def execute(self, argv):
try:
opts, args = getopt.gnu_getopt(
argv, 'i:v',
['instance=', 'password='******'verbose', 'debug', 'help'])
except getopt.GetoptError as e:
print('ERROR: %s' % e)
self.print_help()
sys.exit(1)
instance_name = 'pki-tomcat'
password = None
for o, a in opts:
if o in ('-i', '--instance'):
instance_name = a
elif o == '--password':
password = a
elif o in ('-v', '--verbose'):
logging.getLogger().setLevel(logging.INFO)
elif o == '--debug':
logging.getLogger().setLevel(logging.DEBUG)
elif o == '--help':
self.print_help()
sys.exit()
else:
print('ERROR: Unknown option: %s' % o)
self.print_help()
sys.exit(1)
if len(args) < 1:
raise Exception('Missing password ID')
name = args[0]
instance = pki.server.instance.PKIServerFactory.create(instance_name)
if not instance.exists():
raise Exception('Invalid instance: %s' % instance_name)
instance.load()
if name in instance.passwords:
raise Exception('Password already exists: %s' % name)
instance.passwords[name] = password
instance.store_passwords()
def spawn(self, deployer):
if config.str2bool(deployer.mdict['pki_skip_installation']):
logger.info('Skipping instance creation')
return
logger.info('Preparing %s instance', deployer.mdict['pki_instance_name'])
instance = self.instance
instance.load()
instance_conf_path = deployer.mdict['pki_instance_configuration_path']
logger.info('Creating %s', instance_conf_path)
instance.makedirs(instance_conf_path, force=True)
logger.info('Creating %s', deployer.mdict['pki_shared_password_conf'])
# Configuring internal token password
internal_token = deployer.mdict['pki_self_signed_token']
if not pki.nssdb.normalize_token(internal_token):
internal_token = pki.nssdb.INTERNAL_TOKEN_NAME
# If instance already exists and has password, reuse the password
if internal_token in instance.passwords:
logger.info('Reusing server NSS database password')
deployer.mdict['pki_server_database_password'] = instance.passwords.get(internal_token)
# Otherwise, use user-provided password if specified
elif deployer.mdict['pki_server_database_password']:
logger.info('Using specified server NSS database password')
# Otherwise, use user-provided pin if specified
elif deployer.mdict['pki_pin']:
logger.info('Using specified PIN as server NSS database password')
deployer.mdict['pki_server_database_password'] = deployer.mdict['pki_pin']
# Otherwise, generate a random password
else:
logger.info('Generating random server NSS database password')
deployer.mdict['pki_server_database_password'] = pki.generate_password()
instance.passwords[internal_token] = deployer.mdict['pki_server_database_password']
# Configuring HSM password
if config.str2bool(deployer.mdict['pki_hsm_enable']):
hsm_token = deployer.mdict['pki_token_name']
instance.passwords['hardware-%s' % hsm_token] = deployer.mdict['pki_token_password']
# Configuring internal database password
if 'internaldb' in instance.passwords:
logger.info('Reusing internal database password')
deployer.mdict['pki_ds_password'] = instance.passwords.get('internaldb')
else:
logger.info('Using specified internal database password')
instance.passwords['internaldb'] = deployer.mdict['pki_ds_password']
# Configuring replication manager password
# Bug #430745 Create separate password for replication manager
# Use user-provided password if specified
if 'replicationdb' in instance.passwords:
logger.info('Reusing replication manager password')
elif deployer.mdict['pki_replication_password']:
logger.info('Using specified replication manager password')
instance.passwords['replicationdb'] = deployer.mdict['pki_replication_password']
else:
logger.info('Generating random replication manager password')
instance.passwords['replicationdb'] = pki.generate_password()
instance.store_passwords()
# if this is not the first subsystem, skip
if len(deployer.instance.tomcat_instance_subsystems()) != 1:
logger.info('Installing %s instance', deployer.mdict['pki_instance_name'])
return
deployer.directory.create(deployer.mdict['pki_instance_log_path'])
shared_conf_path = deployer.mdict['pki_source_server_path']
# Copy /usr/share/pki/server/conf/tomcat.conf to
# /var/lib/pki/<instance>/conf/tomcat.conf.
deployer.file.copy_with_slot_substitution(
os.path.join(shared_conf_path, 'tomcat.conf'),
os.path.join(instance_conf_path, 'tomcat.conf'))
# Copy /usr/share/pki/server/conf/server.xml
# to /etc/pki/<instance>/server.xml.
deployer.file.copy_with_slot_substitution(
deployer.mdict['pki_source_server_xml'],
deployer.mdict['pki_target_server_xml'],
overwrite_flag=True)
# Link /etc/pki/<instance>/catalina.properties
# to /usr/share/pki/server/conf/catalina.properties.
logger.info('Creating %s', os.path.join(instance_conf_path, 'catalina.properties'))
instance.symlink(
os.path.join(shared_conf_path, 'catalina.properties'),
os.path.join(instance_conf_path, 'catalina.properties'),
force=True)
# Link /etc/pki/<instance>/context.xml
# to /usr/share/tomcat/conf/context.xml.
logger.info('Creating %s', instance.context_xml)
context_xml = os.path.join(pki.server.Tomcat.CONF_DIR, 'context.xml')
instance.symlink(context_xml, instance.context_xml, force=True)
# Link /etc/pki/<instance>/logging.properties
# to /usr/share/pki/server/conf/logging.properties.
logger.info('Creating %s', os.path.join(instance_conf_path, 'logging.properties'))
instance.symlink(
os.path.join(shared_conf_path, 'logging.properties'),
os.path.join(instance_conf_path, 'logging.properties'),
force=True)
# create /etc/sysconfig/<instance>
deployer.file.copy_with_slot_substitution(
deployer.mdict['pki_source_tomcat_conf'],
deployer.mdict['pki_target_tomcat_conf_instance_id'],
overwrite_flag=True)
# create /var/lib/pki/<instance>/conf/tomcat.conf
deployer.file.copy_with_slot_substitution(
deployer.mdict['pki_source_tomcat_conf'],
deployer.mdict['pki_target_tomcat_conf'],
overwrite_flag=True)
# Link /etc/pki/<instance>/web.xml
# to /usr/share/tomcat/conf/web.xml.
logger.info('Creating %s', instance.web_xml)
web_xml = os.path.join(pki.server.Tomcat.CONF_DIR, 'web.xml')
instance.symlink(web_xml, instance.web_xml, force=True)
catalina_dir = os.path.join(instance_conf_path, 'Catalina')
logger.info('Creating %s', catalina_dir)
instance.makedirs(catalina_dir, force=True)
localhost_dir = os.path.join(catalina_dir, 'localhost')
logger.info('Creating %s', localhost_dir)
instance.makedirs(localhost_dir, force=True)
logger.info('Deploying ROOT web application')
instance.deploy_webapp(
"ROOT",
os.path.join(
shared_conf_path,
"Catalina",
"localhost",
"ROOT.xml"))
logger.info('Deploying /pki web application')
# Deploy pki web application which includes themes,
# admin templates, and JS libraries
instance.deploy_webapp(
"pki",
os.path.join(
shared_conf_path,
"Catalina",
"localhost",
"pki.xml"))
instance.with_maven_deps = deployer.with_maven_deps
instance.create_libs(force=True)
deployer.directory.create(deployer.mdict['pki_tomcat_tmpdir_path'])
deployer.directory.create(deployer.mdict['pki_tomcat_work_path'])
deployer.directory.create(deployer.mdict['pki_tomcat_work_catalina_path'])
deployer.directory.create(deployer.mdict['pki_tomcat_work_catalina_host_path'])
deployer.directory.create(deployer.mdict['pki_tomcat_work_catalina_host_run_path'])
deployer.directory.create(deployer.mdict['pki_tomcat_work_catalina_host_subsystem_path'])
# establish Tomcat instance logs
# establish Tomcat instance registry
# establish Tomcat instance convenience symbolic links
deployer.symlink.create(
deployer.mdict['pki_tomcat_bin_path'],
deployer.mdict['pki_tomcat_bin_link'])
# create systemd links
deployer.symlink.create(
deployer.mdict['pki_tomcat_systemd'],
deployer.mdict['pki_instance_systemd_link'],
uid=0, gid=0)
user = deployer.mdict['pki_user']
group = deployer.mdict['pki_group']
if user != 'pkiuser' or group != 'pkiuser':
deployer.systemd.set_override(
'Service', 'User', user, 'user.conf')
deployer.systemd.set_override(
'Service', 'Group', group, 'user.conf')
deployer.systemd.write_overrides()
deployer.systemd.daemon_reload()
deployer.symlink.create(
instance_conf_path,
deployer.mdict['pki_instance_conf_link'])
deployer.symlink.create(
deployer.mdict['pki_instance_log_path'],
deployer.mdict['pki_instance_logs_link'])
# create Tomcat instance systemd service link
deployer.symlink.create(deployer.mdict['pki_systemd_service'],
deployer.mdict['pki_systemd_service_link'])
# create instance registry
deployer.file.copy_with_slot_substitution(
deployer.mdict['pki_source_registry'],
os.path.join(deployer.mdict['pki_instance_registry_path'],
deployer.mdict['pki_instance_name']),
overwrite_flag=True)
def execute(self, argv):
try:
opts, _ = getopt.gnu_getopt(argv, 'i:d:v', [
'instance=', 'no-password', 'password='******'password-file=',
'force', 'verbose', 'debug', 'help'
])
except getopt.GetoptError as e:
print('ERROR: %s' % e)
self.print_help()
sys.exit(1)
instance_name = 'pki-tomcat'
no_password = False
password = None
password_file = None
force = False
for o, a in opts:
if o in ('-i', '--instance'):
instance_name = a
elif o == '--no-password':
no_password = True
elif o == '--password':
password = a
elif o == '--password-file':
password_file = a
elif o == '--force':
force = True
elif o in ('-v', '--verbose'):
logging.getLogger().setLevel(logging.INFO)
elif o == '--debug':
logging.getLogger().setLevel(logging.DEBUG)
elif o == '--help':
self.print_help()
sys.exit()
else:
print('ERROR: unknown option: %s' % o)
self.print_help()
sys.exit(1)
instance = pki.server.instance.PKIServerFactory.create(instance_name)
if not instance.exists():
raise Exception('Invalid instance: %s' % instance_name)
instance.load()
if no_password:
password = ''
elif password is not None:
pass
elif password_file is not None:
with open(password_file) as f:
password = f.read().splitlines()[0]
else:
password = getpass.getpass(
prompt='Enter password for NSS database: ')
instance.passwords['internal'] = password
instance.store_passwords()
instance.create_nssdb(force=force)
def ldap_password_authn(
instance, subsystems, bind_dn, ldap_url, use_ldapi, dm_pass_file):
"""LDAP password authentication context.
This context manager switches the server to password
authentication, runs the block, then restores the original
subsystem configuration.
Specifically:
- if we are already using BasicAuth, force port 389 and no TLS/STARTTLS
but leave everything else alone.
- if using TLS client cert auth, switch to BasicAuth, using pkidbuser
account, and using a randomly generated password. The DM credential
is required to set that password.
This context manager yields the pkidbuser DN, so that the new
subsystem certificate (if it was one of the renewal targets) can
be added to the entry. It is only yielded if the server was
already using TLS client cert authn, otherwise the yielded value
is ``None``.
"""
logger.info('Configuring LDAP password authentication')
orig = {}
try:
password = instance.passwords['internaldb']
except KeyError:
# generate a new password and write it to file
password = gen_random_password()
instance.passwords['internaldb'] = password
instance.store_passwords()
generated_password = True
else:
generated_password = False
# We don't perform ldappasswd unless we need to (and only once).
ldappasswd_performed = False
for subsystem in subsystems:
cfg = subsystem.get_db_config()
orig[subsystem] = cfg.copy() # copy because dict is mutable
authtype = cfg['internaldb.ldapauth.authtype']
if authtype == 'SslClientAuth':
# switch to BasicAuth
cfg['internaldb.ldapauth.authtype'] = 'BasicAuth'
cfg['internaldb.ldapconn.port'] = '389'
cfg['internaldb.ldapconn.secureConn'] = 'false'
cfg['internaldb.ldapauth.bindDN'] = bind_dn
# _now_ we can perform ldappasswd
if not ldappasswd_performed:
logger.info('Setting pkidbuser password via ldappasswd')
with write_temp_file(password.encode('utf8')) as pwdfile:
ldappasswd(ldap_url, use_ldapi, dm_pass_file, bind_dn, pwdfile)
ldappasswd_performed = True
elif authtype == 'BasicAuth':
# force port 389, no TLS / STARTTLS. Leave other settings alone.
cfg['internaldb.ldapconn.port'] = '389'
cfg['internaldb.ldapconn.secureConn'] = 'false'
subsystem.set_db_config(cfg)
subsystem.save()
try:
yield
finally:
logger.info('Restoring previous LDAP configuration')
for subsystem, cfg in orig.items():
subsystem.set_db_config(cfg)
subsystem.save()
if generated_password:
del instance.passwords['internaldb']
instance.store_passwords()
