def execute(self, argv):
try:
opts, _ = getopt.gnu_getopt(argv, 'v', [
'verbose', 'help'])
except getopt.GetoptError as e:
print('ERROR: %s' % e)
self.print_help()
sys.exit(1)
for o, _ in opts:
if o in ('-v', '--verbose'):
self.set_verbose(True)
elif o == '--help':
self.print_help()
sys.exit()
else:
print('ERROR: unknown option %s' % o)
self.print_help()
sys.exit(1)
print(pki.generate_password())
def spawn(self, deployer):
logger.info(log.PKISPAWN_BEGIN_MESSAGE_2,
deployer.mdict['pki_subsystem'],
deployer.mdict['pki_instance_name'])
instance = pki.server.instance.PKIInstance(
deployer.mdict['pki_instance_name'])
instance.load()
# generate random password for client database if not specified
if not deployer.mdict['pki_client_database_password']:
deployer.mdict[
'pki_client_database_password'] = pki.generate_password()
# ALWAYS initialize 'uid' and 'gid'
deployer.identity.add_uid_and_gid(deployer.mdict['pki_user'],
deployer.mdict['pki_group'])
# ALWAYS establish 'uid' and 'gid'
deployer.identity.set_uid(deployer.mdict['pki_user'])
deployer.identity.set_gid(deployer.mdict['pki_group'])
# ALWAYS initialize HSMs (when and if present)
deployer.hsm.initialize()
if config.str2bool(deployer.mdict['pki_skip_installation']):
logger.info('Skipping initialization')
return
else:
logger.info('Initialization')
# Verify that the subsystem already exists for the following cases:
# - External CA/KRA/OCSP (Step 2)
# - Stand-alone PKI (Step 2)
# - Two-step installation (Step 2)
if (deployer.subsystem_name in ['CA', 'KRA', 'OCSP'] or
config.str2bool(deployer.mdict['pki_standalone'])) and \
config.str2bool(deployer.mdict['pki_external_step_two']) or \
config.str2bool(deployer.mdict['pki_skip_installation']):
deployer.instance.verify_subsystem_exists()
deployer.mdict['pki_skip_installation'] = "True"
else:
# verify that this type of "subsystem" does NOT yet
# exist for this "instance"
deployer.instance.verify_subsystem_does_not_exist()
# detect and avoid any namespace collisions
deployer.namespace.collision_detection()
# verify existence of SENSITIVE configuration file data
self.verify_sensitive_data(deployer)
# verify existence of MUTUALLY EXCLUSIVE configuration file data
deployer.configuration_file.verify_mutually_exclusive_data()
# verify existence of PREDEFINED configuration file data
deployer.configuration_file.verify_predefined_configuration_file_data()
# verify selinux context of selected ports
deployer.configuration_file.populate_non_default_ports()
deployer.configuration_file.verify_selinux_ports()
# If secure DS connection is required, verify parameters
deployer.configuration_file.verify_ds_secure_connection_data()
def execute(self, argv):
try:
opts, _ = getopt.gnu_getopt(argv, 'v',
['verbose', 'debug', 'help'])
except getopt.GetoptError as e:
logger.error(e)
self.print_help()
sys.exit(1)
for o, _ in opts:
if o == '--debug':
logging.getLogger().setLevel(logging.DEBUG)
elif o in ('-v', '--verbose'):
logging.getLogger().setLevel(logging.DEBUG)
elif o == '--help':
self.print_help()
sys.exit()
else:
logger.error('Unknown option: %s', o)
self.print_help()
sys.exit(1)
print(pki.generate_password())
def init_config(self, pki_instance_name=None):
self.deployer.nss_db_type = self.get_nss_db_type()
java_home = self._getenv('JAVA_HOME').strip()
# Check if a instance name is provided before assigning a default
# instance_name
if pki_instance_name:
default_instance_name = pki_instance_name
else:
default_instance_name = 'pki-tomcat'
default_http_port = '8080'
default_https_port = '8443'
application_version = str(pki.util.Version(
pki.specification_version()))
charset = string.digits + string.ascii_lowercase + string.ascii_uppercase
self.deployer.main_config = configparser.SafeConfigParser({
'application_version':
application_version,
'pki_instance_name':
default_instance_name,
'pki_http_port':
default_http_port,
'pki_https_port':
default_https_port,
'pki_dns_domainname':
self.deployer.dns_domainname,
'pki_subsystem':
self.deployer.subsystem_name,
'pki_subsystem_type':
self.deployer.subsystem_name.lower(),
'nss_default_db_type':
self.deployer.nss_db_type,
'java_home':
java_home,
'home_dir':
os.path.expanduser("~"),
'pki_hostname':
self.deployer.hostname,
'pki_random_ajp_secret':
pki.generate_password(charset, length=25)
})
# Make keys case-sensitive!
self.deployer.main_config.optionxform = str
self.deployer.user_config = configparser.SafeConfigParser()
self.deployer.user_config.optionxform = str
with open(config.default_deployment_cfg) as f:
self.deployer.main_config.readfp(f)
self.deployer.flatten_master_dict()
def execute(self, argv):
try:
opts, _ = getopt.gnu_getopt(argv, 'v', ['verbose', 'help'])
except getopt.GetoptError as e:
print('ERROR: %s' % e)
self.print_help()
sys.exit(1)
for o, _ in opts:
if o in ('-v', '--verbose'):
self.set_verbose(True)
elif o == '--help':
self.print_help()
sys.exit()
else:
print('ERROR: unknown option %s' % o)
self.print_help()
sys.exit(1)
print(pki.generate_password())
def spawn(self, deployer):
logger.info(log.PKISPAWN_BEGIN_MESSAGE_2,
deployer.mdict['pki_subsystem'],
deployer.mdict['pki_instance_name'])
instance = pki.server.PKIInstance(deployer.mdict['pki_instance_name'])
instance.load()
internal_token = deployer.mdict['pki_self_signed_token']
# if instance already exists and has password, reuse the password
if internal_token in instance.passwords:
deployer.mdict['pki_server_database_password'] = instance.passwords.get(internal_token)
# otherwise, use user-provided password if specified
elif deployer.mdict['pki_server_database_password']:
pass
# otherwise, use user-provided pin if specified
elif deployer.mdict['pki_pin']:
deployer.mdict['pki_server_database_password'] = deployer.mdict['pki_pin']
# otherwise, generate a random password
else:
deployer.mdict['pki_server_database_password'] = pki.generate_password()
# generate random password for client database if not specified
if not deployer.mdict['pki_client_database_password']:
deployer.mdict['pki_client_database_password'] = pki.generate_password()
# ALWAYS initialize 'uid' and 'gid'
deployer.identity.add_uid_and_gid(deployer.mdict['pki_user'],
deployer.mdict['pki_group'])
# ALWAYS establish 'uid' and 'gid'
deployer.identity.set_uid(deployer.mdict['pki_user'])
deployer.identity.set_gid(deployer.mdict['pki_group'])
# ALWAYS check FIPS mode
deployer.fips.is_fips_enabled()
# ALWAYS initialize HSMs (when and if present)
deployer.hsm.initialize()
if config.str2bool(deployer.mdict['pki_skip_installation']):
logger.info('Skipping initialization')
return
else:
logger.info('Initialization')
# Verify that the subsystem already exists for the following cases:
# - External CA/KRA/OCSP (Step 2)
# - Stand-alone PKI (Step 2)
# - Two-step installation (Step 2)
if (deployer.subsystem_name in ['CA', 'KRA', 'OCSP'] or
config.str2bool(deployer.mdict['pki_standalone'])) and \
config.str2bool(deployer.mdict['pki_external_step_two']) or \
config.str2bool(deployer.mdict['pki_skip_installation']):
deployer.instance.verify_subsystem_exists()
deployer.mdict['pki_skip_installation'] = "True"
else:
# verify that this type of "subsystem" does NOT yet
# exist for this "instance"
deployer.instance.verify_subsystem_does_not_exist()
# detect and avoid any namespace collisions
deployer.namespace.collision_detection()
# verify existence of SENSITIVE configuration file data
deployer.configuration_file.verify_sensitive_data()
# verify existence of MUTUALLY EXCLUSIVE configuration file data
deployer.configuration_file.verify_mutually_exclusive_data()
# verify existence of PREDEFINED configuration file data
deployer.configuration_file.verify_predefined_configuration_file_data()
# verify selinux context of selected ports
deployer.configuration_file.populate_non_default_ports()
deployer.configuration_file.verify_selinux_ports()
# If secure DS connection is required, verify parameters
deployer.configuration_file.verify_ds_secure_connection_data()
def spawn(self, deployer):
if config.str2bool(deployer.mdict['pki_skip_installation']):
logger.info('Skipping instance creation')
return
logger.info('Preparing %s instance', deployer.mdict['pki_instance_name'])
instance = self.instance
instance.load()
instance_conf_path = deployer.mdict['pki_instance_configuration_path']
logger.info('Creating %s', instance_conf_path)
instance.makedirs(instance_conf_path, force=True)
logger.info('Creating %s', deployer.mdict['pki_shared_password_conf'])
# Configuring internal token password
internal_token = deployer.mdict['pki_self_signed_token']
if not pki.nssdb.normalize_token(internal_token):
internal_token = pki.nssdb.INTERNAL_TOKEN_NAME
# If instance already exists and has password, reuse the password
if internal_token in instance.passwords:
logger.info('Reusing server NSS database password')
deployer.mdict['pki_server_database_password'] = instance.passwords.get(internal_token)
# Otherwise, use user-provided password if specified
elif deployer.mdict['pki_server_database_password']:
logger.info('Using specified server NSS database password')
# Otherwise, use user-provided pin if specified
elif deployer.mdict['pki_pin']:
logger.info('Using specified PIN as server NSS database password')
deployer.mdict['pki_server_database_password'] = deployer.mdict['pki_pin']
# Otherwise, generate a random password
else:
logger.info('Generating random server NSS database password')
deployer.mdict['pki_server_database_password'] = pki.generate_password()
instance.passwords[internal_token] = deployer.mdict['pki_server_database_password']
# Configuring HSM password
if config.str2bool(deployer.mdict['pki_hsm_enable']):
hsm_token = deployer.mdict['pki_token_name']
instance.passwords['hardware-%s' % hsm_token] = deployer.mdict['pki_token_password']
# Configuring internal database password
if 'internaldb' in instance.passwords:
logger.info('Reusing internal database password')
deployer.mdict['pki_ds_password'] = instance.passwords.get('internaldb')
else:
logger.info('Using specified internal database password')
instance.passwords['internaldb'] = deployer.mdict['pki_ds_password']
# Configuring replication manager password
# Bug #430745 Create separate password for replication manager
# Use user-provided password if specified
if 'replicationdb' in instance.passwords:
logger.info('Reusing replication manager password')
elif deployer.mdict['pki_replication_password']:
logger.info('Using specified replication manager password')
instance.passwords['replicationdb'] = deployer.mdict['pki_replication_password']
else:
logger.info('Generating random replication manager password')
instance.passwords['replicationdb'] = pki.generate_password()
instance.store_passwords()
# if this is not the first subsystem, skip
if len(deployer.instance.tomcat_instance_subsystems()) != 1:
logger.info('Installing %s instance', deployer.mdict['pki_instance_name'])
return
deployer.directory.create(deployer.mdict['pki_instance_log_path'])
shared_conf_path = deployer.mdict['pki_source_server_path']
# Copy /usr/share/pki/server/conf/tomcat.conf to
# /var/lib/pki/<instance>/conf/tomcat.conf.
deployer.file.copy_with_slot_substitution(
os.path.join(shared_conf_path, 'tomcat.conf'),
os.path.join(instance_conf_path, 'tomcat.conf'))
# Copy /usr/share/pki/server/conf/server.xml
# to /etc/pki/<instance>/server.xml.
deployer.file.copy_with_slot_substitution(
deployer.mdict['pki_source_server_xml'],
deployer.mdict['pki_target_server_xml'],
overwrite_flag=True)
# Link /etc/pki/<instance>/catalina.properties
# to /usr/share/pki/server/conf/catalina.properties.
logger.info('Creating %s', os.path.join(instance_conf_path, 'catalina.properties'))
instance.symlink(
os.path.join(shared_conf_path, 'catalina.properties'),
os.path.join(instance_conf_path, 'catalina.properties'),
force=True)
# Link /etc/pki/<instance>/context.xml
# to /usr/share/tomcat/conf/context.xml.
logger.info('Creating %s', instance.context_xml)
context_xml = os.path.join(pki.server.Tomcat.CONF_DIR, 'context.xml')
instance.symlink(context_xml, instance.context_xml, force=True)
# Link /etc/pki/<instance>/logging.properties
# to /usr/share/pki/server/conf/logging.properties.
logger.info('Creating %s', os.path.join(instance_conf_path, 'logging.properties'))
instance.symlink(
os.path.join(shared_conf_path, 'logging.properties'),
os.path.join(instance_conf_path, 'logging.properties'),
force=True)
# create /etc/sysconfig/<instance>
deployer.file.copy_with_slot_substitution(
deployer.mdict['pki_source_tomcat_conf'],
deployer.mdict['pki_target_tomcat_conf_instance_id'],
overwrite_flag=True)
# create /var/lib/pki/<instance>/conf/tomcat.conf
deployer.file.copy_with_slot_substitution(
deployer.mdict['pki_source_tomcat_conf'],
deployer.mdict['pki_target_tomcat_conf'],
overwrite_flag=True)
# Link /etc/pki/<instance>/web.xml
# to /usr/share/tomcat/conf/web.xml.
logger.info('Creating %s', instance.web_xml)
web_xml = os.path.join(pki.server.Tomcat.CONF_DIR, 'web.xml')
instance.symlink(web_xml, instance.web_xml, force=True)
catalina_dir = os.path.join(instance_conf_path, 'Catalina')
logger.info('Creating %s', catalina_dir)
instance.makedirs(catalina_dir, force=True)
localhost_dir = os.path.join(catalina_dir, 'localhost')
logger.info('Creating %s', localhost_dir)
instance.makedirs(localhost_dir, force=True)
logger.info('Deploying ROOT web application')
instance.deploy_webapp(
"ROOT",
os.path.join(
shared_conf_path,
"Catalina",
"localhost",
"ROOT.xml"))
logger.info('Deploying /pki web application')
# Deploy pki web application which includes themes,
# admin templates, and JS libraries
instance.deploy_webapp(
"pki",
os.path.join(
shared_conf_path,
"Catalina",
"localhost",
"pki.xml"))
instance.with_maven_deps = deployer.with_maven_deps
instance.create_libs(force=True)
deployer.directory.create(deployer.mdict['pki_tomcat_tmpdir_path'])
deployer.directory.create(deployer.mdict['pki_tomcat_work_path'])
deployer.directory.create(deployer.mdict['pki_tomcat_work_catalina_path'])
deployer.directory.create(deployer.mdict['pki_tomcat_work_catalina_host_path'])
deployer.directory.create(deployer.mdict['pki_tomcat_work_catalina_host_run_path'])
deployer.directory.create(deployer.mdict['pki_tomcat_work_catalina_host_subsystem_path'])
# establish Tomcat instance logs
# establish Tomcat instance registry
# establish Tomcat instance convenience symbolic links
deployer.symlink.create(
deployer.mdict['pki_tomcat_bin_path'],
deployer.mdict['pki_tomcat_bin_link'])
# create systemd links
deployer.symlink.create(
deployer.mdict['pki_tomcat_systemd'],
deployer.mdict['pki_instance_systemd_link'],
uid=0, gid=0)
user = deployer.mdict['pki_user']
group = deployer.mdict['pki_group']
if user != 'pkiuser' or group != 'pkiuser':
deployer.systemd.set_override(
'Service', 'User', user, 'user.conf')
deployer.systemd.set_override(
'Service', 'Group', group, 'user.conf')
deployer.systemd.write_overrides()
deployer.systemd.daemon_reload()
deployer.symlink.create(
instance_conf_path,
deployer.mdict['pki_instance_conf_link'])
deployer.symlink.create(
deployer.mdict['pki_instance_log_path'],
deployer.mdict['pki_instance_logs_link'])
# create Tomcat instance systemd service link
deployer.symlink.create(deployer.mdict['pki_systemd_service'],
deployer.mdict['pki_systemd_service_link'])
# create instance registry
deployer.file.copy_with_slot_substitution(
deployer.mdict['pki_source_registry'],
os.path.join(deployer.mdict['pki_instance_registry_path'],
deployer.mdict['pki_instance_name']),
overwrite_flag=True)
def spawn(self, deployer):
logger.info(log.PKISPAWN_BEGIN_MESSAGE_2,
deployer.mdict['pki_subsystem'],
deployer.mdict['pki_instance_name'])
instance = pki.server.PKIInstance(deployer.mdict['pki_instance_name'])
instance.load()
internal_token = deployer.mdict['pki_self_signed_token']
if not pki.nssdb.normalize_token(internal_token):
internal_token = pki.nssdb.INTERNAL_TOKEN_NAME
# if instance already exists and has password, reuse the password
if internal_token in instance.passwords:
logger.info('Reusing server NSS database password')
deployer.mdict[
'pki_server_database_password'] = instance.passwords.get(
internal_token)
# otherwise, use user-provided password if specified
elif deployer.mdict['pki_server_database_password']:
logger.info('Using specified server NSS database password')
# otherwise, use user-provided pin if specified
elif deployer.mdict['pki_pin']:
logger.info('Using specified PIN as server NSS database password')
deployer.mdict['pki_server_database_password'] = deployer.mdict[
'pki_pin']
# otherwise, generate a random password
else:
logger.info('Generating random server NSS database password')
deployer.mdict[
'pki_server_database_password'] = pki.generate_password()
# generate random password for client database if not specified
if not deployer.mdict['pki_client_database_password']:
deployer.mdict[
'pki_client_database_password'] = pki.generate_password()
# ALWAYS initialize 'uid' and 'gid'
deployer.identity.add_uid_and_gid(deployer.mdict['pki_user'],
deployer.mdict['pki_group'])
# ALWAYS establish 'uid' and 'gid'
deployer.identity.set_uid(deployer.mdict['pki_user'])
deployer.identity.set_gid(deployer.mdict['pki_group'])
# ALWAYS check FIPS mode
deployer.fips.is_fips_enabled()
# ALWAYS initialize HSMs (when and if present)
deployer.hsm.initialize()
if config.str2bool(deployer.mdict['pki_skip_installation']):
logger.info('Skipping initialization')
return
else:
logger.info('Initialization')
# Verify that the subsystem already exists for the following cases:
# - External CA/KRA/OCSP (Step 2)
# - Stand-alone PKI (Step 2)
# - Two-step installation (Step 2)
if (deployer.subsystem_name in ['CA', 'KRA', 'OCSP'] or
config.str2bool(deployer.mdict['pki_standalone'])) and \
config.str2bool(deployer.mdict['pki_external_step_two']) or \
config.str2bool(deployer.mdict['pki_skip_installation']):
deployer.instance.verify_subsystem_exists()
deployer.mdict['pki_skip_installation'] = "True"
else:
# verify that this type of "subsystem" does NOT yet
# exist for this "instance"
deployer.instance.verify_subsystem_does_not_exist()
# detect and avoid any namespace collisions
deployer.namespace.collision_detection()
# verify existence of SENSITIVE configuration file data
deployer.configuration_file.verify_sensitive_data()
# verify existence of MUTUALLY EXCLUSIVE configuration file data
deployer.configuration_file.verify_mutually_exclusive_data()
# verify existence of PREDEFINED configuration file data
deployer.configuration_file.verify_predefined_configuration_file_data()
# verify selinux context of selected ports
deployer.configuration_file.populate_non_default_ports()
deployer.configuration_file.verify_selinux_ports()
# If secure DS connection is required, verify parameters
deployer.configuration_file.verify_ds_secure_connection_data()
