def execute(self, argv): try: opts, _ = getopt.gnu_getopt(argv, 'v', [ 'verbose', 'help']) except getopt.GetoptError as e: print('ERROR: %s' % e) self.print_help() sys.exit(1) for o, _ in opts: if o in ('-v', '--verbose'): self.set_verbose(True) elif o == '--help': self.print_help() sys.exit() else: print('ERROR: unknown option %s' % o) self.print_help() sys.exit(1) print(pki.generate_password())
def spawn(self, deployer): logger.info(log.PKISPAWN_BEGIN_MESSAGE_2, deployer.mdict['pki_subsystem'], deployer.mdict['pki_instance_name']) instance = pki.server.instance.PKIInstance( deployer.mdict['pki_instance_name']) instance.load() # generate random password for client database if not specified if not deployer.mdict['pki_client_database_password']: deployer.mdict[ 'pki_client_database_password'] = pki.generate_password() # ALWAYS initialize 'uid' and 'gid' deployer.identity.add_uid_and_gid(deployer.mdict['pki_user'], deployer.mdict['pki_group']) # ALWAYS establish 'uid' and 'gid' deployer.identity.set_uid(deployer.mdict['pki_user']) deployer.identity.set_gid(deployer.mdict['pki_group']) # ALWAYS initialize HSMs (when and if present) deployer.hsm.initialize() if config.str2bool(deployer.mdict['pki_skip_installation']): logger.info('Skipping initialization') return else: logger.info('Initialization') # Verify that the subsystem already exists for the following cases: # - External CA/KRA/OCSP (Step 2) # - Stand-alone PKI (Step 2) # - Two-step installation (Step 2) if (deployer.subsystem_name in ['CA', 'KRA', 'OCSP'] or config.str2bool(deployer.mdict['pki_standalone'])) and \ config.str2bool(deployer.mdict['pki_external_step_two']) or \ config.str2bool(deployer.mdict['pki_skip_installation']): deployer.instance.verify_subsystem_exists() deployer.mdict['pki_skip_installation'] = "True" else: # verify that this type of "subsystem" does NOT yet # exist for this "instance" deployer.instance.verify_subsystem_does_not_exist() # detect and avoid any namespace collisions deployer.namespace.collision_detection() # verify existence of SENSITIVE configuration file data self.verify_sensitive_data(deployer) # verify existence of MUTUALLY EXCLUSIVE configuration file data deployer.configuration_file.verify_mutually_exclusive_data() # verify existence of PREDEFINED configuration file data deployer.configuration_file.verify_predefined_configuration_file_data() # verify selinux context of selected ports deployer.configuration_file.populate_non_default_ports() deployer.configuration_file.verify_selinux_ports() # If secure DS connection is required, verify parameters deployer.configuration_file.verify_ds_secure_connection_data()
def execute(self, argv): try: opts, _ = getopt.gnu_getopt(argv, 'v', ['verbose', 'debug', 'help']) except getopt.GetoptError as e: logger.error(e) self.print_help() sys.exit(1) for o, _ in opts: if o == '--debug': logging.getLogger().setLevel(logging.DEBUG) elif o in ('-v', '--verbose'): logging.getLogger().setLevel(logging.DEBUG) elif o == '--help': self.print_help() sys.exit() else: logger.error('Unknown option: %s', o) self.print_help() sys.exit(1) print(pki.generate_password())
def init_config(self, pki_instance_name=None): self.deployer.nss_db_type = self.get_nss_db_type() java_home = self._getenv('JAVA_HOME').strip() # Check if a instance name is provided before assigning a default # instance_name if pki_instance_name: default_instance_name = pki_instance_name else: default_instance_name = 'pki-tomcat' default_http_port = '8080' default_https_port = '8443' application_version = str(pki.util.Version( pki.specification_version())) charset = string.digits + string.ascii_lowercase + string.ascii_uppercase self.deployer.main_config = configparser.SafeConfigParser({ 'application_version': application_version, 'pki_instance_name': default_instance_name, 'pki_http_port': default_http_port, 'pki_https_port': default_https_port, 'pki_dns_domainname': self.deployer.dns_domainname, 'pki_subsystem': self.deployer.subsystem_name, 'pki_subsystem_type': self.deployer.subsystem_name.lower(), 'nss_default_db_type': self.deployer.nss_db_type, 'java_home': java_home, 'home_dir': os.path.expanduser("~"), 'pki_hostname': self.deployer.hostname, 'pki_random_ajp_secret': pki.generate_password(charset, length=25) }) # Make keys case-sensitive! self.deployer.main_config.optionxform = str self.deployer.user_config = configparser.SafeConfigParser() self.deployer.user_config.optionxform = str with open(config.default_deployment_cfg) as f: self.deployer.main_config.readfp(f) self.deployer.flatten_master_dict()
def execute(self, argv): try: opts, _ = getopt.gnu_getopt(argv, 'v', ['verbose', 'help']) except getopt.GetoptError as e: print('ERROR: %s' % e) self.print_help() sys.exit(1) for o, _ in opts: if o in ('-v', '--verbose'): self.set_verbose(True) elif o == '--help': self.print_help() sys.exit() else: print('ERROR: unknown option %s' % o) self.print_help() sys.exit(1) print(pki.generate_password())
def spawn(self, deployer): logger.info(log.PKISPAWN_BEGIN_MESSAGE_2, deployer.mdict['pki_subsystem'], deployer.mdict['pki_instance_name']) instance = pki.server.PKIInstance(deployer.mdict['pki_instance_name']) instance.load() internal_token = deployer.mdict['pki_self_signed_token'] # if instance already exists and has password, reuse the password if internal_token in instance.passwords: deployer.mdict['pki_server_database_password'] = instance.passwords.get(internal_token) # otherwise, use user-provided password if specified elif deployer.mdict['pki_server_database_password']: pass # otherwise, use user-provided pin if specified elif deployer.mdict['pki_pin']: deployer.mdict['pki_server_database_password'] = deployer.mdict['pki_pin'] # otherwise, generate a random password else: deployer.mdict['pki_server_database_password'] = pki.generate_password() # generate random password for client database if not specified if not deployer.mdict['pki_client_database_password']: deployer.mdict['pki_client_database_password'] = pki.generate_password() # ALWAYS initialize 'uid' and 'gid' deployer.identity.add_uid_and_gid(deployer.mdict['pki_user'], deployer.mdict['pki_group']) # ALWAYS establish 'uid' and 'gid' deployer.identity.set_uid(deployer.mdict['pki_user']) deployer.identity.set_gid(deployer.mdict['pki_group']) # ALWAYS check FIPS mode deployer.fips.is_fips_enabled() # ALWAYS initialize HSMs (when and if present) deployer.hsm.initialize() if config.str2bool(deployer.mdict['pki_skip_installation']): logger.info('Skipping initialization') return else: logger.info('Initialization') # Verify that the subsystem already exists for the following cases: # - External CA/KRA/OCSP (Step 2) # - Stand-alone PKI (Step 2) # - Two-step installation (Step 2) if (deployer.subsystem_name in ['CA', 'KRA', 'OCSP'] or config.str2bool(deployer.mdict['pki_standalone'])) and \ config.str2bool(deployer.mdict['pki_external_step_two']) or \ config.str2bool(deployer.mdict['pki_skip_installation']): deployer.instance.verify_subsystem_exists() deployer.mdict['pki_skip_installation'] = "True" else: # verify that this type of "subsystem" does NOT yet # exist for this "instance" deployer.instance.verify_subsystem_does_not_exist() # detect and avoid any namespace collisions deployer.namespace.collision_detection() # verify existence of SENSITIVE configuration file data deployer.configuration_file.verify_sensitive_data() # verify existence of MUTUALLY EXCLUSIVE configuration file data deployer.configuration_file.verify_mutually_exclusive_data() # verify existence of PREDEFINED configuration file data deployer.configuration_file.verify_predefined_configuration_file_data() # verify selinux context of selected ports deployer.configuration_file.populate_non_default_ports() deployer.configuration_file.verify_selinux_ports() # If secure DS connection is required, verify parameters deployer.configuration_file.verify_ds_secure_connection_data()
def spawn(self, deployer): if config.str2bool(deployer.mdict['pki_skip_installation']): logger.info('Skipping instance creation') return logger.info('Preparing %s instance', deployer.mdict['pki_instance_name']) instance = self.instance instance.load() instance_conf_path = deployer.mdict['pki_instance_configuration_path'] logger.info('Creating %s', instance_conf_path) instance.makedirs(instance_conf_path, force=True) logger.info('Creating %s', deployer.mdict['pki_shared_password_conf']) # Configuring internal token password internal_token = deployer.mdict['pki_self_signed_token'] if not pki.nssdb.normalize_token(internal_token): internal_token = pki.nssdb.INTERNAL_TOKEN_NAME # If instance already exists and has password, reuse the password if internal_token in instance.passwords: logger.info('Reusing server NSS database password') deployer.mdict['pki_server_database_password'] = instance.passwords.get(internal_token) # Otherwise, use user-provided password if specified elif deployer.mdict['pki_server_database_password']: logger.info('Using specified server NSS database password') # Otherwise, use user-provided pin if specified elif deployer.mdict['pki_pin']: logger.info('Using specified PIN as server NSS database password') deployer.mdict['pki_server_database_password'] = deployer.mdict['pki_pin'] # Otherwise, generate a random password else: logger.info('Generating random server NSS database password') deployer.mdict['pki_server_database_password'] = pki.generate_password() instance.passwords[internal_token] = deployer.mdict['pki_server_database_password'] # Configuring HSM password if config.str2bool(deployer.mdict['pki_hsm_enable']): hsm_token = deployer.mdict['pki_token_name'] instance.passwords['hardware-%s' % hsm_token] = deployer.mdict['pki_token_password'] # Configuring internal database password if 'internaldb' in instance.passwords: logger.info('Reusing internal database password') deployer.mdict['pki_ds_password'] = instance.passwords.get('internaldb') else: logger.info('Using specified internal database password') instance.passwords['internaldb'] = deployer.mdict['pki_ds_password'] # Configuring replication manager password # Bug #430745 Create separate password for replication manager # Use user-provided password if specified if 'replicationdb' in instance.passwords: logger.info('Reusing replication manager password') elif deployer.mdict['pki_replication_password']: logger.info('Using specified replication manager password') instance.passwords['replicationdb'] = deployer.mdict['pki_replication_password'] else: logger.info('Generating random replication manager password') instance.passwords['replicationdb'] = pki.generate_password() instance.store_passwords() # if this is not the first subsystem, skip if len(deployer.instance.tomcat_instance_subsystems()) != 1: logger.info('Installing %s instance', deployer.mdict['pki_instance_name']) return deployer.directory.create(deployer.mdict['pki_instance_log_path']) shared_conf_path = deployer.mdict['pki_source_server_path'] # Copy /usr/share/pki/server/conf/tomcat.conf to # /var/lib/pki/<instance>/conf/tomcat.conf. deployer.file.copy_with_slot_substitution( os.path.join(shared_conf_path, 'tomcat.conf'), os.path.join(instance_conf_path, 'tomcat.conf')) # Copy /usr/share/pki/server/conf/server.xml # to /etc/pki/<instance>/server.xml. deployer.file.copy_with_slot_substitution( deployer.mdict['pki_source_server_xml'], deployer.mdict['pki_target_server_xml'], overwrite_flag=True) # Link /etc/pki/<instance>/catalina.properties # to /usr/share/pki/server/conf/catalina.properties. logger.info('Creating %s', os.path.join(instance_conf_path, 'catalina.properties')) instance.symlink( os.path.join(shared_conf_path, 'catalina.properties'), os.path.join(instance_conf_path, 'catalina.properties'), force=True) # Link /etc/pki/<instance>/context.xml # to /usr/share/tomcat/conf/context.xml. logger.info('Creating %s', instance.context_xml) context_xml = os.path.join(pki.server.Tomcat.CONF_DIR, 'context.xml') instance.symlink(context_xml, instance.context_xml, force=True) # Link /etc/pki/<instance>/logging.properties # to /usr/share/pki/server/conf/logging.properties. logger.info('Creating %s', os.path.join(instance_conf_path, 'logging.properties')) instance.symlink( os.path.join(shared_conf_path, 'logging.properties'), os.path.join(instance_conf_path, 'logging.properties'), force=True) # create /etc/sysconfig/<instance> deployer.file.copy_with_slot_substitution( deployer.mdict['pki_source_tomcat_conf'], deployer.mdict['pki_target_tomcat_conf_instance_id'], overwrite_flag=True) # create /var/lib/pki/<instance>/conf/tomcat.conf deployer.file.copy_with_slot_substitution( deployer.mdict['pki_source_tomcat_conf'], deployer.mdict['pki_target_tomcat_conf'], overwrite_flag=True) # Link /etc/pki/<instance>/web.xml # to /usr/share/tomcat/conf/web.xml. logger.info('Creating %s', instance.web_xml) web_xml = os.path.join(pki.server.Tomcat.CONF_DIR, 'web.xml') instance.symlink(web_xml, instance.web_xml, force=True) catalina_dir = os.path.join(instance_conf_path, 'Catalina') logger.info('Creating %s', catalina_dir) instance.makedirs(catalina_dir, force=True) localhost_dir = os.path.join(catalina_dir, 'localhost') logger.info('Creating %s', localhost_dir) instance.makedirs(localhost_dir, force=True) logger.info('Deploying ROOT web application') instance.deploy_webapp( "ROOT", os.path.join( shared_conf_path, "Catalina", "localhost", "ROOT.xml")) logger.info('Deploying /pki web application') # Deploy pki web application which includes themes, # admin templates, and JS libraries instance.deploy_webapp( "pki", os.path.join( shared_conf_path, "Catalina", "localhost", "pki.xml")) instance.with_maven_deps = deployer.with_maven_deps instance.create_libs(force=True) deployer.directory.create(deployer.mdict['pki_tomcat_tmpdir_path']) deployer.directory.create(deployer.mdict['pki_tomcat_work_path']) deployer.directory.create(deployer.mdict['pki_tomcat_work_catalina_path']) deployer.directory.create(deployer.mdict['pki_tomcat_work_catalina_host_path']) deployer.directory.create(deployer.mdict['pki_tomcat_work_catalina_host_run_path']) deployer.directory.create(deployer.mdict['pki_tomcat_work_catalina_host_subsystem_path']) # establish Tomcat instance logs # establish Tomcat instance registry # establish Tomcat instance convenience symbolic links deployer.symlink.create( deployer.mdict['pki_tomcat_bin_path'], deployer.mdict['pki_tomcat_bin_link']) # create systemd links deployer.symlink.create( deployer.mdict['pki_tomcat_systemd'], deployer.mdict['pki_instance_systemd_link'], uid=0, gid=0) user = deployer.mdict['pki_user'] group = deployer.mdict['pki_group'] if user != 'pkiuser' or group != 'pkiuser': deployer.systemd.set_override( 'Service', 'User', user, 'user.conf') deployer.systemd.set_override( 'Service', 'Group', group, 'user.conf') deployer.systemd.write_overrides() deployer.systemd.daemon_reload() deployer.symlink.create( instance_conf_path, deployer.mdict['pki_instance_conf_link']) deployer.symlink.create( deployer.mdict['pki_instance_log_path'], deployer.mdict['pki_instance_logs_link']) # create Tomcat instance systemd service link deployer.symlink.create(deployer.mdict['pki_systemd_service'], deployer.mdict['pki_systemd_service_link']) # create instance registry deployer.file.copy_with_slot_substitution( deployer.mdict['pki_source_registry'], os.path.join(deployer.mdict['pki_instance_registry_path'], deployer.mdict['pki_instance_name']), overwrite_flag=True)
def spawn(self, deployer): logger.info(log.PKISPAWN_BEGIN_MESSAGE_2, deployer.mdict['pki_subsystem'], deployer.mdict['pki_instance_name']) instance = pki.server.PKIInstance(deployer.mdict['pki_instance_name']) instance.load() internal_token = deployer.mdict['pki_self_signed_token'] if not pki.nssdb.normalize_token(internal_token): internal_token = pki.nssdb.INTERNAL_TOKEN_NAME # if instance already exists and has password, reuse the password if internal_token in instance.passwords: logger.info('Reusing server NSS database password') deployer.mdict[ 'pki_server_database_password'] = instance.passwords.get( internal_token) # otherwise, use user-provided password if specified elif deployer.mdict['pki_server_database_password']: logger.info('Using specified server NSS database password') # otherwise, use user-provided pin if specified elif deployer.mdict['pki_pin']: logger.info('Using specified PIN as server NSS database password') deployer.mdict['pki_server_database_password'] = deployer.mdict[ 'pki_pin'] # otherwise, generate a random password else: logger.info('Generating random server NSS database password') deployer.mdict[ 'pki_server_database_password'] = pki.generate_password() # generate random password for client database if not specified if not deployer.mdict['pki_client_database_password']: deployer.mdict[ 'pki_client_database_password'] = pki.generate_password() # ALWAYS initialize 'uid' and 'gid' deployer.identity.add_uid_and_gid(deployer.mdict['pki_user'], deployer.mdict['pki_group']) # ALWAYS establish 'uid' and 'gid' deployer.identity.set_uid(deployer.mdict['pki_user']) deployer.identity.set_gid(deployer.mdict['pki_group']) # ALWAYS check FIPS mode deployer.fips.is_fips_enabled() # ALWAYS initialize HSMs (when and if present) deployer.hsm.initialize() if config.str2bool(deployer.mdict['pki_skip_installation']): logger.info('Skipping initialization') return else: logger.info('Initialization') # Verify that the subsystem already exists for the following cases: # - External CA/KRA/OCSP (Step 2) # - Stand-alone PKI (Step 2) # - Two-step installation (Step 2) if (deployer.subsystem_name in ['CA', 'KRA', 'OCSP'] or config.str2bool(deployer.mdict['pki_standalone'])) and \ config.str2bool(deployer.mdict['pki_external_step_two']) or \ config.str2bool(deployer.mdict['pki_skip_installation']): deployer.instance.verify_subsystem_exists() deployer.mdict['pki_skip_installation'] = "True" else: # verify that this type of "subsystem" does NOT yet # exist for this "instance" deployer.instance.verify_subsystem_does_not_exist() # detect and avoid any namespace collisions deployer.namespace.collision_detection() # verify existence of SENSITIVE configuration file data deployer.configuration_file.verify_sensitive_data() # verify existence of MUTUALLY EXCLUSIVE configuration file data deployer.configuration_file.verify_mutually_exclusive_data() # verify existence of PREDEFINED configuration file data deployer.configuration_file.verify_predefined_configuration_file_data() # verify selinux context of selected ports deployer.configuration_file.populate_non_default_ports() deployer.configuration_file.verify_selinux_ports() # If secure DS connection is required, verify parameters deployer.configuration_file.verify_ds_secure_connection_data()