def execute(self, argv): try: opts, args = getopt.gnu_getopt( argv, 'i:v', ['instance=', 'show-all', 'verbose', 'debug', 'help']) except getopt.GetoptError as e: logger.error(e) self.usage() sys.exit(1) instance_name = 'pki-tomcat' show_all = False for o, a in opts: if o in ('-i', '--instance'): instance_name = a elif o == '--show-all': show_all = True elif o == '--debug': logging.getLogger().setLevel(logging.DEBUG) elif o in ('-v', '--verbose'): logging.getLogger().setLevel(logging.INFO) elif o == '--help': self.usage() sys.exit() else: logger.error('Unknown option: %s', o) self.usage() sys.exit(1) if len(args) < 1: logger.error('Missing subsystem ID') self.usage() sys.exit(1) if len(args) < 2: logger.error('Missing cert ID') self.usage() sys.exit(1) subsystem_name = args[0] cert_id = args[1] instance = pki.server.instance.PKIInstance(instance_name) if not instance.exists(): logger.error('Invalid instance %s.', instance_name) sys.exit(1) instance.load() subsystem = instance.get_subsystem(subsystem_name) if not subsystem: logger.error('ERROR: No %s subsystem in instance %s.', subsystem_name, instance_name) sys.exit(1) cert = subsystem.get_subsystem_cert(cert_id) self.print_message('"{}" subsystem "{}" certificate'.format( subsystem_name, cert_id)) SubsystemCertCLI.print_subsystem_cert(cert, show_all)
def execute(self, argv): try: opts, args = getopt.gnu_getopt(argv, 'i:v', [ 'instance=', 'cert-file=', 'csr-file=', 'pkcs12-file=', 'pkcs12-password='******'pkcs12-password-file=', 'friendly-name=', 'cert-encryption=', 'key-encryption=', 'append', 'no-trust-flags', 'no-key', 'no-chain', 'verbose', 'debug', 'help']) except getopt.GetoptError as e: logger.error(e) self.print_help() sys.exit(1) instance_name = 'pki-tomcat' cert_file = None csr_file = None pkcs12_file = None pkcs12_password = None pkcs12_password_file = None friendly_name = None cert_encryption = None key_encryption = None append = False include_trust_flags = True include_key = True include_chain = True for o, a in opts: if o in ('-i', '--instance'): instance_name = a elif o == '--cert-file': cert_file = a elif o == '--csr-file': csr_file = a elif o == '--pkcs12-file': pkcs12_file = a elif o == '--pkcs12-password': pkcs12_password = a elif o == '--pkcs12-password-file': pkcs12_password_file = a elif o == '--friendly-name': friendly_name = a elif o == '--cert-encryption': cert_encryption = a elif o == '--key-encryption': key_encryption = a elif o == '--append': append = True elif o == '--no-trust-flags': include_trust_flags = False elif o == '--no-key': include_key = False elif o == '--no-chain': include_chain = False elif o == '--debug': logging.getLogger().setLevel(logging.DEBUG) elif o in ('-v', '--verbose'): logging.getLogger().setLevel(logging.INFO) elif o == '--help': self.print_help() sys.exit() else: logger.error('option %s not recognized', o) self.print_help() sys.exit(1) if len(args) < 1: logger.error('Missing cert ID.') self.print_help() sys.exit(1) cert_id = args[0] if not (cert_file or csr_file or pkcs12_file): logger.error('missing output file') self.print_help() sys.exit(1) instance = pki.server.instance.PKIInstance(instance_name) if not instance.exists(): logger.error('Invalid instance %s.', instance_name) sys.exit(1) instance.load() subsystem_name, cert_tag = pki.server.PKIServer.split_cert_id(cert_id) # If cert ID is instance specific, get it from first subsystem if not subsystem_name: subsystem_name = instance.get_subsystems()[0].name subsystem = instance.get_subsystem(subsystem_name) if not subsystem: logger.error( 'No %s subsystem in instance %s.', subsystem_name, instance_name) sys.exit(1) cert = subsystem.get_subsystem_cert(cert_tag) if not cert: logger.error('missing %s certificate', cert_id) self.print_help() sys.exit(1) if cert_id == 'sslserver': full_name = instance.get_sslserver_cert_nickname() i = full_name.find(':') if i < 0: nickname = full_name token = None else: nickname = full_name[i + 1:] token = full_name[:i] else: # get nickname and token from CS.cfg nickname = cert['nickname'] token = cert['token'] logger.info('Nickname: %s', nickname) logger.info('Token: %s', token) nssdb = instance.open_nssdb(token) try: if cert_file: logger.info('Exporting %s certificate into %s.', cert_id, cert_file) cert_data = cert.get('data') if cert_data is None: logger.error('Unable to find certificate data for %s', cert_id) sys.exit(1) cert_data = pki.nssdb.convert_cert(cert_data, 'base64', 'pem') with open(cert_file, 'w') as f: f.write(cert_data) if csr_file: logger.info('Exporting %s CSR into %s.', cert_id, csr_file) cert_request = cert.get('request') if cert_request is None: logger.error('Unable to find certificate request for %s', cert_id) sys.exit(1) csr_data = pki.nssdb.convert_csr(cert_request, 'base64', 'pem') with open(csr_file, 'w') as f: f.write(csr_data) if pkcs12_file: logger.info('Exporting %s certificate and key into %s.', cert_id, pkcs12_file) if not pkcs12_password and not pkcs12_password_file: pkcs12_password = getpass.getpass(prompt='Enter password for PKCS #12 file: ') logger.info('Friendly name: %s', friendly_name) nssdb.export_cert( nickname=nickname, pkcs12_file=pkcs12_file, pkcs12_password=pkcs12_password, pkcs12_password_file=pkcs12_password_file, friendly_name=friendly_name, cert_encryption=cert_encryption, key_encryption=key_encryption, append=append, include_trust_flags=include_trust_flags, include_key=include_key, include_chain=include_chain) finally: nssdb.close()
def execute(self, argv): try: opts, args = getopt.gnu_getopt(argv, 'i:v', [ 'instance=', 'show-all', 'pretty-print', 'verbose', 'debug', 'help']) except getopt.GetoptError as e: logger.error(e) self.print_help() sys.exit(1) instance_name = 'pki-tomcat' show_all = False pretty_print = False for o, a in opts: if o in ('-i', '--instance'): instance_name = a elif o == '--show-all': show_all = True elif o == '--pretty-print': pretty_print = True elif o == '--debug': logging.getLogger().setLevel(logging.DEBUG) elif o in ('-v', '--verbose'): logging.getLogger().setLevel(logging.INFO) elif o == '--help': self.print_help() sys.exit() else: logger.error('option %s not recognized', o) self.print_help() sys.exit(1) if len(args) < 1: logger.error('Missing cert ID.') self.print_help() sys.exit(1) cert_id = args[0] instance = pki.server.instance.PKIServerFactory.create(instance_name) if not instance.exists(): logger.error('Invalid instance %s.', instance_name) sys.exit(1) instance.load() subsystem_name, cert_tag = pki.server.PKIServer.split_cert_id(cert_id) # If cert ID is instance specific, get it from first subsystem if not subsystem_name: subsystem_name = instance.get_subsystems()[0].name subsystem = instance.get_subsystem(subsystem_name) if not subsystem: logger.error( 'No %s subsystem in instance %s.', subsystem_name, instance_name) sys.exit(1) cert = subsystem.get_subsystem_cert(cert_tag) CertCLI.print_system_cert(cert, show_all) if pretty_print: print() nssdb = instance.open_nssdb() try: nssdb.show_cert( nickname=cert['nickname'], token=cert['token']) finally: nssdb.close()
def execute(self, argv): try: opts, args = getopt.gnu_getopt(argv, 'i:v', [ 'instance=', 'cert=', 'format=', 'verbose', 'debug', 'help']) except getopt.GetoptError as e: logger.error(e) self.print_help() sys.exit(1) instance_name = 'pki-tomcat' subsystem_name = self.parent.parent.parent.name cert_path = None cert_format = 'PEM' for o, a in opts: if o in ('-i', '--instance'): instance_name = a elif o == '--cert': cert_path = a elif o == '--format': cert_format = a elif o in ('-v', '--verbose'): logging.getLogger().setLevel(logging.INFO) elif o == '--debug': logging.getLogger().setLevel(logging.DEBUG) elif o == '--help': self.print_help() sys.exit() else: logger.error('Invalid option: %s', o) self.print_help() sys.exit(1) if len(args) < 1: logger.error('Missing user ID') self.print_help() sys.exit(1) user_id = args[0] instance = pki.server.instance.PKIServerFactory.create(instance_name) if not instance.exists(): logger.error('Invalid instance: %s', instance_name) sys.exit(1) instance.load() subsystem = instance.get_subsystem(subsystem_name) if not subsystem: logger.error('No %s subsystem in instance %s', subsystem_name.upper(), instance_name) sys.exit(1) subsystem.add_user_cert(user_id, cert_path=cert_path, cert_format=cert_format)
def execute(self, argv): try: opts, _ = getopt.gnu_getopt(argv, 'i:v', [ 'hostname=', 'port=', 'secure=', 'auth=', 'bindDN=', 'bindPWPrompt=', 'nickname=', 'database=', 'baseDN=', 'multiSuffix=', 'maxConns=', 'minConns=', 'verbose', 'debug', 'help' ]) except getopt.GetoptError as e: logger.error(e) self.print_help() sys.exit(1) instance_name = 'pki-tomcat' hostname = None port = None secure = None auth = None bindDN = None bindPWPrompt = None nickname = None database = None baseDN = None multiSuffix = None maxConns = None minConns = None for o, a in opts: if o in ('-i', '--instance'): instance_name = a elif o == '--hostname': hostname = a elif o == '--port': if not a.isdigit(): raise ValueError('Invalid input: %s accepts a number' % o) port = a elif o == '--secure': if a.lower() not in ['true', 'false']: raise ValueError( 'Invalid input: %s accepts True or False' % o) secure = a.lower() == 'true' elif o == '--auth': if a not in ['BasicAuth', 'SslClientAuth']: raise ValueError('Invalid input: %s' % a) auth = a elif o == '--bindDN': bindDN = a elif o == '--bindPWPrompt': bindPWPrompt = a elif o == '--nickname': nickname = a elif o == '--database': database = a elif o == '--baseDN': baseDN = a elif o == '--multiSuffix': if a.lower() not in ['true', 'false']: raise ValueError( 'Invalid input: %s accepts True or False' % o) multiSuffix = a.lower() == 'true' elif o == '--maxConns': if not a.isdigit(): raise ValueError('Invalid input: %s accepts a number' % o) maxConns = a elif o == '--minConns': if not a.isdigit(): raise ValueError('Invalid input: %s accepts a number' % o) minConns = a elif o in ('-v', '--verbose'): logging.getLogger().setLevel(logging.INFO) elif o == '--debug': logging.getLogger().setLevel(logging.DEBUG) elif o == '--help': self.print_help() sys.exit() else: logger.error('Invalid option: %s', o) self.print_help() sys.exit(1) instance = pki.server.instance.PKIServerFactory.create(instance_name) if not instance.exists(): logger.error('Invalid instance: %s', instance_name) sys.exit(1) instance.load() subsystem_name = self.parent.parent.parent.name subsystem = instance.get_subsystem(subsystem_name) if not subsystem: logger.error('No %s subsystem in instance %s', subsystem_name.upper(), instance_name) sys.exit(1) name = 'internaldb.%s' if hostname: subsystem.config[name % 'ldapconn.host'] = hostname if port: subsystem.config[name % 'ldapconn.port'] = port if secure is not None: if secure: subsystem.config[name % 'ldapconn.secureConn'] = 'true' else: subsystem.config[name % 'ldapconn.secureConn'] = 'false' if auth: subsystem.config[name % 'ldapauth.authtype'] = auth if bindDN: subsystem.config[name % 'ldapauth.bindDN'] = bindDN if bindPWPrompt: subsystem.config[name % 'ldapauth.bindPWPrompt'] = bindPWPrompt if nickname: subsystem.config[name % 'ldapauth.clientCertNickname'] = nickname if database: subsystem.config[name % 'database'] = database if baseDN: subsystem.config[name % 'basedn'] = baseDN if multiSuffix is not None: if multiSuffix: subsystem.config[name % 'multipleSuffix.enable'] = 'true' else: subsystem.config[name % 'multipleSuffix.enable'] = 'false' if maxConns: subsystem.config[name % 'maxConns'] = maxConns if minConns: subsystem.config[name % 'minConns'] = minConns subsystem.save() SubsystemDBCLI.print_config(subsystem)
def execute(self, argv): try: opts, _ = getopt.gnu_getopt(argv, 'i:D:w:x:g:v', [ 'instance=', 'bind-dn=', 'bind-password='******'generate-ldif=', 'verbose', 'debug', 'help' ]) except getopt.GetoptError as e: logger.error(e) self.print_help() sys.exit(1) instance_name = 'pki-tomcat' bind_dn = None bind_password = None for o, a in opts: if o in ('-i', '--instance'): instance_name = a elif o in ('-D', '--bind-dn'): bind_dn = a elif o in ('-w', '--bind-password'): bind_password = a elif o in ('-g', '--generate-ldif'): self.out_file = a elif o == '--debug': logging.getLogger().setLevel(logging.DEBUG) elif o in ('-v', '--verbose'): logging.getLogger().setLevel(logging.INFO) elif o == '--help': self.print_help() sys.exit() else: logger.error('Unknown option: %s', o) self.print_help() sys.exit(1) instance = pki.server.instance.PKIInstance(instance_name) if not instance.is_valid(): logger.error('Invalid instance %s.', instance_name) sys.exit(1) instance.load() subsystem = instance.get_subsystem('kra') if not subsystem: logger.error('No KRA subsystem in instance %s.', instance_name) sys.exit(1) self.delete_vlv(subsystem, bind_dn, bind_password) print('KRA VLVs deleted from the database for ' + instance_name)
def spawn(self, deployer): external = deployer.configuration_file.external standalone = deployer.configuration_file.standalone subordinate = deployer.configuration_file.subordinate clone = deployer.configuration_file.clone if config.str2bool(deployer.mdict['pki_skip_installation']): logger.info('Skipping subsystem creation') return logger.info('Creating %s subsystem', deployer.mdict['pki_subsystem']) # If pki_one_time_pin is not specified, generate a new one if 'pki_one_time_pin' not in deployer.mdict: pin = ''.join( random.choice(string.ascii_letters + string.digits) for x in range(20)) deployer.mdict['pki_one_time_pin'] = pin deployer.mdict['PKI_RANDOM_NUMBER_SLOT'] = pin instance = self.instance # Create /var/log/pki/<instance>/<subsystem> instance.makedirs(deployer.mdict['pki_subsystem_log_path'], exist_ok=True) # Create /var/log/pki/<instance>/<subsystem>/archive instance.makedirs(deployer.mdict['pki_subsystem_archive_log_path'], exist_ok=True) # Create /var/log/pki/<instance>/<subsystem>/signedAudit instance.makedirs( deployer.mdict['pki_subsystem_signed_audit_log_path'], exist_ok=True) # Create /etc/pki/<instance>/<subsystem> instance.makedirs(deployer.mdict['pki_subsystem_configuration_path'], exist_ok=True) # Copy /usr/share/pki/<subsystem>/conf/CS.cfg # to /etc/pki/<instance>/<subsystem>/CS.cfg instance.copyfile(deployer.mdict['pki_source_cs_cfg'], deployer.mdict['pki_target_cs_cfg'], slots=deployer.slots, params=deployer.mdict) # Copy /usr/share/pki/<subsystem>/conf/registry.cfg # to /etc/pki/<instance>/<subsystem>/registry.cfg instance.copy(deployer.mdict['pki_source_registry_cfg'], deployer.mdict['pki_target_registry_cfg']) if deployer.mdict['pki_subsystem'] == "CA": # Copy /usr/share/pki/ca/emails # to /etc/pki/<instance>/ca/emails instance.copy(deployer.mdict['pki_source_emails'], deployer.mdict['pki_subsystem_emails_path']) # Link /var/lib/pki/<instance>/ca/emails # to /etc/pki/<instance>/ca/emails emails_path = os.path.join(instance.conf_dir, 'ca', 'emails') emails_link = os.path.join(instance.base_dir, 'ca', 'emails') instance.symlink(emails_path, emails_link) # Copy /usr/share/pki/ca/profiles # to /etc/pki/<instance>/ca/profiles instance.copy(deployer.mdict['pki_source_profiles'], deployer.mdict['pki_subsystem_profiles_path']) # Link /var/lib/pki/<instance>/ca/profiles # to /etc/pki/<instance>/ca/profiles profiles_path = os.path.join(instance.conf_dir, 'ca', 'profiles') profiles_link = os.path.join(instance.base_dir, 'ca', 'profiles') instance.symlink(profiles_path, profiles_link) # Copy /usr/share/pki/<subsystem>/conf/flatfile.txt # to /etc/pki/<instance>/<subsystem>/flatfile.txt instance.copy(deployer.mdict['pki_source_flatfile_txt'], deployer.mdict['pki_target_flatfile_txt']) # Copy /usr/share/pki/<subsystem>/conf/<type>AdminCert.profile # to /etc/pki/<instance>/<subsystem>/adminCert.profile instance.copy(deployer.mdict['pki_source_admincert_profile'], deployer.mdict['pki_target_admincert_profile']) # Copy /usr/share/pki/<subsystem>/conf/caAuditSigningCert.profile # to /etc/pki/<instance>/<subsystem>/caAuditSigningCert.profile instance.copy( deployer.mdict['pki_source_caauditsigningcert_profile'], deployer.mdict['pki_target_caauditsigningcert_profile']) # Copy /usr/share/pki/<subsystem>/conf/caCert.profile # to /etc/pki/<instance>/<subsystem>/caCert.profile instance.copy(deployer.mdict['pki_source_cacert_profile'], deployer.mdict['pki_target_cacert_profile']) # Copy /usr/share/pki/<subsystem>/conf/caOCSPCert.profile # to /etc/pki/<instance>/<subsystem>/caOCSPCert.profile instance.copy(deployer.mdict['pki_source_caocspcert_profile'], deployer.mdict['pki_target_caocspcert_profile']) # Copy /usr/share/pki/<subsystem>/conf/<type>ServerCert.profile # to /etc/pki/<instance>/<subsystem>/serverCert.profile instance.copy(deployer.mdict['pki_source_servercert_profile'], deployer.mdict['pki_target_servercert_profile']) # Copy /usr/share/pki/<subsystem>/conf/<type>SubsystemCert.profile # to /etc/pki/<instance>/<subsystem>/subsystemCert.profile instance.copy(deployer.mdict['pki_source_subsystemcert_profile'], deployer.mdict['pki_target_subsystemcert_profile']) # Copy /usr/share/pki/<subsystem>/conf/proxy.conf # to /etc/pki/<instance>/<subsystem>/proxy.conf instance.copyfile(deployer.mdict['pki_source_proxy_conf'], deployer.mdict['pki_target_proxy_conf'], slots=deployer.slots, params=deployer.mdict) elif deployer.mdict['pki_subsystem'] == "TPS": # Copy /usr/share/pki/<subsystem>/conf/registry.cfg # to /etc/pki/<instance>/<subsystem>/registry.cfg instance.copy(deployer.mdict['pki_source_registry_cfg'], deployer.mdict['pki_target_registry_cfg']) # Copy /usr/share/pki/<subsystem>/conf/phoneHome.xml # to /etc/pki/<instance>/<subsystem>/phoneHome.xml instance.copyfile(deployer.mdict['pki_source_phone_home_xml'], deployer.mdict['pki_target_phone_home_xml'], slots=deployer.slots, params=deployer.mdict) # Link /var/lib/pki/<instance>/<subsystem>/conf # to /etc/pki/<instance>/<subsystem> instance.symlink(deployer.mdict['pki_subsystem_configuration_path'], deployer.mdict['pki_subsystem_conf_link']) # Link /var/lib/pki/<instance>/<subsystem>/logs # to /var/log/pki/<instance>/<subsystem> instance.symlink(deployer.mdict['pki_subsystem_log_path'], deployer.mdict['pki_subsystem_logs_link']) # Link /var/lib/pki/<instance>/<subsystem>/registry # to /etc/sysconfig/pki/tomcat/<instance> instance.symlink(deployer.mdict['pki_instance_registry_path'], deployer.mdict['pki_subsystem_registry_link']) instance = self.instance instance.load() subsystem = instance.get_subsystem( deployer.mdict['pki_subsystem'].lower()) subsystem.config['preop.subsystem.name'] = deployer.mdict[ 'pki_subsystem_name'] certs = subsystem.find_system_certs() for cert in certs: # get CS.cfg tag and pkispawn tag config_tag = cert['id'] deploy_tag = config_tag if config_tag == 'signing': # for CA and OCSP deploy_tag = subsystem.name + '_signing' keytype = deployer.mdict['pki_%s_key_type' % deploy_tag] subsystem.config['preop.cert.%s.keytype' % config_tag] = keytype # configure SSL server cert if subsystem.type == 'CA' and clone or subsystem.type != 'CA': subsystem.config['preop.cert.sslserver.type'] = 'remote' keytype = subsystem.config['preop.cert.sslserver.keytype'] if keytype.lower() == 'ecc': subsystem.config[ 'preop.cert.sslserver.profile'] = 'caECInternalAuthServerCert' elif keytype.lower() == 'rsa': subsystem.config[ 'preop.cert.sslserver.profile'] = 'caInternalAuthServerCert' # configure subsystem cert if deployer.mdict['pki_security_domain_type'] == 'new': subsystem.config['preop.cert.subsystem.type'] = 'local' subsystem.config[ 'preop.cert.subsystem.profile'] = 'subsystemCert.profile' else: # deployer.mdict['pki_security_domain_type'] == 'existing': subsystem.config['preop.cert.subsystem.type'] = 'remote' keytype = subsystem.config['preop.cert.subsystem.keytype'] if keytype.lower() == 'ecc': subsystem.config[ 'preop.cert.subsystem.profile'] = 'caECInternalAuthSubsystemCert' elif keytype.lower() == 'rsa': subsystem.config[ 'preop.cert.subsystem.profile'] = 'caInternalAuthSubsystemCert' if external or standalone: # This is needed by IPA to detect step 1 completion. # See is_step_one_done() in ipaserver/install/cainstance.py. subsystem.config['preop.ca.type'] = 'otherca' elif subsystem.type != 'CA' or subordinate: subsystem.config['preop.ca.type'] = 'sdca' # configure cloning if config.str2bool(deployer.mdict['pki_clone']): subsystem.config['subsystem.select'] = 'Clone' else: subsystem.config['subsystem.select'] = 'New' # configure CA if subsystem.type == 'CA': if external or subordinate: subsystem.config['hierarchy.select'] = 'Subordinate' else: subsystem.config['hierarchy.select'] = 'Root' if subordinate: subsystem.config['preop.cert.signing.type'] = 'remote' subsystem.config[ 'preop.cert.signing.profile'] = 'caInstallCACert' # configure OCSP if subsystem.type == 'OCSP': if clone: subsystem.config['ocsp.store.defStore.refreshInSec'] = '14400' # configure TPS if subsystem.type == 'TPS': subsystem.config['auths.instance.ldap1.ldap.basedn'] = \ deployer.mdict['pki_authdb_basedn'] subsystem.config['auths.instance.ldap1.ldap.ldapconn.host'] = \ deployer.mdict['pki_authdb_hostname'] subsystem.config['auths.instance.ldap1.ldap.ldapconn.port'] = \ deployer.mdict['pki_authdb_port'] subsystem.config['auths.instance.ldap1.ldap.ldapconn.secureConn'] = \ deployer.mdict['pki_authdb_secure_conn'] subsystem.save()
def execute(self, argv): try: opts, _ = getopt.gnu_getopt(argv, 'i:v', [ 'instance=', 'pkcs12-file=', 'pkcs12-password='******'pkcs12-password-file=', 'verbose', 'debug', 'help' ]) except getopt.GetoptError as e: logger.error(e) self.print_help() sys.exit(1) instance_name = 'pki-tomcat' pkcs12_file = None pkcs12_password = None for o, a in opts: if o in ('-i', '--instance'): instance_name = a elif o == '--pkcs12-file': pkcs12_file = a elif o == '--pkcs12-password': pkcs12_password = a.encode() elif o == '--pkcs12-password-file': with io.open(a, 'rb') as f: pkcs12_password = f.read() elif o in ('-v', '--verbose'): logging.getLogger().setLevel(logging.INFO) elif o == '--debug': logging.getLogger().setLevel(logging.DEBUG) elif o == '--help': self.print_help() sys.exit() else: logger.error('Invalid option: %s', o) self.print_help() sys.exit(1) if not pkcs12_file: logger.error('Missing PKCS #12 file') self.print_help() sys.exit(1) if not pkcs12_password: logger.error('Missing PKCS #12 password') self.print_help() sys.exit(1) instance = pki.server.instance.PKIInstance(instance_name) if not instance.is_valid(): logger.error('Invalid instance: %s', instance_name) sys.exit(1) instance.load() subsystem = instance.get_subsystem('ca') if not subsystem: logger.error('No CA subsystem in instance %s', instance_name) sys.exit(1) tmpdir = tempfile.mkdtemp() try: pkcs12_password_file = os.path.join(tmpdir, 'pkcs12_password.txt') with open(pkcs12_password_file, 'wb') as f: f.write(pkcs12_password) subsystem.export_cert_chain(pkcs12_file, pkcs12_password_file) finally: shutil.rmtree(tmpdir)
def execute(self, argv): try: opts, args = getopt.gnu_getopt(argv, 'i:', ['subsystem=', 'instance=', 'help']) except getopt.GetoptError as e: print('ERROR: ' + str(e)) self.print_help() sys.exit(1) # To hold the subsystem names subsystems = [] test = None instance_name = 'pki-tomcat' if len(args) == 1: test = args[0] for o, a in opts: if o in ('-i', '--instance'): instance_name = a elif o == '--subsystem': subsystems.append(a) elif o == '--help': self.print_help() sys.exit() else: print('ERROR: unknown option ' + o) self.print_help() sys.exit(1) # Load instance instance = pki.server.instance.PKIInstance(instance_name) if not instance.is_valid(): print('ERROR: Invalid instance %s.' % instance_name) sys.exit(1) instance.load() # To hold the instance of the loaded subsystems target_subsystems = [] # Load subsystem or subsystems if not subsystems: for subsys in instance.subsystems: target_subsystems.append(subsys) else: for subsys in subsystems: target_subsystems.append(instance.get_subsystem(subsys)) try: # Enable critical tests for all subsystems listed in target_subsystems for subsys in target_subsystems: subsys.set_startup_test_criticality(test=test, critical=True) # Save the updated CS.cfg to disk subsys.save() except pki.server.PKIServerException as e: logging.error(str(e)) sys.exit(1)
def execute(self, argv): try: opts, _ = getopt.gnu_getopt(argv, 'i:v', [ 'instance=', 'cert=', 'cert-file=', 'verbose', 'debug', 'help' ]) except getopt.GetoptError as e: logger.error(e) self.print_help() sys.exit(1) instance_name = 'pki-tomcat' cert = None for o, a in opts: if o in ('-i', '--instance'): instance_name = a elif o == '--cert': cert = a elif o == '--cert-file': with io.open(a, 'rb') as f: cert = f.read() elif o in ('-v', '--verbose'): logging.getLogger().setLevel(logging.INFO) elif o == '--debug': logging.getLogger().setLevel(logging.DEBUG) elif o == '--help': self.print_help() sys.exit() else: logger.error('Invalid option: %s', o) self.print_help() sys.exit(1) instance = pki.server.instance.PKIInstance(instance_name) if not instance.is_valid(): logger.error('Invalid instance: %s', instance_name) sys.exit(1) instance.load() subsystem = instance.get_subsystem('ca') if not subsystem: logger.error('No CA subsystem in instance %s', instance_name) sys.exit(1) results = subsystem.find_cert_requests(cert=cert) self.print_message('%s entries matched' % len(results)) first = True for request in results: if first: first = False else: print() CACertRequestCLI.print_request(request)
def execute(self, argv): try: opts, args = getopt.gnu_getopt( argv, 'i:v', ['instance=', 'output-file=', 'verbose', 'debug', 'help']) except getopt.GetoptError as e: logger.error(e) self.print_help() sys.exit(1) if len(args) != 1: logger.error('Missing request ID') self.print_help() sys.exit(1) request_id = args[0] instance_name = 'pki-tomcat' output_file = None for o, a in opts: if o in ('-i', '--instance'): instance_name = a elif o == '--output-file': output_file = a elif o in ('-v', '--verbose'): logging.getLogger().setLevel(logging.INFO) elif o == '--debug': logging.getLogger().setLevel(logging.DEBUG) elif o == '--help': self.print_help() sys.exit() else: logger.error('Invalid option: %s', o) self.print_help() sys.exit(1) instance = pki.server.instance.PKIInstance(instance_name) if not instance.is_valid(): logger.error('Invalid instance: %s', instance_name) sys.exit(1) instance.load() subsystem = instance.get_subsystem('ca') if not subsystem: logger.error('No CA subsystem in instance %s', instance_name) sys.exit(1) request = subsystem.get_cert_requests(request_id) if output_file: with io.open(output_file, 'wb') as f: f.write(request['request']) else: CACertRequestCLI.print_request(request, details=True)
def execute(self, argv): try: opts, args = getopt.gnu_getopt( argv, 'i:v', ['instance=', 'verbose', 'debug', 'help']) except getopt.GetoptError as e: logger.error(e) self.usage() sys.exit(1) instance_name = 'pki-tomcat' for o, a in opts: if o in ('-i', '--instance'): instance_name = a elif o == '--debug': logging.getLogger().setLevel(logging.DEBUG) elif o in ('-v', '--verbose'): logging.getLogger().setLevel(logging.INFO) elif o == '--help': self.usage() sys.exit() else: logger.error('Unknown option: %s', o) self.usage() sys.exit(1) if len(args) < 1: logger.error('Missing subsystem ID') self.usage() sys.exit(1) subsystem_name = args[0] if len(args) >= 2: cert_id = args[1] else: cert_id = None instance = pki.server.instance.PKIInstance(instance_name) if not instance.exists(): logger.error('Invalid instance %s.', instance_name) sys.exit(1) instance.load() subsystem = instance.get_subsystem(subsystem_name) if not subsystem: logger.error('No %s subsystem in instance %s.', subsystem_name, instance_name) sys.exit(1) if cert_id is not None: certs = [subsystem.get_subsystem_cert(cert_id)] else: certs = subsystem.find_system_certs() first = True certs_valid = True for cert in certs: if first: first = False else: print() certs_valid &= self.validate_certificate(instance, cert) if certs_valid: self.print_message("Validation succeeded") sys.exit(0) else: self.print_message("Validation failed") sys.exit(1)
def execute(self, argv): try: opts, args = getopt.gnu_getopt( argv, 'i:v', ['instance=', 'cert=', 'verbose', 'debug', 'help']) except getopt.GetoptError as e: logger.error(e) self.usage() sys.exit(1) instance_name = 'pki-tomcat' cert_file = None for o, a in opts: if o in ('-i', '--instance'): instance_name = a elif o == '--debug': logging.getLogger().setLevel(logging.DEBUG) elif o in ('-v', '--verbose'): logging.getLogger().setLevel(logging.INFO) elif o == '--help': self.usage() sys.exit() elif o == '--cert': cert_file = a else: logger.error('Unknown option: %s', o) self.usage() sys.exit(1) if len(args) < 1: logger.error('Missing subsystem ID') self.usage() sys.exit(1) if len(args) < 2: logger.error('Missing cert ID') self.usage() sys.exit(1) subsystem_name = args[0] cert_id = args[1] instance = pki.server.instance.PKIInstance(instance_name) if not instance.exists(): logger.error('Invalid instance %s.', instance_name) sys.exit(1) instance.load() subsystem = instance.get_subsystem(subsystem_name) if not subsystem: logger.error('No %s subsystem in instance %s.', subsystem_name, instance_name) sys.exit(1) subsystem_cert = subsystem.get_subsystem_cert(cert_id) logger.info('Retrieving certificate %s from %s', subsystem_cert['nickname'], subsystem_cert['token']) token = subsystem_cert['token'] nssdb = instance.open_nssdb(token) if cert_file: if not os.path.isfile(cert_file): logger.error('%s certificate does not exist.', cert_file) self.usage() sys.exit(1) data = nssdb.get_cert(nickname=subsystem_cert['nickname'], output_format='base64') if data: logger.info('Removing old %s certificate from database.', subsystem_cert['nickname']) nssdb.remove_cert(nickname=subsystem_cert['nickname']) logger.info('Adding new %s certificate into database.', subsystem_cert['nickname']) nssdb.add_cert(nickname=subsystem_cert['nickname'], cert_file=cert_file) # Retrieve the cert info from NSSDB # Note: This reloads `data` object if --cert option is provided data = nssdb.get_cert(nickname=subsystem_cert['nickname'], output_format='base64') subsystem_cert['data'] = data # format cert data for LDAP database lines = [data[i:i + 64] for i in range(0, len(data), 64)] data = '\r\n'.join(lines) + '\r\n' logger.info('Retrieving certificate request from CA database') # TODO: add support for remote CA ca = instance.get_subsystem('ca') if not ca: logger.error('No CA subsystem in instance %s.', instance_name) sys.exit(1) results = ca.find_cert_requests(cert=data) if results: cert_request = results[-1] request = cert_request['request'] # format cert request for CS.cfg lines = request.splitlines() if lines[0] == '-----BEGIN CERTIFICATE REQUEST-----': lines = lines[1:] if lines[-1] == '-----END CERTIFICATE REQUEST-----': lines = lines[:-1] request = ''.join(lines) subsystem_cert['request'] = request else: logger.warning('Certificate request not found') # store cert data and request in CS.cfg subsystem.update_subsystem_cert(subsystem_cert) subsystem.save() self.print_message('Updated "%s" subsystem certificate' % cert_id)
def execute(self, argv): try: opts, args = getopt.gnu_getopt(argv, 'i:v', [ 'instance=', 'cert-file=', 'csr-file=', 'pkcs12-file=', 'pkcs12-password='******'pkcs12-password-file=', 'append', 'no-trust-flags', 'no-key', 'no-chain', 'verbose', 'debug', 'help' ]) except getopt.GetoptError as e: logger.error(e) self.print_help() sys.exit(1) instance_name = 'pki-tomcat' cert_file = None csr_file = None pkcs12_file = None pkcs12_password = None pkcs12_password_file = None append = False include_trust_flags = True include_key = True include_chain = True for o, a in opts: if o in ('-i', '--instance'): instance_name = a elif o == '--cert-file': cert_file = a elif o == '--csr-file': csr_file = a elif o == '--pkcs12-file': pkcs12_file = a elif o == '--pkcs12-password': pkcs12_password = a elif o == '--pkcs12-password-file': pkcs12_password_file = a elif o == '--append': append = True elif o == '--no-trust-flags': include_trust_flags = False elif o == '--no-key': include_key = False elif o == '--no-chain': include_chain = False elif o == '--debug': logging.getLogger().setLevel(logging.DEBUG) elif o in ('-v', '--verbose'): logging.getLogger().setLevel(logging.INFO) elif o == '--help': self.print_help() sys.exit() else: logger.error('Unknown option: %s', o) self.print_help() sys.exit(1) if len(args) < 1: logger.error('Missing subsystem ID') self.print_help() sys.exit(1) subsystem_name = args[0] if not (cert_file or csr_file or pkcs12_file): logger.error('Missing output file') self.print_help() sys.exit(1) instance = pki.server.instance.PKIInstance(instance_name) if not instance.exists(): logger.error('Invalid instance %s.', instance_name) sys.exit(1) instance.load() subsystem = instance.get_subsystem(subsystem_name) if not subsystem: logger.error('No %s subsystem in instance %s.', subsystem_name, instance_name) sys.exit(1) subsystem_cert = None if len(args) >= 2: cert_id = args[1] subsystem_cert = subsystem.get_subsystem_cert(cert_id) if (cert_file or csr_file) and not subsystem_cert: logger.error('Missing cert ID') self.print_help() sys.exit(1) if cert_file: cert_data = subsystem_cert.get('data') if cert_data is None: logger.error("Unable to find certificate data for %s", cert_id) sys.exit(1) cert_data = pki.nssdb.convert_cert(cert_data, 'base64', 'pem') with open(cert_file, 'w') as f: f.write(cert_data) if csr_file: cert_request = subsystem_cert.get('request') if cert_request is None: logger.error('Unable to find certificate request for %s', cert_id) sys.exit(1) csr_data = pki.nssdb.convert_csr(cert_request, 'base64', 'pem') with open(csr_file, 'w') as f: f.write(csr_data) if pkcs12_file: if not pkcs12_password and not pkcs12_password_file: pkcs12_password = getpass.getpass( prompt='Enter password for PKCS #12 file: ') nicknames = [] if subsystem_cert: nicknames.append(subsystem_cert['nickname']) else: subsystem_certs = subsystem.find_system_certs() for subsystem_cert in subsystem_certs: nicknames.append(subsystem_cert['nickname']) nssdb = instance.open_nssdb() try: nssdb.export_pkcs12(pkcs12_file=pkcs12_file, pkcs12_password=pkcs12_password, pkcs12_password_file=pkcs12_password_file, nicknames=nicknames, append=append, include_trust_flags=include_trust_flags, include_key=include_key, include_chain=include_chain) finally: nssdb.close()
def execute(self, argv): try: opts, _ = getopt.gnu_getopt(argv, 'i:v', [ 'instance=', 'master=', 'session=', 'install-token=', 'verbose', 'debug', 'help' ]) except getopt.GetoptError as e: logger.error(e) self.print_help() sys.exit(1) instance_name = 'pki-tomcat' subsystem_name = self.parent.parent.name master_url = None session_id = None install_token = None for o, a in opts: if o in ('-i', '--instance'): instance_name = a elif o == '--master': master_url = a elif o == '--session': session_id = a elif o == '--install-token': install_token = a elif o in ('-v', '--verbose'): logging.getLogger().setLevel(logging.INFO) elif o == '--debug': logging.getLogger().setLevel(logging.DEBUG) elif o == '--help': self.print_help() sys.exit() else: logger.error('Invalid option: %s', o) self.print_help() sys.exit(1) if not master_url: raise Exception('Missing master URL') if not session_id and not install_token: raise Exception('Missing session ID or install token') instance = pki.server.instance.PKIServerFactory.create(instance_name) if not instance.exists(): logger.error('Invalid instance: %s', instance_name) sys.exit(1) instance.load() subsystem = instance.get_subsystem(subsystem_name) if not subsystem: logger.error('No %s subsystem in instance %s', subsystem_name.upper(), instance_name) sys.exit(1) subsystem.request_ranges(master_url, session_id=session_id, install_token=install_token)
def spawn(self, deployer): external = deployer.configuration_file.external standalone = deployer.configuration_file.standalone step_one = deployer.configuration_file.external_step_one skip_configuration = deployer.configuration_file.skip_configuration if (external or standalone) and step_one or skip_configuration: logger.info('Skipping configuration') return logger.info('Configuring subsystem') try: PKISPAWN_STARTUP_TIMEOUT_SECONDS = \ int(os.environ['PKISPAWN_STARTUP_TIMEOUT_SECONDS']) except (KeyError, ValueError): PKISPAWN_STARTUP_TIMEOUT_SECONDS = 60 if PKISPAWN_STARTUP_TIMEOUT_SECONDS <= 0: PKISPAWN_STARTUP_TIMEOUT_SECONDS = 60 instance = self.instance instance.load() subsystem = instance.get_subsystem( deployer.mdict['pki_subsystem'].lower()) # configure internal database subsystem.config['internaldb.ldapconn.host'] = deployer.mdict[ 'pki_ds_hostname'] if config.str2bool(deployer.mdict['pki_ds_secure_connection']): subsystem.config['internaldb.ldapconn.secureConn'] = 'true' subsystem.config['internaldb.ldapconn.port'] = deployer.mdict[ 'pki_ds_ldaps_port'] else: subsystem.config['internaldb.ldapconn.secureConn'] = 'false' subsystem.config['internaldb.ldapconn.port'] = deployer.mdict[ 'pki_ds_ldap_port'] subsystem.config['internaldb.ldapauth.bindDN'] = deployer.mdict[ 'pki_ds_bind_dn'] subsystem.config['internaldb.basedn'] = deployer.mdict[ 'pki_ds_base_dn'] subsystem.config['internaldb.database'] = deployer.mdict[ 'pki_ds_database'] if config.str2bool(deployer.mdict['pki_share_db']): subsystem.config['preop.internaldb.dbuser'] = deployer.mdict[ 'pki_share_dbuser_dn'] ocsp_uri = deployer.mdict.get('pki_default_ocsp_uri') if ocsp_uri: subsystem.config['ca.defaultOcspUri'] = ocsp_uri if subsystem.name == 'ca': serial_number_range_start = deployer.mdict.get( 'pki_serial_number_range_start') if serial_number_range_start: subsystem.config[ 'dbs.beginSerialNumber'] = serial_number_range_start serial_number_range_end = deployer.mdict.get( 'pki_serial_number_range_end') if serial_number_range_end: subsystem.config[ 'dbs.endSerialNumber'] = serial_number_range_end request_number_range_start = deployer.mdict.get( 'pki_request_number_range_start') if request_number_range_start: subsystem.config[ 'dbs.beginRequestNumber'] = request_number_range_start request_number_range_end = deployer.mdict.get( 'pki_request_number_range_end') if request_number_range_end: subsystem.config[ 'dbs.endRequestNumber'] = request_number_range_end replica_number_range_start = deployer.mdict.get( 'pki_replica_number_range_start') if replica_number_range_start: subsystem.config[ 'dbs.beginReplicaNumber'] = replica_number_range_start replica_number_range_end = deployer.mdict.get( 'pki_replica_number_range_end') if replica_number_range_end: subsystem.config[ 'dbs.endReplicaNumber'] = replica_number_range_end if subsystem.name == 'kra': if config.str2bool(deployer.mdict['pki_kra_ephemeral_requests']): logger.debug('Setting ephemeral requests to true') subsystem.config['kra.ephemeralRequests'] = 'true' if subsystem.name == 'tps': baseDN = subsystem.config['internaldb.basedn'] dsHost = subsystem.config['internaldb.ldapconn.host'] dsPort = subsystem.config['internaldb.ldapconn.port'] subsystem.config[ 'tokendb.activityBaseDN'] = 'ou=Activities,' + baseDN subsystem.config['tokendb.baseDN'] = 'ou=Tokens,' + baseDN subsystem.config[ 'tokendb.certBaseDN'] = 'ou=Certificates,' + baseDN subsystem.config['tokendb.userBaseDN'] = baseDN subsystem.config['tokendb.hostport'] = dsHost + ':' + dsPort subsystem.save() token = pki.nssdb.normalize_token(deployer.mdict['pki_token_name']) nssdb = instance.open_nssdb() existing = deployer.configuration_file.existing step_two = deployer.configuration_file.external_step_two clone = deployer.configuration_file.clone master_url = deployer.mdict['pki_clone_uri'] try: if existing or (external or standalone) and step_two: self.import_system_cert_requests(deployer, subsystem) self.import_system_certs(deployer, nssdb, subsystem) self.configure_system_certs(deployer, subsystem) self.update_system_certs(deployer, nssdb, subsystem) subsystem.save() self.validate_system_certs(deployer, nssdb, subsystem) else: # self-signed CA # To be implemented in ticket #1692. # Generate CA cert request. # Self sign CA cert. # Import self-signed CA cert into NSS database. pass finally: nssdb.close() create_temp_sslserver_cert = self.create_temp_sslserver_cert( deployer, instance) server_config = instance.get_server_config() unsecurePort = server_config.get_unsecure_port() securePort = server_config.get_secure_port() if deployer.mdict['pki_security_domain_type'] == 'existing': logger.info('Joining existing domain') deployer.join_domain() subsystem.config['securitydomain.name'] = deployer.domain_info.id subsystem.config['securitydomain.select'] = 'existing' # hostname and ports point to security domain subsystem.config['securitydomain.host'] = deployer.sd_host.Hostname subsystem.config['securitydomain.httpport'] = deployer.sd_host.Port subsystem.config[ 'securitydomain.httpseeport'] = deployer.sd_host.SecurePort subsystem.config[ 'securitydomain.httpsadminport'] = deployer.sd_host.SecureAdminPort subsystem.config[ 'securitydomain.httpsagentport'] = deployer.sd_host.SecureAgentPort elif config.str2bool(deployer.mdict['pki_subordinate']) and \ config.str2bool(deployer.mdict['pki_subordinate_create_new_security_domain']): logger.info('Creating new security subdomain') deployer.join_domain() sd_name = deployer.mdict['pki_subordinate_security_domain_name'] subsystem.config['securitydomain.name'] = sd_name subsystem.config['securitydomain.select'] = 'new' # hostname and ports point to current host subsystem.config['securitydomain.host'] = deployer.mdict[ 'pki_hostname'] subsystem.config['securitydomain.httpport'] = unsecurePort subsystem.config['securitydomain.httpsagentport'] = securePort subsystem.config['securitydomain.httpseeport'] = securePort subsystem.config['securitydomain.httpsadminport'] = securePort else: logger.info('Creating new security domain') sd_name = deployer.mdict['pki_security_domain_name'] subsystem.config['securitydomain.name'] = sd_name subsystem.config['securitydomain.select'] = 'new' # hostname and ports point to current host subsystem.config['securitydomain.host'] = deployer.mdict[ 'pki_hostname'] subsystem.config['securitydomain.httpport'] = unsecurePort subsystem.config['securitydomain.httpsagentport'] = securePort subsystem.config['securitydomain.httpseeport'] = securePort subsystem.config['securitydomain.httpsadminport'] = securePort subsystem.config['service.securityDomainPort'] = securePort hierarchy = subsystem.config.get('hierarchy.select') issuing_ca = deployer.mdict['pki_issuing_ca'] if not (subsystem.type == 'CA' and hierarchy == 'Root'): if not external and not standalone: logger.info('Using CA at %s', issuing_ca) url = urllib.parse.urlparse(issuing_ca) subsystem.config['preop.ca.url'] = issuing_ca subsystem.config['preop.ca.hostname'] = url.hostname subsystem.config['preop.ca.httpsport'] = str(url.port) subsystem.config['preop.ca.httpsadminport'] = str(url.port) system_certs_imported = \ deployer.mdict['pki_server_pkcs12_path'] != '' or \ deployer.mdict['pki_clone_pkcs12_path'] != '' if not (subsystem.type == 'CA' and hierarchy == 'Root'): if external or standalone: subsystem.config['preop.ca.pkcs7'] = '' elif not clone and not system_certs_imported: logger.info('Retrieving CA certificate chain from %s', issuing_ca) pem_chain = self.get_cert_chain(instance, issuing_ca) base64_chain = pki.nssdb.convert_pkcs7(pem_chain, 'pem', 'base64') subsystem.config['preop.ca.pkcs7'] = base64_chain logger.info('Importing CA certificate chain') nssdb = instance.open_nssdb() try: nssdb.import_pkcs7(pkcs7_data=pem_chain, trust_attributes='CT,C,C') finally: nssdb.close() if subsystem.type == 'CA' and clone and not system_certs_imported: logger.info('Retrieving CA certificate chain from %s', master_url) pem_chain = self.get_cert_chain(instance, master_url) base64_chain = pki.nssdb.convert_pkcs7(pem_chain, 'pem', 'base64') subsystem.config['preop.clone.pkcs7'] = base64_chain logger.info('Importing CA certificate chain') nssdb = instance.open_nssdb() try: nssdb.import_pkcs7(pkcs7_data=pem_chain, trust_attributes='CT,C,C') finally: nssdb.close() subsystem.save() if config.str2bool(deployer.mdict['pki_ds_remove_data']): if config.str2bool(deployer.mdict['pki_ds_create_new_db']): logger.info('Removing existing database') subsystem.remove_database(force=True) elif not config.str2bool(deployer.mdict['pki_clone']) or \ config.str2bool(deployer.mdict['pki_clone_setup_replication']): logger.info('Emptying existing database') subsystem.empty_database(force=True) else: logger.info('Reusing replicated database') logger.info('Initializing database') # In most cases, we want to replicate the schema and therefore not add it here. # We provide this option though in case the clone already has schema # and we want to replicate back to the master. # On the other hand, if we are not setting up replication, # then we are assuming that replication is already taken care of, # and schema has already been replicated. setup_schema = not config.str2bool(deployer.mdict['pki_clone']) or \ not config.str2bool(deployer.mdict['pki_clone_setup_replication']) or \ not config.str2bool(deployer.mdict['pki_clone_replicate_schema']) create_database = config.str2bool( deployer.mdict['pki_ds_create_new_db']) # When cloning a subsystem without setting up the replication agreements, # the database is a subtree of an existing tree and is already replicated, # so there is no need to set up the base entry. create_base = config.str2bool(deployer.mdict['pki_ds_create_new_db']) or \ not config.str2bool(deployer.mdict['pki_clone']) or \ config.str2bool(deployer.mdict['pki_clone_setup_replication']) create_containers = not config.str2bool(deployer.mdict['pki_clone']) # If the database is already replicated but not yet indexed, rebuild the indexes. rebuild_indexes = config.str2bool(deployer.mdict['pki_clone']) and \ not config.str2bool(deployer.mdict['pki_clone_setup_replication']) and \ config.str2bool(deployer.mdict['pki_clone_reindex_data']) setup_db_manager = not config.str2bool(deployer.mdict['pki_clone']) or \ not config.str2bool(deployer.mdict['pki_clone_setup_replication']) # If setting up replication, set up VLV indexes after replication. setup_vlv_indexes = not config.str2bool(deployer.mdict['pki_clone']) or \ not config.str2bool(deployer.mdict['pki_clone_setup_replication']) subsystem.init_database(setup_schema=setup_schema, create_database=create_database, create_base=create_base, create_containers=create_containers, rebuild_indexes=rebuild_indexes, setup_db_manager=setup_db_manager, setup_vlv_indexes=setup_vlv_indexes) if clone: if subsystem.type in ['CA', 'KRA']: logger.info('Updating ranges for %s clone', subsystem.type) subsystem.update_ranges(master_url, deployer.install_token) logger.info('Updating configuration for %s clone', subsystem.type) subsystem.update_config(master_url, deployer.install_token) # Start/Restart this Tomcat PKI Process # Optionally prepare to enable a java debugger # (e. g. - 'eclipse'): if config.str2bool(deployer.mdict['pki_enable_java_debugger']): config.prepare_for_an_external_java_debugger( deployer.mdict['pki_target_tomcat_conf_instance_id']) tomcat_instance_subsystems = \ len(deployer.instance.tomcat_instance_subsystems()) if tomcat_instance_subsystems == 1: logger.info('Starting server') instance.start() elif tomcat_instance_subsystems > 1: logger.info('Restarting server') instance.restart() # Configure status request timeout. This is used for each # status request in wait_for_startup value = deployer.mdict['pki_status_request_timeout'] if len(value) == 0: status_request_timeout = None else: status_request_timeout = int(value) if status_request_timeout <= 0: raise ValueError("timeout must be greater than zero") deployer.instance.wait_for_startup( subsystem, PKISPAWN_STARTUP_TIMEOUT_SECONDS, request_timeout=status_request_timeout, ) # Optionally wait for debugger to attach (e. g. - 'eclipse'): if config.str2bool(deployer.mdict['pki_enable_java_debugger']): config.wait_to_attach_an_external_java_debugger() ca_cert = os.path.join(instance.nssdb_dir, "ca.crt") connection = pki.client.PKIConnection( protocol='https', hostname=deployer.mdict['pki_hostname'], port=deployer.mdict['pki_https_port'], trust_env=False, cert_paths=ca_cert) client = pki.system.SystemConfigClient( connection, subsystem=deployer.mdict['pki_subsystem_type']) # If pki_one_time_pin is not already defined, load from CS.cfg if 'pki_one_time_pin' not in deployer.mdict: deployer.mdict['pki_one_time_pin'] = subsystem.config['preop.pin'] logger.info('Configuring %s subsystem', subsystem.type) if clone: logger.info('Setting up clone') clone_setup_request = deployer.config_client.create_clone_setup_request( subsystem) clone_setup_request.domainInfo = deployer.domain_info clone_setup_request.installToken = deployer.install_token client.setupClone(clone_setup_request) logger.info('Setting up database') database_setup_request = deployer.config_client.create_database_setup_request( ) client.setupDatabase(database_setup_request) sslserver = subsystem.get_subsystem_cert('sslserver') for tag in subsystem.config['preop.cert.list'].split(','): logger.info('Setting up %s certificate', tag) cert = deployer.setup_cert(client, tag) if not cert: continue logger.debug('- cert: %s', cert['cert']) logger.debug('- request: %s', cert['request']) if tag == 'sslserver': sslserver['data'] = cert['cert'] sslserver['request'] = cert['request'] sslserver['token'] = cert['token'] if not clone: logger.info('Setting up admin user') deployer.setup_admin(client) if config.str2bool(deployer.mdict['pki_backup_keys']): # by default store the backup file in the NSS databases directory if not deployer.mdict['pki_backup_file']: deployer.mdict['pki_backup_file'] = \ deployer.mdict['pki_server_database_path'] + '/' + \ deployer.mdict['pki_subsystem'].lower() + '_backup_keys.p12' logger.info('Backing up keys into %s', deployer.mdict['pki_backup_file']) deployer.backup_keys(instance, subsystem) logger.info('Setting up security domain') sd_setup_request = deployer.config_client.create_security_domain_setup_request( ) sd_setup_request.domainInfo = deployer.domain_info sd_setup_request.installToken = deployer.install_token client.setupSecurityDomain(sd_setup_request) if not config.str2bool(deployer.mdict['pki_share_db']): logger.info('Setting up database user') db_user_setup_request = deployer.config_client.create_database_user_setup_request( ) client.setupDatabaseUser(db_user_setup_request) logger.info('Finalizing %s configuration', subsystem.type) finalize_config_request = deployer.config_client.create_finalize_config_request( ) finalize_config_request.domainInfo = deployer.domain_info finalize_config_request.installToken = deployer.install_token client.finalizeConfiguration(finalize_config_request) if subsystem.type == 'TPS': logger.info('Setting up shared secret') deployer.setup_shared_secret(instance, subsystem) logger.info('%s configuration complete', subsystem.type) # Create an empty file that designates the fact that although # this server instance has been configured, it has NOT yet # been restarted! restart_server = os.path.join(instance.conf_dir, 'restart_server_after_configuration') logger.debug('Creating %s', restart_server) open(restart_server, 'a').close() os.chown(restart_server, instance.uid, instance.gid) os.chmod(restart_server, 0o660) # If temp SSL server cert was created and there's a new perm cert, # replace it with the perm cert. if create_temp_sslserver_cert and sslserver and sslserver['data']: logger.info('Stopping server') instance.stop() # Remove temp SSL server cert. self.remove_temp_sslserver_cert(instance, sslserver) # Import perm SSL server cert unless it's already imported # earlier in external/standalone installation. if not (standalone or external and subsystem.name in ['kra', 'ocsp']): nickname = sslserver['nickname'] token = pki.nssdb.normalize_token(sslserver['token']) if not token: token = deployer.mdict['pki_token_name'] instance.set_sslserver_cert_nickname(nickname, token) self.import_perm_sslserver_cert(deployer, instance, sslserver) logger.info('Starting server') instance.start() elif config.str2bool( deployer.mdict['pki_restart_configured_instance']): logger.info('Restarting server') instance.restart() deployer.instance.wait_for_startup( subsystem, PKISPAWN_STARTUP_TIMEOUT_SECONDS, request_timeout=status_request_timeout, )
def execute(self, argv): try: opts, _ = getopt.gnu_getopt( argv, 'i:v', ['instance=', 'verbose', 'debug', 'help']) except getopt.GetoptError as e: logger.error(e) self.print_help() sys.exit(1) instance_name = 'pki-tomcat' subsystem_name = self.parent.parent.name for o, a in opts: if o in ('-i', '--instance'): instance_name = a elif o in ('-v', '--verbose'): logging.getLogger().setLevel(logging.INFO) elif o == '--debug': logging.getLogger().setLevel(logging.DEBUG) elif o == '--help': self.print_help() sys.exit() else: logger.error('Invalid option: %s', o) self.print_help() sys.exit(1) instance = pki.server.instance.PKIServerFactory.create(instance_name) if not instance.exists(): logger.error('Invalid instance: %s', instance_name) sys.exit(1) instance.load() subsystem = instance.get_subsystem(subsystem_name) if not subsystem: logger.error('No %s subsystem in instance %s', subsystem_name.upper(), instance_name) sys.exit(1) print(' Begin request ID: %s' % subsystem.config.get('dbs.beginRequestNumber')) print(' End request ID: %s' % subsystem.config.get('dbs.endRequestNumber')) print(' Begin serial number: %s' % subsystem.config.get('dbs.beginSerialNumber')) print(' End serial number: %s' % subsystem.config.get('dbs.endSerialNumber')) print(' Begin replica ID: %s' % subsystem.config.get('dbs.beginReplicaNumber')) print(' End replica ID: %s' % subsystem.config.get('dbs.endReplicaNumber')) print(' Enable serial management: %s' % subsystem.config.get('dbs.enableSerialManagement'))
def execute(self, argv): try: opts, _ = getopt.gnu_getopt(argv, 'i:v', [ 'instance=', 'enabled=', 'logFile=', 'bufferSize=', 'flushInterval=', 'maxFileSize=', 'rolloverInterval=', 'expirationTime=', 'logSigning=', 'signingCert=', 'verbose', 'debug', 'help' ]) except getopt.GetoptError as e: logger.error(e) self.print_help() sys.exit(1) instance_name = 'pki-tomcat' enabled = None logFile = None bufferSize = None flushInterval = None maxFileSize = None rolloverInterval = None expirationTime = None logSigning = None signingCert = None for o, a in opts: if o in ('-i', '--instance'): instance_name = a elif o == '--enabled': if a.lower().title() not in ['True', 'False']: raise ValueError( "Invalid input: Enabled must be True or False") enabled = a.lower() == 'true' elif o == '--logFile': logFile = a elif o == '--bufferSize': if not a.isdigit(): raise ValueError( "Invalid input: Buffer size must be a number") bufferSize = a elif o == '--flushInterval': if not a.isdigit(): raise ValueError( "Invalid input: Flush interval must be a number") flushInterval = a elif o == '--maxFileSize': if not a.isdigit(): raise ValueError( "Invalid input: Max file size must be a number") maxFileSize = a elif o == '--rolloverInterval': if not a.isdigit(): raise ValueError( "Invalid input: Rollover interval must be a number") rolloverInterval = a elif o == '--expirationTime': if not a.isdigit(): raise ValueError( "Invalid input: Expiration time must be a number") expirationTime = a elif o == '--logSigning': if a.lower().title() not in ['True', 'False']: raise ValueError( "Invalid input: Log signing must be True or False") logSigning = a.lower() == 'true' elif o == '--signingCert': signingCert = a elif o == '--debug': logging.getLogger().setLevel(logging.DEBUG) elif o in ('-v', '--verbose'): logging.getLogger().setLevel(logging.INFO) elif o == '--help': self.print_help() sys.exit() else: logger.error('Unknown option: %s', o) self.print_help() sys.exit(1) instance = pki.server.instance.PKIServerFactory.create(instance_name) if not instance.exists(): logger.error('Invalid instance %s.', instance_name) sys.exit(1) instance.load() subsystem_name = self.parent.parent.name subsystem = instance.get_subsystem(subsystem_name) if not subsystem: logger.error('No %s subsystem in instance %s.', subsystem_name.upper(), instance_name) sys.exit(1) name = 'log.instance.SignedAudit.%s' if enabled is None: pass elif enabled: subsystem.config[name % 'enable'] = 'true' else: subsystem.config[name % 'enable'] = 'false' if logFile: subsystem.config[name % 'fileName'] = logFile if bufferSize: subsystem.config[name % 'bufferSize'] = bufferSize if flushInterval: subsystem.config[name % 'flushInterval'] = flushInterval if maxFileSize: subsystem.config[name % 'maxFileSize'] = maxFileSize if rolloverInterval: subsystem.config[name % 'rolloverInterval'] = rolloverInterval if expirationTime: subsystem.config[name % 'expirationTime'] = expirationTime if logSigning is None: pass elif logSigning: subsystem.config[name % 'logSigning'] = 'true' else: subsystem.config[name % 'logSigning'] = 'false' if signingCert: subsystem.config[name % 'signedAuditCertNickname'] = signingCert subsystem.save() AuditCLI.print_audit_config(subsystem)
def execute(self, argv): try: opts, _ = getopt.gnu_getopt(argv, 'i:D:w:x:g:v', [ 'instance=', 'bind-dn=', 'bind-password='******'generate-ldif=', 'verbose', 'debug', 'help' ]) except getopt.GetoptError as e: logger.error(e) self.print_help() sys.exit(1) instance_name = 'pki-tomcat' bind_dn = 'cn=Directory Manager' bind_password = None for o, a in opts: if o in ('-i', '--instance'): instance_name = a elif o in ('-D', '--bind-dn'): bind_dn = a elif o in ('-w', '--bind-password'): bind_password = a elif o in ('-g', '--generate-ldif'): self.out_file = a elif o == '--debug': logging.getLogger().setLevel(logging.DEBUG) elif o in ('-v', '--verbose'): logging.getLogger().setLevel(logging.INFO) elif o == '--help': self.print_help() sys.exit() else: logger.error('Unknown option: %s', o) self.print_help() sys.exit(1) instance = pki.server.instance.PKIInstance(instance_name) if not instance.is_valid(): logger.error('Invalid instance %s.', instance_name) sys.exit(1) instance.load() subsystem = instance.get_subsystem('kra') if not subsystem: logger.error('No KRA subsystem in instance %s.', instance_name) sys.exit(1) if self.out_file: subsystem.customize_file(KRA_VLV_TASKS_PATH, self.out_file) print('KRA VLV reindex task written to ' + self.out_file) return self.reindex_vlv(subsystem, bind_dn, bind_password) print('KRA VLV reindex completed for ' + instance_name)
def execute(self, argv): try: opts, _ = getopt.gnu_getopt(argv, 'i:v', [ 'instance=', 'enabled=', 'enabledByDefault=', 'verbose', 'debug', 'help' ]) except getopt.GetoptError as e: logger.error(e) self.print_help() sys.exit(1) instance_name = 'pki-tomcat' enabled = None enabled_by_default = None for o, a in opts: if o in ('-i', '--instance'): instance_name = a elif o == '--enabled': enabled = a == 'True' elif o == '--enabledByDefault': enabled_by_default = a == 'True' elif o == '--debug': logging.getLogger().setLevel(logging.DEBUG) elif o in ('-v', '--verbose'): logging.getLogger().setLevel(logging.INFO) elif o == '--help': self.print_help() sys.exit() else: logger.error('Unknown option: %s', o) self.print_help() sys.exit(1) instance = pki.server.instance.PKIServerFactory.create(instance_name) if not instance.exists(): logger.error('Invalid instance %s.', instance_name) sys.exit(1) instance.load() subsystem_name = self.parent.parent.name subsystem = instance.get_subsystem(subsystem_name) if not subsystem: logger.error('No %s subsystem in instance %s.', subsystem_name.upper(), instance_name) sys.exit(1) events = subsystem.find_audit_event_configs(enabled, enabled_by_default) self.print_message('%s entries matched' % len(events)) first = True for event in events: if first: first = False else: print() print(' Event Name: %s' % event.get('name')) print(' Enabled: %s' % event.get('enabled')) print(' Filter: %s' % event.get('filter'))
def execute(self, argv): try: opts, args = getopt.gnu_getopt(argv, 'i:v', [ 'instance=', 'verbose', 'debug', 'help']) except getopt.GetoptError as e: logger.error(e) self.print_help() sys.exit(1) instance_name = 'pki-tomcat' subsystem_name = self.parent.parent.name for o, a in opts: if o in ('-i', '--instance'): instance_name = a elif o in ('-v', '--verbose'): logging.getLogger().setLevel(logging.INFO) elif o == '--debug': logging.getLogger().setLevel(logging.DEBUG) elif o == '--help': self.print_help() sys.exit() else: logger.error('Invalid option: %s', o) self.print_help() sys.exit(1) if len(args) < 1: logger.error('Missing user ID') self.print_help() sys.exit(1) user_id = args[0] instance = pki.server.instance.PKIServerFactory.create(instance_name) if not instance.exists(): logger.error('Invalid instance: %s', instance_name) sys.exit(1) instance.load() subsystem = instance.get_subsystem(subsystem_name) if not subsystem: logger.error('No %s subsystem in instance %s', subsystem_name.upper(), instance_name) sys.exit(1) user = subsystem.get_user(user_id) print(' User ID: {}'.format(user['id'])) full_name = user.get('fullName') if full_name: print(' Full Name: {}'.format(full_name)) email = user.get('email') if email: print(' Email: {} '.format(email)) phone = user.get('phone') if phone: print(' Phone: {} '.format(phone)) user_type = user.get('type') if user_type: print(' Type: {} '.format(user_type)) state = user.get('state') if state: print(' State: {} '.format(state))
def execute(self, argv): try: opts, args = getopt.gnu_getopt( argv, 'i:f:v', ['instance=', 'filter=', 'verbose', 'debug', 'help']) except getopt.GetoptError as e: logger.error(e) self.print_help() sys.exit(1) instance_name = 'pki-tomcat' event_filter = None for o, a in opts: if o in ('-i', '--instance'): instance_name = a elif o in ('-f', '--filter'): event_filter = a elif o == '--debug': logging.getLogger().setLevel(logging.DEBUG) elif o in ('-v', '--verbose'): logging.getLogger().setLevel(logging.INFO) elif o == '--help': self.print_help() sys.exit() else: logger.error('Unknown option: %s', o) self.print_help() sys.exit(1) if len(args) == 0: raise getopt.GetoptError("Missing event name.") if len(args) > 1: raise getopt.GetoptError("Too many arguments specified.") event_name = args[0] instance = pki.server.instance.PKIServerFactory.create(instance_name) if not instance.exists(): logger.error('Invalid instance %s.', instance_name) sys.exit(1) instance.load() subsystem_name = self.parent.parent.name subsystem = instance.get_subsystem(subsystem_name) if not subsystem: logger.error('No %s subsystem in instance %s.', subsystem_name.upper(), instance_name) sys.exit(1) subsystem.update_audit_event_filter(event_name, event_filter) subsystem.save() event = subsystem.get_audit_event_config(event_name) AuditCLI.print_audit_event_config(event)
def execute(self, argv): try: opts, args = getopt.gnu_getopt(argv, 'i:v', [ 'instance=', 'full-name=', 'email=', 'password='******'password-file=', 'phone=', 'type=', 'state=', 'tps-profiles=', 'verbose', 'debug', 'help']) except getopt.GetoptError as e: logger.error(e) self.print_help() sys.exit(1) instance_name = 'pki-tomcat' subsystem_name = self.parent.parent.name full_name = None email = None password = None password_file = None phone = None user_type = None state = None tps_profiles = None for o, a in opts: if o in ('-i', '--instance'): instance_name = a elif o == '--full-name': full_name = a elif o == '--email': email = a elif o == '--password': password = a elif o == '--password-file': password_file = a elif o == '--phone': phone = a elif o == '--type': user_type = a elif o == '--state': state = a elif o == '--tps-profiles': tps_profiles = [x.strip() for x in a.split(',')] elif o in ('-v', '--verbose'): logging.getLogger().setLevel(logging.INFO) elif o == '--debug': logging.getLogger().setLevel(logging.DEBUG) elif o == '--help': self.print_help() sys.exit() else: logger.error('Invalid option: %s', o) self.print_help() sys.exit(1) if len(args) < 1: logger.error('Missing user ID') self.print_help() sys.exit(1) user_id = args[0] if not full_name: logger.error('Missing full name') self.print_help() sys.exit(1) instance = pki.server.instance.PKIServerFactory.create(instance_name) if not instance.exists(): logger.error('Invalid instance: %s', instance_name) sys.exit(1) instance.load() subsystem = instance.get_subsystem(subsystem_name) if not subsystem: logger.error('No %s subsystem in instance %s', subsystem_name.upper(), instance_name) sys.exit(1) subsystem.add_user( user_id, full_name=full_name, email=email, password=password, password_file=password_file, phone=phone, user_type=user_type, tps_profiles=tps_profiles, state=state)
def execute(self, argv): try: opts, args = getopt.gnu_getopt( argv, 'i:v', ['instance=', 'verbose', 'debug', 'help']) except getopt.GetoptError as e: logger.error(e) self.print_help() sys.exit(1) instance_name = 'pki-tomcat' for o, a in opts: if o in ('-i', '--instance'): instance_name = a elif o == '--debug': logging.getLogger().setLevel(logging.DEBUG) elif o in ('-v', '--verbose'): logging.getLogger().setLevel(logging.INFO) elif o == '--help': self.print_help() sys.exit() else: logger.error('Unknown option: %s', o) self.print_help() sys.exit(1) if len(args) == 0: raise getopt.GetoptError("Missing event name.") if len(args) > 1: raise getopt.GetoptError("Too many arguments specified.") event_name = args[0] instance = pki.server.instance.PKIServerFactory.create(instance_name) if not instance.exists(): logger.error('Invalid instance %s.', instance_name) sys.exit(1) instance.load() subsystem_name = self.parent.parent.name subsystem = instance.get_subsystem(subsystem_name) if not subsystem: logger.error('No %s subsystem in instance %s.', subsystem_name.upper(), instance_name) sys.exit(1) disable = subsystem.disable_audit_event(event_name) subsystem.save() msg = None if disable: msg = 'Audit event "{}" disabled. You may need to restart the ' \ 'instance.'.format(event_name) else: msg = 'Audit event "{}" already disabled.'.format(event_name) print(len(msg) * '-') print(msg) print(len(msg) * '-') event = subsystem.get_audit_event_config(event_name) AuditCLI.print_audit_event_config(event)
def execute(self, argv): try: opts, _ = getopt.gnu_getopt(argv, 'i:v', [ 'instance=', 'pkcs12-file=', 'pkcs12-password='******'pkcs12-password-file=', 'no-key', 'verbose', 'debug', 'help' ]) except getopt.GetoptError as e: print('ERROR: ' + str(e)) self.print_help() sys.exit(1) instance_name = 'pki-tomcat' pkcs12_file = None pkcs12_password = None no_key = False for o, a in opts: if o in ('-i', '--instance'): instance_name = a elif o == '--pkcs12-file': pkcs12_file = a elif o == '--pkcs12-password': pkcs12_password = a.encode() elif o == '--pkcs12-password-file': with io.open(a, 'rb') as f: pkcs12_password = f.read() elif o == '--no-key': no_key = True elif o == '--debug': logging.getLogger().setLevel(logging.DEBUG) elif o in ('-v', '--verbose'): logging.getLogger().setLevel(logging.INFO) elif o == '--help': self.print_help() sys.exit() else: logger.error('Unknown option: %s', o) self.print_help() sys.exit(1) if not pkcs12_file: logger.error('Missing PKCS #12 file') self.print_help() sys.exit(1) if not pkcs12_password: logger.error('Missing PKCS #12 password') self.print_help() sys.exit(1) instance = pki.server.instance.PKIServerFactory.create(instance_name) if not instance.exists(): logger.error('Invalid instance %s.', instance_name) sys.exit(1) instance.load() subsystem = instance.get_subsystem('tks') if not subsystem: logger.error('No TKS subsystem in instance %s.', instance_name) sys.exit(1) tmpdir = tempfile.mkdtemp() try: pkcs12_password_file = os.path.join(tmpdir, 'pkcs12_password.txt') with open(pkcs12_password_file, 'wb') as f: f.write(pkcs12_password) subsystem.export_system_cert('subsystem', pkcs12_file, pkcs12_password_file, no_key=no_key) subsystem.export_system_cert('audit_signing', pkcs12_file, pkcs12_password_file, no_key=no_key, append=True) instance.export_external_certs(pkcs12_file, pkcs12_password_file, append=True) finally: shutil.rmtree(tmpdir)
def execute(self, argv): try: opts, _ = getopt.gnu_getopt( argv, 'i:v', ['instance=', 'verbose', 'debug', 'help']) except getopt.GetoptError as e: logger.error(e) self.print_help() sys.exit(1) instance_name = 'pki-tomcat' for o, a in opts: if o in ('-i', '--instance'): instance_name = a elif o == '--debug': logging.getLogger().setLevel(logging.DEBUG) elif o in ('-v', '--verbose'): logging.getLogger().setLevel(logging.INFO) elif o == '--help': self.print_help() sys.exit() else: logger.error('Unknown option: %s', o) self.print_help() sys.exit(1) instance = pki.server.instance.PKIServerFactory.create(instance_name) if not instance.exists(): logger.error('Invalid instance %s.', instance_name) sys.exit(1) instance.load() subsystem_name = self.parent.parent.name subsystem = instance.get_subsystem(subsystem_name) if not subsystem: logger.error('No %s subsystem in instance %s.', subsystem_name.upper(), instance_name) sys.exit(1) log_dir = subsystem.get_audit_log_dir() log_files = subsystem.get_audit_log_files() signing_cert = subsystem.get_subsystem_cert('audit_signing') tmpdir = tempfile.mkdtemp() try: file_list = os.path.join(tmpdir, 'audit.txt') with open(file_list, 'w', encoding='utf-8') as f: for filename in log_files: f.write(os.path.join(log_dir, filename) + '\n') cmd = ['AuditVerify'] if logger.isEnabledFor(logging.INFO): cmd.append('-v') cmd.extend([ '-d', instance.nssdb_dir, '-n', signing_cert['nickname'], '-a', file_list ]) if logger.isEnabledFor(logging.INFO): print('Command: %s' % ' '.join(cmd)) subprocess.call(cmd) finally: shutil.rmtree(tmpdir)
def execute(self, argv): logging.getLogger().setLevel(logging.INFO) try: opts, _ = getopt.gnu_getopt(argv, 'i:p:v', [ 'instance=', 'cert=', 'extra-cert=', 'agent-uid=', 'ldapi-socket=', 'ldap-url=', 'port=', 'verbose', 'debug', 'help', ]) except getopt.GetoptError as e: logger.error(e) self.print_help() sys.exit(1) instance_name = 'pki-tomcat' all_certs = True fix_certs = [] extra_certs = [] agent_uid = None ldap_url = None use_ldapi = False port = '8443' for o, a in opts: if o in ('-i', '--instance'): instance_name = a elif o == '--cert': all_certs = False fix_certs.append(a) elif o == '--extra-cert': try: int(a) except ValueError: logger.error('--extra-cert requires serial number as integer') sys.exit(1) all_certs = False extra_certs.append(a) elif o == '--agent-uid': agent_uid = a elif o == '--ldapi-socket': if ldap_url is not None: logger.error('--ldapi-socket cannot be used with --ldap-url') sys.exit(1) use_ldapi = True ldap_url = 'ldapi://{}'.format(quote(a, safe='')) elif o == '--ldap-url': if use_ldapi: logger.error('--ldap-url cannot be used with --ldapi-socket') sys.exit(1) ldap_url = a elif o in ('-p', '--port'): port = a try: n = int(port) if n < 1 or n > 65535: raise ValueError except ValueError: logger.error('-p, --port requires a valid port number as integer') sys.exit(1) elif o == '--debug': logging.getLogger().setLevel(logging.DEBUG) elif o in ('-v', '--verbose'): logging.getLogger().setLevel(logging.INFO) elif o == '--help': self.print_help() sys.exit() else: logger.error('option %s not recognized', o) self.print_help() sys.exit(1) instance = pki.server.instance.PKIServerFactory.create(instance_name) if not instance.exists(): logger.error('Invalid instance %s.', instance_name) sys.exit(1) if not agent_uid: logger.error('Must specify --agent-uid') sys.exit(1) if agent_uid == "pkidbuser": logger.error('\'pkidbuser\' cannot be used.') sys.exit(1) instance.load() # 1. Make a list of certs to fix OR use the list provided through CLI options if all_certs: # TODO: Identify only certs that are EXPIRED or ALMOST EXPIRED for subsystem in instance.get_subsystems(): # Retrieve the subsystem's system certificate certs = subsystem.find_system_certs() # Iterate on all subsystem's system certificate to prepend # subsystem name to the ID for cert in certs: if cert['id'] != 'sslserver' and cert['id'] != 'subsystem': cert['id'] = subsystem.name + '_' + cert['id'] # Append only unique certificates to other subsystem certificate list # ca_signing isn't supported yet if cert['id'] in fix_certs or cert['id'] == 'ca_signing': continue fix_certs.append(cert['id']) logger.info('Fixing the following system certs: %s', fix_certs) logger.info('Renewing the following additional certs: %s', extra_certs) # Get the CA subsystem and find out Base DN. ca_subsystem = instance.get_subsystem('ca') basedn = ca_subsystem.get_db_config()['internaldb.basedn'] dbuser_dn = 'uid=pkidbuser,ou=people,{}'.format(basedn) agent_dn = 'uid={},ou=people,{}'.format(agent_uid, basedn) dm_pass = '' if not use_ldapi: # Prompt for DM password dm_pass = getpass.getpass(prompt='Enter Directory Manager password: '******'s up logger.info('Stopping the instance to proceed with system cert renewal') instance.stop() # 3. Find the subsystem and disable Self-tests try: # Placeholder used to hold subsystems whose selftest have been turned off # Note: This is initialized as a set to avoid duplicates # Example of duplicates: # fix_certs = [ca_ocsp_signing, ca_audit_signing] -> will add 'ca' entry twice target_subsys = set() if 'sslserver' in fix_certs or 'subsystem' in fix_certs: # If the cert is either sslserver/subsystem, disable selftest for all # subsystems since all subsystems use these 2 certs. target_subsys = set(instance.get_subsystems()) else: for cert_id in fix_certs: # Since we already filtered sslserver/subsystem, we can be quite sure # that this split will definitely be of form: <subsys>_<cert_tag> subsystem_name = cert_id.split('_', 1)[0] subsystem = instance.get_subsystem(subsystem_name) # If the subsystem is wrong, stop the process if not subsystem: logger.error('No %s subsystem in instance %s.', subsystem_name, instance_name) sys.exit(1) target_subsys.add(subsystem) if len(extra_certs) > 0: target_subsys.add(ca_subsystem) # Generate new password for agent account agent_pass = gen_random_password() with write_temp_file(agent_pass.encode('utf8')) as agent_pass_file, \ write_temp_file(dm_pass.encode('utf8')) as dm_pass_file, \ ldap_password_authn( instance, target_subsys, dbuser_dn, ldap_url, use_ldapi, dm_pass_file), \ suppress_selftest(target_subsys): # Verify LDAP connection and DM password cmd = ['ldapsearch'] + \ ldap_conn_args(ldap_url, use_ldapi, dm_pass_file) + \ ['-s', 'base', '-b', basedn, '1.1'] try: subprocess.check_output(cmd) except subprocess.CalledProcessError: logger.error("Failed to connect/authenticate to LDAP at '%s'", ldap_url) sys.exit(1) # Reset agent password logger.info('Resetting password for %s', agent_dn) ldappasswd(ldap_url, use_ldapi, dm_pass_file, agent_dn, agent_pass_file) # 4. Bring up the server using a temp SSL cert if the sslcert is expired if 'sslserver' in fix_certs: # 4a. Create temp SSL cert logger.info('Creating a temporary sslserver cert') instance.cert_create(cert_id='sslserver', temp_cert=True) # 4b. Delete the existing SSL Cert logger.debug('Removing sslserver cert from instance') instance.cert_del('sslserver') # 4d. Import the temp sslcert into the instance logger.debug('Importing temp sslserver cert') instance.cert_import('sslserver') with start_stop(instance): # Place renewal request for all certs in fix_certs for cert_id in fix_certs: logger.info('Requesting new cert for %s', cert_id) instance.cert_create( cert_id=cert_id, renew=True, username=agent_uid, password=agent_pass, secure_port=port, client_nssdb=instance.nssdb_dir) for serial in extra_certs: output = instance.cert_file('{}-renewed'.format(serial)) logger.info( 'Requesting new cert for %s; writing to %s', serial, output) try: instance.cert_create( serial=serial, renew=True, output=output, username=agent_uid, password=agent_pass, secure_port=port, client_nssdb=instance.nssdb_dir) except pki.PKIException as e: logger.error("Failed to renew certificate %s: %s", serial, e) # 8. Delete existing certs and then import the renewed system cert(s) for cert_id in fix_certs: # Delete the existing cert from the instance logger.debug('Removing old %s cert from instance %s', cert_id, instance_name) instance.cert_del(cert_id) # Import this new cert into the instance logger.debug('Importing new %s cert into instance %s', cert_id, instance_name) instance.cert_import(cert_id) # If subsystem cert was renewed and server was using # TLS auth, add the cert to pkidbuser entry if dbuser_dn and 'subsystem' in fix_certs: logger.info('Importing new subsystem cert into %s', dbuser_dn) with NamedTemporaryFile(mode='w+b') as der_file: # convert subsystem cert to DER subprocess.check_call([ 'openssl', 'x509', '-inform', 'PEM', '-outform', 'DER', '-in', instance.cert_file('subsystem'), '-out', der_file.name, ]) with write_temp_file( self.PKIDBUSER_LDIF_TEMPLATE .format(dn=dbuser_dn, der_file=der_file.name) .encode('utf-8') ) as ldif_file: # ldapmodify cmd = ['ldapmodify'] + \ ldap_conn_args(ldap_url, use_ldapi, dm_pass_file) + \ ['-f', ldif_file] subprocess.check_call(cmd) # 10. Bring up the server logger.info('Starting the instance with renewed certs') instance.start() except pki.server.PKIServerException as e: logger.error(str(e)) sys.exit(1)
def spawn(self, deployer): if config.str2bool(deployer.mdict['pki_skip_installation']): logger.info('Skipping NSS database creation') return logger.info('Creating NSS database') instance = pki.server.instance.PKIInstance( deployer.mdict['pki_instance_name']) instance.load() subsystem = instance.get_subsystem( deployer.mdict['pki_subsystem'].lower()) if config.str2bool(deployer.mdict['pki_hsm_enable']): hsm_token = deployer.mdict['pki_token_name'] subsystem.config['preop.module.token'] = hsm_token # Since 'certutil' does NOT strip the 'token=' portion of # the 'token=password' entries, create a temporary server 'pfile' # which ONLY contains the 'password' for the purposes of # allowing 'certutil' to generate the security databases logger.info('Creating password file: %s', deployer.mdict['pki_shared_pfile']) deployer.password.create_password_conf( deployer.mdict['pki_shared_pfile'], deployer.mdict['pki_server_database_password'], pin_sans_token=True) deployer.file.modify(deployer.mdict['pki_shared_password_conf']) if not os.path.isdir(deployer.mdict['pki_server_database_path']): instance.makedirs(deployer.mdict['pki_server_database_path'], force=True) nssdb = pki.nssdb.NSSDatabase( directory=deployer.mdict['pki_server_database_path'], password_file=deployer.mdict['pki_shared_pfile']) try: if not nssdb.exists(): nssdb.create() finally: nssdb.close() if not os.path.islink(deployer.mdict['pki_instance_database_link']): instance.symlink(deployer.mdict['pki_server_database_path'], deployer.mdict['pki_instance_database_link'], force=True) instance.symlink(deployer.mdict['pki_instance_database_link'], deployer.mdict['pki_subsystem_database_link'], force=True) if config.str2bool(deployer.mdict['pki_hsm_enable']) and \ not nssdb.module_exists(deployer.mdict['pki_hsm_modulename']): nssdb.add_module(deployer.mdict['pki_hsm_modulename'], deployer.mdict['pki_hsm_libfile']) pki.util.chown(deployer.mdict['pki_server_database_path'], deployer.mdict['pki_uid'], deployer.mdict['pki_uid']) pki.util.chmod( deployer.mdict['pki_server_database_path'], config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) os.chmod(deployer.mdict['pki_server_database_path'], config.PKI_DEPLOYMENT_DEFAULT_DIR_PERMISSIONS) # import system certificates before starting the server pki_server_pkcs12_path = deployer.mdict['pki_server_pkcs12_path'] if pki_server_pkcs12_path: pki_server_pkcs12_password = deployer.mdict[ 'pki_server_pkcs12_password'] if not pki_server_pkcs12_password: raise Exception('Missing pki_server_pkcs12_password property.') nssdb = pki.nssdb.NSSDatabase( directory=deployer.mdict['pki_server_database_path'], password_file=deployer.mdict['pki_shared_pfile']) try: nssdb.import_pkcs12(pkcs12_file=pki_server_pkcs12_path, pkcs12_password=pki_server_pkcs12_password) finally: nssdb.close() # update external CA file (if needed) external_certs_path = deployer.mdict[ 'pki_server_external_certs_path'] if external_certs_path is not None: self.update_external_certs_conf(external_certs_path, deployer) # import CA certificates from PKCS #12 file for cloning pki_clone_pkcs12_path = deployer.mdict['pki_clone_pkcs12_path'] if pki_clone_pkcs12_path: pki_clone_pkcs12_password = deployer.mdict[ 'pki_clone_pkcs12_password'] if not pki_clone_pkcs12_password: raise Exception('Missing pki_clone_pkcs12_password property.') nssdb = pki.nssdb.NSSDatabase( directory=deployer.mdict['pki_server_database_path'], password_file=deployer.mdict['pki_shared_pfile']) try: print('Importing certificates from %s:' % pki_clone_pkcs12_path) # The PKCS12 class requires an NSS database to run. For simplicity # it uses the NSS database that has just been created. pkcs12 = pki.pkcs12.PKCS12(path=pki_clone_pkcs12_path, password=pki_clone_pkcs12_password, nssdb=nssdb) try: pkcs12.show_certs() finally: pkcs12.close() # Import certificates nssdb.import_pkcs12(pkcs12_file=pki_clone_pkcs12_path, pkcs12_password=pki_clone_pkcs12_password) # Set certificate trust flags if subsystem.type == 'CA': nssdb.modify_cert( nickname=deployer.mdict['pki_ca_signing_nickname'], trust_attributes='CTu,Cu,Cu') nssdb.modify_cert( nickname=deployer.mdict['pki_audit_signing_nickname'], trust_attributes='u,u,Pu') print('Imported certificates into %s:' % deployer.mdict['pki_server_database_path']) nssdb.show_certs() finally: nssdb.close() if len(deployer.instance.tomcat_instance_subsystems()) < 2: # Check to see if a secure connection is being used for the DS if config.str2bool(deployer.mdict['pki_ds_secure_connection']): # Check to see if a directory server CA certificate # using the same nickname already exists # # NOTE: ALWAYS use the software DB regardless of whether # the instance will utilize 'softokn' or an HSM # rv = deployer.certutil.verify_certificate_exists( path=deployer.mdict['pki_server_database_path'], token=deployer.mdict['pki_self_signed_token'], nickname=deployer. mdict['pki_ds_secure_connection_ca_nickname'], password_file=deployer.mdict['pki_shared_pfile']) if not rv: # Import the directory server CA certificate rv = deployer.certutil.import_cert( deployer.mdict['pki_ds_secure_connection_ca_nickname'], deployer. mdict['pki_ds_secure_connection_ca_trustargs'], deployer.mdict['pki_ds_secure_connection_ca_pem_file'], password_file=deployer.mdict['pki_shared_pfile'], path=deployer.mdict['pki_server_database_path'], token=deployer.mdict['pki_self_signed_token']) # Always delete the temporary 'pfile' deployer.file.delete(deployer.mdict['pki_shared_pfile']) # Store system cert parameters in installation step to guarantee the # parameters exist during configuration step and to allow customization. certs = subsystem.find_system_certs() for cert in certs: # get CS.cfg tag and pkispawn tag config_tag = cert['id'] deploy_tag = config_tag if config_tag == 'signing': # for CA and OCSP deploy_tag = subsystem.name + '_signing' # store nickname nickname = deployer.mdict['pki_%s_nickname' % deploy_tag] subsystem.config['%s.%s.nickname' % (subsystem.name, config_tag)] = nickname subsystem.config['preop.cert.%s.nickname' % config_tag] = nickname # store tokenname tokenname = deployer.mdict['pki_%s_token' % deploy_tag] subsystem.config['%s.%s.tokenname' % (subsystem.name, config_tag)] = tokenname fullname = nickname if pki.nssdb.normalize_token(tokenname): fullname = tokenname + ':' + nickname subsystem.config['%s.cert.%s.nickname' % (subsystem.name, config_tag)] = fullname # store subject DN subject_dn = deployer.mdict['pki_%s_subject_dn' % deploy_tag] subsystem.config['preop.cert.%s.dn' % config_tag] = subject_dn keytype = deployer.mdict['pki_%s_key_type' % deploy_tag] subsystem.config['preop.cert.%s.keytype' % config_tag] = keytype keyalgorithm = deployer.mdict['pki_%s_key_algorithm' % deploy_tag] subsystem.config['preop.cert.%s.keyalgorithm' % config_tag] = keyalgorithm signingalgorithm = deployer.mdict.get( 'pki_%s_signing_algorithm' % deploy_tag, keyalgorithm) subsystem.config['preop.cert.%s.signingalgorithm' % config_tag] = signingalgorithm if subsystem.name == 'ca': if config_tag == 'signing': subsystem.config[ 'ca.signing.defaultSigningAlgorithm'] = signingalgorithm subsystem.config[ 'ca.crl.MasterCRL.signingAlgorithm'] = signingalgorithm elif config_tag == 'ocsp_signing': subsystem.config[ 'ca.ocsp_signing.defaultSigningAlgorithm'] = signingalgorithm elif subsystem.name == 'ocsp': if config_tag == 'signing': subsystem.config[ 'ocsp.signing.defaultSigningAlgorithm'] = signingalgorithm elif subsystem.name == 'kra': if config_tag == 'transport': subsystem.config[ 'kra.transportUnit.signingAlgorithm'] = signingalgorithm # TODO: move more system cert params here admin_dn = deployer.mdict['pki_admin_subject_dn'] subsystem.config['preop.cert.admin.dn'] = admin_dn # If specified in the deployment parameter, add generic CA signing cert # extension parameters into the CS.cfg. Generic extension for other # system certs can be added directly into CS.cfg after before the # configuration step. if subsystem.type == 'CA': signing_nickname = subsystem.config['ca.signing.nickname'] subsystem.config['ca.signing.certnickname'] = signing_nickname subsystem.config['ca.signing.cacertnickname'] = signing_nickname ocsp_signing_nickname = subsystem.config[ 'ca.ocsp_signing.nickname'] subsystem.config[ 'ca.ocsp_signing.certnickname'] = ocsp_signing_nickname subsystem.config[ 'ca.ocsp_signing.cacertnickname'] = ocsp_signing_nickname if deployer.configuration_file.add_req_ext: subsystem.config['preop.cert.signing.ext.oid'] = \ deployer.configuration_file.req_ext_oid subsystem.config['preop.cert.signing.ext.data'] = \ deployer.configuration_file.req_ext_data subsystem.config['preop.cert.signing.ext.critical'] = \ deployer.configuration_file.req_ext_critical.lower() if deployer.configuration_file.req_ski: subsystem.config['preop.cert.signing.subject_key_id'] = \ deployer.configuration_file.req_ski if subsystem.type == 'KRA': storage_nickname = subsystem.config['kra.storage.nickname'] storage_token = subsystem.config['kra.storage.tokenname'] if pki.nssdb.normalize_token(storage_token): subsystem.config['kra.storageUnit.hardware'] = storage_token subsystem.config['kra.storageUnit.nickName'] = \ storage_token + ':' + storage_nickname else: subsystem.config['kra.storageUnit.nickName'] = \ storage_nickname transport_nickname = subsystem.config['kra.transport.nickname'] transport_token = subsystem.config['kra.transport.tokenname'] if pki.nssdb.normalize_token(transport_token): subsystem.config['kra.transportUnit.nickName'] = \ transport_token + ':' + transport_nickname else: subsystem.config['kra.transportUnit.nickName'] = \ transport_nickname if subsystem.type == 'OCSP': signing_nickname = subsystem.config['ocsp.signing.nickname'] subsystem.config['ocsp.signing.certnickname'] = signing_nickname subsystem.config['ocsp.signing.cacertnickname'] = signing_nickname audit_nickname = subsystem.config['%s.audit_signing.nickname' % subsystem.name] audit_token = subsystem.config['%s.audit_signing.tokenname' % subsystem.name] if pki.nssdb.normalize_token(audit_token): audit_nickname = audit_token + ':' + audit_nickname subsystem.config[ 'log.instance.SignedAudit.signedAuditCertNickname'] = audit_nickname subsystem.save() # Place 'slightly' less restrictive permissions on # the top-level client directory ONLY deployer.directory.create( deployer.mdict['pki_client_subsystem_dir'], uid=0, gid=0, perms=config.PKI_DEPLOYMENT_DEFAULT_CLIENT_DIR_PERMISSIONS) # Since 'certutil' does NOT strip the 'token=' portion of # the 'token=password' entries, create a client password file # which ONLY contains the 'password' for the purposes of # allowing 'certutil' to generate the security databases logger.info('Creating password file: %s', deployer.mdict['pki_client_password_conf']) deployer.password.create_password_conf( deployer.mdict['pki_client_password_conf'], deployer.mdict['pki_client_database_password'], pin_sans_token=True) deployer.file.modify(deployer.mdict['pki_client_password_conf'], uid=0, gid=0) # Similarly, create a simple password file containing the # PKCS #12 password used when exporting the 'Admin Certificate' # into a PKCS #12 file deployer.password.create_client_pkcs12_password_conf( deployer.mdict['pki_client_pkcs12_password_conf']) deployer.file.modify(deployer.mdict['pki_client_pkcs12_password_conf']) pki.util.makedirs(deployer.mdict['pki_client_database_dir'], force=True) nssdb = pki.nssdb.NSSDatabase( directory=deployer.mdict['pki_client_database_dir'], password_file=deployer.mdict['pki_client_password_conf']) try: if not nssdb.exists(): nssdb.create() finally: nssdb.close()
def execute(self, argv): try: opts, args = getopt.gnu_getopt(argv, 'i:v', [ 'instance=', 'verbose', 'debug', 'help']) except getopt.GetoptError as e: logger.error(e) self.print_help() sys.exit(1) instance_name = 'pki-tomcat' for o, a in opts: if o in ('-i', '--instance'): instance_name = a elif o == '--debug': logging.getLogger().setLevel(logging.DEBUG) elif o in ('-v', '--verbose'): logging.getLogger().setLevel(logging.INFO) elif o == '--help': self.print_help() sys.exit() else: logger.error('option %s not recognized', o) self.print_help() sys.exit(1) if len(args) < 1: logger.error('Missing cert ID.') self.print_help() sys.exit(1) cert_id = args[0] instance = pki.server.instance.PKIServerFactory.create(instance_name) if not instance.exists(): logger.error('Invalid instance %s.', instance_name) sys.exit(1) instance.load() subsystem_name, cert_tag = pki.server.PKIServer.split_cert_id(cert_id) # If cert ID is instance specific, get it from first subsystem if not subsystem_name: subsystem_name = instance.get_subsystems()[0].name subsystem = instance.get_subsystem(subsystem_name) if not subsystem: logger.error( 'No %s subsystem in instance %s.', subsystem_name, instance_name) sys.exit(1) subsystem_cert = subsystem.get_subsystem_cert(cert_tag) logger.info( 'Retrieving certificate %s from %s', subsystem_cert['nickname'], subsystem_cert['token']) token = subsystem_cert['token'] nssdb = instance.open_nssdb(token) # Get the cert data from NSS DB data = nssdb.get_cert( nickname=subsystem_cert['nickname'], output_format='base64') subsystem_cert['data'] = data # format cert data for LDAP database lines = [data[i:i + 64] for i in range(0, len(data), 64)] data = '\r\n'.join(lines) + '\r\n' # Get the cert request from LDAP database logger.info('Retrieving certificate request from CA database') # TODO: add support for remote CA ca = instance.get_subsystem('ca') if not ca: logger.error('No CA subsystem in instance %s.', instance_name) sys.exit(1) results = ca.find_cert_requests(cert=data) if results: cert_request = results[-1] request = cert_request['request'] # format cert request for CS.cfg lines = request.splitlines() if lines[0] == '-----BEGIN CERTIFICATE REQUEST-----': lines = lines[1:] if lines[-1] == '-----END CERTIFICATE REQUEST-----': lines = lines[:-1] request = ''.join(lines) subsystem_cert['request'] = request else: logger.warning('Certificate request not found') instance.cert_update_config(cert_id, subsystem_cert) self.print_message('Updated "%s" system certificate' % cert_id)
def execute(self, argv): try: opts, args = getopt.gnu_getopt( argv, 'i:v', ['instance=', 'show-all', 'verbose', 'debug', 'help']) except getopt.GetoptError as e: logger.error(e) self.print_help() sys.exit(1) instance_name = 'pki-tomcat' show_all = False for o, a in opts: if o in ('-i', '--instance'): instance_name = a elif o == '--show-all': show_all = True elif o == '--debug': logging.getLogger().setLevel(logging.DEBUG) elif o in ('-v', '--verbose'): logging.getLogger().setLevel(logging.INFO) elif o == '--help': self.print_help() sys.exit() else: logger.error('Unknown option: %s', o) self.print_help() sys.exit(1) if len(args) != 1: logger.error('Missing subsystem ID') self.print_help() sys.exit(1) subsystem_name = args[0] instance = pki.server.instance.PKIInstance(instance_name) if not instance.exists(): logger.error('Invalid instance %s.', instance_name) sys.exit(1) instance.load() subsystem = instance.get_subsystem(subsystem_name) if not subsystem: logger.error('No %s subsystem in instance %s.', subsystem_name, instance_name) sys.exit(1) certs = subsystem.get_cert_infos() self.print_message('%s entries matched' % len(certs)) first = True for cert in certs: if first: first = False else: print() if cert['nickname']: cert_info = subsystem.get_nssdb_cert_info(cert['id']) if cert_info: cert.update(cert_info) SubsystemCertCLI.print_subsystem_cert(cert, show_all)