web.xml')
instance.symlink(web_xml, instance.web_xml, force=True)
catalina_dir = os.path.join(instance_conf_path, 'Catalina')
logger.info('Creating %s', catalina_dir)
instance.makedirs(catalina_dir, force=True)
localhost_dir = os.path.join(catalina_dir, 'localhost')
logger.info('Creating %s', localhost_dir)
instance.makedirs(localhost_dir, force=True)
logger.info('Deploying ROOT web application')
instance.deploy_webapp(
"ROOT",
os.path.join(
shared_conf_path,
"Catalina",
"localhost",
"ROOT.xml"))
logger.info('Deploying /pki web application')
# Deploy pki web application which includes themes,
# admin templates, and JS libraries
instance.deploy_webapp(
"pki",
os.path.join(
shared_conf_path,
"Catalina",
"localhost",
"pki.xml"))
instance.with_maven_deps = deployer.with_maven_deps
instance.create_libs(force=True)
deployer.directory.create(deployer.mdict['pki_tomcat_tmpdir_path'])
deployer.directory.create(deployer.mdict['pki_tomcat_work_path'])
deployer.directory.create(deployer.mdict['pki_tomcat_work_catalina_path'])
deployer.directory.create(deployer.mdict['pki_tomcat_work_catalina_host_path'])
deployer.directory.create(deployer.mdict['pki_tomcat_work_catalina_host_run_path'])
deployer.directory.create(deployer.mdict['pki_tomcat_work_catalina_host_subsystem_path'])
# establish Tomcat instance logs
# establish Tomcat instance registry
# establish Tomcat instance convenience symbolic links
deployer.symlink.create(
deployer.mdict['pki_tomcat_bin_path'],
deployer.mdict['pki_tomcat_bin_link'])
# create systemd links
deployer.symlink.create(
deployer.mdict['pki_tomcat_systemd'],
deployer.mdict['pki_instance_systemd_link'],
uid=0, gid=0)
user = deployer.mdict['pki_user']
group = deployer.mdict['pki_group']
if user != 'pkiuser' or group != 'pkiuser':
deployer.systemd.set_override(
'Service', 'User', user, 'user.conf')
deployer.systemd.set_override(
'Service', 'Group', group, 'user.conf')
deployer.systemd.write_overrides()
deployer.systemd.daemon_reload()
deployer.symlink.create(
instance_conf_path,
deployer.mdict['pki_instance_conf_link'])
deployer.symlink.create(
deployer.mdict['pki_instance_log_path'],
deployer.mdict['pki_instance_logs_link'])
# create Tomcat instance systemd service link
deployer.symlink.create(deployer.mdict['pki_systemd_service'],
deployer.mdict['pki_systemd_service_link'])
# create instance registry
deployer.file.copy_with_slot_substitution(
deployer.mdict['pki_source_registry'],
os.path.join(deployer.mdict['pki_instance_registry_path'],
deployer.mdict['pki_instance_name']),
overwrite_flag=True)
def spawn(self, deployer):
if config.str2bool(deployer.mdict['pki_skip_installation']):
logger.info('Skipping subsystem creation')
return
logger.info('Creating %s subsystem', deployer.mdict['pki_subsystem'])
# If pki_one_time_pin is not specified, generate a new one
if 'pki_one_time_pin' not in deployer.mdict:
pin = ''.join(
random.choice(string.ascii_letters + string.digits)
for x in range(20))
deployer.mdict['pki_one_time_pin'] = pin
deployer.mdict['PKI_RANDOM_NUMBER_SLOT'] = pin
instance = self.instance
# Create /var/log/pki/<instance>/<subsystem>
logger.info('Creating %s', deployer.mdict['pki_subsystem_log_path'])
instance.makedirs(deployer.mdict['pki_subsystem_log_path'],
exist_ok=True)
# Create /var/log/pki/<instance>/<subsystem>/archive
logger.info('Creating %s',
deployer.mdict['pki_subsystem_archive_log_path'])
instance.makedirs(deployer.mdict['pki_subsystem_archive_log_path'],
exist_ok=True)
# Create /var/log/pki/<instance>/<subsystem>/signedAudit
logger.info('Creating %s',
deployer.mdict['pki_subsystem_signed_audit_log_path'])
instance.makedirs(
deployer.mdict['pki_subsystem_signed_audit_log_path'],
exist_ok=True)
# Create /etc/pki/<instance>/<subsystem>
logger.info('Creating %s',
deployer.mdict['pki_subsystem_configuration_path'])
instance.makedirs(deployer.mdict['pki_subsystem_configuration_path'],
exist_ok=True)
# Copy /usr/share/pki/<subsystem_type>/conf
# to /etc/pki/<instance>/<subsystem>
# logger.info('Creating %s', deployer.mdict['pki_subsystem_configuration_path'])
# instance.copy(
# deployer.mdict['pki_source_conf_path'],
# deployer.mdict['pki_subsystem_configuration_path'])
# Copy /usr/share/pki/<subsystem>/conf/CS.cfg
# to /etc/pki/<instance>/<subsystem>/CS.cfg
logger.info('Creating %s', deployer.mdict['pki_target_cs_cfg'])
instance.copyfile(deployer.mdict['pki_source_cs_cfg'],
deployer.mdict['pki_target_cs_cfg'],
slots=deployer.slots,
params=deployer.mdict)
# Copy /usr/share/pki/<subsystem>/conf/registry.cfg
# to /etc/pki/<instance>/<subsystem>/registry.cfg
logger.info('Creating %s', deployer.mdict['pki_target_registry_cfg'])
instance.copy(deployer.mdict['pki_source_registry_cfg'],
deployer.mdict['pki_target_registry_cfg'])
if deployer.mdict['pki_subsystem'] == "CA":
# Copy /usr/share/pki/ca/emails
# to /var/lib/pki/<instance>/<subsystem>/emails
logger.info('Creating %s',
deployer.mdict['pki_subsystem_emails_path'])
instance.copy(deployer.mdict['pki_source_emails'],
deployer.mdict['pki_subsystem_emails_path'])
# Copy /usr/share/pki/ca/profiles/ca
# to /var/lib/pki/<instance>/<subsystem>/profiles/ca
logger.info('Creating %s',
deployer.mdict['pki_subsystem_profiles_path'])
instance.copy(deployer.mdict['pki_source_profiles'],
deployer.mdict['pki_subsystem_profiles_path'])
# Copy /usr/share/pki/<subsystem>/conf/flatfile.txt
# to /etc/pki/<instance>/<subsystem>/flatfile.txt
logger.info('Creating %s',
deployer.mdict['pki_target_flatfile_txt'])
instance.copy(deployer.mdict['pki_source_flatfile_txt'],
deployer.mdict['pki_target_flatfile_txt'])
# Copy /usr/share/pki/<subsystem>/conf/<type>AdminCert.profile
# to /etc/pki/<instance>/<subsystem>/adminCert.profile
logger.info('Creating %s',
deployer.mdict['pki_target_admincert_profile'])
instance.copy(deployer.mdict['pki_source_admincert_profile'],
deployer.mdict['pki_target_admincert_profile'])
# Copy /usr/share/pki/<subsystem>/conf/caAuditSigningCert.profile
# to /etc/pki/<instance>/<subsystem>/caAuditSigningCert.profile
logger.info(
'Creating %s',
deployer.mdict['pki_target_caauditsigningcert_profile'])
instance.copy(
deployer.mdict['pki_source_caauditsigningcert_profile'],
deployer.mdict['pki_target_caauditsigningcert_profile'])
# Copy /usr/share/pki/<subsystem>/conf/caCert.profile
# to /etc/pki/<instance>/<subsystem>/caCert.profile
logger.info('Creating %s',
deployer.mdict['pki_target_cacert_profile'])
instance.copy(deployer.mdict['pki_source_cacert_profile'],
deployer.mdict['pki_target_cacert_profile'])
# Copy /usr/share/pki/<subsystem>/conf/caOCSPCert.profile
# to /etc/pki/<instance>/<subsystem>/caOCSPCert.profile
logger.info('Creating %s',
deployer.mdict['pki_target_caocspcert_profile'])
instance.copy(deployer.mdict['pki_source_caocspcert_profile'],
deployer.mdict['pki_target_caocspcert_profile'])
# Copy /usr/share/pki/<subsystem>/conf/<type>ServerCert.profile
# to /etc/pki/<instance>/<subsystem>/serverCert.profile
logger.info('Creating %s',
deployer.mdict['pki_target_servercert_profile'])
instance.copy(deployer.mdict['pki_source_servercert_profile'],
deployer.mdict['pki_target_servercert_profile'])
# Copy /usr/share/pki/<subsystem>/conf/<type>SubsystemCert.profile
# to /etc/pki/<instance>/<subsystem>/subsystemCert.profile
logger.info('Creating %s',
deployer.mdict['pki_target_subsystemcert_profile'])
instance.copy(deployer.mdict['pki_source_subsystemcert_profile'],
deployer.mdict['pki_target_subsystemcert_profile'])
# Copy /usr/share/pki/<subsystem>/conf/proxy.conf
# to /etc/pki/<instance>/<subsystem>/proxy.conf
logger.info('Creating %s', deployer.mdict['pki_target_proxy_conf'])
instance.copyfile(deployer.mdict['pki_source_proxy_conf'],
deployer.mdict['pki_target_proxy_conf'],
slots=deployer.slots,
params=deployer.mdict)
elif deployer.mdict['pki_subsystem'] == "TPS":
# Copy /usr/share/pki/<subsystem>/conf/registry.cfg
# to /etc/pki/<instance>/<subsystem>/registry.cfg
logger.info('Creating %s',
deployer.mdict['pki_target_registry_cfg'])
instance.copy(deployer.mdict['pki_source_registry_cfg'],
deployer.mdict['pki_target_registry_cfg'])
# Copy /usr/share/pki/<subsystem>/conf/phoneHome.xml
# to /etc/pki/<instance>/<subsystem>/phoneHome.xml
logger.info('Creating %s',
deployer.mdict['pki_target_phone_home_xml'])
instance.copyfile(deployer.mdict['pki_source_phone_home_xml'],
deployer.mdict['pki_target_phone_home_xml'],
slots=deployer.slots,
params=deployer.mdict)
# Link /var/lib/pki/<instance>/<subsystem>/conf
# to /etc/pki/<instance>/<subsystem>
logger.info('Creating %s', deployer.mdict['pki_subsystem_conf_link'])
instance.symlink(deployer.mdict['pki_subsystem_configuration_path'],
deployer.mdict['pki_subsystem_conf_link'])
# Link /var/lib/pki/<instance>/<subsystem>/logs
# to /var/log/pki/<instance>/<subsystem>
logger.info('Creating %s', deployer.mdict['pki_subsystem_logs_link'])
instance.symlink(deployer.mdict['pki_subsystem_log_path'],
deployer.mdict['pki_subsystem_logs_link'])
# Link /var/lib/pki/<instance>/<subsystem>/registry
# to /etc/sysconfig/pki/tomcat/<instance>
logger.info('Creating %s',
deployer.mdict['pki_subsystem_registry_link'])
instance.symlink(deployer.mdict['pki_instance_registry_path'],
deployer.mdict['pki_subsystem_registry_link'])
instance = self.instance
instance.load()
subsystem = instance.get_subsystem(
deployer.mdict['pki_subsystem'].lower())
subsystem.config['preop.subsystem.name'] = deployer.mdict[
'pki_subsystem_name']
# configure security domain
if deployer.mdict['pki_security_domain_type'] == 'new':
subsystem.config['preop.cert.subsystem.type'] = 'local'
subsystem.config[
'preop.cert.subsystem.profile'] = 'subsystemCert.profile'
else: # deployer.mdict['pki_security_domain_type'] == 'existing':
subsystem.config['preop.cert.subsystem.type'] = 'remote'
if subsystem.type == 'CA' and not config.str2bool(
deployer.mdict['pki_clone']):
if config.str2bool(deployer.mdict['pki_external']) or \
config.str2bool(deployer.mdict['pki_subordinate']):
subsystem.config['preop.cert.signing.type'] = 'remote'
else:
subsystem.config['preop.ca.type'] = 'sdca'
# configure cloning
if config.str2bool(deployer.mdict['pki_clone']):
subsystem.config['subsystem.select'] = 'Clone'
else:
subsystem.config['subsystem.select'] = 'New'
# configure CA hierarchy
if subsystem.type == 'CA':
if config.str2bool(deployer.mdict['pki_external']) or \
config.str2bool(deployer.mdict['pki_subordinate']):
subsystem.config['hierarchy.select'] = 'Subordinate'
else:
subsystem.config['hierarchy.select'] = 'Root'
# configure TPS
if subsystem.type == 'TPS':
subsystem.config['auths.instance.ldap1.ldap.basedn'] = \
deployer.mdict['pki_authdb_basedn']
subsystem.config['auths.instance.ldap1.ldap.ldapconn.host'] = \
deployer.mdict['pki_authdb_hostname']
subsystem.config['auths.instance.ldap1.ldap.ldapconn.port'] = \
deployer.mdict['pki_authdb_port']
subsystem.config['auths.instance.ldap1.ldap.ldapconn.secureConn'] = \
deployer.mdict['pki_authdb_secure_conn']
subsystem.save()
def spawn(self, deployer):
external = deployer.configuration_file.external
standalone = deployer.configuration_file.standalone
subordinate = deployer.configuration_file.subordinate
clone = deployer.configuration_file.clone
if config.str2bool(deployer.mdict['pki_skip_installation']):
logger.info('Skipping subsystem creation')
return
logger.info('Creating %s subsystem', deployer.mdict['pki_subsystem'])
# If pki_one_time_pin is not specified, generate a new one
if 'pki_one_time_pin' not in deployer.mdict:
pin = ''.join(
random.choice(string.ascii_letters + string.digits)
for x in range(20))
deployer.mdict['pki_one_time_pin'] = pin
deployer.mdict['PKI_RANDOM_NUMBER_SLOT'] = pin
instance = self.instance
# Create /var/log/pki/<instance>/<subsystem>
logger.info('Creating %s', deployer.mdict['pki_subsystem_log_path'])
instance.makedirs(deployer.mdict['pki_subsystem_log_path'],
exist_ok=True)
# Create /var/log/pki/<instance>/<subsystem>/archive
logger.info('Creating %s',
deployer.mdict['pki_subsystem_archive_log_path'])
instance.makedirs(deployer.mdict['pki_subsystem_archive_log_path'],
exist_ok=True)
# Create /var/log/pki/<instance>/<subsystem>/signedAudit
logger.info('Creating %s',
deployer.mdict['pki_subsystem_signed_audit_log_path'])
instance.makedirs(
deployer.mdict['pki_subsystem_signed_audit_log_path'],
exist_ok=True)
# Create /etc/pki/<instance>/<subsystem>
logger.info('Creating %s',
deployer.mdict['pki_subsystem_configuration_path'])
instance.makedirs(deployer.mdict['pki_subsystem_configuration_path'],
exist_ok=True)
# Copy /usr/share/pki/<subsystem_type>/conf
# to /etc/pki/<instance>/<subsystem>
# logger.info('Creating %s', deployer.mdict['pki_subsystem_configuration_path'])
# instance.copy(
# deployer.mdict['pki_source_conf_path'],
# deployer.mdict['pki_subsystem_configuration_path'])
# Copy /usr/share/pki/<subsystem>/conf/CS.cfg
# to /etc/pki/<instance>/<subsystem>/CS.cfg
logger.info('Creating %s', deployer.mdict['pki_target_cs_cfg'])
instance.copyfile(deployer.mdict['pki_source_cs_cfg'],
deployer.mdict['pki_target_cs_cfg'],
slots=deployer.slots,
params=deployer.mdict)
# Copy /usr/share/pki/<subsystem>/conf/registry.cfg
# to /etc/pki/<instance>/<subsystem>/registry.cfg
logger.info('Creating %s', deployer.mdict['pki_target_registry_cfg'])
instance.copy(deployer.mdict['pki_source_registry_cfg'],
deployer.mdict['pki_target_registry_cfg'])
if deployer.mdict['pki_subsystem'] == "CA":
# Copy /usr/share/pki/ca/emails
# to /var/lib/pki/<instance>/<subsystem>/emails
logger.info('Creating %s',
deployer.mdict['pki_subsystem_emails_path'])
instance.copy(deployer.mdict['pki_source_emails'],
deployer.mdict['pki_subsystem_emails_path'])
# Copy /usr/share/pki/ca/profiles/ca
# to /var/lib/pki/<instance>/<subsystem>/profiles/ca
logger.info('Creating %s',
deployer.mdict['pki_subsystem_profiles_path'])
instance.copy(deployer.mdict['pki_source_profiles'],
deployer.mdict['pki_subsystem_profiles_path'])
# Copy /usr/share/pki/<subsystem>/conf/flatfile.txt
# to /etc/pki/<instance>/<subsystem>/flatfile.txt
logger.info('Creating %s',
deployer.mdict['pki_target_flatfile_txt'])
instance.copy(deployer.mdict['pki_source_flatfile_txt'],
deployer.mdict['pki_target_flatfile_txt'])
# Copy /usr/share/pki/<subsystem>/conf/<type>AdminCert.profile
# to /etc/pki/<instance>/<subsystem>/adminCert.profile
logger.info('Creating %s',
deployer.mdict['pki_target_admincert_profile'])
instance.copy(deployer.mdict['pki_source_admincert_profile'],
deployer.mdict['pki_target_admincert_profile'])
# Copy /usr/share/pki/<subsystem>/conf/caAuditSigningCert.profile
# to /etc/pki/<instance>/<subsystem>/caAuditSigningCert.profile
logger.info(
'Creating %s',
deployer.mdict['pki_target_caauditsigningcert_profile'])
instance.copy(
deployer.mdict['pki_source_caauditsigningcert_profile'],
deployer.mdict['pki_target_caauditsigningcert_profile'])
# Copy /usr/share/pki/<subsystem>/conf/caCert.profile
# to /etc/pki/<instance>/<subsystem>/caCert.profile
logger.info('Creating %s',
deployer.mdict['pki_target_cacert_profile'])
instance.copy(deployer.mdict['pki_source_cacert_profile'],
deployer.mdict['pki_target_cacert_profile'])
# Copy /usr/share/pki/<subsystem>/conf/caOCSPCert.profile
# to /etc/pki/<instance>/<subsystem>/caOCSPCert.profile
logger.info('Creating %s',
deployer.mdict['pki_target_caocspcert_profile'])
instance.copy(deployer.mdict['pki_source_caocspcert_profile'],
deployer.mdict['pki_target_caocspcert_profile'])
# Copy /usr/share/pki/<subsystem>/conf/<type>ServerCert.profile
# to /etc/pki/<instance>/<subsystem>/serverCert.profile
logger.info('Creating %s',
deployer.mdict['pki_target_servercert_profile'])
instance.copy(deployer.mdict['pki_source_servercert_profile'],
deployer.mdict['pki_target_servercert_profile'])
# Copy /usr/share/pki/<subsystem>/conf/<type>SubsystemCert.profile
# to /etc/pki/<instance>/<subsystem>/subsystemCert.profile
logger.info('Creating %s',
deployer.mdict['pki_target_subsystemcert_profile'])
instance.copy(deployer.mdict['pki_source_subsystemcert_profile'],
deployer.mdict['pki_target_subsystemcert_profile'])
# Copy /usr/share/pki/<subsystem>/conf/proxy.conf
# to /etc/pki/<instance>/<subsystem>/proxy.conf
logger.info('Creating %s', deployer.mdict['pki_target_proxy_conf'])
instance.copyfile(deployer.mdict['pki_source_proxy_conf'],
deployer.mdict['pki_target_proxy_conf'],
slots=deployer.slots,
params=deployer.mdict)
elif deployer.mdict['pki_subsystem'] == "TPS":
# Copy /usr/share/pki/<subsystem>/conf/registry.cfg
# to /etc/pki/<instance>/<subsystem>/registry.cfg
logger.info('Creating %s',
deployer.mdict['pki_target_registry_cfg'])
instance.copy(deployer.mdict['pki_source_registry_cfg'],
deployer.mdict['pki_target_registry_cfg'])
# Copy /usr/share/pki/<subsystem>/conf/phoneHome.xml
# to /etc/pki/<instance>/<subsystem>/phoneHome.xml
logger.info('Creating %s',
deployer.mdict['pki_target_phone_home_xml'])
instance.copyfile(deployer.mdict['pki_source_phone_home_xml'],
deployer.mdict['pki_target_phone_home_xml'],
slots=deployer.slots,
params=deployer.mdict)
# Link /var/lib/pki/<instance>/<subsystem>/conf
# to /etc/pki/<instance>/<subsystem>
logger.info('Creating %s', deployer.mdict['pki_subsystem_conf_link'])
instance.symlink(deployer.mdict['pki_subsystem_configuration_path'],
deployer.mdict['pki_subsystem_conf_link'])
# Link /var/lib/pki/<instance>/<subsystem>/logs
# to /var/log/pki/<instance>/<subsystem>
logger.info('Creating %s', deployer.mdict['pki_subsystem_logs_link'])
instance.symlink(deployer.mdict['pki_subsystem_log_path'],
deployer.mdict['pki_subsystem_logs_link'])
# Link /var/lib/pki/<instance>/<subsystem>/registry
# to /etc/sysconfig/pki/tomcat/<instance>
logger.info('Creating %s',
deployer.mdict['pki_subsystem_registry_link'])
instance.symlink(deployer.mdict['pki_instance_registry_path'],
deployer.mdict['pki_subsystem_registry_link'])
instance = self.instance
instance.load()
subsystem = instance.get_subsystem(
deployer.mdict['pki_subsystem'].lower())
subsystem.config['preop.subsystem.name'] = deployer.mdict[
'pki_subsystem_name']
certs = subsystem.find_system_certs()
for cert in certs:
# get CS.cfg tag and pkispawn tag
config_tag = cert['id']
deploy_tag = config_tag
if config_tag == 'signing': # for CA and OCSP
deploy_tag = subsystem.name + '_signing'
keytype = deployer.mdict['pki_%s_key_type' % deploy_tag]
subsystem.config['preop.cert.%s.keytype' % config_tag] = keytype
# configure SSL server cert
if subsystem.type == 'CA' and clone or subsystem.type != 'CA':
subsystem.config['preop.cert.sslserver.type'] = 'remote'
keytype = subsystem.config['preop.cert.sslserver.keytype']
if keytype.lower() == 'ecc':
subsystem.config[
'preop.cert.sslserver.profile'] = 'caECInternalAuthServerCert'
elif keytype.lower() == 'rsa':
subsystem.config[
'preop.cert.sslserver.profile'] = 'caInternalAuthServerCert'
# configure subsystem cert
if deployer.mdict['pki_security_domain_type'] == 'new':
subsystem.config['preop.cert.subsystem.type'] = 'local'
subsystem.config[
'preop.cert.subsystem.profile'] = 'subsystemCert.profile'
else: # deployer.mdict['pki_security_domain_type'] == 'existing':
subsystem.config['preop.cert.subsystem.type'] = 'remote'
keytype = subsystem.config['preop.cert.subsystem.keytype']
if keytype.lower() == 'ecc':
subsystem.config[
'preop.cert.subsystem.profile'] = 'caECInternalAuthSubsystemCert'
elif keytype.lower() == 'rsa':
subsystem.config[
'preop.cert.subsystem.profile'] = 'caInternalAuthSubsystemCert'
if external or standalone:
# This is needed by IPA to detect step 1 completion.
# See is_step_one_done() in ipaserver/install/cainstance.py.
subsystem.config['preop.ca.type'] = 'otherca'
elif subsystem.type != 'CA' or subordinate:
subsystem.config['preop.ca.type'] = 'sdca'
# configure cloning
if config.str2bool(deployer.mdict['pki_clone']):
subsystem.config['subsystem.select'] = 'Clone'
else:
subsystem.config['subsystem.select'] = 'New'
# configure CA
if subsystem.type == 'CA':
if external or subordinate:
subsystem.config['hierarchy.select'] = 'Subordinate'
else:
subsystem.config['hierarchy.select'] = 'Root'
if subordinate:
subsystem.config['preop.cert.signing.type'] = 'remote'
subsystem.config[
'preop.cert.signing.profile'] = 'caInstallCACert'
# configure TPS
if subsystem.type == 'TPS':
subsystem.config['auths.instance.ldap1.ldap.basedn'] = \
deployer.mdict['pki_authdb_basedn']
subsystem.config['auths.instance.ldap1.ldap.ldapconn.host'] = \
deployer.mdict['pki_authdb_hostname']
subsystem.config['auths.instance.ldap1.ldap.ldapconn.port'] = \
deployer.mdict['pki_authdb_port']
subsystem.config['auths.instance.ldap1.ldap.ldapconn.secureConn'] = \
deployer.mdict['pki_authdb_secure_conn']
subsystem.save()
def spawn(self, deployer):
if config.str2bool(deployer.mdict['pki_skip_installation']):
logger.info('Skipping NSS database creation')
return
instance = self.instance
instance.load()
usePSSForRSASigningAlg = \
deployer.mdict['pki_use_pss_rsa_signing_algorithm']
if usePSSForRSASigningAlg == "True":
self.set_signing_algs_for_pss(deployer)
subsystem = instance.get_subsystem(deployer.mdict['pki_subsystem'].lower())
if config.str2bool(deployer.mdict['pki_hsm_enable']):
hsm_token = deployer.mdict['pki_token_name']
subsystem.config['preop.module.token'] = hsm_token
# Since 'certutil' does NOT strip the 'token=' portion of
# the 'token=password' entries, create a temporary server 'pfile'
# which ONLY contains the 'password' for the purposes of
# allowing 'certutil' to generate the security databases
logger.info('Creating password file: %s', deployer.mdict['pki_shared_pfile'])
deployer.password.create_password_conf(
deployer.mdict['pki_shared_pfile'],
deployer.mdict['pki_server_database_password'], pin_sans_token=True)
deployer.file.modify(deployer.mdict['pki_shared_password_conf'])
if not os.path.isdir(deployer.mdict['pki_server_database_path']):
instance.makedirs(deployer.mdict['pki_server_database_path'], force=True)
nssdb = pki.nssdb.NSSDatabase(
directory=deployer.mdict['pki_server_database_path'],
password_file=deployer.mdict['pki_shared_pfile'])
try:
if not nssdb.exists():
logger.info('Creating NSS database: %s',
deployer.mdict['pki_server_database_path'])
nssdb.create()
finally:
nssdb.close()
if not os.path.islink(deployer.mdict['pki_instance_database_link']):
instance.symlink(
deployer.mdict['pki_server_database_path'],
deployer.mdict['pki_instance_database_link'],
force=True)
instance.symlink(
deployer.mdict['pki_instance_database_link'],
deployer.mdict['pki_subsystem_database_link'],
force=True)
if config.str2bool(deployer.mdict['pki_hsm_enable']) and \
not nssdb.module_exists(deployer.mdict['pki_hsm_modulename']):
nssdb.add_module(
deployer.mdict['pki_hsm_modulename'],
deployer.mdict['pki_hsm_libfile'])
# Set the initial NSS database ownership and permissions.
pki.util.chown(
deployer.mdict['pki_server_database_path'],
deployer.mdict['pki_uid'],
deployer.mdict['pki_gid'])
pki.util.chmod(
deployer.mdict['pki_server_database_path'],
config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
os.chmod(
deployer.mdict['pki_server_database_path'],
pki.server.DEFAULT_DIR_MODE)
# import system certificates before starting the server
pki_server_pkcs12_path = deployer.mdict['pki_server_pkcs12_path']
if pki_server_pkcs12_path:
pki_server_pkcs12_password = deployer.mdict[
'pki_server_pkcs12_password']
if not pki_server_pkcs12_password:
raise Exception('Missing pki_server_pkcs12_password property.')
nssdb = pki.nssdb.NSSDatabase(
directory=deployer.mdict['pki_server_database_path'],
password_file=deployer.mdict['pki_shared_pfile'])
try:
nssdb.import_pkcs12(
pkcs12_file=pki_server_pkcs12_path,
pkcs12_password=pki_server_pkcs12_password)
finally:
nssdb.close()
# update external CA file (if needed)
external_certs_path = deployer.mdict['pki_server_external_certs_path']
if external_certs_path is not None:
self.update_external_certs_conf(external_certs_path, deployer)
# import CA certificates from PKCS #12 file for cloning
pki_clone_pkcs12_path = deployer.mdict['pki_clone_pkcs12_path']
pki_server_database_path = deployer.mdict['pki_server_database_path']
if pki_clone_pkcs12_path:
pki_clone_pkcs12_password = deployer.mdict[
'pki_clone_pkcs12_password']
if not pki_clone_pkcs12_password:
raise Exception('Missing pki_clone_pkcs12_password property.')
nssdb = pki.nssdb.NSSDatabase(
directory=pki_server_database_path,
password_file=deployer.mdict['pki_shared_pfile'])
try:
print('Importing certificates from %s:' % pki_clone_pkcs12_path)
# The PKCS12 class requires an NSS database to run. For simplicity
# it uses the NSS database that has just been created.
pkcs12 = pki.pkcs12.PKCS12(
path=pki_clone_pkcs12_path,
password=pki_clone_pkcs12_password,
nssdb=nssdb)
try:
pkcs12.show_certs()
finally:
pkcs12.close()
# Import certificates
nssdb.import_pkcs12(
pkcs12_file=pki_clone_pkcs12_path,
pkcs12_password=pki_clone_pkcs12_password)
print('Imported certificates into %s:' %
pki_server_database_path)
nssdb.show_certs()
finally:
nssdb.close()
# Export CA certificate to PEM file; same command as in
# PKIServer.setup_cert_authentication().
# openssl pkcs12 -in <p12_file_path> -out /tmp/auth.pem -nodes -nokeys
pki_ca_crt_path = os.path.join(pki_server_database_path, 'ca.crt')
cmd_export_ca = [
'openssl', 'pkcs12',
'-in', pki_clone_pkcs12_path,
'-out', pki_ca_crt_path,
'-nodes',
'-nokeys',
'-passin', 'pass:'******'utf-8')
logger.debug('Result of CA certificate export: %s', res_ca)
# At this point, we're running as root. However, the subsystem
# will eventually start up as non-root and will attempt to do a
# migration. If we don't fix the permissions now, migration will
# fail and subsystem won't start up.
pki.util.chmod(pki_ca_crt_path, 0o644)
pki.util.chown(pki_ca_crt_path, deployer.mdict['pki_uid'],
deployer.mdict['pki_gid'])
ca_cert_path = deployer.mdict.get('pki_cert_chain_path')
if ca_cert_path and os.path.exists(ca_cert_path):
destination = os.path.join(instance.nssdb_dir, "ca.crt")
if not os.path.exists(destination):
# When we're passed a CA certificate file and we don't already
# have a CA file for some reason, we need to copy the passed
# file as the root CA certificate to establish trust in the
# Python code. It doesn't import it into the NSS DB for Java
# code, but so far we haven't had any issues with certificate
# validation there. This is only usually necessary when
# installing a non-CA subsystem on a fresh system.
instance.copyfile(ca_cert_path, destination)
if len(deployer.instance.tomcat_instance_subsystems()) < 2:
# Check to see if a secure connection is being used for the DS
if config.str2bool(deployer.mdict['pki_ds_secure_connection']):
# Check to see if a directory server CA certificate
# using the same nickname already exists
#
# NOTE: ALWAYS use the software DB regardless of whether
# the instance will utilize 'softokn' or an HSM
#
rv = deployer.certutil.verify_certificate_exists(
path=deployer.mdict['pki_server_database_path'],
token=deployer.mdict['pki_self_signed_token'],
nickname=deployer.mdict[
'pki_ds_secure_connection_ca_nickname'
],
password_file=deployer.mdict['pki_shared_pfile'])
if not rv:
# Import the directory server CA certificate
rv = deployer.certutil.import_cert(
deployer.mdict['pki_ds_secure_connection_ca_nickname'],
deployer.mdict[
'pki_ds_secure_connection_ca_trustargs'],
deployer.mdict['pki_ds_secure_connection_ca_pem_file'],
password_file=deployer.mdict['pki_shared_pfile'],
path=deployer.mdict['pki_server_database_path'],
token=deployer.mdict['pki_self_signed_token'])
# Always delete the temporary 'pfile'
deployer.file.delete(deployer.mdict['pki_shared_pfile'])
# Store system cert parameters in installation step to guarantee the
# parameters exist during configuration step and to allow customization.
certs = subsystem.find_system_certs()
for cert in certs:
# get CS.cfg tag and pkispawn tag
config_tag = cert['id']
deploy_tag = config_tag
if config_tag == 'signing': # for CA and OCSP
deploy_tag = subsystem.name + '_signing'
# store nickname
nickname = deployer.mdict['pki_%s_nickname' % deploy_tag]
subsystem.config['%s.%s.nickname' % (subsystem.name, config_tag)] = nickname
subsystem.config['preop.cert.%s.nickname' % config_tag] = nickname
# store tokenname
tokenname = deployer.mdict['pki_%s_token' % deploy_tag]
subsystem.config['%s.%s.tokenname' % (subsystem.name, config_tag)] = tokenname
fullname = nickname
if pki.nssdb.normalize_token(tokenname):
fullname = tokenname + ':' + nickname
subsystem.config['%s.cert.%s.nickname' % (subsystem.name, config_tag)] = fullname
# store subject DN
subject_dn = deployer.mdict['pki_%s_subject_dn' % deploy_tag]
subsystem.config['preop.cert.%s.dn' % config_tag] = subject_dn
keyalgorithm = deployer.mdict['pki_%s_key_algorithm' % deploy_tag]
subsystem.config['preop.cert.%s.keyalgorithm' % config_tag] = keyalgorithm
signingalgorithm = deployer.mdict.get(
'pki_%s_signing_algorithm' % deploy_tag, keyalgorithm)
subsystem.config['preop.cert.%s.signingalgorithm' % config_tag] = signingalgorithm
if subsystem.name == 'ca':
if config_tag == 'signing':
subsystem.config['ca.signing.defaultSigningAlgorithm'] = signingalgorithm
subsystem.config['ca.crl.MasterCRL.signingAlgorithm'] = signingalgorithm
elif config_tag == 'ocsp_signing':
subsystem.config['ca.ocsp_signing.defaultSigningAlgorithm'] = signingalgorithm
elif subsystem.name == 'ocsp':
if config_tag == 'signing':
subsystem.config['ocsp.signing.defaultSigningAlgorithm'] = signingalgorithm
elif subsystem.name == 'kra':
if config_tag == 'transport':
subsystem.config['kra.transportUnit.signingAlgorithm'] = signingalgorithm
# TODO: move more system cert params here
admin_dn = deployer.mdict['pki_admin_subject_dn']
subsystem.config['preop.cert.admin.dn'] = admin_dn
# If specified in the deployment parameter, add generic CA signing cert
# extension parameters into the CS.cfg. Generic extension for other
# system certs can be added directly into CS.cfg after before the
# configuration step.
if subsystem.type == 'CA':
signing_nickname = subsystem.config['ca.signing.nickname']
subsystem.config['ca.signing.certnickname'] = signing_nickname
subsystem.config['ca.signing.cacertnickname'] = signing_nickname
ocsp_signing_nickname = subsystem.config['ca.ocsp_signing.nickname']
subsystem.config['ca.ocsp_signing.certnickname'] = ocsp_signing_nickname
subsystem.config['ca.ocsp_signing.cacertnickname'] = ocsp_signing_nickname
if deployer.configuration_file.add_req_ext:
subsystem.config['preop.cert.signing.ext.oid'] = \
deployer.configuration_file.req_ext_oid
subsystem.config['preop.cert.signing.ext.data'] = \
deployer.configuration_file.req_ext_data
subsystem.config['preop.cert.signing.ext.critical'] = \
deployer.configuration_file.req_ext_critical.lower()
if deployer.configuration_file.req_ski:
subsystem.config['preop.cert.signing.subject_key_id'] = \
deployer.configuration_file.req_ski
if subsystem.type == 'KRA':
storage_nickname = subsystem.config['kra.storage.nickname']
storage_token = subsystem.config['kra.storage.tokenname']
if pki.nssdb.normalize_token(storage_token):
subsystem.config['kra.storageUnit.hardware'] = storage_token
subsystem.config['kra.storageUnit.nickName'] = \
storage_token + ':' + storage_nickname
else:
subsystem.config['kra.storageUnit.nickName'] = \
storage_nickname
transport_nickname = subsystem.config['kra.transport.nickname']
transport_token = subsystem.config['kra.transport.tokenname']
if pki.nssdb.normalize_token(transport_token):
subsystem.config['kra.transportUnit.nickName'] = \
transport_token + ':' + transport_nickname
else:
subsystem.config['kra.transportUnit.nickName'] = \
transport_nickname
if subsystem.type == 'OCSP':
signing_nickname = subsystem.config['ocsp.signing.nickname']
subsystem.config['ocsp.signing.certnickname'] = signing_nickname
subsystem.config['ocsp.signing.cacertnickname'] = signing_nickname
audit_nickname = subsystem.config['%s.audit_signing.nickname' % subsystem.name]
audit_token = subsystem.config['%s.audit_signing.tokenname' % subsystem.name]
if pki.nssdb.normalize_token(audit_token):
audit_nickname = audit_token + ':' + audit_nickname
subsystem.config['log.instance.SignedAudit.signedAuditCertNickname'] = audit_nickname
san_inject = config.str2bool(deployer.mdict['pki_san_inject'])
logger.info('Injecting SAN: %s', san_inject)
san_for_server_cert = deployer.mdict.get('pki_san_for_server_cert')
logger.info('SSL server cert SAN: %s', san_for_server_cert)
if san_inject and san_for_server_cert:
subsystem.config['service.injectSAN'] = 'true'
subsystem.config['service.sslserver.san'] = san_for_server_cert
subsystem.save()
# Place 'slightly' less restrictive permissions on
# the top-level client directory ONLY
deployer.directory.create(
deployer.mdict['pki_client_subsystem_dir'],
uid=0, gid=0,
perms=config.PKI_DEPLOYMENT_DEFAULT_CLIENT_DIR_PERMISSIONS)
# Since 'certutil' does NOT strip the 'token=' portion of
# the 'token=password' entries, create a client password file
# which ONLY contains the 'password' for the purposes of
# allowing 'certutil' to generate the security databases
logger.info('Creating password file: %s', deployer.mdict['pki_client_password_conf'])
deployer.password.create_password_conf(
deployer.mdict['pki_client_password_conf'],
deployer.mdict['pki_client_database_password'], pin_sans_token=True)
deployer.file.modify(
deployer.mdict['pki_client_password_conf'],
uid=0, gid=0)
# Similarly, create a simple password file containing the
# PKCS #12 password used when exporting the 'Admin Certificate'
# into a PKCS #12 file
deployer.password.create_client_pkcs12_password_conf(
deployer.mdict['pki_client_pkcs12_password_conf'])
deployer.file.modify(deployer.mdict['pki_client_pkcs12_password_conf'])
pki.util.makedirs(deployer.mdict['pki_client_database_dir'], force=True)
nssdb = pki.nssdb.NSSDatabase(
directory=deployer.mdict['pki_client_database_dir'],
password_file=deployer.mdict['pki_client_password_conf'])
try:
if not nssdb.exists():
nssdb.create()
finally:
nssdb.close()
def spawn(self, deployer):
if config.str2bool(deployer.mdict['pki_skip_installation']):
logger.info('Skipping NSS database creation')
return
logger.info('Creating NSS database')
instance = pki.server.instance.PKIInstance(
deployer.mdict['pki_instance_name'])
instance.load()
subsystem = instance.get_subsystem(
deployer.mdict['pki_subsystem'].lower())
if config.str2bool(deployer.mdict['pki_hsm_enable']):
hsm_token = deployer.mdict['pki_token_name']
subsystem.config['preop.module.token'] = hsm_token
# Since 'certutil' does NOT strip the 'token=' portion of
# the 'token=password' entries, create a temporary server 'pfile'
# which ONLY contains the 'password' for the purposes of
# allowing 'certutil' to generate the security databases
logger.info('Creating password file: %s',
deployer.mdict['pki_shared_pfile'])
deployer.password.create_password_conf(
deployer.mdict['pki_shared_pfile'],
deployer.mdict['pki_server_database_password'],
pin_sans_token=True)
deployer.file.modify(deployer.mdict['pki_shared_password_conf'])
if not os.path.isdir(deployer.mdict['pki_server_database_path']):
instance.makedirs(deployer.mdict['pki_server_database_path'],
force=True)
nssdb = pki.nssdb.NSSDatabase(
directory=deployer.mdict['pki_server_database_path'],
password_file=deployer.mdict['pki_shared_pfile'])
try:
if not nssdb.exists():
nssdb.create()
finally:
nssdb.close()
if not os.path.islink(deployer.mdict['pki_instance_database_link']):
instance.symlink(deployer.mdict['pki_server_database_path'],
deployer.mdict['pki_instance_database_link'],
force=True)
instance.symlink(deployer.mdict['pki_instance_database_link'],
deployer.mdict['pki_subsystem_database_link'],
force=True)
if config.str2bool(deployer.mdict['pki_hsm_enable']):
deployer.modutil.register_security_module(
deployer.mdict['pki_server_database_path'],
deployer.mdict['pki_hsm_modulename'],
deployer.mdict['pki_hsm_libfile'])
pki.util.chown(deployer.mdict['pki_server_database_path'],
deployer.mdict['pki_uid'], deployer.mdict['pki_uid'])
pki.util.chmod(
deployer.mdict['pki_server_database_path'],
config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
os.chmod(deployer.mdict['pki_server_database_path'],
config.PKI_DEPLOYMENT_DEFAULT_DIR_PERMISSIONS)
# import system certificates before starting the server
pki_server_pkcs12_path = deployer.mdict['pki_server_pkcs12_path']
if pki_server_pkcs12_path:
pki_server_pkcs12_password = deployer.mdict[
'pki_server_pkcs12_password']
if not pki_server_pkcs12_password:
raise Exception('Missing pki_server_pkcs12_password property.')
nssdb = pki.nssdb.NSSDatabase(
directory=deployer.mdict['pki_server_database_path'],
password_file=deployer.mdict['pki_shared_pfile'])
try:
nssdb.import_pkcs12(pkcs12_file=pki_server_pkcs12_path,
pkcs12_password=pki_server_pkcs12_password)
finally:
nssdb.close()
# update external CA file (if needed)
external_certs_path = deployer.mdict[
'pki_server_external_certs_path']
if external_certs_path is not None:
self.update_external_certs_conf(external_certs_path, deployer)
# import CA certificates from PKCS #12 file for cloning
pki_clone_pkcs12_path = deployer.mdict['pki_clone_pkcs12_path']
if pki_clone_pkcs12_path:
pki_clone_pkcs12_password = deployer.mdict[
'pki_clone_pkcs12_password']
if not pki_clone_pkcs12_password:
raise Exception('Missing pki_clone_pkcs12_password property.')
nssdb = pki.nssdb.NSSDatabase(
directory=deployer.mdict['pki_server_database_path'],
password_file=deployer.mdict['pki_shared_pfile'])
try:
print('Importing certificates from %s:' %
pki_clone_pkcs12_path)
# The PKCS12 class requires an NSS database to run. For simplicity
# it uses the NSS database that has just been created.
pkcs12 = pki.pkcs12.PKCS12(path=pki_clone_pkcs12_path,
password=pki_clone_pkcs12_password,
nssdb=nssdb)
try:
pkcs12.show_certs()
finally:
pkcs12.close()
# Import certificates
nssdb.import_pkcs12(pkcs12_file=pki_clone_pkcs12_path,
pkcs12_password=pki_clone_pkcs12_password)
# Set certificate trust flags
if subsystem.type == 'CA':
nssdb.modify_cert(
nickname=deployer.mdict['pki_ca_signing_nickname'],
trust_attributes='CTu,Cu,Cu')
nssdb.modify_cert(
nickname=deployer.mdict['pki_audit_signing_nickname'],
trust_attributes='u,u,Pu')
print('Imported certificates into %s:' %
deployer.mdict['pki_server_database_path'])
nssdb.show_certs()
finally:
nssdb.close()
if len(deployer.instance.tomcat_instance_subsystems()) < 2:
# Check to see if a secure connection is being used for the DS
if config.str2bool(deployer.mdict['pki_ds_secure_connection']):
# Check to see if a directory server CA certificate
# using the same nickname already exists
#
# NOTE: ALWAYS use the software DB regardless of whether
# the instance will utilize 'softokn' or an HSM
#
rv = deployer.certutil.verify_certificate_exists(
path=deployer.mdict['pki_server_database_path'],
token=deployer.mdict['pki_self_signed_token'],
nickname=deployer.
mdict['pki_ds_secure_connection_ca_nickname'],
password_file=deployer.mdict['pki_shared_pfile'])
if not rv:
# Import the directory server CA certificate
rv = deployer.certutil.import_cert(
deployer.mdict['pki_ds_secure_connection_ca_nickname'],
deployer.
mdict['pki_ds_secure_connection_ca_trustargs'],
deployer.mdict['pki_ds_secure_connection_ca_pem_file'],
password_file=deployer.mdict['pki_shared_pfile'],
path=deployer.mdict['pki_server_database_path'],
token=deployer.mdict['pki_self_signed_token'])
# Always delete the temporary 'pfile'
deployer.file.delete(deployer.mdict['pki_shared_pfile'])
# Store system cert parameters in installation step to guarantee the
# parameters exist during configuration step and to allow customization.
certs = subsystem.find_system_certs()
for cert in certs:
# get CS.cfg tag and pkispawn tag
config_tag = cert['id']
deploy_tag = config_tag
if config_tag == 'signing': # for CA and OCSP
deploy_tag = subsystem.name + '_signing'
# store nickname
nickname = deployer.mdict['pki_%s_nickname' % deploy_tag]
subsystem.config['%s.%s.nickname' %
(subsystem.name, config_tag)] = nickname
subsystem.config['preop.cert.%s.nickname' % config_tag] = nickname
# store tokenname
tokenname = deployer.mdict['pki_%s_token' % deploy_tag]
subsystem.config['%s.%s.tokenname' %
(subsystem.name, config_tag)] = tokenname
# store subject DN
subject_dn = deployer.mdict['pki_%s_subject_dn' % deploy_tag]
subsystem.config['preop.cert.%s.dn' % config_tag] = subject_dn
keytype = deployer.mdict['pki_%s_key_type' % deploy_tag]
subsystem.config['preop.cert.%s.keytype' % config_tag] = keytype
keyalgorithm = deployer.mdict['pki_%s_key_algorithm' % deploy_tag]
subsystem.config['preop.cert.%s.keyalgorithm' %
config_tag] = keyalgorithm
signingalgorithm = deployer.mdict.get(
'pki_%s_signing_algorithm' % deploy_tag, keyalgorithm)
subsystem.config['preop.cert.%s.signingalgorithm' %
config_tag] = signingalgorithm
# TODO: move more system cert params here
# If specified in the deployment parameter, add generic CA signing cert
# extension parameters into the CS.cfg. Generic extension for other
# system certs can be added directly into CS.cfg after before the
# configuration step.
if subsystem.type == 'CA':
if deployer.configuration_file.add_req_ext:
subsystem.config['preop.cert.signing.ext.oid'] = \
deployer.configuration_file.req_ext_oid
subsystem.config['preop.cert.signing.ext.data'] = \
deployer.configuration_file.req_ext_data
subsystem.config['preop.cert.signing.ext.critical'] = \
deployer.configuration_file.req_ext_critical.lower()
if deployer.configuration_file.req_ski:
subsystem.config['preop.cert.signing.subject_key_id'] = \
deployer.configuration_file.req_ski
if subsystem.type == 'KRA':
if deployer.configuration_file.clone:
token = subsystem.config['preop.module.token']
if pki.nssdb.normalize_token(token):
storage_subsystem = subsystem.config[
'preop.cert.storage.subsystem']
storage_nickname = subsystem.config[
'preop.cert.storage.nickname']
transport_nickname = subsystem.config[
'preop.cert.transport.nickname']
subsystem.config['%s.storageUnit.hardware' %
storage_subsystem] = token
subsystem.config['%s.storageUnit.nickName' % storage_subsystem] = \
token + ':' + storage_nickname
subsystem.config['%s.transportUnit.nickName' % storage_subsystem] = \
token + ':' + transport_nickname
if deployer.configuration_file.clone:
nickname = subsystem.config['%s.audit_signing.nickname' %
subsystem.name]
token = subsystem.config['%s.audit_signing.tokenname' %
subsystem.name]
if pki.nssdb.normalize_token(token):
nickname = token + ':' + nickname
subsystem.config[
'log.instance.SignedAudit.signedAuditCertNickname'] = nickname
subsystem.save()
# Place 'slightly' less restrictive permissions on
# the top-level client directory ONLY
deployer.directory.create(
deployer.mdict['pki_client_subsystem_dir'],
uid=0,
gid=0,
perms=config.PKI_DEPLOYMENT_DEFAULT_CLIENT_DIR_PERMISSIONS)
# Since 'certutil' does NOT strip the 'token=' portion of
# the 'token=password' entries, create a client password file
# which ONLY contains the 'password' for the purposes of
# allowing 'certutil' to generate the security databases
logger.info('Creating password file: %s',
deployer.mdict['pki_client_password_conf'])
deployer.password.create_password_conf(
deployer.mdict['pki_client_password_conf'],
deployer.mdict['pki_client_database_password'],
pin_sans_token=True)
deployer.file.modify(deployer.mdict['pki_client_password_conf'],
uid=0,
gid=0)
# Similarly, create a simple password file containing the
# PKCS #12 password used when exporting the 'Admin Certificate'
# into a PKCS #12 file
deployer.password.create_client_pkcs12_password_conf(
deployer.mdict['pki_client_pkcs12_password_conf'])
deployer.file.modify(deployer.mdict['pki_client_pkcs12_password_conf'])
pki.util.makedirs(deployer.mdict['pki_client_database_dir'],
force=True)
nssdb = pki.nssdb.NSSDatabase(
directory=deployer.mdict['pki_client_database_dir'],
password_file=deployer.mdict['pki_client_password_conf'])
try:
if not nssdb.exists():
nssdb.create()
finally:
nssdb.close()
