From mharmsen at redhat.com Wed May 1 03:38:10 2013 
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Tue, 30 Apr 2013 20:38:10 -0700
Subject: [Pki-devel] Dogtag 10.0.2 'pki-core' packages test scenarios
Message-ID: <51808E22.4060406@redhat.com>

The following test scenarios have been run successfully on Dogtag 10.0.2:

* Default installation and REST configuration of CA, KRA, OCSP, and TKS
  instances within a single Tomcat 7 PKI instance:

  o pkispawn -s CA -f ca.cfg
    + where 'ca.cfg' contains:

        [DEFAULT]
        pki_admin_password=XXXXXXXX
        pki_client_pkcs12_password=XXXXXXXX
        pki_ds_password=XXXXXXXX
        pki_security_domain_password=XXXXXXXX

  o pkispawn -s KRA -f kra.cfg
    + where 'kra.cfg' contains:

        [DEFAULT]
        pki_admin_password=XXXXXXXX
        pki_client_database_password=XXXXXXXX
        pki_client_pkcs12_password=XXXXXXXX
        pki_ds_password=XXXXXXXX
        pki_security_domain_password=XXXXXXXX

  o pkispawn -s OCSP -f ocsp.cfg
    + where 'ocsp.cfg' contains:

        [DEFAULT]
        pki_admin_password=XXXXXXXX
        pki_client_database_password=XXXXXXXX
        pki_client_pkcs12_password=XXXXXXXX
        pki_ds_password=XXXXXXXX
        pki_security_domain_password=XXXXXXXX

  o pkispawn -s TKS -f tks.cfg
    + where 'tks.cfg' contains:

        [DEFAULT]
        pki_admin_password=XXXXXXXX
        pki_client_database_password=XXXXXXXX
        pki_client_pkcs12_password=XXXXXXXX
        pki_ds_password=XXXXXXXX
        pki_security_domain_password=XXXXXXXX

    Since a TKS must remain FIPS-compliant, the following post-configuration
    steps are also necessary:

        # cat /var/lib/pki/pki-tomcat/conf/password.conf
        # tkstool -T -d /var/lib/pki/pki-tomcat/alias -n sharedSecret
        # stty sane
        # /bin/systemctl restart pki-tomcatd@pki-tomcat.service

* Default installation and legacy GUI browser configuration of CA, KRA, OCSP,
  and TKS instances within separate Tomcat 7 PKI instances:

  o pkispawn -s CA -f ca.cfg
    + where 'ca.cfg' contains:

        [DEFAULT]
        pki_admin_password=XXXXXXXX
        pki_client_pkcs12_password=XXXXXXXX
        pki_ds_password=XXXXXXXX
        pki_security_domain_password=XXXXXXXX
        pki_skip_configuration=True

  o CA instance is configured via the legacy GUI browser configuration

    For a CA instance which has been configured via the legacy GUI browser
    interface, the following post-configuration steps are necessary:

        # /bin/systemctl restart pki-tomcatd@pki-tomcat.service

  o pkispawn -s KRA -f kra.cfg
    + where 'kra.cfg' contains:

        [DEFAULT]
        pki_admin_password=XXXXXXXX
        pki_client_database_password=XXXXXXXX
        pki_client_pkcs12_password=XXXXXXXX
        pki_ds_password=XXXXXXXX
        pki_http_port=28080
        pki_https_port=28443
        pki_instance_name=pki-tomcat-kra
        pki_security_domain_password=XXXXXXXX
        pki_skip_configuration=True
        [Tomcat]
        pki_ajp_port=28009
        pki_tomcat_server_port=28005
        [KRA]
        pki_import_admin_cert=False

  o KRA instance is configured via the legacy GUI browser configuration

    For a KRA instance which has been configured via the legacy GUI browser
    interface, the following post-configuration steps are necessary:

        # /bin/systemctl restart pki-tomcatd@pki-tomcat-kra.service

  o pkispawn -s OCSP -f ocsp.cfg
    + where 'ocsp.cfg' contains:

        [DEFAULT]
        pki_admin_password=XXXXXXXX
        pki_client_database_password=XXXXXXXX
        pki_client_pkcs12_password=XXXXXXXX
        pki_ds_password=XXXXXXXX
        pki_http_port=29080
        pki_https_port=29443
        pki_instance_name=pki-tomcat-ocsp
        pki_security_domain_password=XXXXXXXX
        pki_skip_configuration=True
        [Tomcat]
        pki_ajp_port=29009
        pki_tomcat_server_port=29005
        [OCSP]
        pki_import_admin_cert=False

  o OCSP instance is configured via the legacy GUI browser configuration

    For an OCSP instance which has been configured via the legacy GUI browser
    interface, the following post-configuration steps are necessary:

        # /bin/systemctl restart pki-tomcatd@pki-tomcat-ocsp.service

    Additionally, whenever an OCSP instance is installed as a standalone PKI
    Tomcat instance that is separate from the CA instance, the CA instance
    needs to reset publishing in the CA so that the OCSP will obtain the
    updates. Therefore, the following additional post-configuration steps are
    necessary (restart the CA):

        # /bin/systemctl restart pki-tomcatd@pki-tomcat.service

    By default, since the REST configuration process restarts the PKI Tomcat
    instance at the end of its configuration, both the CA instance and the
    OCSP instance will be restarted since they are the same instance.

  o pkispawn -s TKS -f tks.cfg
    + where 'tks.cfg' contains:

        [DEFAULT]
        pki_admin_password=XXXXXXXX
        pki_client_database_password=XXXXXXXX
        pki_client_pkcs12_password=XXXXXXXX
        pki_ds_password=XXXXXXXX
        pki_http_port=30080
        pki_https_port=30443
        pki_instance_name=pki-tomcat-tks
        pki_security_domain_password=XXXXXXXX
        pki_skip_configuration=True
        [Tomcat]
        pki_ajp_port=30009
        pki_tomcat_server_port=30005
        [TKS]
        pki_import_admin_cert=False

  o TKS instance is configured via the legacy GUI browser configuration

    For a TKS instance which has been configured via the legacy GUI browser
    interface, the following post-configuration steps are necessary:

        # /bin/systemctl restart pki-tomcatd@pki-tomcat-tks.service

    Additionally, since a TKS must remain FIPS-compliant, the following
    post-configuration steps are also necessary:

        # cat /var/lib/pki/pki-tomcat-tks/conf/password.conf
        # tkstool -T -d /var/lib/pki/pki-tomcat-tks/alias -n sharedSecret
        # stty sane
        # /bin/systemctl restart pki-tomcatd@pki-tomcat-tks.service

ADDITIONAL TEST NOTES for legacy GUI browser configurations:

* For KRA, OCSP, and TKS, the 'pki_import_admin_cert=False' parameter was
  specified so that a single browser profile could be utilized to configure
  and test all four PKI subsystems (CA, KRA, OCSP, and TKS).

* When selecting ports for KRA, OCSP, and TKS, it was discovered that an
  SELinux conflict occurred if ports were selected higher than 32768, since
  these are of type 'ephemeral_port_t' and cannot be re-labeled without an
  additional procedure:

        # semanage -l port | grep ephemeral
        ephemeral_port_t               tcp      32768-61000
        ephemeral_port_t               udp      32768-61000

* When configuring the KRA, OCSP, and TKS, in order to obtain the CA security
  domain URL required by the 'Join an Existing Security Domain' option on the
  'Security Domain' panel, the following command was utilized:

        # pkidaemon status tomcat pki-tomcat

* Unlike the default 'pki_security_domain_user=caadmin' utilized by the REST
  configuration, the KRA, OCSP, and TKS legacy GUI browser configurations
  utilized 'admin' rather than 'caadmin' as the 'Uid:' entry on the
  'Security Domain ( Domain) Login' panel.

* For convenience, when configuring the CA, KRA, OCSP, and TKS the 'Remove the
  existing data from the Base DN shown above.' checkbox option was checked on
  the 'Internal Database' panel.


From: cfu at redhat.com (Christina Fu)
Date: Wed, 01 May 2013 11:50:56 -0700
Subject: [Pki-devel] Request for review: Bug 952500 - CMCAuth fails with error "CMCAuth: java.security.NoSuchAlgorithmException" when using NetHSM token
Message-ID: <51816410.20709@redhat.com>

The following are the patches for fixing:

Bug 952500 - CMCAuth fails with error "CMCAuth:
java.security.NoSuchAlgorithmException" when using NetHSM token

  * https://bugzilla.redhat.com/attachment.cgi?id=742274&action=diff&context=patch&collapsed=&headers=1&format=raw
  * https://bugzilla.redhat.com/attachment.cgi?id=742316&action=diff&context=patch&collapsed=&headers=1&format=raw

Please review.

thanks,
Christina
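The port constraints from the test notes above can be checked before pkispawn is ever run. The following is an added example, not part of this thread or of Dogtag's own tooling: it parses configs of the shape shown for kra.cfg/ocsp.cfg/tks.cfg, flags ports inside the ephemeral_port_t range quoted in the SELinux note, and flags ports reused across instances. The sample configs, including the deliberately wrong third one, are constructed for the example.

```python
"""Sanity-check pkispawn configuration files before spawning instances.

Added example, not part of the pki-devel thread or of Dogtag's tooling.
It parses pkispawn-style INI files and reports two things the test
scenarios above call out: ports inside SELinux's ephemeral_port_t range
(32768-61000 per the semanage output quoted in the test notes) and port
numbers reused between instances.
"""
import configparser

# Range reported by 'semanage -l port | grep ephemeral' in the test notes.
EPHEMERAL_RANGE = (32768, 61000)

# Port keys used in the kra.cfg/ocsp.cfg/tks.cfg samples, by the section
# pkispawn reads them from.
PORT_KEYS = {
    "DEFAULT": ("pki_http_port", "pki_https_port"),
    "Tomcat": ("pki_ajp_port", "pki_tomcat_server_port"),
}

# Constructed sample configs modelled on the thread's kra.cfg and ocsp.cfg;
# the third is deliberately wrong: its HTTPS port falls in the ephemeral
# range and its AJP port collides with the KRA's.
SAMPLE_CONFIGS = {
    "kra.cfg": """\
[DEFAULT]
pki_admin_password=XXXXXXXX
pki_ds_password=XXXXXXXX
pki_http_port=28080
pki_https_port=28443
pki_instance_name=pki-tomcat-kra
pki_skip_configuration=True
[Tomcat]
pki_ajp_port=28009
pki_tomcat_server_port=28005
[KRA]
pki_import_admin_cert=False
""",
    "ocsp.cfg": """\
[DEFAULT]
pki_admin_password=XXXXXXXX
pki_ds_password=XXXXXXXX
pki_http_port=29080
pki_https_port=29443
pki_instance_name=pki-tomcat-ocsp
[Tomcat]
pki_ajp_port=29009
pki_tomcat_server_port=29005
""",
    "tks-bad.cfg": """\
[DEFAULT]
pki_admin_password=XXXXXXXX
pki_ds_password=XXXXXXXX
pki_http_port=30080
pki_https_port=40443
pki_instance_name=pki-tomcat-tks
[Tomcat]
pki_ajp_port=28009
pki_tomcat_server_port=30005
""",
}


def load_ports(text):
    """Return {(section, key): port} for every port key present in one cfg."""
    # interpolation=None: pkispawn values such as passwords may contain '%'
    # (cf. ticket #493 in the 10.0.2 changelog), which would otherwise trip
    # configparser's '%(name)s' substitution.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    ports = {}
    for section, keys in PORT_KEYS.items():
        if section == "DEFAULT":
            source = cfg.defaults()
        elif cfg.has_section(section):
            source = cfg[section]
        else:
            continue
        for key in keys:
            if key in source:
                ports[(section, key)] = int(source[key])
    return ports


def check_configs(configs):
    """Return a list of findings (strings) across all cfg files, in file order."""
    findings = []
    first_use = {}  # port -> (file, key) that claimed it first
    lo, hi = EPHEMERAL_RANGE
    for name, text in configs.items():
        for (_section, key), port in load_ports(text).items():
            if lo <= port <= hi:
                findings.append(
                    f"{name}: {key}={port} lies in ephemeral_port_t range {lo}-{hi}")
            if port in first_use:
                other, other_key = first_use[port]
                findings.append(
                    f"{name}: {key}={port} already used by {other} ({other_key})")
            else:
                first_use[port] = (name, key)
    return findings


if __name__ == "__main__":
    for finding in check_configs(SAMPLE_CONFIGS):
        print(finding)
```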
From: jmagne at redhat.com (John Magne)
Date: Wed, 1 May 2013 16:46:04 -0400 (EDT)
Subject: [Pki-devel] Request for review: Bug 952500 - CMCAuth fails with error "CMCAuth: java.security.NoSuchAlgorithmException" when using NetHSM token
In-Reply-To: <51816410.20709@redhat.com>
References: <51816410.20709@redhat.com>
Message-ID: <52848590.4718726.1367441164106.JavaMail.root@redhat.com>

Conditional ACK, minor comment below:

Comments for patch #1

// if thread token has been set, use it
CryptoToken token = CryptoManager.getInstance()
- .getInternalCryptoToken();
+ .getThreadToken();
+ if (token.getName().equals( CryptoManager.getInstance()
+ .getInternalKeyStorageToken().getName())) {
+ token =
+ CryptoManager.getInstance().getInternalCryptoToken();
+ }
Signature sig = token.getSignatureContext(sigAlg);

This same piece of code is added in 4 places identically. I fully realize it
is a pretty small block, but I think it could benefit from being a small
method.

Patch #2 is fine.

----- Original Message -----
From: "Christina Fu"
To: "pki-devel"
Sent: Wednesday, May 1, 2013 11:50:56 AM
Subject: [Pki-devel] Request for review: Bug 952500 - CMCAuth fails with error "CMCAuth: java.security.NoSuchAlgorithmException" when using NetHSM token

The following are the patches for fixing:

Bug 952500 - CMCAuth fails with error "CMCAuth:
java.security.NoSuchAlgorithmException" when using NetHSM token

  * https://bugzilla.redhat.com/attachment.cgi?id=742274&action=diff&context=patch&collapsed=&headers=1&format=raw
  * https://bugzilla.redhat.com/attachment.cgi?id=742316&action=diff&context=patch&collapsed=&headers=1&format=raw

Please review.

thanks,
Christina
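Review bot: the `+ if (token.getName().equals( CryptoManager.getInstance()` branch swaps the internal key storage token for the internal crypto token by comparing token names, and nothing in the hunk says why that swap is needed before `Signature sig = token.getSignatureContext(sigAlg);`; when the four identical copies are folded into the small method suggested above, fetch `CryptoManager.getInstance()` once instead of three times and put a comment on the swap there, so the change of default away from `.getInternalCryptoToken()` stays reviewable in one place.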
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Thu, 02 May 2013 11:21:18 -0700
Subject: [Pki-devel] [PATCH] Fix 'pkiconsole' to work on Fedora 19
Message-ID: <5182AE9E.4040900@redhat.com>

Please review the attached patch which addresses 'pkiconsole' not working on
Fedora 19:

  * TRAC Ticket #602 - pkiconsole cannot find 'jss4.jar' on Fedora 19

This patch has been tested on both Fedora 18 (to avoid any regressions) and
on Fedora 19 Alpha.

[Attachment: 20130502-Fixed-pkiconsole-to-work-on-Fedora-19.patch (text/x-patch, 993 bytes)]
From: alee at redhat.com (Ade Lee)
Date: Thu, 02 May 2013 22:09:29 -0400
Subject: [Pki-devel] Announcing the release of Dogtag 10.0.2
Message-ID: <1367546969.7810.35.camel@aleeredhat.laptop>

The Dogtag team is proud to announce the second errata build for Dogtag
v10.0.0. Builds are available for Fedora 18 and Fedora 19 in the
updates-testing repo. Please try it out and provide karma to move them to the
F18 and F19 stable repos.

Daily developer builds for Fedora 17, 18 and 19 are available at
http://nkinder.fedorapeople.org/dogtag-devel/fedora/

== Build Versions ==

pki-core-10.0.2-2
pki-ra-10.0.2-2
pki-tps-10.0.2-2
dogtag-pki-10.0.2-1
dogtag-pki-theme-10.0.2-1
pki-console-10.0.2-2

== Highlights since Dogtag v. 10.0.1 ==

* A new Python client framework has been written to connect to the restful
  interface on the java subsystems. This interface was used for some
  installation functionality and will continue to be expanded.

* pkispawn and pkidestroy were modified to use the new Python client
  framework and the dependency on jython was eliminated.

* The installation interfaces were changed so that most of the installation
  interactions take place over the admin interface.

* New command line parameters have been added to pkidestroy to provide the
  username and password of the security domain administrator to update the
  security domain. Formerly, no credentials were required because we used the
  subsystem certificate of the subsystem for authentication. The new method
  provides better auditing as to exactly who is de-registering and removing a
  subsystem. As such, use of the new options is recommended, and will be made
  mandatory in a future release.

* Although it is possible to run Dogtag 9 style instances on Dogtag 10, these
  instances do not have the required configuration to expose the RESTful
  interface. A new servlet has been added to return 501 (Not implemented) on
  these instances when the REST URLs are accessed. This is only applicable on
  Fedora 18 (See Fedora 19 note below).

* A new interactive mode has been added to pkispawn and pkidestroy. In this
  mode, users are prompted for details in order to set up the most basic
  servers. Any customizations would still need to be done through
  configuration files. Interactive mode is an excellent way for users to set
  up a server and become familiar with Dogtag.

* Support has been added for the random generation of serial numbers for
  certificates issued. More details about this feature and how to enable it
  can be found here:
  http://pki.fedoraproject.org/wiki/Random_Certificate_Serial_Numbers

* Nonces are used in Dogtag to prevent cross-site request forgery and replay
  attack, but they were stored in a global list. To prevent possible
  collisions with other users' nonces, they are now stored in each user's
  session.

* Previously, session IDs were generated using /dev/random, which may block
  under certain circumstances, making server startup slow. To avoid this, the
  server configuration has been changed to use PKCS11PRNG provided by JSS.

* A new upgrade framework has been added to allow instances to be
  automatically upgraded when new packages are installed. This framework will
  be used to eventually remove the need for migrations between releases. The
  upgrade scripts are invoked by postinstall scriptlets in the pki-base and
  pki-server packages. On completing an upgrade, users should check the
  upgrade logs in /var/log/pki/pki-upgrade-*.log and
  /var/log/pki/pki-server-upgrade-*.log for any errors. The upgrade scripts
  (pki-upgrade and pki-server-upgrade) can also be run manually. Additional
  troubleshooting information can be found at:
  http://pki.fedoraproject.org/wiki/Upgrade

* A new CLI has been added to simplify client certificate management
  including importing and trusting CA certificates.

* Previously, the pki CLI tool used the same parameter (-w) to specify both
  user and client certificate database passwords. The CLI has been modified
  to use a new parameter (-c) for the database password, and -w for the user
  password.

* Multiple additional fixes to pkispawn, pkidestroy, pki and their man pages.

== Notes on Fedora 19 ==

Fedora 19 does not provide tomcat 6. Dogtag 9 style instances will therefore
no longer work on Fedora 19. These instances need to be migrated to Dogtag
10. To prevent inadvertently disabling Dogtag instances, code has been added
to prevent upgrades to Fedora 19 if Dogtag 9 instances exist.

Details on how to upgrade Dogtag 9 instances and workarounds can be found at:
http://pki.fedoraproject.org/wiki/Migrating_Dogtag_9_Instances_to_Dogtag_10

== Detailed Changes since Dogtag v. 10.0.1 ==

akoneru (23):
    #191 Map REST exceptions to HTTP status codes
    #217 CLI should display message on operations that complete with error
    #290 Add hints to option descriptions for cert-find cli command
    #383 Extend coverity tests to scan other subsystems (TPS, etc.)
    #452 Dogtag 10: Fix minor RA and TPS Configuration Wizard Panel issues
    #465 Verify 'pki_backup_keys=True' if 'pki_backup_password' is set
    #470 Prevent concurrent execution of pkispawn/pkidestroy
    #471 Update man pages for interactive pkispawn/pkidestroy
    #493 interpolation in pkispawn scripts should not apply to passwords
    #502 Change pkidestroy "-w" option to require a password file
    #507 Mark pki.conf as configuration file in RPM spec
    #509 man page for pkispawn should be modified to specify pki_ca_signing_subject_dn when setting up subordinate CA
    #514 Clean up pkispawn output
    #521 Separate python deployment engine from python deployment scriptlets source code
    #525 Incorrect info in pkispawn man page
    #536 Catch keyboard interrupt
    #542 Remove all "respawn()" logic from "pkispawn"
    #543 Incorrect user-show usage.
    #549 PKCS10Client tool throws java exception NoClassDefFoundError
    #563 Use timeout in configuration script
    #566 Mask sensitive parameters in archived config
    #592 pkispawn not reporting the error message when exceptions are thrown
    #593 Error caused by JSON Configuration result decoding when installing CA clone

alee (9):
    #232 add python binding for pkispawn/ pkidestroy
    #419 REST interface for cert requests
    #532 refactor pkispawn to use new python client
    #546 Upgrade script for clone installation
    #564 Rename base/deploy to base/server
    #589 dependency needed for java-atk-wrapper in f19
    #578 Rest API does not work on d9 -> d10 upgrade instances
    #590 pki-base needs to deliver /var/log/pki
    #597 Create 10.0.2 builds

awnuk (7):
    #569 Port support for random certificate serial numbers to Dogtag 10
    #570 Port patch allowing to support random certificate serial numbers for system certificates to Dogtag 10
    #579 Port patch allowing to clone CA with random serial number enabled.
    #580 Port patch allowing to restart CA clone during configuration change to random serial numbers.
    #584 Port patch including system certificates with random serial numbers in the certificate counter.
    BZ 955784 - Correct Javascript inability to handle big numbers
    BZ 951501 - Corrects key IDs miscalculated by Javascript

cfu (6):
    BZ 929043 - serverCert.profile with SAN results in SubjectAltNameException
    BZ 927545 - Transport Cert signing Algorithm doesn't show ECC Signing Algorithm
    BZ 904289 - Add ECC Support to Certificate Profiles
    BZ 902952 - RFE: Revocation routing with TPS and multiple non-cloned CAs
    BZ 903401 - TMS: RSA token enrollment failed : public key decode error
    #362 CMC ECC

edewata (24):
    #190 REST interface for user-group membership.
    #291 Fix format of validityUnit option in cert-find command
    #380 default install: part 2
    #472 pkispawn should test DS info
    #473 pkispawn should test security domain info
    #474 Session-based nonces
    #476 Limit username & password authentication
    #477 Annotation for authentication methods
    #491 Prompt CLI user on certificate warnings.
    #497 Date format for cert-find
    #498 [RFE] Add dates to cert-find output
    #500 validityCount option returns 500 error
    #501 Add cert status option to cert-find
    #503 Dogtag 10: Security Domain Issues
    #511 Add cert-request-show command.
    #520 CLI returns 0 on error
    #523 Add CLI option to capture HTTP data
    #524 Tomcat blocks during startup
    #535 python-requests compatibility problem
    #541 Use FQDN instead of localhost in CLI
    #544 Implement upgrade framework
    #545 Upgrade script for random number generator
    #553 pki.conf needs to be delivered by pki-base
    #598 Upgrade script for JNI_JAR_DIR

jmagne (1):
    #587 ipa-server-install crashes due to sslget error

mharmsen (7):
    #409 Add pkispawn option to not copy the UI pieces (gifs, templates).
    #488 Dogtag 10: Fix cli 'cert-find' clientAuth issue
    #517 Clean up theme dependencies
    #518 Remove UI dependencies from pkispawn
    #602 pkiconsole cannot find 'jss4.jar' on Fedora 19
    BZ 947524 - Clone installation does not work over NAT
    BZ 919476 - pkispawn crashes due to dangling symlink to jss4.jar
From: jdennis at redhat.com (John Dennis)
Date: Fri, 03 May 2013 09:49:19 -0400
Subject: [Pki-devel] [Pki-announce] Announcing the release of Dogtag 10.0.2
In-Reply-To: <1367546969.7810.35.camel@aleeredhat.laptop>
References: <1367546969.7810.35.camel@aleeredhat.laptop>
Message-ID: <5183C05F.1070300@redhat.com>

On 05/02/2013 10:09 PM, Ade Lee wrote:
> The Dogtag team is proud to announce the second errata build for
> Dogtag v10.0.0.

Just wanted to say the CS team is doing great work. Thanks for all these
improvements!

John

-- 
John Dennis
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


From: alee at redhat.com (Ade Lee)
Date: Sat, 04 May 2013 03:45:43 -0400
Subject: [Pki-devel] [PATCH] 131 - Fix tests in pkispawn to use legacy URLs.
Message-ID: <1367653543.28606.36.camel@aleeredhat.laptop>

Here's the changelog:

    When setting up clones or non-CA subsystems, pkispawn checks if
    the security domain is accessible and if the user can log in.
    These calls invoke REST URIs, which are not available on older
    subsystems. To support these subsystems, we need to attempt the
    older legacy servlets if the REST APIs are not available.

    Ticket #604

This is breaking IPA replica installs because the new URLs are not exposed
through the proxy config. Even if this is fixed, it will be broken for old
servers.

The output of getDomainXML is pretty messed up and I'll open a ticket to fix
it, but given that it appears to be parsed correctly wherever it's being
used, we can fix it later when we have time to test everything.

Please review,
Ade

[Attachment: pki-vakwetu-0131-Fix-tests-in-pkispawn-to-use-legacy-URLs-as-fallback.patch (text/x-patch, 3437 bytes)]
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sat, 04 May 2013 09:16:52 -0500
Subject: [Pki-devel] [PATCH] 131 - Fix tests in pkispawn to use legacy URLs.
In-Reply-To: <1367653543.28606.36.camel@aleeredhat.laptop>
References: <1367653543.28606.36.camel@aleeredhat.laptop>
Message-ID: <51851854.20702@redhat.com>

On 5/4/2013 2:45 AM, Ade Lee wrote:
> Here's the changelog:
>
> When setting up clones or non-CA subsystems, pkispawn checks if
> the security domain is accessible and if the user can log in.
> These calls invoke REST URIs, which are not available on older
> subsystems. To support these subsystems, we need to attempt the
> older legacy servlets if the REST APIs are not available.
>
> Ticket #604
>
> This is breaking IPA replica installs because the new URLs are not
> exposed through the proxy config. Even if this is fixed, it will be
> broken for old servers.
>
> The output of getDomainXML is pretty messed up and I'll open a ticket to
> fix it, but given that it appears to be parsed correctly wherever it's
> being used, we can fix it later when we have time to test everything.

Question, on Dogtag 9 instance wouldn't all REST calls return 501 (Not
Implemented)? So when calling the login() should we check for 501 instead of
404? Or are we dealing with 2 possible Dogtag 9 instances: upgraded and not?

Another possible solution is to return the server version in the DomainInfo,
then if it's not version 10 we skip the login() call.

Everything else looks fine. If this turns out to be not an issue, ACK.

-- 
Endi S. Dewata
From: alee at redhat.com (Ade Lee)
Date: Sat, 04 May 2013 14:55:26 -0400
Subject: [Pki-devel] [PATCH] 131 - Fix tests in pkispawn to use legacy URLs.
In-Reply-To: <51851854.20702@redhat.com>
References: <1367653543.28606.36.camel@aleeredhat.laptop> <51851854.20702@redhat.com>
Message-ID: <1367693726.2084.2.camel@aleeredhat.laptop>

On Sat, 2013-05-04 at 09:16 -0500, Endi Sukma Dewata wrote:
> On 5/4/2013 2:45 AM, Ade Lee wrote:
> > Here's the changelog:
> >
> > When setting up clones or non-CA subsystems, pkispawn checks if
> > the security domain is accessible and if the user can log in.
> > These calls invoke REST URIs, which are not available on older
> > subsystems. To support these subsystems, we need to attempt the
> > older legacy servlets if the REST APIs are not available.
> >
> > Ticket #604
> >
> > This is breaking IPA replica installs because the new URLs are not
> > exposed through the proxy config. Even if this is fixed, it will be
> > broken for old servers.
> >
> > The output of getDomainXML is pretty messed up and I'll open a ticket to
> > fix it, but given that it appears to be parsed correctly wherever it's
> > being used, we can fix it later when we have time to test everything.
>
> Question, on Dogtag 9 instance wouldn't all REST calls return 501 (Not
> Implemented)? So when calling the login() should we check for 501
> instead of 404? Or are we dealing with 2 possible Dogtag 9 instances:
> upgraded and not?
>
Good catch. We have two possible choices here - upgraded or not upgraded - so
I changed the check to look for either 404 or 501. In this case of IPA, it
will always be 404 because older systems will not have had their proxy config
updated.

Pushed to master. Now doing build of 10.0.2-3.

> Another possible solution is to return the server version in the
> DomainInfo, then if it's not version 10 we skip the login() call.
>
> Everything else looks fine. If this turns out to be not an issue, ACK.
>
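The 404-or-501 fallback this thread settles on, written out as an added example (it is not pkispawn's own code): the REST path is tried first, a 404 or 501 sends the caller to the legacy servlet, and any other status is surfaced as an error instead of being masked by the fallback. The URI paths and the in-memory FakeServer are assumptions made for illustration; only the name getDomainXML comes from the thread.

```python
"""REST-first security-domain lookup with legacy-servlet fallback.

Added example illustrating the fallback discussed above; not pkispawn's
own code. The REST URI is tried first; if the answer is 404 (the REST
paths are not exposed, e.g. an IPA proxy config that predates them) or
501 (an upgraded Dogtag 9 instance answering Not Implemented), the legacy
servlet is tried instead. Any other failure is raised rather than hidden.
The URI paths and the in-memory server are assumptions for the example;
only 'getDomainXML' is named in the thread.
"""
from dataclasses import dataclass

# Statuses that mean "no REST API here", per the thread: 404 for
# un-proxied/old servers, 501 for the stub servlet on upgraded Dogtag 9.
FALLBACK_STATUSES = frozenset({404, 501})

# Hypothetical paths (assumption, not Dogtag's documented URIs).
REST_DOMAIN_INFO = "/ca/rest/securityDomain/domainInfo"
LEGACY_DOMAIN_XML = "/ca/admin/ca/getDomainXML"


@dataclass
class Response:
    status: int
    body: str = ""


class FakeServer:
    """Constructed stand-in for a CA: maps a path to a canned response."""

    def __init__(self, routes):
        self.routes = routes
        self.calls = []  # paths requested, in order, for inspection

    def get(self, path):
        self.calls.append(path)
        return self.routes.get(path, Response(404))


class SecurityDomainError(Exception):
    pass


def fetch_with_fallback(server, rest_path, legacy_path):
    """Return (source, body) where source is 'rest' or 'legacy'."""
    rest = server.get(rest_path)
    if rest.status == 200:
        return "rest", rest.body
    if rest.status not in FALLBACK_STATUSES:
        # A 401/500 etc. is a real error on a REST-capable server; do not
        # hide it behind the legacy path.
        raise SecurityDomainError(f"{rest_path}: HTTP {rest.status}")
    legacy = server.get(legacy_path)
    if legacy.status == 200:
        return "legacy", legacy.body
    raise SecurityDomainError(
        f"{legacy_path}: HTTP {legacy.status} (REST gave {rest.status})")


def domain_info(server):
    """Look up the security domain, falling back to getDomainXML if needed."""
    return fetch_with_fallback(server, REST_DOMAIN_INFO, LEGACY_DOMAIN_XML)


def describe(server):
    """Return 'rest', 'legacy', or 'error: ...' for a one-line report."""
    try:
        return domain_info(server)[0]
    except SecurityDomainError as exc:
        return f"error: {exc}"


# Constructed servers covering the cases discussed in the thread.
DOGTAG_10 = FakeServer({REST_DOMAIN_INFO: Response(200, "json-domain-info"),
                        LEGACY_DOMAIN_XML: Response(200, "<DomainInfo/>")})
DOGTAG_9_UPGRADED = FakeServer({REST_DOMAIN_INFO: Response(501),
                                LEGACY_DOMAIN_XML: Response(200, "<DomainInfo/>")})
BEHIND_OLD_PROXY = FakeServer({LEGACY_DOMAIN_XML: Response(200, "<DomainInfo/>")})
BROKEN_REST = FakeServer({REST_DOMAIN_INFO: Response(500),
                          LEGACY_DOMAIN_XML: Response(200, "<DomainInfo/>")})


if __name__ == "__main__":
    for name, srv in [("dogtag10", DOGTAG_10), ("upgraded9", DOGTAG_9_UPGRADED),
                      ("old-proxy", BEHIND_OLD_PROXY), ("broken", BROKEN_REST)]:
        print(name, describe(srv), srv.calls)
```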
From: alee at redhat.com (Ade Lee)
Date: Sat, 04 May 2013 16:45:21 -0400
Subject: [Pki-devel] [PATCH] 132 -- Junit internal class used in TestRunner breaks F19 build
Message-ID: <1367700321.22295.2.camel@aleeredhat.laptop>

runMain() has been changed to private access in latest junit(), breaking the
19 build. We should not have been using this class in the first place.
Replaced it with the implementation of runMain() which uses run(classes).

Already pushed to master so that build could proceed, but please review in
case there are changes required.

Ade

[Attachment: pki-vakwetu-0132-JUnit-internal-class-used-in-TestRunner.patch (text/x-patch, 3212 bytes)]


From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 06 May 2013 20:44:38 -0500
Subject: [Pki-devel] [PATCH] 249 Fixed incorrect JNI_JAR_DIR.
Message-ID: <51885C86.3010302@redhat.com>

The JNI_JAR_DIR is supposed to be architecture-specific but the pki-base
package is architecture-neutral. So, to ensure it has the correct value, the
variable will be set at post installation.

Also, to simplify the upgrade process, the variable has been moved from
/etc/pki/pki.conf into /usr/share/pki/etc/pki.conf. The build, deployment,
startup, and upgrade scripts have been modified accordingly.

I've tested this on 64-bit F18. I'm still having some issues with F19 so I
can't test it there yet. Please help test on other platforms. Thanks!

-- 
Endi S. Dewata

[Attachment: pki-edewata-0249-Fixed-incorrect-JNI_JAR_DIR.patch (text/x-patch, 7160 bytes)]
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 06 May 2013 23:48:42 -0500
Subject: [Pki-devel] [PATCH] 249 Fixed incorrect JNI_JAR_DIR.
In-Reply-To: <51885C86.3010302@redhat.com>
References: <51885C86.3010302@redhat.com>
Message-ID: <518887AA.5050308@redhat.com>

On 5/6/2013 8:44 PM, Endi Sukma Dewata wrote:
> The JNI_JAR_DIR is supposed to be architecture-specific but the
> pki-base package is architecture-neutral. So, to ensure it has the
> correct value, the variable will be set at post installation.
> Also, to simplify the upgrade process, the variable has been moved
> from /etc/pki/pki.conf into /usr/share/pki/etc/pki.conf. The build,
> deployment, startup, and upgrade scripts have been modified
> accordingly.
>
> I've tested this on 64-bit F18. I'm still having some issues with F19
> so I can't test it there yet. Please help test on other platforms. Thanks!

New patch attached. Replaced macro with shell script to check the actual
architecture at post install.

-- 
Endi S. Dewata

[Attachment: pki-edewata-0249-1-Fixed-incorrect-JNI_JAR_DIR.patch (text/x-patch, 7179 bytes)]
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 07 May 2013 00:47:20 -0500
Subject: [Pki-devel] [PATCH] 249 Fixed incorrect JNI_JAR_DIR.
In-Reply-To: <518887AA.5050308@redhat.com>
References: <51885C86.3010302@redhat.com> <518887AA.5050308@redhat.com>
Message-ID: <51889568.6040809@redhat.com>

On 5/6/2013 11:48 PM, Endi Sukma Dewata wrote:
> On 5/6/2013 8:44 PM, Endi Sukma Dewata wrote:
>> The JNI_JAR_DIR is supposed to be architecture-specific but the
>> pki-base package is architecture-neutral. So, to ensure it has the
>> correct value, the variable will be set at post installation.
>> Also, to simplify the upgrade process, the variable has been moved
>> from /etc/pki/pki.conf into /usr/share/pki/etc/pki.conf. The build,
>> deployment, startup, and upgrade scripts have been modified
>> accordingly.
>>
>> I've tested this on 64-bit F18. I'm still having some issues with F19
>> so I can't test it there yet. Please help test on other platforms.
>> Thanks!
>
> New patch attached. Replaced macro with shell script to check the actual
> architecture at post install.

ACKed by Ade. Pushed to master.

-- 
Endi S. Dewata


From: alee at redhat.com (Ade Lee)
Date: Tue, 07 May 2013 13:01:26 -0400
Subject: [Pki-devel] Announcement: Branch DOGTAG_10_0_BRANCH has been created
Message-ID: <1367946086.21309.17.camel@aleeredhat.laptop>

In preparation for the new work to be done for Dogtag 10.1, Dogtag 10.0 has
now been branched onto a maintenance branch called DOGTAG_10_0_BRANCH.

All future work going into Dogtag 10.0 should be checked into the
DOGTAG_10_0_BRANCH maintenance branch. We anticipate that this will include
critical and small bug fixes, security fixes etc. We will release maintenance
releases 10.0.X from this branch.

All Dogtag 10.1 feature work should be checked into master.

Thanks,
Ade
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 09 May 2013 10:20:13 -0500
Subject: [Pki-devel] [PATCH] 250 Added support for backup/restore on upgrade.
Message-ID: <518BBEAD.8080300@redhat.com>

The upgrade framework has been modified to support backup and restore
functionality. A new method backup(filename) has been added to save a file
into a backup folder. The CLI's have been modified to accept a --revert
parameter which will restore the backup files one version at a time.

Ticket #583

-- 
Endi S. Dewata

[Attachment: pki-edewata-0250-Added-support-for-backup-restore-on-upgrade.patch (text/x-patch, 24736 bytes)]


From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 09 May 2013 10:27:08 -0500
Subject: [Pki-devel] [PATCH] 251 Removing JNI_JAR_DIR from /etc/pki/pki.conf.
Message-ID: <518BC04C.1020200@redhat.com>

Recently the JNI_JAR_DIR was moved into /usr/share/pki/etc/pki.conf. A new
upgrade script has been added to remove the unused JNI_JAR_DIR from
/etc/pki/pki.conf.

-- 
Endi S. Dewata

[Attachment: pki-edewata-0251-Removing-JNI_JAR_DIR-from-etc-pki-pki.conf.patch (text/x-patch, 3294 bytes)]
From: cfu at redhat.com (Christina Fu)
Date: Fri, 10 May 2013 11:16:57 -0700
Subject: [Pki-devel] Request for review: Bug 952500 - CMCAuth fails with error "CMCAuth: java.security.NoSuchAlgorithmException" when using NetHSM token
In-Reply-To: <51816410.20709@redhat.com>
References: <51816410.20709@redhat.com>
Message-ID: <518D3999.9000304@redhat.com>

Added a small patch to remove the Eclipse warning. Already ack'd by Ade.

Christina

On 05/01/2013 11:50 AM, Christina Fu wrote:
> The following are the patches for fixing: Bug 952500
> - CMCAuth fails
> with error "CMCAuth: java.security.NoSuchAlgorithmException" when
> using NetHSM token
>
> *
> https://bugzilla.redhat.com/attachment.cgi?id=742274&action=diff&context=patch&collapsed=&headers=1&format=raw
> *
> https://bugzilla.redhat.com/attachment.cgi?id=742316&action=diff&context=patch&collapsed=&headers=1&format=raw
>
> Please review.
>
> thanks,
> Christina

[Attachment: 0001-Bug-952500-CMCAuth-fails-with-error-CMCAuth-java.sec.patch]
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 15 May 2013 14:52:00 -0500
Subject: [Pki-devel] [PATCH] 250 Added support for backup/restore on upgrade.
In-Reply-To: <518BBEAD.8080300@redhat.com>
References: <518BBEAD.8080300@redhat.com>
Message-ID: <5193E760.4010408@redhat.com>

On 5/9/2013 10:20 AM, Endi Sukma Dewata wrote:
> The upgrade framework has been modified to support backup and restore
> functionality. A new method backup(filename) has been added to save
> a file into a backup folder. The CLIs have been modified to accept
> a --revert parameter which will restore the backup files one version
> at a time.
>
> Ticket #583

ACKed by Ade. Renamed the backup file/folders into 'newfiles' & 'oldfiles'.
Pushed to master.

The following will be done in additional patches:
1. Support for reverting individual instances/subsystems.
2. Support for backing up folders including the ownerships, permissions,
   and contents.

-- 
Endi S. Dewata

From edewata at redhat.com Wed May 15 19:52:33 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 15 May 2013 14:52:33 -0500
Subject: [Pki-devel] [PATCH] 251 Removing JNI_JAR_DIR from /etc/pki/pki.conf.
In-Reply-To: <518BC04C.1020200@redhat.com>
References: <518BC04C.1020200@redhat.com>
Message-ID: <5193E781.2020606@redhat.com>

On 5/9/2013 10:27 AM, Endi Sukma Dewata wrote:
> Recently the JNI_JAR_DIR was moved into /usr/share/pki/etc/pki.conf.
> A new upgrade script has been added to remove the unused JNI_JAR_DIR
> from /etc/pki/pki.conf.

ACKed by Ade. Pushed to master.

-- 
Endi S. Dewata

From akoneru at redhat.com Thu May 16 19:05:50 2013
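The backup/revert scheme described in patch 250 and its follow-up, as an added example in my own Python (not Dogtag's upgrade framework code): every upgraded version gets its own backup folder holding 'oldfiles' (copies of files that existed before the change) and 'newfiles' (a list of files the upgrade created), and revert() undoes exactly one version per call, newest first, which is what a --revert CLI would call. The class and method names, the constructed pki.conf contents and the version numbers are assumptions; permission bits of single files are preserved with shutil.copy2, while ownership and whole folders (the follow-up's future work) are not handled.

```python
"""Versioned backup/revert for an upgrade framework (illustrative, not Dogtag's code)."""
import shutil
import tempfile
from pathlib import Path


def version_key(version):
    """Sort '10.0.2' before '10.0.10' (numeric, not lexical)."""
    return tuple(int(part) for part in version.split("."))


class UpgradeBackup:
    """Backups live in <backup_dir>/<version>/{oldfiles/,newfiles}."""

    def __init__(self, root, backup_dir):
        self.root = Path(root)          # tree being upgraded, e.g. /etc/pki
        self.backup_dir = Path(backup_dir)

    def backup(self, version, filename):
        """Call before a scriptlet touches <root>/<filename>.

        An existing file is copied (with its mode bits) into oldfiles/;
        a file that does not exist yet is recorded in newfiles so that
        revert() knows to delete it.
        """
        vdir = self.backup_dir / version
        src = self.root / filename
        if src.exists():
            dst = vdir / "oldfiles" / filename
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)      # copy2 keeps permission bits and mtime
        else:
            vdir.mkdir(parents=True, exist_ok=True)
            with (vdir / "newfiles").open("a") as listing:
                listing.write(filename + "\n")

    def versions(self):
        """Versions that still have a backup, oldest first."""
        if not self.backup_dir.exists():
            return []
        names = [p.name for p in self.backup_dir.iterdir() if p.is_dir()]
        return sorted(names, key=version_key)

    def revert(self):
        """Undo the newest backed-up version only; returns it, or None."""
        versions = self.versions()
        if not versions:
            return None
        version = versions[-1]
        vdir = self.backup_dir / version
        # 1. remove files the upgrade created
        newfiles = vdir / "newfiles"
        if newfiles.exists():
            for name in newfiles.read_text().splitlines():
                target = self.root / name
                if target.exists():
                    target.unlink()
        # 2. put the saved copies back, restoring their mode bits too
        oldfiles = vdir / "oldfiles"
        if oldfiles.exists():
            for saved in oldfiles.rglob("*"):
                if saved.is_file():
                    target = self.root / saved.relative_to(oldfiles)
                    target.parent.mkdir(parents=True, exist_ok=True)
                    shutil.copy2(saved, target)
        # 3. drop this version's backup so the next --revert moves on
        #    to the previous version
        shutil.rmtree(vdir)
        return version


def demo():
    """Two constructed upgrades on a throw-away tree, then three reverts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc" / "pki"
        root.mkdir(parents=True)
        conf = root / "pki.conf"
        conf.write_text("JNI_JAR_DIR=/usr/lib/java\n")   # constructed content
        conf.chmod(0o640)
        store = UpgradeBackup(root, Path(tmp) / "backup")

        # upgrade to 10.0.2: a scriptlet strips the unused JNI_JAR_DIR line
        store.backup("10.0.2", "pki.conf")
        conf.write_text("")

        # upgrade to 10.0.3: adds a file and rewrites pki.conf again
        store.backup("10.0.3", "upgrade.conf")
        (root / "upgrade.conf").write_text("new=1\n")
        store.backup("10.0.3", "pki.conf")
        conf.write_text("KEY=value\n")

        first = store.revert()            # -> "10.0.3"
        after_first = (conf.read_text(), (root / "upgrade.conf").exists())
        second = store.revert()           # -> "10.0.2"
        after_second = (conf.read_text(), oct(conf.stat().st_mode & 0o777))
        third = store.revert()            # -> None, nothing left to revert
        return first, after_first, second, after_second, third


if __name__ == "__main__":
    print(demo())
```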
From: akoneru at redhat.com (Abhishek Koneru)
Date: Thu, 16 May 2013 15:05:50 -0400
Subject: [Pki-devel] [PATCH] 57 On error, raise an Exception rather than use sys.exit - #562
Message-ID: <1368731150.2210.4.camel@akoneru.redhat.com>

Please review the patch which replaces all sys.exit() calls with raise
Exception statements, so that the caller can handle the exception.

Ticket #562

--Abhishek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akoneru-0057-Do-not-use-sys.exit-after-an-error.patch
Type: text/x-patch
Size: 174853 bytes

From cfu at redhat.com Fri May 17 01:41:49 2013
From: cfu at redhat.com (Christina Fu)
Date: Thu, 16 May 2013 18:41:49 -0700
Subject: [Pki-devel] Preliminary Design - TPS - New Recovery Option: External Registration DS
Message-ID: <51958ADD.5030008@redhat.com>

http://pki.fedoraproject.org/wiki/TPS_-_New_Recovery_Option:_External_Registration_DS

It will be hashed out within the next week. All comments welcome.

thanks,
Christina

From cfu at redhat.com Fri May 17 20:34:29 2013
From: cfu at redhat.com (Christina Fu)
Date: Fri, 17 May 2013 13:34:29 -0700
Subject: [Pki-devel] Design: TPS Revocation Routing
Message-ID: <51969455.2030201@redhat.com>

I have published the following design doc on Dogtag. Comments welcome.

http://pki.fedoraproject.org/wiki/TPS_-_Revocation_Routing

thanks,
Christina

From edewata at redhat.com Tue May 21 01:16:38 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 20 May 2013 20:16:38 -0500
Subject: [Pki-devel] [PATCH] 57 On error, raise an Exception rather than use sys.exit - #562
In-Reply-To: <1368731150.2210.4.camel@akoneru.redhat.com>
References: <1368731150.2210.4.camel@akoneru.redhat.com>
Message-ID: <519ACAF6.3040505@redhat.com>

On 5/16/2013 2:05 PM, Abhishek Koneru wrote:
> Please review the patch which replaces all sys.exit() calls with raise
> Exception statements, so that the caller can handle the exception.

Just one thing, in pkimanifest.py and pkiparser.py the original exception
is discarded and a new exception is raised. In general it would be better
to re-throw the original exception, unless there's a specific reason
(e.g. to hide low level details).

ACK with above issue fixed.

This is for future enhancement. In places where the sys.exit() was
removed, the code logs an error message, then it throws an exception
containing the same error message. It would be better to remove the
logging code from these locations, then log the error in the main program.

-- 
Endi S. Dewata

From akoneru at redhat.com Tue May 21 16:33:11 2013
From: akoneru at redhat.com (Abhishek Koneru)
Date: Tue, 21 May 2013 12:33:11 -0400
Subject: [Pki-devel] [PATCH] 57 On error, raise an Exception rather than use sys.exit - #562
In-Reply-To: <519ACAF6.3040505@redhat.com>
References: <1368731150.2210.4.camel@akoneru.redhat.com> <519ACAF6.3040505@redhat.com>
Message-ID: <1369153991.2783.0.camel@akoneru.redhat.com>

On Mon, 2013-05-20 at 20:16 -0500, Endi Sukma Dewata wrote:
> On 5/16/2013 2:05 PM, Abhishek Koneru wrote:
> > Please review the patch which replaces all sys.exit() calls with raise
> > Exception statements, so that the caller can handle the exception.
>
> Just one thing, in pkimanifest.py and pkiparser.py the original
> exception is discarded and a new exception is raised. In general it would
> be better to re-throw the original exception, unless there's a specific
> reason (e.g. to hide low level details).
>
Raising the same error.
> ACK with above issue fixed.
>
Pushed to master.
> This is for future enhancement. In places where the sys.exit() was
> removed, the code logs an error message, then it throws an exception
> containing the same error message. It would be better to remove the
> logging code from these locations, then log the error in the main program.
>
--Abhishek

From akoneru at redhat.com Tue May 21 17:02:52 2013
From: akoneru at redhat.com (Abhishek Koneru)
Date: Tue, 21 May 2013 13:02:52 -0400
Subject: [Pki-devel] [PATCH] 58 Use 'with' construct for file handling (Also added finally block when an exception is to be handled) #Ticket 562
Message-ID: <1369155772.8356.2.camel@akoneru.redhat.com>

Please review the attached patch with a minor modification in code - to use
the with construct for handling files.

--Abhishek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akoneru-0058-Use-with-construct-for-file-operations.patch
Type: text/x-patch
Size: 9887 bytes

From mharmsen at redhat.com Thu May 23 00:07:11 2013
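The two review points in the patch 57 thread (keep the original exception when re-raising instead of discarding it, and log once in the main program rather than at every former sys.exit() site), together with patch 58's 'with' construct, as an added example in my own Python, not the pki-server code under review: a pkiparser-style deployment-file loader that raises its own exception type with the low-level cause chained via 'from', and a main() that is the only place that logs and maps a failure to an exit status. PKIConfigError, the function names and the constructed ca.cfg contents are assumptions.

```python
"""Raise instead of sys.exit(), keep the cause, log once (illustrative, not pki-server code)."""
import configparser
import logging
import os
import tempfile

log = logging.getLogger("pkispawn")


class PKIConfigError(Exception):
    """Raised by library code; the caller decides whether to exit."""


def load_deployment_config(path):
    """Parse a pkispawn-style deployment file.

    The pattern under review caught the error, logged it and called
    sys.exit(1), or raised a bare Exception("...") that dropped the cause.
    Here the low-level error stays attached as __cause__ and nothing is
    logged at this level; the caller reports it once with full context.
    """
    parser = configparser.ConfigParser()
    try:
        with open(path) as handle:          # 'with' closes the file on every exit path
            parser.read_file(handle)
    except OSError as err:
        raise PKIConfigError("cannot read %s" % path) from err
    except configparser.Error as err:
        raise PKIConfigError("cannot parse %s" % path) from err
    return parser


def required(parser, section, key):
    """Fetch a mandatory option; say which one is missing, keeping the KeyError as cause."""
    try:
        return parser[section][key]
    except KeyError as err:
        raise PKIConfigError("missing %s in [%s]" % (key, section)) from err


def main(argv):
    """The one place that logs and turns failures into an exit status."""
    try:
        config = load_deployment_config(argv[1])
        required(config, "DEFAULT", "pki_admin_password")   # value itself is never logged
    except PKIConfigError as err:
        # one log line with the chained cause, instead of one per raise site
        log.error("%s (cause: %s: %s)", err, type(err.__cause__).__name__, err.__cause__)
        return 1
    return 0


def demo():
    """Run main() against four constructed inputs and report what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "ca.cfg")
        with open(good, "w") as handle:
            handle.write("[DEFAULT]\npki_admin_password=XXXXXXXX\n")   # constructed
        incomplete = os.path.join(tmp, "incomplete.cfg")
        with open(incomplete, "w") as handle:
            handle.write("[DEFAULT]\npki_ds_password=XXXXXXXX\n")      # admin password absent
        bad = os.path.join(tmp, "bad.cfg")
        with open(bad, "w") as handle:
            handle.write("pki_admin_password=XXXXXXXX\n")              # no section header
        missing = os.path.join(tmp, "missing.cfg")                     # never created

        results["good_exit"] = main(["pkispawn", good])
        results["incomplete_exit"] = main(["pkispawn", incomplete])
        results["bad_exit"] = main(["pkispawn", bad])
        results["missing_exit"] = main(["pkispawn", missing])
        for name, path in (("bad", bad), ("missing", missing)):
            try:
                load_deployment_config(path)
            except PKIConfigError as err:
                results[name + "_cause"] = type(err.__cause__).__name__
    return results


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(demo())
```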
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Wed, 22 May 2013 17:07:11 -0700
Subject: [Pki-devel] [PATCH] Fixes for pki-silent in RHCS 8.1 ECC Errata
Message-ID: <519D5DAF.3070605@redhat.com>

Please review the attached patch which addresses the following two
'pki-silent' issues in RHCS 8.1:

 * Bugzilla Bug #951891 - 'silent_ra_to_ip_port.template' fails to
   configure an RA successfully
 * Bugzilla Bug #952392 - Allow RA and TPS URLs to be specified by
   pkisilent and utilized by the RA and TPS servers

This patch has been tested extensively on an IP Port Separated x86_64
machine running RHEL 5.9. Testing utilized the following deployment
scenario:

 * CA (security domain)
   o Subordinate CA (no security domain)
     + KRA
     + TKS
     + RA
     + TPS

The KRA, RA, and TPS were tested both by signing the subsystems'
certificates with the CA and again with the Subordinate CA; this testing
led to the filing of "TRAC Ticket #620 - Ability of a non-security domain
CA to store an "Administration" cert in the NSS client security database".
-------------- next part --------------
Index: base/silent/src/tks/ConfigureTKS.java =================================================================== --- base/silent/src/tks/ConfigureTKS.java (revision 2598) +++ base/silent/src/tks/ConfigureTKS.java (working copy) @@ -152,6 +152,9 @@ public static String subsystem_name = null; public static String tks_audit_signing_cert_subject_name = null; + // Name Panel - CertSubjectPanel() + public static String ca_domain_url = null; + public ConfigureTKS () { // do nothing :)
@@ -470,7 +473,17 @@ ArrayList cert_list = null; ArrayList dn_list = null; - String domain_url = "https://" + ca_hostname + ":" + ca_ssl_port ; + String domain_url = null; + if ( ( ca_domain_url != null ) && + ( !ca_domain_url.equals( "" ) ) && + ( !ca_domain_url.equals( "empty" ) ) ) { + domain_url = ca_domain_url; + } else { + // Use the CA EE hostname and the CA EE port + domain_url = "https://" + ca_hostname + ":" + ca_ssl_port; + } + System.out.println("CertSubjectPanel() domain_url='" + + domain_url + "'."); String query_string = "p=9" + "&op=next" + "&xml=true" + "&subsystem=" + @@ -990,6 +1003,9 @@ // subsystemName StringHolder x_subsystem_name = new StringHolder(); + // Name Panel - CertSubjectPanel() + StringHolder x_ca_domain_url = new StringHolder(); + // parse the args ArgParser parser = new ArgParser("ConfigureTKS"); @@ -1104,6 +1120,10 @@ "-subsystem_name %s #CA subsystem name", x_subsystem_name); + parser.addOption ( + "-ca_domain_url %s #URL to CA used to Issue Certificates for TKS Instance Creation", + x_ca_domain_url); + parser.addOption( "-tks_audit_signing_cert_subject_name %s #TKS audit signing cert subject name", x_tks_audit_signing_cert_subject_name); @@ -1189,6 +1209,8 @@ subsystem_name = x_subsystem_name.value ; tks_audit_signing_cert_subject_name = x_tks_audit_signing_cert_subject_name.value; + ca_domain_url = x_ca_domain_url.value; + boolean st = ca.ConfigureTKSInstance(); if (!st) { Index: base/silent/src/drm/ConfigureDRM.java =================================================================== --- base/silent/src/drm/ConfigureDRM.java (revision 2598) +++ base/silent/src/drm/ConfigureDRM.java (working copy) @@ -179,6 +179,9 @@ public static String subsystem_name = null; + // Name Panel - CertSubjectPanel() + public static String ca_domain_url = null; + // cloning public static boolean clone = false; public static String clone_uri = null; 
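Review bot: the null / "" / "empty" fallback block introduced in the ConfigureTKS CertSubjectPanel() hunk (@@ -470,7 +473,17 @@) is the same nine lines that reappear verbatim in ConfigureDRM, ConfigureRA, ConfigureCA, ConfigureOCSP, ConfigureTPS and ConfigureSubCA; factor it into one shared static helper, e.g. `urlOrDefault(String override, String host, String port)`, so a future fix lands in one place instead of seven. The literal "empty" is also undocumented: the help string `-ca_domain_url %s #URL to CA used to Issue Certificates for TKS Instance Creation` in the @@ -1104,6 +1120,10 @@ hunk should say that an empty value or the word "empty" means "derive the URL from ca_hostname and ca_ssl_port", since the silent templates will rely on that convention.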
@@ -576,7 +579,17 @@ ArrayList dn_list = null; String query_string = null; - String domain_url = "https://" + ca_hostname + ":" + ca_ssl_port ; + String domain_url = null; + if ( ( ca_domain_url != null ) && + ( !ca_domain_url.equals( "" ) ) && + ( !ca_domain_url.equals( "empty" ) ) ) { + domain_url = ca_domain_url; + } else { + // Use the CA EE hostname and the CA EE port + domain_url = "https://" + ca_hostname + ":" + ca_ssl_port; + } + System.out.println("CertSubjectPanel() domain_url='" + + domain_url + "'."); if (!clone) { query_string = "p=9" + "&op=next" + "&xml=true" + @@ -1143,6 +1156,9 @@ // subsystemName StringHolder x_subsystem_name = new StringHolder(); + // Name Panel - CertSubjectPanel() + StringHolder x_ca_domain_url = new StringHolder(); + //clone parameters StringHolder x_clone = new StringHolder(); StringHolder x_clone_uri = new StringHolder(); @@ -1281,6 +1297,10 @@ "-subsystem_name %s #CA subsystem name", x_subsystem_name); + parser.addOption ( + "-ca_domain_url %s #URL to CA used to Issue Certificates for DRM Instance Creation", + x_ca_domain_url); + parser.addOption( "-drm_audit_signing_cert_subject_name %s #DRM audit signing cert subject name", x_drm_audit_signing_cert_subject_name); @@ -1387,6 +1407,8 @@ subsystem_name = x_subsystem_name.value; + ca_domain_url = x_ca_domain_url.value; + if ((x_clone.value != null) && (x_clone.value.equalsIgnoreCase("true"))) { clone = true; } else { Index: base/silent/src/ra/ConfigureRA.java =================================================================== --- base/silent/src/ra/ConfigureRA.java (revision 2598) +++ base/silent/src/ra/ConfigureRA.java (working copy) @@ -125,6 +125,12 @@ // Admin Certificate Request Panel public static String requestor_name = null; + // CA Info Panel - SubsystemPanel() + public static String ca_issuance_url = null; + + // Name Panel - CertSubjectPanel() + public static String ca_domain_url = null; + public ConfigureRA () { // do nothing :) 
@@ -298,13 +304,23 @@ px.prettyprintxml(); sleep_time(); - // 'ca_url' is not used, but refers to - // the CA EE hostname and the CA EE port - String ca_url = "https://" + ca_hostname + ":" + ca_ssl_port ; + String ca_url = null; + if ( ( ca_issuance_url != null ) && + ( !ca_issuance_url.equals( "" ) ) && + ( !ca_issuance_url.equals( "empty" ) ) ) { + ca_url = ca_issuance_url; + } else { + // Use the CA EE hostname and the CA EE port + ca_url = "https://" + ca_hostname + ":" + ca_ssl_port; + } + System.out.println("SubsystemPanel() ca_url='" + + ca_url + "'."); + // CA choice panel query_string = "p=4" + - "&urls=0" + + "&urls=" + + URLEncoder.encode(ca_url) + "&op=next" + "&xml=true" ; @@ -442,9 +458,17 @@ ArrayList cert_list = null; ArrayList dn_list = null; - // 'ca_url' is not used, but refers to - // the CA EE hostname and the CA EE port - String ca_url = "https://" + ca_hostname + ":" + ca_ssl_port ; + String ca_url = null; + if ( ( ca_domain_url != null ) && + ( !ca_domain_url.equals( "" ) ) && + ( !ca_domain_url.equals( "empty" ) ) ) { + ca_url = ca_domain_url; + } else { + // Use the CA EE hostname and the CA EE port + ca_url = "https://" + ca_hostname + ":" + ca_ssl_port; + } + System.out.println("CertSubjectPanel() ca_url='" + + ca_url + "'."); String query_string = "p=9" + "&sslserver=" + @@ -455,7 +479,8 @@ URLEncoder.encode(ra_subsystem_cert_subject_name) + "&subsystem_nick=" + URLEncoder.encode(ra_subsystem_cert_nickname) + - "&urls=0" + + "&urls=" + + URLEncoder.encode(ca_url) + "&op=next" + "&xml=true" ; @@ -830,7 +855,13 @@ // subsystemName StringHolder x_subsystem_name = new StringHolder(); + // CA Info Panel - SubsystemPanel() + StringHolder x_ca_issuance_url = new StringHolder(); + // Name Panel - CertSubjectPanel() + StringHolder x_ca_domain_url = new StringHolder(); + + // parse the args ArgParser parser = new ArgParser("ConfigureRA"); 
@@ -915,6 +946,14 @@ "-subsystem_name %s #RA subsystem name", x_subsystem_name); + parser.addOption ( + "-ca_issuance_url %s #URL to CA used to Issue Certificates", + x_ca_issuance_url); + + parser.addOption ( + "-ca_domain_url %s #URL to CA used to Issue Certificates for RA Instance Creation", + x_ca_domain_url); + // and then match the arguments String [] unmatched = null; unmatched = parser.matchAllArgs (args,0,parser.EXIT_ON_UNMATCHED); @@ -973,8 +1012,12 @@ subsystem_name = x_subsystem_name.value ; + ca_issuance_url = x_ca_issuance_url.value; + ca_domain_url = x_ca_domain_url.value; + + boolean st = ca.ConfigureRAInstance(); if (!st) Index: base/silent/src/ca/ConfigureCA.java =================================================================== --- base/silent/src/ca/ConfigureCA.java (revision 2598) +++ base/silent/src/ca/ConfigureCA.java (working copy) @@ -177,6 +177,9 @@ public static String subsystem_name = null; + // Name Panel - CertSubjectPanel() + public static String ca_domain_url = null; + public static String external_ca= null; public static String ext_ca_cert_file = null; public static String ext_ca_cert_chain_file = null; @@ -643,6 +646,17 @@ ArrayList dn_list = null; String query_string = null; + String domain_url = null; + if ( ( ca_domain_url != null ) && + ( !ca_domain_url.equals( "" ) ) && + ( !ca_domain_url.equals( "empty" ) ) ) { + domain_url = "&urls=" + URLEncoder.encode(ca_domain_url); + } else { + domain_url = "&urls=0" + ""; + } + System.out.println("CertSubjectPanel() domain_url='" + + domain_url + "'."); + // use subject names provided as input if (!clone) { 
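Review bot: in the ConfigureCA CertSubjectPanel() hunk (@@ -643,6 +646,17 @@) the else branch `domain_url = "&urls=0" + "";` carries a leftover `+ ""` from the lines it replaces and should be just `"&urls=0"`. More importantly, here `domain_url` holds a ready-made query fragment (`&urls=...`), whereas the identically named variable in the other six files holds a bare URL that gets `"&urls=" +` prepended at the call site, so the copied `System.out.println("CertSubjectPanel() domain_url='" + domain_url + "'.")` prints different shapes in different tools. Either name this one `urls_param`, or build the bare URL here and append `"&urls=" + URLEncoder.encode(domain_url)` in both query_string branches as ConfigureSubCA does.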
@@ -652,12 +666,12 @@ + URLEncoder.encode(ca_ocsp_cert_subject_name) + "&signing=" + URLEncoder.encode(ca_sign_cert_subject_name) + "&sslserver=" + URLEncoder.encode(ca_server_cert_subject_name) + "&audit_signing=" - + URLEncoder.encode(ca_audit_signing_cert_subject_name) + "&urls=0" - + ""; + + URLEncoder.encode(ca_audit_signing_cert_subject_name) + + domain_url; } else { query_string = "p=11" + "&op=next" + "&xml=true" + "&sslserver=" - + URLEncoder.encode(ca_server_cert_subject_name) + "&urls=0" - + ""; + + URLEncoder.encode(ca_server_cert_subject_name) + + domain_url; } hr = hc.sslConnect(cs_hostname, cs_port, wizard_uri, query_string); @@ -1517,6 +1531,9 @@ // subsystemName StringHolder x_subsystem_name = new StringHolder(); + // Name Panel - CertSubjectPanel() + StringHolder x_ca_domain_url = new StringHolder(); + // external CA cert StringHolder x_external_ca = new StringHolder(); StringHolder x_ext_ca_cert_file = new StringHolder(); @@ -1633,6 +1650,10 @@ parser.addOption("-subsystem_name %s #CA subsystem name", x_subsystem_name); + + parser.addOption ( + "-ca_domain_url %s #URL to CA used to Issue Certificates for CA Instance Creation", + x_ca_domain_url); parser.addOption("-external %s #Subordinate to external CA [true,false] (optional, default false)", x_external_ca); @@ -1741,6 +1762,8 @@ ca_audit_signing_cert_subject_name = x_ca_audit_signing_cert_subject_name.value; subsystem_name = x_subsystem_name.value; + + ca_domain_url = x_ca_domain_url.value; external_ca = set_default(x_external_ca.value, "false"); ext_ca_cert_file = x_ext_ca_cert_file.value; Index: base/silent/src/ocsp/ConfigureOCSP.java =================================================================== --- base/silent/src/ocsp/ConfigureOCSP.java (revision 2598) +++ base/silent/src/ocsp/ConfigureOCSP.java (working copy) 
@@ -165,6 +165,10 @@ public static String ocsp_audit_signing_cert_subject_name = null; public static String subsystem_name = null; + + // Name Panel - CertSubjectPanel() + public static String ca_domain_url = null; + public ConfigureOCSP () { // do nothing :) @@ -494,7 +498,17 @@ ArrayList cert_list = null; ArrayList dn_list = null; - String domain_url = "https://" + ca_hostname + ":" + ca_ssl_port ; + String domain_url = null; + if ( ( ca_domain_url != null ) && + ( !ca_domain_url.equals( "" ) ) && + ( !ca_domain_url.equals( "empty" ) ) ) { + domain_url = ca_domain_url; + } else { + // Use the CA EE hostname and the CA EE port + domain_url = "https://" + ca_hostname + ":" + ca_ssl_port; + } + System.out.println("CertSubjectPanel() domain_url='" + + domain_url + "'."); String query_string = "p=9" + "&op=next" + "&xml=true" + "&subsystem=" + @@ -1028,6 +1042,9 @@ // subsystemName StringHolder x_subsystem_name = new StringHolder(); + // Name Panel - CertSubjectPanel() + StringHolder x_ca_domain_url = new StringHolder(); + // parse the args ArgParser parser = new ArgParser("ConfigureOCSP"); @@ -1152,6 +1169,10 @@ "-subsystem_name %s #OCSP subsystem name", x_subsystem_name); + parser.addOption ( + "-ca_domain_url %s #URL to CA used to Issue Certificates for OCSP Instance Creation", + x_ca_domain_url); + parser.addOption( "-ocsp_audit_signing_cert_subject_name %s #OCSP audit signing cert subject name", x_ocsp_audit_signing_cert_subject_name); @@ -1247,6 +1268,7 @@ subsystem_name = x_subsystem_name.value ; + ca_domain_url = x_ca_domain_url.value; boolean st = ca.ConfigureOCSPInstance(); Index: base/silent/src/tps/ConfigureTPS.java =================================================================== --- base/silent/src/tps/ConfigureTPS.java (revision 2598) +++ base/silent/src/tps/ConfigureTPS.java (working copy) 
@@ -79,11 +79,15 @@ public static String ca_ssl_port = null; public static String ca_admin_port = null; - public static String drm_hostname = null; - public static String drm_ssl_port = null; + public static String drm_agent_hostname = null; + public static String drm_agent_port = null; + public static String drm_admin_hostname = null; + public static String drm_admin_port = null; - public static String tks_hostname = null; - public static String tks_ssl_port = null; + public static String tks_agent_hostname = null; + public static String tks_agent_port = null; + public static String tks_admin_hostname = null; + public static String tks_admin_port = null; public static String client_certdb_dir = null; public static String client_token_name = null; @@ -171,6 +175,18 @@ // Admin Certificate Request Panel public static String requestor_name = null; + // CA Info Panel - SubsystemPanel() + public static String ca_issuance_url = null; + + // TKS Info Panel - SubsystemPanel() + public static String tks_key_management_url = null; + + // DRM Info Panel - SubsystemPanel() + public static String drm_server_side_keygen_url = null; + + // Name Panel - CertSubjectPanel() + public static String ca_domain_url = null; + public ConfigureTPS () { // do nothing :) @@ -344,13 +360,23 @@ px.prettyprintxml(); sleep_time(); - // 'ca_url' is not used, but refers to - // the CA EE hostname and the CA EE port - String ca_url = "https://" + ca_hostname + ":" + ca_ssl_port ; // CA choice panel + String ca_url = null; + if ( ( ca_issuance_url != null ) && + ( !ca_issuance_url.equals( "" ) ) && + ( !ca_issuance_url.equals( "empty" ) ) ) { + ca_url = ca_issuance_url; + } else { + // Use the CA EE hostname and the CA EE port + ca_url = "https://" + ca_hostname + ":" + ca_ssl_port; + } + System.out.println("SubsystemPanel() ca_url='" + + ca_url + "'."); + query_string = "p=6" + - "&urls=0" + + "&urls=" + + URLEncoder.encode(ca_url) + "&op=next" + "&xml=true" ; 
@@ -361,13 +387,27 @@ px.prettyprintxml(); sleep_time(); + // TKS choice panel - // - // 'tks_url' is not used, but refers to - // the TKS Agent hostname and the TKS Agent port - String tks_url = "https://" + tks_hostname + ":" + tks_ssl_port ; + String tks_url = null; + if ( ( tks_key_management_url != null ) && + ( !tks_key_management_url.equals( "" ) ) && + ( !tks_key_management_url.equals( "empty" ) ) ) { + tks_url = tks_key_management_url; + } else { + // Use the TKS Agent hostname and the TKS Agent port + tks_url = "https://" + tks_agent_hostname + ":" + tks_agent_port; + } + System.out.println("SubsystemPanel() tks_url='" + + tks_url + "'."); + query_string = "p=7" + - "&urls=0" + + "&urls=" + + URLEncoder.encode(tks_url) + + "&adminhost=" + + URLEncoder.encode(tks_admin_hostname) + + "&adminport=" + + tks_admin_port + "&op=next" + "&xml=true" ; @@ -377,21 +417,34 @@ px.parse(bais); px.prettyprintxml(); + sleep_time(); + // DRM / server side keygen panel - - sleep_time(); if(ss_keygen.equalsIgnoreCase("true")) { ss_keygen = "keygen"; } - // 'drm_url' is not used, but refers to - // the DRM Agent hostname and the DRM Agent port - String drm_url = "https://" + drm_hostname + ":" + drm_ssl_port ; + String drm_url = null; + if ( ( drm_server_side_keygen_url != null ) && + ( !drm_server_side_keygen_url.equals( "" ) ) && + ( !drm_server_side_keygen_url.equals( "empty" ) ) ) { + drm_url = drm_server_side_keygen_url; + } else { + // Use the DRM Agent hostname and the DRM Agent port + drm_url = "https://" + drm_agent_hostname + ":" + drm_agent_port; + } + System.out.println("SubsystemPanel() drm_url='" + + drm_url + "'."); query_string = "p=8" + "&choice=" + ss_keygen + - "&urls=0" + + "&urls=" + + URLEncoder.encode(drm_url) + + "&adminhost=" + + URLEncoder.encode(drm_admin_hostname) + + "&adminport=" + + drm_admin_port + "&op=next" + "&xml=true" ; 
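Review bot: the TKS and DRM choice panel hunks (@@ -361,13 +387,27 @@ and @@ -377,21 +417,34 @@) guard the *_url values against null/""/"empty" but then append `"&adminhost=" + URLEncoder.encode(tks_admin_hostname) + "&adminport=" + tks_admin_port` (and the drm_ equivalents) with no check at all: `URLEncoder.encode(null)` throws NullPointerException, and a missing port is sent as the literal string "null". Since `-tks_admin_hostname`, `-tks_admin_port`, `-drm_admin_hostname` and `-drm_admin_port` are brand-new options that no existing template sets, either validate them right after the arguments are matched and fail with a clear message, or give them an explicit default. The single-argument `URLEncoder.encode(String)` is the deprecated form (platform default charset); it matches the rest of the file, but the new helper suggested for the URL fallback would be the place to switch to `encode(s, "UTF-8")`.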
@@ -578,9 +631,17 @@ ArrayList dn_list = null; ArrayList friendly_list = null; - // 'ca_url' is not used, but refers to - // the CA EE hostname and the CA EE port - String ca_url = "https://" + ca_hostname + ":" + ca_ssl_port ; + String ca_url = null; + if ( ( ca_domain_url != null ) && + ( !ca_domain_url.equals( "" ) ) && + ( !ca_domain_url.equals( "empty" ) ) ) { + ca_url = ca_domain_url; + } else { + // Use the CA EE hostname and the CA EE port + ca_url = "https://" + ca_hostname + ":" + ca_ssl_port; + } + System.out.println("CertSubjectPanel() ca_url='" + + ca_url + "'."); String query_string = "p=12" + "&sslserver=" + @@ -595,7 +656,8 @@ URLEncoder.encode(tps_audit_signing_cert_subject_name) + "&audit_signing_nick=" + URLEncoder.encode(tps_audit_signing_cert_nickname) + - "&urls=0" + + "&urls=" + + URLEncoder.encode(ca_url) + "&op=next" + "&xml=true" ; @@ -959,11 +1021,15 @@ StringHolder x_ca_ssl_port = new StringHolder(); StringHolder x_ca_admin_port = new StringHolder(); - StringHolder x_drm_hostname = new StringHolder(); - StringHolder x_drm_ssl_port = new StringHolder(); + StringHolder x_drm_agent_hostname = new StringHolder(); + StringHolder x_drm_agent_port = new StringHolder(); + StringHolder x_drm_admin_hostname = new StringHolder(); + StringHolder x_drm_admin_port = new StringHolder(); - StringHolder x_tks_hostname = new StringHolder(); - StringHolder x_tks_ssl_port = new StringHolder(); + StringHolder x_tks_agent_hostname = new StringHolder(); + StringHolder x_tks_agent_port = new StringHolder(); + StringHolder x_tks_admin_hostname = new StringHolder(); + StringHolder x_tks_admin_port = new StringHolder(); StringHolder x_client_certdb_dir = new StringHolder(); StringHolder x_client_token_name = new StringHolder(); 
@@ -1023,7 +1089,19 @@ // subsystemName StringHolder x_subsystem_name = new StringHolder(); + // CA Info Panel - SubsystemPanel() + StringHolder x_ca_issuance_url = new StringHolder(); + // TKS Info Panel - SubsystemPanel() + StringHolder x_tks_key_management_url = new StringHolder(); + + // DRM Info Panel - SubsystemPanel() + StringHolder x_drm_server_side_keygen_url = new StringHolder(); + + // Name Panel - CertSubjectPanel() + StringHolder x_ca_domain_url = new StringHolder(); + + // parse the args ArgParser parser = new ArgParser("ConfigureTPS"); @@ -1058,17 +1136,25 @@ parser.addOption ("-ca_admin_port %s #CA SSL Admin port", x_ca_admin_port); - parser.addOption ("-drm_hostname %s #DRM Hostname", - x_drm_hostname); - parser.addOption ("-drm_ssl_port %s #DRM SSL port", - x_drm_ssl_port); + parser.addOption ("-drm_agent_hostname %s #DRM Agent Hostname", + x_drm_agent_hostname); + parser.addOption ("-drm_agent_port %s #DRM Agent SSL port", + x_drm_agent_port); parser.addOption ("-ss_keygen %s #Enable Server Side Keygen [true,false]", x_ss_keygen); + parser.addOption ("-drm_admin_hostname %s #DRM Admin Hostname", + x_drm_admin_hostname); + parser.addOption ("-drm_admin_port %s #DRM SSL Admin port", + x_drm_admin_port); - parser.addOption ("-tks_hostname %s #TKS Hostname", - x_tks_hostname); - parser.addOption ("-tks_ssl_port %s #TKS SSL port", - x_tks_ssl_port); + parser.addOption ("-tks_agent_hostname %s #TKS Agent Hostname", + x_tks_agent_hostname); + parser.addOption ("-tks_agent_port %s #TKS Agent SSL port", + x_tks_agent_port); + parser.addOption ("-tks_admin_hostname %s #TKS Admin Hostname", + x_tks_admin_hostname); + parser.addOption ("-tks_admin_port %s #TKS SSL Admin port", + x_tks_admin_port); parser.addOption ("-client_certdb_dir %s #Client CertDB dir", x_client_certdb_dir); 
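Review bot: the @@ -1058,17 +1136,25 @@ hunk drops the `-drm_hostname`, `-drm_ssl_port`, `-tks_hostname` and `-tks_ssl_port` option names in favour of `-drm_agent_*` / `-tks_agent_*` with no aliases; because the arguments are matched with `parser.matchAllArgs (args,0,parser.EXIT_ON_UNMATCHED)`, every existing TPS silent template that passes the old names will now exit at parse time instead of degrading. Either register the old names as deprecated aliases for one release, or update the TPS template in this same patch and call out the rename in the errata text. Minor: `-ss_keygen` now sits between the DRM agent and DRM admin options; keep the four DRM options together.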
@@ -1158,7 +1244,23 @@ "-subsystem_name %s #CA subsystem name", x_subsystem_name); + parser.addOption ( + "-ca_issuance_url %s #URL to CA used to Issue Certificates", + x_ca_issuance_url); + parser.addOption ( + "-tks_key_management_url %s #URL to TKS used for Key Management", + x_tks_key_management_url); + + parser.addOption ( + "-drm_server_side_keygen_url %s #URL to DRM used for Server-Side Keygen", + x_drm_server_side_keygen_url); + + parser.addOption ( + "-ca_domain_url %s #URL to CA used to Issue Certificates for TPS Instance Creation", + x_ca_domain_url); + + // and then match the arguments String [] unmatched = null; unmatched = parser.matchAllArgs (args,0,parser.EXIT_ON_UNMATCHED); @@ -1189,11 +1291,15 @@ ca_ssl_port = x_ca_ssl_port.value; ca_admin_port = x_ca_admin_port.value; - tks_hostname = x_tks_hostname.value; - tks_ssl_port = x_tks_ssl_port.value; + tks_agent_hostname = x_tks_agent_hostname.value; + tks_agent_port = x_tks_agent_port.value; + tks_admin_hostname = x_tks_admin_hostname.value; + tks_admin_port = x_tks_admin_port.value; - drm_hostname = x_drm_hostname.value; - drm_ssl_port = x_drm_ssl_port.value; + drm_agent_hostname = x_drm_agent_hostname.value; + drm_agent_port = x_drm_agent_port.value; + drm_admin_hostname = x_drm_admin_hostname.value; + drm_admin_port = x_drm_admin_port.value; client_certdb_dir = x_client_certdb_dir.value; client_token_name = x_client_token_name.value; @@ -1252,8 +1358,16 @@ subsystem_name = x_subsystem_name.value ; + ca_issuance_url = x_ca_issuance_url.value; + tks_key_management_url = x_tks_key_management_url.value; + drm_server_side_keygen_url = x_drm_server_side_keygen_url.value; + + ca_domain_url = x_ca_domain_url.value; + + + boolean st = ca.ConfigureTPSInstance(); if (!st) Index: base/silent/src/subca/ConfigureSubCA.java =================================================================== --- base/silent/src/subca/ConfigureSubCA.java (revision 2598) +++ base/silent/src/subca/ConfigureSubCA.java (working copy) 
@@ -172,6 +172,9 @@ public static String subsystem_name = null; + // Name Panel - CertSubjectPanel() + public static String ca_domain_url = null; + // names public static String subca_sign_cert_subject_name = null; public static String subca_subsystem_cert_subject_name = null; @@ -534,7 +537,17 @@ ArrayList cert_list = null; ArrayList dn_list = null; - String domain_url = "https://" + ca_hostname + ":" + ca_ssl_port ; + String domain_url = null; + if ( ( ca_domain_url != null ) && + ( !ca_domain_url.equals( "" ) ) && + ( !ca_domain_url.equals( "empty" ) ) ) { + domain_url = ca_domain_url; + } else { + // Use the CA EE hostname and the CA EE port + domain_url = "https://" + ca_hostname + ":" + ca_ssl_port; + } + System.out.println("CertSubjectPanel() domain_url='" + + domain_url + "'."); String query_string = "p=11" + "&op=next" + "&xml=true" + @@ -548,8 +561,8 @@ URLEncoder.encode(subca_subsystem_cert_subject_name) + "&audit_signing=" + URLEncoder.encode(subca_audit_signing_cert_subject_name) + - "&urls=0" + - ""; + "&urls=" + + URLEncoder.encode(domain_url); hr = hc.sslConnect(cs_hostname,cs_port,wizard_uri,query_string); @@ -1078,6 +1091,9 @@ // subsystem name StringHolder x_subsystem_name = new StringHolder(); + // Name Panel - CertSubjectPanel() + StringHolder x_ca_domain_url = new StringHolder(); + // subject names StringHolder x_subca_sign_cert_subject_name = new StringHolder(); StringHolder x_subca_subsystem_cert_subject_name = new StringHolder(); @@ -1203,6 +1219,10 @@ x_subsystem_name); parser.addOption ( + "-ca_domain_url %s #URL to CA used to Issue Certificates for SubCA Instance Creation", + x_ca_domain_url); + + parser.addOption ( "-subca_sign_cert_subject_name %s #subCA cert subject name", x_subca_sign_cert_subject_name); parser.addOption ( 
@@ -1305,6 +1325,8 @@ save_p12 = x_save_p12.value; backup_pwd = x_backup_pwd.value; subsystem_name = x_subsystem_name.value; + + ca_domain_url = x_ca_domain_url.value; subca_sign_cert_subject_name = x_subca_sign_cert_subject_name.value ; subca_subsystem_cert_subject_name = Index: base/silent/templates/silent_subca_ip_port.template =================================================================== --- base/silent/templates/silent_subca_ip_port.template (revision 0) +++ base/silent/templates/silent_subca_ip_port.template (revision 0) 
@@ -0,0 +1,612 @@ +#!/bin/bash +## BEGIN COPYRIGHT BLOCK +## (C) 2009 Red Hat, Inc. +## All rights reserved. +## END COPYRIGHT BLOCK + + +## Always switch into this base directory +## prior to script execution so that all +## of its output is written to this directory + +cd `dirname $0` + + +## Disallow script to be run as the name of this template +pki_silent_script=`basename $0` +if [ "${pki_silent_script}" = "silent_subca_ip_port.template" ] ; then + printf "\n" + printf "Usage: (1) Install AND configure a directory server instance.\n\n" + printf " (2) Install AND configure a Root CA subsystem instance\n" + printf " that is its own security domain.\n\n" + printf " (3) Use 'pkicreate' to install a second CA subsystem\n" + printf " instance (this will become a Subordinate CA).\n" + printf " [Do NOT configure this CA subsystem instance!]\n\n" + printf " (4) Install the 'pki-silent' package.\n\n" + printf " (5) Copy '$0' to a new script name\n" + printf " without the '.template' extension.\n" + printf " (e .g. - 'configure_subca_ip_port_instance')\n\n" + printf " (6) Fill in all MANDATORY user-defined variables\n" + printf " in the new script.\n\n" + printf " (7) Change any OPTIONAL user-defined variables\n" + printf " in the new script as desired.\n\n" + printf " (8) Become the 'root' user, and execute the new script to\n" + printf " configure a Subordinate CA subsystem instance.\n\n" +exit 255 +fi + + +## +## This script MUST be run as root! 
+## + +ROOTUID=0 + +OS=`uname` +if [ "${OS}" = "Linux" ] ; then + MY_EUID=`/usr/bin/id -u` + MY_UID=`/usr/bin/id -ur` + USERNAME=`/usr/bin/id -un` +else + printf "ERROR: Unsupported operating system '${OS}'!\n" + exit 255 +fi + +if [ "${MY_UID}" != "${ROOTUID}" ] && + [ "${MY_EUID}" != "${ROOTUID}" ] ; then + printf "ERROR: The '$0' script must be run as root!\n" + exit 255 +fi + + + +############################################################################## +############################################################################## +## ## +## P K I S I L E N T - V A R I A B L E D E C L A R A T I O N ## +## ## +############################################################################## +############################################################################## + +############################################################################## +## U S E R - D E F I N E D V A R I A B L E S ( M A N D A T O R Y ) ## +############################################################################## + +## +## IMPORTANT: 'Escape' ALL spaces in EACH variable specified below! 
+## +## For Example: +## +## pki_security_domain_name="My\ Security\ Domain" +## + +## PKI CA Subsystem Hosts (FQDN) +pki_ca_ee_host= +pki_ca_admin_host= + +## PKI Subordinate CA Subsystem Hosts (FQDN) +pki_subca_agent_host= +pki_subca_ee_host= +pki_subca_eeca_host= +pki_subca_admin_host= + +## +## NOTE: Default PKI CA Instance Ports +## +## 9180 - non-secure port (not role specific) +## 9701 - non-secure Tomcat port +## 9443 - secure Agent port +## 9444 - secure EE port +## 9445 - secure Admin port +## 9446 - secure EE Client Auth port (not necessarily labeled) +## +## +## For Example: +## +## semanage port -l | grep pki +## +## pki_ca_port_t tcp 9180, 9701, 9443, 9444, 9445 +## pki_subca_port_t tcp 19180, 19701, 19443, 19444, 19445 +## + +## PKI CA ports (Security Domain) +pki_ca_nonssl_port= +pki_ca_agent_port= +pki_ca_ee_port= +pki_ca_admin_port= + +## PKI Alternate Subordinate CA ports (not a Security Domain) +## +## NOTE: Replace the CA EE Security Domain Host and Port to optionally use +## a Different Existing Subordinate CA to Issue Certificates for +## this Subordinate CA Instance Creation +## +pki_alternate_subca_ee_host=${pki_ca_ee_host} +pki_alternate_subca_ee_port=${pki_ca_ee_port} + +## PKI Subordinate CA ports (not a Security Domain) +pki_subca_admin_port= + +## PKI Silent Security Database Variables +## (e. g. - PKI Silent "browser" database) +pki_silent_security_database_repository="/tmp" +pki_silent_security_token_password= +pki_silent_security_token_name=internal + +## PKI Security Domain Variables +## (e. g. - Security Domain Login Panel) +pki_security_domain_name= +pki_security_domain_host="${pki_ca_admin_host}" +pki_security_domain_admin_name=admin +pki_security_domain_admin_password= + +## PKI Internal LDAP Database Variables +## (e. g. 
- Database Panel) +## +## If the LDAP server is located locally, specify: +## +## pki_ldap_host=localhost +## +## However, if the LDAP server is located remotely, specify the FQDN: +## +## pki_ldap_host="ds_host.example.com" (for example) +## +pki_ldap_host= +pki_ldap_port=389 +pki_bind_dn="cn=Directory\ Manager" +pki_bind_password= +## +## For first time configurations, the default case is to set: +## +## pki_remove_data=false +## +## For testing, however, it is often convenient to simply OVERWRITE any +## existing data in the LDAP database. If this is desirable, set: +## +## pki_remove_data=true +## +pki_remove_data= + +## PKI Instance-Specific Token Variables +## (e. g. - Module Panel) +pki_subca_token_name=internal +pki_subca_token_password= + +## PKI Instance-Specific Backup Variables +## (e. g. - Backup Key and Certificates Panel) +pki_subca_backup_password= + +## PKI Email Variables +## +## For example, to specify 'pkitest at example.com': +## +## pki_email_name=pkitest +## pki_email_company=example +## pki_email_domain=com +## +pki_email_name= +pki_email_company= +pki_email_domain= + +## PKI Silent Admin Variables +## (e. g. 
- Import Admin Certificate into PKI Silent "browser" database) +pki_silent_admin_user=admin +pki_silent_admin_password= +pki_silent_admin_email="${pki_email_name}\@${pki_email_company}\.${pki_email_domain}" + +## PKI Subsystem Names +pki_subca_subsystem_name="Certificate\ Authority" + +## PKI Subsystem Instance Names +pki_subca_instance_name="pki-subca" + +## PKI Silent Log Files +pki_silent_subca_log=/tmp/subca.log + +## URL to CA used to Issue Certificates for Subordinate CA Instance Creation +## +## * each 'hostname:port' must be a CA EE Hostname and CA EE Port +## * referenced CA does not need to be a Security Domain +## * referenced CA must reside within the same security domain +## as this Subordinate CA instance +## +## NOTE: To pass in a value of an empty string, specify the value "empty" +## instead of "" since ArgParser() throws away empty strings. +## +## This special "empty" string value may be specified for any of +## the following variables: +## +## * pki_subca_instance_ca_domain_url="empty" +## +pki_subca_instance_ca_domain_url="https://${pki_alternate_subca_ee_host}:${pki_alternate_subca_ee_port}" + + + +############################################################################## +## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ## +############################################################################## + +## +## NOTE: For comparison's sake, if the default instances were manually +## configured using a Firefox browser, the content of the corresponding +## Firefox browser's security libraries would be something similar +## to this: +## +## Certificate Nickname Trust Attributes +## SSL,S/MIME,JAR/XPI +## +## Certificate Authority 2 - ${pki_security_domain_name} ,, +## CA Administrator of Instance ${pki_subca_instance_name}'s +## ${pki_security_domain_name} ID u,u,u +## ${pki_subca_admin_host} P,, +## Certificate Authority - ${pki_security_domain_name} CT,C,C +## +## where: +## +## Nickname: "Certificate Authority 2 - " +## + 
"${pki_security_domain_name}" +## Subject Name: "cn=Certificate Authority 2," +## + "o=${pki_security_domain_name}" +## +## Nickname: "CA Administrator of Instance " +## + "${pki_subca_instance_name}'s " +## + "${pki_security_domain_name} ID" +## Subject Name: "cn=CA Administrator of Instance " +## + "${pki_subca_instance_name}," +## + "uid=admin," +## + "e=${pki_silent_admin_email}," +## + "o=${pki_security_domain_name}" +## +## Nickname: "${pki_subca_admin_host}" +## Subject Name: "cn=${pki_subca_admin_host}," +## + "o=${pki_security_domain_name}" +## +## Nickname: "Certificate Authority - " +## + "${pki_security_domain_name}" +## Subject Name: "cn=Certificate Authority," +## + "o=${pki_security_domain_name}" +## + + +## Miscellaneous CA Variables +## +## REMINDER: 'Escape' ALL spaces in EACH variable specified below! +## +## NOTE: For comparison's sake, if the default instances were manually +## configured using a Firefox browser, the content of the corresponding +## "/var/lib/${pki_subca_instance_name}/alias/" security libraries +## would be something similar to this: +## +## Certificate Nickname Trust Attributes +## SSL,S/MIME,JAR/XPI +## +## caSigningCert cert-${pki_subca_instance_name} CTu,Cu,Cu +## Server-Cert cert-${pki_subca_instance_name} u,u,u +## Certificate Authority - ${pki_security_domain_name} CT,c, +## ocspSigningCert cert-${pki_subca_instance_name} u,u,u +## auditSigningCert cert-${pki_subca_instance_name} u,u,u +## subsystemCert cert-${pki_subca_instance_name} u,u,u +## +## where: +## +## Nickname: "caSigningCert cert-${pki_subca_instance_name}" +## Subject Name: "cn=Certificate Authority 2," +## + "o=${pki_security_domain_name}" +## +## Nickname: "Server-Cert cert-${pki_subca_instance_name}" +## Subject Name: "cn=${pki_subca_admin_host}," +## + "o=${pki_security_domain_name}" +## +## Nickname: "Certificate Authority - " +## + "${pki_security_domain_name}" +## Subject Name: "cn=Certificate Authority," +## + "o=${pki_security_domain_name}" +## 
+## Nickname: "ocspSigningCert cert-${pki_subca_instance_name}" +## Subject Name: "cn=OCSP Signing Certificate 2," +## + "o=${pki_security_domain_name}" +## +## Nickname: "auditSigningCert cert-${pki_subca_instance_name}" +## Subject Name: "cn=CA Audit Signing Certificate 2," +## + "o=${pki_security_domain_name}" +## +## Nickname: "subsystemCert cert-${pki_subca_instance_name}" +## Subject Name: "cn=CA Subsystem Certificate 2," +## + "o=${pki_security_domain_name}" +## +## NOTE: The parameters for the signing algorithms have the following meaning: +## subca_signing_algorithm - signature algorithm used by +## the CA and OCSP signing certs +## to sign objects. +## subca_signing_signingalgorithm - optionally specify the +## algorithm used by the CA +## signing cert to sign objects +## subca_ocsp_signing_signingalgorithm - optionally specify the +## algorithm used by the CA ocsp +## signing cert to sign objects +## + +subca_agent_name="CA\ Administrator\ of\ Instance\ ${pki_subca_instance_name}\'s\ ${pki_security_domain_name}\ ID" +subca_agent_key_size=2048 +subca_agent_key_type=rsa +subca_agent_cert_subject="cn=CA\ Administrator\ of\ Instance\ ${pki_subca_instance_name},uid=admin,e=${pki_silent_admin_email},o=${pki_security_domain_name}" +subca_base_dn="dc=${pki_subca_admin_host}-${pki_subca_instance_name}" +subca_db_name="${pki_subca_admin_host}-${pki_subca_instance_name}" +subca_key_size=2048 +subca_key_type=rsa +subca_signing_algorithm=SHA256withRSA +subca_signing_signingalgorithm=SHA256withRSA +subca_ocsp_signing_signingalgorithm=SHA256withRSA +subca_save_p12=false +subca_sign_cert_subject_name="cn=Certificate\ Authority\ 2,o=${pki_security_domain_name}" +subca_subsystem_cert_subject_name="cn=CA\ Subsystem\ Certificate\ 2,o=${pki_security_domain_name}" +subca_ocsp_cert_subject_name="cn=OCSP\ Signing\ Certificate\ 2,o=${pki_security_domain_name}" +subca_server_cert_subject_name="cn=${pki_subca_ee_host},o=${pki_security_domain_name}" 
+subca_audit_signing_cert_subject_name="cn=CA\ Audit\ Signing\ Certificate\ 2,o=${pki_security_domain_name}" + + + +############################################################################## +############################################################################## +## ## +## P K I S I L E N T - S U B S Y S T E M C O N F I G U R A T I O N ## +## ## +############################################################################## +############################################################################## + +############################################################################## +## P K I S I L E N T I N I T I A L I Z A T I O N ## +############################################################################## + +## (1) Make certain that user has defined all MANDATORY user-defined variables! +usage_errors=0 +usage_error_preamble="ERROR: User MUST define a value for" + +if [ "${pki_ca_ee_host}" = "" ] ; then + printf "${usage_error_preamble} 'pki_ca_ee_host'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_ca_admin_host}" = "" ] ; then + printf "${usage_error_preamble} 'pki_ca_admin_host'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_subca_agent_host}" = "" ] ; then + printf "${usage_error_preamble} 'pki_subca_agent_host'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_subca_ee_host}" = "" ] ; then + printf "${usage_error_preamble} 'pki_subca_ee_host'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_subca_eeca_host}" = "" ] ; then + printf "${usage_error_preamble} 'pki_subca_eeca_host'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_subca_admin_host}" = "" ] ; then + printf "${usage_error_preamble} 'pki_subca_admin_host'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_ca_nonssl_port}" = "" ] ; then + printf "${usage_error_preamble} 'pki_ca_nonssl_port'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_ca_agent_port}" = "" ] ; then + printf 
"${usage_error_preamble} 'pki_ca_agent_port'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_ca_ee_port}" = "" ] ; then + printf "${usage_error_preamble} 'pki_ca_ee_port'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_ca_admin_port}" = "" ] ; then + printf "${usage_error_preamble} 'pki_ca_admin_port'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_subca_admin_port}" = "" ] ; then + printf "${usage_error_preamble} 'pki_subca_admin_port'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_silent_security_token_password}" = "" ] ; then + printf "${usage_error_preamble} 'pki_silent_security_token_password'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_security_domain_name}" = "" ] ; then + printf "${usage_error_preamble} 'pki_security_domain_name'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_security_domain_admin_password}" = "" ] ; then + printf "${usage_error_preamble} 'pki_security_domain_admin_password'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_ldap_host}" = "" ] ; then + printf "${usage_error_preamble} 'pki_ldap_host'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_bind_password}" = "" ] ; then + printf "${usage_error_preamble} 'pki_bind_password'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_remove_data}" = "" ] ; then + printf "${usage_error_preamble} 'pki_remove_data'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_subca_token_password}" = "" ] ; then + printf "${usage_error_preamble} 'pki_subca_token_password'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_subca_backup_password}" = "" ] ; then + printf "${usage_error_preamble} 'pki_subca_backup_password'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_email_name}" = "" ] ; then + printf "${usage_error_preamble} 'pki_email_name'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_email_company}" = "" ] ; then + 
printf "${usage_error_preamble} 'pki_email_company'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_email_domain}" = "" ] ; then + printf "${usage_error_preamble} 'pki_email_domain'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_silent_admin_password}" = "" ] ; then + printf "${usage_error_preamble} 'pki_silent_admin_password'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi + + +## (2) Make certain that a PKI instance of the specified name EXISTS, +## but has NOT been previously CONFIGURED! +existence_errors=0 +existence_error_preamble="ERROR: No PKI Instance named" +configuration_errors=0 +configuration_error_preamble="ERROR: A PKI Instance named" +configuration_error_postamble="EXISTS,\n but has PREVIOUSLY been CONFIGURED!" + +if [ ! -f "/var/lib/${pki_subca_instance_name}/conf/CS.cfg" ] ; then + printf "${existence_error_preamble} '${pki_subca_instance_name}' EXISTS!\n" + existence_errors=`expr ${existence_errors} + 1` +else + subca_configuration_check=`grep -c preop /var/lib/${pki_subca_instance_name}/conf/CS.cfg` + if [ ${subca_configuration_check} -eq 0 ] ; then + printf "${configuration_error_preamble} '${pki_subca_instance_name}' " + printf "${configuration_error_postamble}\n" + configuration_errors=`expr ${configuration_errors} + 1` + fi +fi + + +if [ ${usage_errors} -ne 0 ] || + [ ${existence_errors} -ne 0 ] || + [ ${configuration_errors} -ne 0 ] ; then + printf "\n" + printf "Please correct ALL errors listed above and re-run\n" + printf "the '$0' script!\n\n" + exit 255 +fi + + +## (3) Make certain that 'pkisilent' exists and is executable on this system. +if [ ! -x "/usr/bin/pkisilent" ] ; then + printf "\n" + printf "ERROR: Please install the 'pki-silent' package and re-run\n" + printf "the '$0' script!\n\n" + exit 255 +fi + + +## (4) Check for old PKI Silent Security Databases, but DO NOT remove them! +## Instead, just inform the user. 
+if [ -f "${pki_silent_security_database_repository}/cert8.db" ] || + [ -f "${pki_silent_security_database_repository}/key3.db" ] || + [ -f "${pki_silent_security_database_repository}/secmod.db" ] ; then + printf "\n" + printf "WARNING: The existing security databases\n" + printf " (i. e. - 'cert8.db', 'key3.db', and/or 'secmod.db')\n" + printf " required by '${pki_silent_script}' at the\n" + printf " specified location '${pki_silent_security_database_repository}'\n" + printf " will be used.\n\n" +fi + + +## (5) Remove any old PKI Silent log file named '${pki_silent_subca_log}' +printf "Removing old PKI Silent log files:\n" +if [ -f ${pki_silent_subca_log} ] ; then + printf " Removing old '${pki_silent_subca_log}' . . . " + rm ${pki_silent_subca_log} + printf "done.\n" +fi +printf "Done.\n\n" + + + +############################################################################## +## C A L C U L A T E P K I I N S T A N C E P I N S ## +############################################################################## + +## PKI Subsystem Instance PINS +subca_preop_pin=`cat /var/lib/${pki_subca_instance_name}/conf/CS.cfg \ + | grep preop.pin | grep -v grep | awk -F= '{print $2}'` + + + +############################################################################## +## C E R T I F I C A T E A U T H O R I T Y ## +############################################################################## +## +## For example, upon completion, +## execute '/sbin/service ${pki_subca_instance_name} status': +## +## ${pki_subca_instance_name} (pid 7843) is running ... 
+## +## Unsecure Port = http://${pki_subca_ee_host}:19180/ca/ee/ca +## Secure Agent Port = https://${pki_subca_agent_host}:19443/ca/agent/ca +## Secure EE Port = https://${pki_subca_ee_host}:19444/ca/ee/ca +## Secure Admin Port = https://${pki_subca_admin_host}:19445/ca/services +## PKI Console Port = pkiconsole https://${pki_subca_admin_host}:19445/ca +## Tomcat Port = 19701 (for shutdown) +## +## +## Security Domain URL: +## ================================================================== +## https://${pki_ca_admin_host}:9445 +## ================================================================== +## + +## Configure Subordinate CA +printf "'${pki_silent_script}': Configuring '${pki_subca_instance_name}' . . .\n" +pkisilent ConfigureSubCA \ + -cs_hostname "${pki_subca_admin_host}" \ + -cs_port ${pki_subca_admin_port} \ + -sd_hostname "${pki_security_domain_host}" \ + -sd_ssl_port ${pki_ca_ee_port} \ + -sd_agent_port ${pki_ca_agent_port} \ + -sd_admin_port ${pki_ca_admin_port} \ + -sd_admin_name "${pki_security_domain_admin_name}" \ + -sd_admin_password ${pki_security_domain_admin_password} \ + -ca_hostname ${pki_ca_ee_host} \ + -ca_port ${pki_ca_nonssl_port} \ + -ca_ssl_port ${pki_ca_ee_port} \ + -client_certdb_dir ${pki_silent_security_database_repository} \ + -client_certdb_pwd ${pki_silent_security_token_password} \ + -client_token_name ${pki_silent_security_token_name} \ + -preop_pin ${subca_preop_pin} \ + -domain_name "${pki_security_domain_name}" \ + -admin_user ${pki_silent_admin_user} \ + -admin_password ${pki_silent_admin_password} \ + -admin_email "${pki_silent_admin_email}" \ + -agent_name ${subca_agent_name} \ + -ldap_host ${pki_ldap_host} \ + -ldap_port ${pki_ldap_port} \ + -bind_dn "${pki_bind_dn}" \ + -bind_password ${pki_bind_password} \ + -base_dn "${subca_base_dn}" \ + -db_name "${subca_db_name}" \ + -remove_data "${pki_remove_data}" \ + -key_size ${subca_key_size} \ + -key_type ${subca_key_type} \ + -signing_algorithm ${subca_signing_algorithm} 
\ + -signing_signingalgorithm ${subca_signing_signingalgorithm} \ + -ocsp_signing_signingalgorithm ${subca_ocsp_signing_signingalgorithm} \ + -token_name ${pki_subca_token_name} \ + -token_pwd ${pki_subca_token_password} \ + -agent_key_size ${subca_agent_key_size} \ + -agent_key_type ${subca_agent_key_type} \ + -agent_cert_subject "${subca_agent_cert_subject}" \ + -subsystem_name "${pki_subca_subsystem_name}" \ + -ca_domain_url "${pki_subca_instance_ca_domain_url}" \ + -save_p12 ${subca_save_p12} \ + -backup_pwd ${pki_subca_backup_password} \ + -subca_sign_cert_subject_name "${subca_sign_cert_subject_name}" \ + -subca_subsystem_cert_subject_name "${subca_subsystem_cert_subject_name}" \ + -subca_ocsp_cert_subject_name "${subca_ocsp_cert_subject_name}" \ + -subca_server_cert_subject_name "${subca_server_cert_subject_name}" \ + -subca_audit_signing_cert_subject_name \ + "${subca_audit_signing_cert_subject_name}" \ + | tee ${pki_silent_subca_log} + +## Restart Subordinate CA +/sbin/service ${pki_subca_instance_name} restart + +exit 0 Property changes on: base/silent/templates/silent_subca_ip_port.template ___________________________________________________________________ Added: svn:executable + * Index: base/silent/templates/silentEC_ca.template =================================================================== --- base/silent/templates/silentEC_ca.template (revision 2598) +++ base/silent/templates/silentEC_ca.template (working copy) @@ -174,8 +174,8 @@ ## ## *180 - non-secure port (not role specific) ## *701 - non-secure Tomcat port -## *443 - secure EE port -## *444 - secure Agent port +## *443 - secure Agent port +## *444 - secure EE port ## *445 - secure Admin port ## ## @@ -186,7 +186,7 @@ ## pki_ca_port_t tcp 9180, 9701, 9443, 9444, 9445 ## -## CA ports +## CA ports (Security Domain) ca_nonssl_port=9180 ca_agent_port=9443 ca_ee_port=9444 
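Review bot: in the new silent_subca_ip_port.template every secret (`-sd_admin_password`, `-bind_password`, `-client_certdb_pwd`, `-token_pwd`, `-backup_pwd`, `-admin_password`) is handed to pkisilent as a plain command-line argument, the whole invocation output is then piped through `tee ${pki_silent_subca_log}` into /tmp/subca.log, and the NSS client database defaults to `pki_silent_security_database_repository="/tmp"`; the arguments are visible to every local user in the process list for the duration of the run, and /tmp is a shared, world-writable directory, so both defaults should point at a root-owned directory created with a restrictive umask and the log should not be written 0644 into /tmp. Secondary points on the same hunk: (a) the pipe to `tee` discards pkisilent's exit status and the script then unconditionally runs `/sbin/service ${pki_subca_instance_name} restart` and `exit 0`, so a failed configuration is reported as success; this is a bash script, so test `${PIPESTATUS[0]}` before restarting. (b) `grep preop.pin | grep -v grep` reads a file, so the `grep -v grep` is a leftover from a `ps` idiom, and the unanchored `preop.pin` pattern also matches any key that merely contains that substring; `awk -F= '$1=="preop.pin"{print $2}'` is safer. (c) `pki_subca_agent_host` and `pki_subca_eeca_host` are enforced as MANDATORY but never appear in the pkisilent invocation, and the header comment describes the Server-Cert subject as `cn=${pki_subca_admin_host}` while `subca_server_cert_subject_name` actually uses `${pki_subca_ee_host}`; with four distinct host names the server certificate only covers one of them, so either drop the unused variables or document which host it is issued for. (d) quoting is inconsistent: `-agent_name ${subca_agent_name}` is unquoted while `-agent_cert_subject "${subca_agent_cert_subject}"` is quoted, and none of the password arguments are quoted, so a password containing whitespace or glob characters is word-split or expanded before it reaches pkisilent.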
@@ -306,6 +306,20 @@ ca_ocsp_cert_subject_name="cn=OCSP\ Signing\ Certificate,ou=${ca_instance_name},o=${pki_security_domain_name}" ca_server_cert_subject_name="cn=${pki_host},ou=${ca_instance_name},o=${pki_security_domain_name}" ca_audit_signing_cert_subject_name="cn=CA\ Audit\ Signing\ Certificate,ou=${ca_instance_name},o=${pki_security_domain_name}" +## URL to CA used to Issue Certificates for CA Instance Creation +## +## IMPORTANT: The CA referenced by this URL must reside within the +## same security domain as this CA instance. +## +## NOTE: To pass in a value of an empty string, specify the value "empty" +## instead of "" since ArgParser() throws away empty strings. +## +## This special "empty" string value may be specified for any of +## the following variables: +## +## * ca_instance_ca_domain_url="empty" +## +ca_instance_ca_domain_url="empty" ## Optional CA Variables for creating a clone CA ## @@ -590,6 +604,7 @@ -save_p12 ${ca_save_p12} \ -backup_pwd ${ca_backup_password} \ -subsystem_name ${ca_subsystem_name} \ + -ca_domain_url "${ca_instance_ca_domain_url}" \ -token_name ${ca_token_name} \ -token_pwd ${ca_token_password} \ -ca_sign_cert_subject_name "${ca_sign_cert_subject_name}" \ Index: base/silent/templates/silent_tks_ip_port.template =================================================================== --- base/silent/templates/silent_tks_ip_port.template (revision 2598) +++ base/silent/templates/silent_tks_ip_port.template (working copy) @@ -94,8 +94,8 @@ ## ## 9180 - non-secure port (not role specific) ## 9701 - non-secure Tomcat port -## 9443 - secure EE port -## 9444 - secure Agent port +## 9443 - secure Agent port +## 9444 - secure EE port ## 9445 - secure Admin port ## 9446 - secure EE Client Auth port (not necessarily labeled) ## 
@@ -103,8 +103,8 @@ ## ## 13180 - non-secure port (not role specific) ## 13701 - non-secure Tomcat port -## 13443 - secure EE port -## 13444 - secure Agent port +## 13443 - secure Agent port +## 13444 - secure EE port ## 13445 - secure Admin port ## ## For Example: @@ -115,12 +115,20 @@ ## pki_tks_port_t tcp 13180, 13701, 13443, 13444, 13445 ## -## PKI CA ports +## PKI CA ports (Security Domain) pki_ca_nonssl_port= +pki_ca_agent_port= pki_ca_ee_port= -pki_ca_agent_port= pki_ca_admin_port= +## PKI Subordinate CA ports (not a Security Domain) +## +## NOTE: Replace the CA EE Security Domain Host and Port to optionally use +## a Subordinate CA to Issue Certificates for TKS Instance Creation +## +pki_subca_ee_host=${pki_ca_ee_host} +pki_subca_ee_port=${pki_ca_ee_port} + ## PKI TKS ports pki_tks_admin_port= 
@@ -199,8 +207,63 @@ ## PKI Silent Log Files pki_silent_tks_log=/tmp/tks.log +## URL to CA used to Issue Certificates for TKS Instance Creation +## +## * each 'hostname:port' must be a CA EE Hostname and CA EE Port +## * referenced CA does not need to be a Security Domain (see CAVEAT) +## * referenced CA must reside within the same security domain +## as this TKS instance +## +## CAVEAT: If the chosen CA is a security domain: +## +## * all TKS subsystem certificates (including the +## 'Subsystem' certificates) will be stored on this CA +## * the TKS subsystem client 'Administration' +## certificate will automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of this TKS subsystem +## * the 'pkisilent' client security databases may be +## used inside a firefox browser with no further +## changes +## +## If the chosen CA is NOT a security domain: +## +## * all TKS subsystem certificates EXCEPT the TKS +## 'Subsystem' certificate will be stored on this CA; +## the TKS 'Subsystem' certificate will be stored on +## the CA that is the security domain for this TKS +## subsystem +## * the TKS subsystem client 'Administration' +## certificate will NOT automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of this TKS subsystem; +## import will fail with something similar to the +## following message: +## +## ERROR: exception importing cert: Security +## library failed to decode certificate +## package: (-8183) security library: +## improperly formatted DER-encoded +## message. +## +## * in order to utilize the 'pkisilent' client +## security databases inside a firefox browser, +## one will need to manually import the TKS +## 'Administration' certificate for the TKS subsystem +## stored in this non-security domain CA +## +## NOTE: To pass in a value of an empty string, specify the value "empty" +## instead of "" since ArgParser() throws away empty strings. 
+## +## This special "empty" string value may be specified for any of +## the following variables: +## +## * pki_tks_instance_ca_domain_url="empty" +## +pki_tks_instance_ca_domain_url="https://${pki_subca_ee_host}:${pki_subca_ee_port}" + ############################################################################## ## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ## ############################################################################## @@ -536,6 +599,7 @@ -agent_key_type ${tks_agent_key_type} \ -agent_cert_subject "${tks_agent_cert_subject}" \ -subsystem_name ${pki_tks_subsystem_name} \ + -ca_domain_url "${pki_tks_instance_ca_domain_url}" \ -save_p12 ${tks_save_p12} \ -backup_pwd ${pki_tks_backup_password} \ -tks_subsystem_cert_subject_name "${tks_subsystem_cert_subject_name}" \ Index: base/silent/templates/subca_silent.template =================================================================== --- base/silent/templates/subca_silent.template (revision 2598) +++ base/silent/templates/subca_silent.template (working copy) @@ -149,8 +149,8 @@ ## ## *180 - non-secure port (not role specific) ## *701 - non-secure Tomcat port -## *443 - secure EE port -## *444 - secure Agent port +## *443 - secure Agent port +## *444 - secure EE port ## *445 - secure Admin port ## ## 
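Review bot: the CAVEAT added to silent_tks_ip_port.template at @@ -199,8 +207,63 @@ records that pointing `pki_tks_instance_ca_domain_url` at a CA that is not the security domain makes the admin certificate import fail with `(-8183) security library: improperly formatted DER-encoded message` and then tells the user to import the certificate by hand; that is a known failure being written into the template as expected behaviour. The comment should at least say whether the TKS configuration itself completes when that import fails, since a reader who sees the error cannot tell whether to re-run the script, and preferably the import should fetch the 'Administration' certificate from the CA named by `-ca_domain_url` rather than from the security-domain CA so the DER error does not arise.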
@@ -162,20 +162,37 @@ ## pki_ca1_port_t tcp 9580, 9801, 9543, 9544, 9545 ## -## CA ports +## CA ports (Security Domain) ca_nonssl_port=9180 ca_agent_port=9443 ca_ee_port=9444 ca_admin_port=9445 -## Subordinate CA ports +## Subordinate CA ports (not a Security Domain) subca_nonssl_port=9580 subca_agent_port=9543 subca_ee_port=9544 subca_admin_port=9545 +## URL to CA used to Issue Certificates for Subordinate CA Instance Creation +## +## * each 'hostname:port' must be a CA EE Hostname and CA EE Port +## * referenced CA does not need to be a Security Domain +## * referenced CA must reside within the same security domain +## as this Subordinate CA instance +## +## NOTE: To pass in a value of an empty string, specify the value "empty" +## instead of "" since ArgParser() throws away empty strings. +## +## This special "empty" string value may be specified for any of +## the following variables: +## +## * subca_instance_ca_domain_url="empty" +## +subca_instance_ca_domain_url="https://${pki_security_domain_host}:${ca_ee_port}" + ############################################################################## ## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ## ############################################################################## @@ -499,6 +516,7 @@ -save_p12 ${subca_save_p12} \ -backup_pwd ${subca_backup_password} \ -subsystem_name "${ca_subsystem_name}" \ + -ca_domain_url "${subca_instance_ca_domain_url}" \ -subca_sign_cert_subject_name "${subca_sign_cert_subject_name}" \ -subca_subsystem_cert_subject_name "${subca_subsystem_cert_subject_name}" \ -subca_ocsp_cert_subject_name "${subca_ocsp_cert_subject_name}" \ Index: base/silent/templates/silent_ra_to_ip_port.template =================================================================== --- base/silent/templates/silent_ra_to_ip_port.template (revision 2598) +++ base/silent/templates/silent_ra_to_ip_port.template (working copy) 
@@ -92,8 +92,8 @@ ## ## 9180 - non-secure port (not role specific) ## 9701 - non-secure Tomcat port -## 9443 - secure EE port -## 9444 - secure Agent port +## 9443 - secure Agent port +## 9444 - secure EE port ## 9445 - secure Admin port ## 9446 - secure EE Client Auth port (not necessarily labeled) ## @@ -111,12 +111,27 @@ ## pki_ra_port_t tcp 12890, 12888, 12889 ## -## PKI CA ports +## PKI CA ports (Security Domain) pki_ca_nonssl_port= +pki_ca_agent_port= pki_ca_ee_port= -pki_ca_agent_port= pki_ca_admin_port= +## PKI Subordinate CA ports (not a Security Domain) +## +## NOTE: Replace the CA EE Security Domain Host and Port to optionally use +## a Subordinate CA to Issue Certificates for Requests Submitted via +## this RA +## +pki_alternate_subca_ee_host=${pki_ca_ee_host} +pki_alternate_subca_ee_port=${pki_ca_ee_port} +## +## NOTE: Replace the CA EE Security Domain Host and Port to optionally use +## a Subordinate CA to Issue Certificates for RA Instance Creation +## +pki_subca_ee_host=${pki_ca_ee_host} +pki_subca_ee_port=${pki_ca_ee_port} + ## PKI RA ports pki_ra_clientauth_port= pki_ra_nonclientauth_port= 
@@ -168,8 +183,73 @@ ## PKI Silent Log Files pki_silent_ra_log=/tmp/ra.log +## URL to CA used to Issue Certificates for Requests Submitted via RA +## +## * each 'hostname:port' must be a CA EE Hostname and CA EE Port +## * referenced CA does not need to be a Security Domain +## * referenced CA must reside within the same security domain +## as the associated RA instance +## +## NOTE: To pass in a value of an empty string, specify the value "empty" +## instead of "" since ArgParser() throws away empty strings. +## +## This special "empty" string value may be specified for any of +## the following variables: +## +## * pki_ra_chosen_ca_issuance_url="empty" +## * pki_ra_instance_ca_domain_url="empty" +## +pki_ra_chosen_ca_issuance_url="https://${pki_alternate_subca_ee_host}:${pki_alternate_subca_ee_port}" +## URL to CA used to Issue Certificates for RA Instance Creation +## +## * each 'hostname:port' must be a CA EE Hostname and CA EE Port +## * referenced CA does not need to be a Security Domain (see CAVEAT) +## * referenced CA must reside within the same security domain +## as this RA instance +## +## CAVEAT: If the chosen CA is a security domain: +## +## * all RA subsystem certificates (including the +## 'Subsystem' certificates) will be stored on this CA +## * the RA subsystem client 'Administration' +## certificate will automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of this RA subsystem +## * the 'pkisilent' client security databases may be +## used inside a firefox browser with no further +## changes +## +## If the chosen CA is NOT a security domain: +## +## * all RA subsystem certificates EXCEPT the RA +## 'Subsystem' certificate will be stored on this CA; +## the RA 'Subsystem' certificate will be stored on +## the CA that is the security domain for this RA +## subsystem +## * the RA subsystem client 'Administration' +## certificate will NOT automatically be imported into +## the NSS client 
security databases associated with +## the 'pkisilent' invocation of this RA subsystem; +## import will fail with something similar to the +## following message: +## +## ERROR: exception importing cert: Security +## library failed to decode certificate +## package: (-8183) security library: +## improperly formatted DER-encoded +## message. +## +## * in order to utilize the 'pkisilent' client +## security databases inside a firefox browser, +## one will need to manually import the RA +## 'Administration' certificate for the RA subsystem +## stored in this non-security domain CA +## +pki_ra_instance_ca_domain_url="https://${pki_subca_ee_host}:${pki_subca_ee_port}" + + ############################################################################## ## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ## ############################################################################## @@ -440,6 +520,7 @@ -ca_port ${ra_chosen_ca_nonssl_port} \ -ca_ssl_port ${ra_chosen_ca_ssl_port} \ -ca_admin_port ${ra_chosen_ca_admin_port} \ + -ca_issuance_url "${pki_ra_chosen_ca_issuance_url}" \ -client_certdb_dir ${pki_silent_security_database_repository} \ -client_certdb_pwd ${pki_silent_security_token_password} \ -preop_pin ${ra_preop_pin} \ @@ -456,6 +537,7 @@ -agent_key_type ${ra_agent_key_type} \ -agent_cert_subject "${ra_agent_cert_subject}" \ -subsystem_name ${pki_ra_subsystem_name} \ + -ca_domain_url "${pki_ra_instance_ca_domain_url}" \ -ra_server_cert_nickname "${ra_server_cert_nickname}" \ -ra_server_cert_subject_name "${ra_server_cert_subject_name}" \ -ra_subsystem_cert_nickname "${ra_subsystem_cert_nickname}" \ Index: base/silent/templates/silent_ocsp_ip_port.template =================================================================== --- base/silent/templates/silent_ocsp_ip_port.template (revision 2598) +++ base/silent/templates/silent_ocsp_ip_port.template (working copy) 
@@ -94,8 +94,8 @@ ## ## 9180 - non-secure port (not role specific) ## 9701 - non-secure Tomcat port -## 9443 - secure EE port -## 9444 - secure Agent port +## 9443 - secure Agent port +## 9444 - secure EE port ## 9445 - secure Admin port ## 9446 - secure EE Client Auth port (not necessarily labeled) ## @@ -103,8 +103,8 @@ ## ## 11180 - non-secure port (not role specific) ## 11701 - non-secure Tomcat port -## 11443 - secure EE port -## 11444 - secure Agent port +## 11443 - secure Agent port +## 11444 - secure EE port ## 11445 - secure Admin port ## ## For Example: @@ -115,12 +115,20 @@ ## pki_ocsp_port_t tcp 11180, 11701, 11443, 11444, 11445 ## -## PKI CA ports +## PKI CA ports (Security Domain) pki_ca_nonssl_port= +pki_ca_agent_port= pki_ca_ee_port= -pki_ca_agent_port= pki_ca_admin_port= +## PKI Subordinate CA ports (not a Security Domain) +## +## NOTE: Replace the CA EE Security Domain Host and Port to optionally use +## a Subordinate CA to Issue Certificates for OCSP Instance Creation +## +pki_subca_ee_host=${pki_ca_ee_host} +pki_subca_ee_port=${pki_ca_ee_port} + ## PKI OCSP ports pki_ocsp_admin_port= 
@@ -200,8 +208,63 @@ ## PKI Silent Log Files pki_silent_ocsp_log=/tmp/ocsp.log +## URL to CA used to Issue Certificates for OCSP Instance Creation +## +## * each 'hostname:port' must be a CA EE Hostname and CA EE Port +## * referenced CA does not need to be a Security Domain (see CAVEAT) +## * referenced CA must reside within the same security domain +## as this OCSP instance +## +## CAVEAT: If the chosen CA is a security domain: +## +## * all OCSP subsystem certificates (including the +## 'Subsystem' certificates) will be stored on this CA +## * the OCSP subsystem client 'Administration' +## certificate will automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of this OCSP subsystem +## * the 'pkisilent' client security databases may be +## used inside a firefox browser with no further +## changes +## +## If the chosen CA is NOT a security domain: +## +## * all OCSP subsystem certificates EXCEPT the OCSP +## 'Subsystem' certificate will be stored on this CA; +## the OCSP 'Subsystem' certificate will be stored on +## the CA that is the security domain for this OCSP +## subsystem +## * the OCSP subsystem client 'Administration' +## certificate will NOT automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of this OCSP subsystem; +## import will fail with something similar to the +## following message: +## +## ERROR: exception importing cert: Security +## library failed to decode certificate +## package: (-8183) security library: +## improperly formatted DER-encoded +## message. 
+## +## * in order to utilize the 'pkisilent' client +## security databases inside a firefox browser, +## one will need to manually import the OCSP +## 'Administration' certificate for the OCSP subsystem +## stored in this non-security domain CA +## +## NOTE: To pass in a value of an empty string, specify the value "empty" +## instead of "" since ArgParser() throws away empty strings. +## +## This special "empty" string value may be specified for any of +## the following variables: +## +## * pki_ocsp_instance_ca_domain_url="empty" +## +pki_ocsp_instance_ca_domain_url="https://${pki_subca_ee_host}:${pki_subca_ee_port}" + ############################################################################## ## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ## ############################################################################## @@ -532,6 +595,7 @@ -agent_key_type ${ocsp_agent_key_type} \ -agent_cert_subject "${ocsp_agent_cert_subject}" \ -subsystem_name ${pki_ocsp_subsystem_name} \ + -ca_domain_url "${pki_ocsp_instance_ca_domain_url}" \ -save_p12 ${ocsp_save_p12} \ -backup_pwd ${pki_ocsp_backup_password} \ -ocsp_sign_cert_subject_name "${ocsp_sign_cert_subject_name}" \ Index: base/silent/templates/silent_tps_to_ip_port.template =================================================================== --- base/silent/templates/silent_tps_to_ip_port.template (revision 2598) +++ base/silent/templates/silent_tps_to_ip_port.template (working copy) @@ -90,9 +90,11 @@ ## PKI KRA Subsystem Hosts (FQDN) pki_kra_agent_host= +pki_kra_admin_host= ## PKI TKS Subsystem Hosts (FQDN) pki_tks_agent_host= +pki_tks_admin_host= ## PKI TPS Subsystem Host (computed by default) pki_host=`hostname` 
@@ -102,8 +104,8 @@ ## ## 9180 - non-secure port (not role specific) ## 9701 - non-secure Tomcat port -## 9443 - secure EE port -## 9444 - secure Agent port +## 9443 - secure Agent port +## 9444 - secure EE port ## 9445 - secure Admin port ## 9446 - secure EE Client Auth port (not necessarily labeled) ## @@ -111,16 +113,16 @@ ## ## 10180 - non-secure port (not role specific) ## 10701 - non-secure Tomcat port -## 10443 - secure EE port -## 10444 - secure Agent port +## 10443 - secure Agent port +## 10444 - secure EE port ## 10445 - secure Admin port ## ## NOTE: Default PKI TKS Instance Ports ## ## 13180 - non-secure port (not role specific) ## 13701 - non-secure Tomcat port -## 13443 - secure EE port -## 13444 - secure Agent port +## 13443 - secure Agent port +## 13444 - secure EE port ## 13445 - secure Admin port ## ## NOTE: Default PKI TPS Instance Ports @@ -140,17 +142,34 @@ ## pki_tps_port_t tcp 7890, 7888, 7889 ## -## CA ports +## PKI CA ports (Security Domain) pki_ca_nonssl_port= +pki_ca_agent_port= pki_ca_ee_port= -pki_ca_agent_port= pki_ca_admin_port= +## PKI Subordinate CA ports (not a Security Domain) +## +## NOTE: Replace the CA EE Security Domain Host and Port to optionally use +## a Subordinate CA to Issue Certificates for Requests Submitted via +## this TPS +## +pki_alternate_subca_ee_host=${pki_ca_ee_host} +pki_alternate_subca_ee_port=${pki_ca_ee_port} +## +## NOTE: Replace the CA EE Security Domain Host and Port to optionally use +## a Subordinate CA to Issue Certificates for TPS Instance Creation +## +pki_subca_ee_host=${pki_ca_ee_host} +pki_subca_ee_port=${pki_ca_ee_port} + ## DRM ports pki_kra_agent_port= +pki_kra_admin_port= ## TKS ports pki_tks_agent_port= +pki_tks_admin_port= ## TPS ports pki_tps_clientauth_port= 
@@ -202,6 +221,28 @@ pki_email_company= pki_email_domain= +## +## TPS Variables +## +## IMPORTANT: The 'tps_ldap_auth_base_dn' should contain individual +## comma separated 'dc=' values for each +## portion of the value returned by 'dnsdomainname' on +## the machine which hosts the LDAP server. +## +## For example, if 'dnsdomain' returns 'foo.example.com', +## then: +## +## tps_ldap_auth_base_dn="dc=foo,dc=example,dc=com" +## +## Using this example, the following command may be +## executed to test for a valid base DN: +## +## /usr/bin/ldapsearch -x -h ${pki_ldap_host} +## -p ${pki_ldap_port} -b 'dc=foo,dc=example,dc=com' +## -s base 'objectclass=*' +## +tps_ldap_auth_base_dn="dc=${pki_email_company},dc=${pki_email_domain}" + ## PKI Silent Admin Variables ## (e. g. - Import Admin Certificate into PKI Silent "browser" database) pki_silent_admin_user=admin 
@@ -217,8 +258,91 @@ ## PKI Silent Log Files pki_silent_tps_log=/tmp/tps.log +## URL to CA used to Issue Certificates for Requests Submitted via TPS +## +## * each 'hostname:port' must be a CA EE Hostname and CA EE Port +## * referenced CA does not need to be a Security Domain +## * referenced CA must reside within the same security domain +## as the associated TPS instance +## +## NOTE: To pass in a value of an empty string, specify the value "empty" +## instead of "" since ArgParser() throws away empty strings. +## +## This special "empty" string value may be specified for any of +## the following variables: +## +## * pki_tps_chosen_ca_issuance_url="empty" +## * pki_tps_chosen_tks_key_management_url="empty" +## * pki_tps_chosen_drm_server_side_keygen_url="empty" +## * pki_tps_instance_ca_domain_url="empty" +## +pki_tps_chosen_ca_issuance_url="https://${pki_alternate_subca_ee_host}:${pki_alternate_subca_ee_port}" +## URL to TKS used for Key Management for TPS +## +## * each 'hostname:port' must be a TKS Agent Hostname and TKS Agent Port +## * referenced TKS must reside within the same security domain +## as the associated TPS instance +## +pki_tps_chosen_tks_key_management_url="https://${pki_tks_agent_host}:${pki_tks_agent_port}" +## URL to optional DRM used for Server-Side Keygen for TPS (tps_ss_keygen=true) +## +## * each 'hostname:port' must be a DRM Agent Hostname and DRM Agent Port +## * referenced DRM must reside within the same security domain +## as the associated TPS instance +## +pki_tps_chosen_drm_server_side_keygen_url="https://${pki_kra_agent_host}:${pki_kra_agent_port}" + +## URL to CA used to Issue Certificates for TPS Instance Creation +## +## * each 'hostname:port' must be a CA EE Hostname and CA EE Port +## * referenced CA does not need to be a Security Domain (see CAVEAT) +## * referenced CA must reside within the same security domain +## as this TPS instance +## +## CAVEAT: If the chosen CA is a security domain: +## +## * all TPS subsystem 
certificates (including the +## 'Subsystem' certificates) will be stored on this CA +## * the TPS subsystem client 'Administration' +## certificate will automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of this TPS subsystem +## * the 'pkisilent' client security databases may be +## used inside a firefox browser with no further +## changes +## +## If the chosen CA is NOT a security domain: +## +## * all TPS subsystem certificates EXCEPT the TPS +## 'Subsystem' certificate will be stored on this CA; +## the TPS 'Subsystem' certificate will be stored on +## the CA that is the security domain for this TPS +## subsystem +## * the TPS subsystem client 'Administration' +## certificate will NOT automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of this TPS subsystem; +## import will fail with something similar to the +## following message: +## +## ERROR: exception importing cert: Security +## library failed to decode certificate +## package: (-8183) security library: +## improperly formatted DER-encoded +## message. +## +## * in order to utilize the 'pkisilent' client +## security databases inside a firefox browser, +## one will need to manually import the TPS +## 'Administration' certificate for the TPS subsystem +## stored in this non-security domain CA +## +pki_tps_instance_ca_domain_url="https://${pki_subca_ee_host}:${pki_subca_ee_port}" + + + ############################################################################## ## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ## ############################################################################## 
@@ -295,17 +419,20 @@ tps_chosen_ca_nonssl_port=${pki_ca_nonssl_port} tps_chosen_ca_ssl_port=${pki_ca_ee_port} tps_chosen_ca_admin_port=${pki_ca_admin_port} -tps_chosen_tks_hostname=${pki_tks_agent_host} -tps_chosen_tks_ssl_port=${pki_tks_agent_port} -tps_chosen_drm_hostname=${pki_kra_agent_host} -tps_chosen_drm_ssl_port=${pki_kra_agent_port} +tps_chosen_tks_agent_hostname=${pki_tks_agent_host} +tps_chosen_tks_agent_port=${pki_tks_agent_port} +tps_chosen_tks_admin_hostname=${pki_tks_admin_host} +tps_chosen_tks_admin_port=${pki_tks_admin_port} +tps_chosen_drm_agent_hostname=${pki_kra_agent_host} +tps_chosen_drm_agent_port=${pki_kra_agent_port} +tps_chosen_drm_admin_hostname=${pki_kra_admin_host} +tps_chosen_drm_admin_port=${pki_kra_admin_port} tps_agent_name="TPS\ Administrator\'s\ ${pki_security_domain_name}\ ID" tps_agent_key_size=2048 tps_agent_key_type=rsa tps_agent_cert_subject="cn=TPS\ Administrator,uid=admin,e=${pki_silent_admin_email},o=${pki_security_domain_name}" tps_ldap_auth_host="${pki_ldap_host}" tps_ldap_auth_port=${pki_ldap_port} -tps_ldap_auth_base_dn="dc=${pki_email_company},dc=${pki_email_domain}" tps_base_dn="dc=${pki_host}-${pki_tps_instance_name}" tps_db_name="${pki_host}-${pki_tps_instance_name}" tps_key_size=2048 @@ -348,10 +475,18 @@ printf "${usage_error_preamble} 'pki_kra_agent_host'!\n" usage_errors=`expr ${usage_errors} + 1` fi +if [ "${pki_kra_admin_host}" = "" ] ; then + printf "${usage_error_preamble} 'pki_kra_admin_host'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi if [ "${pki_tks_agent_host}" = "" ] ; then printf "${usage_error_preamble} 'pki_tks_agent_host'!\n" usage_errors=`expr ${usage_errors} + 1` fi +if [ "${pki_tks_admin_host}" = "" ] ; then + printf "${usage_error_preamble} 'pki_tks_admin_host'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi if [ "${pki_ca_nonssl_port}" = "" ] ; then printf "${usage_error_preamble} 'pki_ca_nonssl_port'!\n" usage_errors=`expr ${usage_errors} + 1` 
@@ -372,10 +507,18 @@ printf "${usage_error_preamble} 'pki_kra_agent_port'!\n" usage_errors=`expr ${usage_errors} + 1` fi +if [ "${pki_kra_admin_port}" = "" ] ; then + printf "${usage_error_preamble} 'pki_kra_admin_port'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi if [ "${pki_tks_agent_port}" = "" ] ; then printf "${usage_error_preamble} 'pki_tks_agent_port'!\n" usage_errors=`expr ${usage_errors} + 1` fi +if [ "${pki_tks_admin_port}" = "" ] ; then + printf "${usage_error_preamble} 'pki_tks_admin_port'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi if [ "${pki_tps_clientauth_port}" = "" ] ; then printf "${usage_error_preamble} 'pki_tps_clientauth_port'!\n" usage_errors=`expr ${usage_errors} + 1` @@ -542,11 +685,18 @@ -ca_port ${tps_chosen_ca_nonssl_port} \ -ca_ssl_port ${tps_chosen_ca_ssl_port} \ -ca_admin_port ${tps_chosen_ca_admin_port} \ - -drm_hostname ${tps_chosen_drm_hostname} \ - -drm_ssl_port ${tps_chosen_drm_ssl_port} \ + -ca_issuance_url "${pki_tps_chosen_ca_issuance_url}" \ + -drm_agent_hostname ${tps_chosen_drm_agent_hostname} \ + -drm_agent_port ${tps_chosen_drm_agent_port} \ + -drm_admin_hostname ${tps_chosen_drm_admin_hostname} \ + -drm_admin_port ${tps_chosen_drm_admin_port} \ + -drm_server_side_keygen_url "${pki_tps_chosen_drm_server_side_keygen_url}" \ -ss_keygen ${tps_ss_keygen} \ - -tks_hostname ${tps_chosen_tks_hostname} \ - -tks_ssl_port ${tps_chosen_tks_ssl_port} \ + -tks_agent_hostname ${tps_chosen_tks_agent_hostname} \ + -tks_agent_port ${tps_chosen_tks_agent_port} \ + -tks_admin_hostname ${tps_chosen_tks_admin_hostname} \ + -tks_admin_port ${tps_chosen_tks_admin_port} \ + -tks_key_management_url "${pki_tps_chosen_tks_key_management_url}" \ -client_certdb_dir ${pki_silent_security_database_repository} \ -client_certdb_pwd ${pki_silent_security_token_password} \ -client_token_name ${pki_silent_security_token_name} \ 
@@ -570,6 +720,7 @@ -agent_key_type ${tps_agent_key_type} \ -agent_cert_subject "${tps_agent_cert_subject}" \ -subsystem_name ${pki_tps_subsystem_name} \ + -ca_domain_url "${pki_tps_instance_ca_domain_url}" \ -ldap_auth_host ${tps_ldap_auth_host} \ -ldap_auth_port ${tps_ldap_auth_port} \ -ldap_auth_base_dn ${tps_ldap_auth_base_dn} \ Index: base/silent/templates/silentEC_subca.template =================================================================== --- base/silent/templates/silentEC_subca.template (revision 2598) +++ base/silent/templates/silentEC_subca.template (working copy) @@ -177,8 +177,8 @@ ## ## *180 - non-secure port (not role specific) ## *701 - non-secure Tomcat port -## *443 - secure EE port -## *444 - secure Agent port +## *443 - secure Agent port +## *444 - secure EE port ## *445 - secure Admin port ## ## @@ -190,18 +190,34 @@ ## pki_ca1_port_t tcp 9580, 9801, 9543, 9544, 9545 ## -## CA ports +## CA ports (Security Domain) ca_nonssl_port=9180 ca_agent_port=9443 ca_ee_port=9444 ca_admin_port=9445 -## Subordinate CA ports +## Subordinate CA ports (not a Security Domain) subca_nonssl_port=9580 subca_agent_port=9543 subca_ee_port=9544 subca_admin_port=9545 +## URL to CA used to Issue Certificates for Subordinate CA Instance Creation +## +## * each 'hostname:port' must be a CA EE Hostname and CA EE Port +## * referenced CA does not need to be a Security Domain +## * referenced CA must reside within the same security domain +## as this Subordinate CA instance +## +## NOTE: To pass in a value of an empty string, specify the value "empty" +## instead of "" since ArgParser() throws away empty strings. +## +## This special "empty" string value may be specified for any of +## the following variables: +## +## * subca_instance_ca_domain_url="empty" +## +subca_instance_ca_domain_url="https://${pki_security_domain_host}:${ca_ee_port}" ############################################################################## 
@@ -559,6 +575,7 @@ -save_p12 ${subca_save_p12} \ -backup_pwd ${subca_backup_password} \ -subsystem_name "${subca_subsystem_name}" \ + -ca_domain_url "${subca_instance_ca_domain_url}" \ -subca_sign_cert_subject_name "${subca_sign_cert_subject_name}" \ -subca_subsystem_cert_subject_name "${subca_subsystem_cert_subject_name}" \ -subca_ocsp_cert_subject_name "${subca_ocsp_cert_subject_name}" \ Index: base/silent/templates/silent_kra_ip_port.template =================================================================== --- base/silent/templates/silent_kra_ip_port.template (revision 2598) +++ base/silent/templates/silent_kra_ip_port.template (working copy) @@ -94,8 +94,8 @@ ## ## 9180 - non-secure port (not role specific) ## 9701 - non-secure Tomcat port -## 9443 - secure EE port -## 9444 - secure Agent port +## 9443 - secure Agent port +## 9444 - secure EE port ## 9445 - secure Admin port ## 9446 - secure EE Client Auth port (not necessarily labeled) ## @@ -103,8 +103,8 @@ ## ## 10180 - non-secure port (not role specific) ## 10701 - non-secure Tomcat port -## 10443 - secure EE port -## 10444 - secure Agent port +## 10443 - secure Agent port +## 10444 - secure EE port ## 10445 - secure Admin port ## ## For Example: @@ -115,12 +115,20 @@ ## pki_kra_port_t tcp 10180, 10701, 10443, 10444, 10445 ## -## PKI CA ports +## PKI CA ports (Security Domain) pki_ca_nonssl_port= +pki_ca_agent_port= pki_ca_ee_port= -pki_ca_agent_port= pki_ca_admin_port= +## PKI Subordinate CA ports (not a Security Domain) +## +## NOTE: Replace the CA EE Security Domain Host and Port to optionally use +## a Subordinate CA to Issue Certificates for KRA Instance Creation +## +pki_subca_ee_host=${pki_ca_ee_host} +pki_subca_ee_port=${pki_ca_ee_port} + ## PKI DRM ports pki_kra_admin_port= 
@@ -200,8 +208,63 @@ ## PKI Silent Log Files pki_silent_kra_log=/tmp/kra.log +## URL to CA used to Issue Certificates for KRA Instance Creation +## +## * each 'hostname:port' must be a CA EE Hostname and CA EE Port +## * referenced CA does not need to be a Security Domain (see CAVEAT) +## * referenced CA must reside within the same security domain +## as this KRA instance +## +## CAVEAT: If the chosen CA is a security domain: +## +## * all KRA subsystem certificates (including the +## 'Subsystem' certificates) will be stored on this CA +## * the KRA subsystem client 'Administration' +## certificate will automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of this KRA subsystem +## * the 'pkisilent' client security databases may be +## used inside a firefox browser with no further +## changes +## +## If the chosen CA is NOT a security domain: +## +## * all KRA subsystem certificates EXCEPT the KRA +## 'Subsystem' certificate will be stored on this CA; +## the KRA 'Subsystem' certificate will be stored on +## the CA that is the security domain for this KRA +## subsystem +## * the KRA subsystem client 'Administration' +## certificate will NOT automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of this KRA subsystem; +## import will fail with something similar to the +## following message: +## +## ERROR: exception importing cert: Security +## library failed to decode certificate +## package: (-8183) security library: +## improperly formatted DER-encoded +## message. +## +## * in order to utilize the 'pkisilent' client +## security databases inside a firefox browser, +## one will need to manually import the KRA +## 'Administration' certificate for the KRA subsystem +## stored in this non-security domain CA +## +## NOTE: To pass in a value of an empty string, specify the value "empty" +## instead of "" since ArgParser() throws away empty strings. 
+## +## This special "empty" string value may be specified for any of +## the following variables: +## +## * pki_kra_instance_ca_domain_url="empty" +## +pki_kra_instance_ca_domain_url="https://${pki_subca_ee_host}:${pki_subca_ee_port}" + ############################################################################## ## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ## ############################################################################## @@ -542,6 +605,7 @@ -agent_key_type ${kra_agent_key_type} \ -agent_cert_subject "${kra_agent_cert_subject}" \ -subsystem_name ${pki_kra_subsystem_name} \ + -ca_domain_url "${pki_kra_instance_ca_domain_url}" \ -save_p12 ${kra_save_p12} \ -backup_pwd ${pki_kra_backup_password} \ -drm_transport_cert_subject_name "${kra_transport_cert_subject_name}" \ Index: base/silent/templates/silentEC_tks.template =================================================================== --- base/silent/templates/silentEC_tks.template (revision 2598) +++ base/silent/templates/silentEC_tks.template (working copy) @@ -174,8 +174,8 @@ ## ## *180 - non-secure port (not role specific) ## *701 - non-secure Tomcat port -## *443 - secure EE port -## *444 - secure Agent port +## *443 - secure Agent port +## *444 - secure EE port ## *445 - secure Admin port ## ## @@ -186,7 +186,7 @@ ## pki_tks_port_t tcp 13180, 13701, 13443, 13444, 13445 ## -## CA ports +## CA ports (Security Domain) ca_nonssl_port=9180 ca_agent_port=9443 ca_ee_port=9444 
@@ -198,6 +198,62 @@ tks_ee_port=14454 tks_admin_port=14455 +## URL to CA used to Issue Certificates for TKS Instance Creation +## +## * each 'hostname:port' must be a CA EE Hostname and CA EE Port +## * referenced CA does not need to be a Security Domain (see CAVEAT) +## * referenced CA must reside within the same security domain +## as this TKS instance +## +## CAVEAT: If the chosen CA is a security domain: +## +## * all TKS subsystem certificates (including the +## 'Subsystem' certificates) will be stored on this CA +## * the TKS subsystem client 'Administration' +## certificate will automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of this TKS subsystem +## * the 'pkisilent' client security databases may be +## used inside a firefox browser with no further +## changes +## +## If the chosen CA is NOT a security domain: +## +## * all TKS subsystem certificates EXCEPT the TKS +## 'Subsystem' certificate will be stored on this CA; +## the TKS 'Subsystem' certificate will be stored on +## the CA that is the security domain for this TKS +## subsystem +## * the TKS subsystem client 'Administration' +## certificate will NOT automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of this TKS subsystem; +## import will fail with something similar to the +## following message: +## +## ERROR: exception importing cert: Security +## library failed to decode certificate +## package: (-8183) security library: +## improperly formatted DER-encoded +## message. +## +## * in order to utilize the 'pkisilent' client +## security databases inside a firefox browser, +## one will need to manually import the TKS +## 'Administration' certificate for the TKS subsystem +## stored in this non-security domain CA +## +## NOTE: To pass in a value of an empty string, specify the value "empty" +## instead of "" since ArgParser() throws away empty strings. 
+## +## This special "empty" string value may be specified for any of +## the following variables: +## +## * tks_instance_ca_domain_url="empty" +## +tks_instance_ca_domain_url="https://${pki_security_domain_host}:${ca_ee_port}" + + ############################################################################## ## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ## ############################################################################## @@ -497,6 +553,7 @@ -agent_key_type ${tks_agent_key_type} \ -agent_cert_subject "${tks_agent_cert_subject}" \ -subsystem_name ${tks_subsystem_name} \ + -ca_domain_url "${tks_instance_ca_domain_url}" \ -tks_subsystem_cert_subject_name "${tks_subsystem_cert_subject_name}" \ -tks_server_cert_subject_name "${tks_server_cert_subject_name}" \ -tks_audit_signing_cert_subject_name \ Index: base/silent/templates/silentEC_ocsp.template =================================================================== --- base/silent/templates/silentEC_ocsp.template (revision 2598) +++ base/silent/templates/silentEC_ocsp.template (working copy) @@ -174,8 +174,8 @@ ## ## *180 - non-secure port (not role specific) ## *701 - non-secure Tomcat port -## *443 - secure EE port -## *444 - secure Agent port +## *443 - secure Agent port +## *444 - secure EE port ## *445 - secure Admin port ## ## @@ -186,7 +186,7 @@ ## pki_ocsp_port_t tcp 11180, 11701, 11443, 11444, 11445 ## -## CA ports +## CA ports (Security Domain) ca_nonssl_port=31180 ca_agent_port=31443 ca_ee_port=31444 
@@ -198,7 +198,62 @@ ocsp_ee_port=12444 ocsp_admin_port=12445 +## URL to CA used to Issue Certificates for OCSP Instance Creation +## +## * each 'hostname:port' must be a CA EE Hostname and CA EE Port +## * referenced CA does not need to be a Security Domain (see CAVEAT) +## * referenced CA must reside within the same security domain +## as this OCSP instance +## +## CAVEAT: If the chosen CA is a security domain: +## +## * all OCSP subsystem certificates (including the +## 'Subsystem' certificates) will be stored on this CA +## * the OCSP subsystem client 'Administration' +## certificate will automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of this OCSP subsystem +## * the 'pkisilent' client security databases may be +## used inside a firefox browser with no further +## changes +## +## If the chosen CA is NOT a security domain: +## +## * all OCSP subsystem certificates EXCEPT the OCSP +## 'Subsystem' certificate will be stored on this CA; +## the OCSP 'Subsystem' certificate will be stored on +## the CA that is the security domain for this OCSP +## subsystem +## * the OCSP subsystem client 'Administration' +## certificate will NOT automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of this OCSP subsystem; +## import will fail with something similar to the +## following message: +## +## ERROR: exception importing cert: Security +## library failed to decode certificate +## package: (-8183) security library: +## improperly formatted DER-encoded +## message. +## +## * in order to utilize the 'pkisilent' client +## security databases inside a firefox browser, +## one will need to manually import the OCSP +## 'Administration' certificate for the OCSP subsystem +## stored in this non-security domain CA +## +## NOTE: To pass in a value of an empty string, specify the value "empty" +## instead of "" since ArgParser() throws away empty strings. 
+## +## This special "empty" string value may be specified for any of +## the following variables: +## +## * ocsp_instance_ca_domain_url="empty" +## +ocsp_instance_ca_domain_url="https://${pki_security_domain_host}:${ca_ee_port}" + ############################################################################## ## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ## ############################################################################## @@ -503,6 +558,7 @@ -agent_key_type ${ocsp_agent_key_type} \ -agent_cert_subject "${ocsp_agent_cert_subject}" \ -subsystem_name ${ocsp_subsystem_name} \ + -ca_domain_url "${ocsp_instance_ca_domain_url}" \ -ocsp_sign_cert_subject_name "${ocsp_sign_cert_subject_name}" \ -ocsp_subsystem_cert_subject_name "${ocsp_subsystem_cert_subject_name}" \ -ocsp_server_cert_subject_name "${ocsp_server_cert_subject_name}" \ Index: base/silent/templates/silentEC_tps.template =================================================================== --- base/silent/templates/silentEC_tps.template (revision 2598) +++ base/silent/templates/silentEC_tps.template (working copy) @@ -145,6 +145,28 @@ pki_email_company= pki_email_domain= +# +## TPS Variables +## +## IMPORTANT: The 'tps_ldap_auth_base_dn' should contain individual +## comma separated 'dc=' values for each +## portion of the value returned by 'dnsdomainname' on +## the machine which hosts the LDAP server. +## +## For example, if 'dnsdomain' returns 'foo.example.com', +## then: +## +## tps_ldap_auth_base_dn="dc=foo,dc=example,dc=com" +## +## Using this example, the following command may be +## executed to test for a valid base DN: +## +## /usr/bin/ldapsearch -x -h ${pki_ldap_host} +## -p ${pki_ldap_port} -b 'dc=foo,dc=example,dc=com' +## -s base 'objectclass=*' +## +tps_ldap_auth_base_dn="dc=${pki_email_company},dc=${pki_email_domain}" + ## PKI Silent Admin Variables ## (e. g. - Import Admin Certificate into PKI Silent "browser" database) pki_silent_admin_user=admin 
@@ -187,7 +209,7 @@ ## pki_tps_port_t tcp 7890, 7888, 7889 ## -## CA ports +## CA ports (Security Domain) ca_nonssl_port=31180 ca_agent_port=31443 ca_ee_port=31444 
@@ -210,8 +232,91 @@ tps_clientauth_port=9089 tps_nonclientauth_port=9090 +## URL to CA used to Issue Certificates for Requests Submitted via TPS +## +## * each 'hostname:port' must be a CA EE Hostname and CA EE Port +## * referenced CA does not need to be a Security Domain +## * referenced CA must reside within the same security domain +## as the associated TPS instance +## +## NOTE: To pass in a value of an empty string, specify the value "empty" +## instead of "" since ArgParser() throws away empty strings. +## +## This special "empty" string value may be specified for any of +## the following variables: +## +## * tps_chosen_ca_issuance_url="empty" +## * tps_chosen_tks_key_management_url="empty" +## * tps_chosen_drm_server_side_keygen_url="empty" +## * tps_instance_ca_domain_url="empty" +## +tps_chosen_ca_issuance_url="https://${pki_security_domain_host}:${ca_ee_port}" +## URL to TKS used for Key Management for TPS +## +## * each 'hostname:port' must be a TKS Agent Hostname and TKS Agent Port +## * referenced TKS must reside within the same security domain +## as the associated TPS instance +## +tps_chosen_tks_key_management_url="https://${pki_security_domain_host}:${tks_agent_port}" +## URL to optional DRM used for Server-Side Keygen for TPS (tps_ss_keygen=true) +## +## * each 'hostname:port' must be a DRM Agent Hostname and DRM Agent Port +## * referenced DRM must reside within the same security domain +## as the associated TPS instance +## +tps_chosen_drm_server_side_keygen_url="https://${pki_security_domain_host}:${kra_agent_port}" + +## URL to CA used to Issue Certificates for TPS Instance Creation +## +## * each 'hostname:port' must be a CA EE Hostname and CA EE Port +## * referenced CA does not need to be a Security Domain (see CAVEAT) +## * referenced CA must reside within the same security domain +## as this TPS instance +## +## CAVEAT: If the chosen CA is a security domain: +## +## * all TPS subsystem certificates (including the +## 'Subsystem' 
certificates) will be stored on this CA +## * the TPS subsystem client 'Administration' +## certificate will automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of this TPS subsystem +## * the 'pkisilent' client security databases may be +## used inside a firefox browser with no further +## changes +## +## If the chosen CA is NOT a security domain: +## +## * all TPS subsystem certificates EXCEPT the TPS +## 'Subsystem' certificate will be stored on this CA; +## the TPS 'Subsystem' certificate will be stored on +## the CA that is the security domain for this TPS +## subsystem +## * the TPS subsystem client 'Administration' +## certificate will NOT automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of this TPS subsystem; +## import will fail with something similar to the +## following message: +## +## ERROR: exception importing cert: Security +## library failed to decode certificate +## package: (-8183) security library: +## improperly formatted DER-encoded +## message. +## +## * in order to utilize the 'pkisilent' client +## security databases inside a firefox browser, +## one will need to manually import the TPS +## 'Administration' certificate for the TPS subsystem +## stored in this non-security domain CA +## +tps_instance_ca_domain_url="https://${pki_security_domain_host}:${ca_ee_port}" + + + ############################################################################## ## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ## ############################################################################## 
@@ -292,17 +397,20 @@ tps_chosen_ca_nonssl_port=${ca_nonssl_port} tps_chosen_ca_ssl_port=${ca_ee_port} tps_chosen_ca_admin_port=${ca_admin_port} -tps_chosen_tks_hostname=${pki_host} -tps_chosen_tks_ssl_port=${tks_ee_port} -tps_chosen_drm_hostname=${pki_host} -tps_chosen_drm_ssl_port=${kra_ee_port} +tps_chosen_tks_agent_hostname=${pki_host} +tps_chosen_tks_agent_port=${tks_agent_port} +tps_chosen_tks_admin_hostname=${pki_host} +tps_chosen_tks_admin_port=${tks_admin_port} +tps_chosen_drm_agent_hostname=${pki_host} +tps_chosen_drm_agent_port=${kra_agent_port} +tps_chosen_drm_admin_hostname=${pki_host} +tps_chosen_drm_admin_port=${kra_admin_port} tps_agent_name="TPS\ Administrator\'s\ ${pki_security_domain_name}\ ID" tps_agent_key_size=nistp256 tps_agent_key_type=ecc tps_agent_cert_subject="cn=TPS\ Administrator,uid=admin,e=${pki_silent_admin_email},o=${pki_security_domain_name}" tps_ldap_auth_host=localhost tps_ldap_auth_port=389 -tps_ldap_auth_base_dn="dc=${pki_email_company},dc=${pki_email_domain}" tps_base_dn="dc=${pki_host}-${tps_instance_name}" tps_db_name="${pki_host}-${tps_instance_name}" tps_key_size=256 
@@ -481,11 +589,18 @@ -ca_port ${tps_chosen_ca_nonssl_port} \ -ca_ssl_port ${tps_chosen_ca_ssl_port} \ -ca_admin_port ${tps_chosen_ca_admin_port} \ - -drm_hostname ${tps_chosen_drm_hostname} \ - -drm_ssl_port ${tps_chosen_drm_ssl_port} \ + -ca_issuance_url "${tps_chosen_ca_issuance_url}" \ + -drm_agent_hostname ${tps_chosen_drm_agent_hostname} \ + -drm_agent_port ${tps_chosen_drm_agent_port} \ + -drm_admin_hostname ${tps_chosen_drm_admin_hostname} \ + -drm_admin_port ${tps_chosen_drm_admin_port} \ + -drm_server_side_keygen_url "${tps_chosen_drm_server_side_keygen_url}" \ -ss_keygen ${tps_ss_keygen} \ - -tks_hostname ${tps_chosen_tks_hostname} \ - -tks_ssl_port ${tps_chosen_tks_ssl_port} \ + -tks_agent_hostname ${tps_chosen_tks_agent_hostname} \ + -tks_agent_port ${tps_chosen_tks_agent_port} \ + -tks_admin_hostname ${tps_chosen_tks_admin_hostname} \ + -tks_admin_port ${tps_chosen_tks_admin_port} \ + -tks_key_management_url "${tps_chosen_tks_key_management_url}" \ -client_certdb_dir ${pki_silent_security_database_repository} \ -client_certdb_pwd ${pki_silent_security_token_password} \ -client_token_name ${pki_silent_security_token_name} \ @@ -509,6 +624,7 @@ -agent_key_type ${tps_agent_key_type} \ -agent_cert_subject "${tps_agent_cert_subject}" \ -subsystem_name ${tps_subsystem_name} \ + -ca_domain_url "${tps_instance_ca_domain_url}" \ -subsystem_key_type ${tps_key_type} \ -subsystem_key_size ${tps_key_curvename} \ -audit_signing_key_size 2048 \ Index: base/silent/templates/silent_ca_ip_port.template =================================================================== --- base/silent/templates/silent_ca_ip_port.template (revision 2598) +++ base/silent/templates/silent_ca_ip_port.template (working copy) 
@@ -89,8 +89,8 @@ ## ## 9180 - non-secure port (not role specific) ## 9701 - non-secure Tomcat port -## 9443 - secure EE port -## 9444 - secure Agent port +## 9443 - secure Agent port +## 9444 - secure EE port ## 9445 - secure Admin port ## 9446 - secure EE Client Auth port (not necessarily labeled) ## @@ -102,7 +102,7 @@ ## pki_ca_port_t tcp 9180, 9701, 9443, 9444, 9445 ## -## PKI CA ports +## PKI CA ports (Security Domain) pki_ca_admin_port= ## PKI Silent Security Database Variables @@ -297,6 +297,20 @@ ca_ocsp_cert_subject_name="cn=OCSP\ Signing\ Certificate,o=${pki_security_domain_name}" ca_server_cert_subject_name="cn=${pki_ca_ee_host},o=${pki_security_domain_name}" ca_audit_signing_cert_subject_name="cn=CA\ Audit\ Signing\ Certificate,o=${pki_security_domain_name}" +## URL to CA used to Issue Certificates for CA Instance Creation +## +## IMPORTANT: The CA referenced by this URL must reside within the +## same security domain as this CA instance. +## +## NOTE: To pass in a value of an empty string, specify the value "empty" +## instead of "" since ArgParser() throws away empty strings. +## +## This special "empty" string value may be specified for any of +## the following variables: +## +## * ca_instance_ca_domain_url="empty" +## +ca_instance_ca_domain_url="empty" @@ -518,6 +532,7 @@ -save_p12 ${ca_save_p12} \ -backup_pwd ${pki_ca_backup_password} \ -subsystem_name ${pki_ca_subsystem_name} \ + -ca_domain_url "${ca_instance_ca_domain_url}" \ -token_name ${pki_ca_token_name} \ -token_pwd ${pki_ca_token_password} \ -ca_sign_cert_subject_name "${ca_sign_cert_subject_name}" \ Index: base/silent/templates/pki_silent.template =================================================================== --- base/silent/templates/pki_silent.template (revision 2598) +++ base/silent/templates/pki_silent.template (working copy) 
@@ -137,6 +137,28 @@ pki_email_company= pki_email_domain= +## +## TPS Variables +## +## IMPORTANT: The 'tps_ldap_auth_base_dn' should contain individual +## comma separated 'dc=' values for each +## portion of the value returned by 'dnsdomainname' on +## the machine which hosts the LDAP server. +## +## For example, if 'dnsdomain' returns 'foo.example.com', +## then: +## +## tps_ldap_auth_base_dn="dc=foo,dc=example,dc=com" +## +## Using this example, the following command may be +## executed to test for a valid base DN: +## +## /usr/bin/ldapsearch -x -h ${pki_ldap_host} +## -p ${pki_ldap_port} -b 'dc=foo,dc=example,dc=com' +## -s base 'objectclass=*' +## +tps_ldap_auth_base_dn="dc=${pki_email_company},dc=${pki_email_domain}" + ## PKI Silent Admin Variables ## (e. g. - Import Admin Certificate into PKI Silent "browser" database) pki_silent_admin_user=admin @@ -175,8 +197,8 @@ ## ## *180 - non-secure port (not role specific) ## *701 - non-secure Tomcat port -## *443 - secure EE port -## *444 - secure Agent port +## *443 - secure Agent port +## *444 - secure EE port ## *445 - secure Admin port ## ## RA, TPS: @@ -198,7 +220,7 @@ ## pki_tps_port_t tcp 7890, 7888, 7889 ## -## CA ports +## CA ports (Security Domain) ca_nonssl_port=9180 ca_agent_port=9443 ca_ee_port=9444 
@@ -232,8 +254,107 @@ tps_clientauth_port=7889 tps_nonclientauth_port=7890 +## URL to CA used to Issue Certificates for PKI Instance Creation +## +## * each 'hostname:port' must be a CA EE Hostname and CA EE Port +## * referenced CA does not need to be a Security Domain (see CAVEAT) +## * referenced CA must reside within the same security domain +## as the associated PKI instance +## +## CAVEAT: If the chosen CA is a security domain: +## +## * all PKI subsystem certificates (including the +## 'Subsystem' certificates) will be stored on this CA +## * all PKI subsystem client 'Administration' +## certificates will automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of each PKI subsystem +## * the 'pkisilent' client security databases may be +## used inside a firefox browser with no further +## changes +## +## If the chosen CA is NOT a security domain: +## +## * all PKI subsystem certificates EXCEPT the +## 'Subsystem' certificate will be stored on this CA; +## the 'Subsystem' certificate will be stored on the +## CA that is the security domain for this PKI +## subsystem +## * no non-CA PKI subsystem client 'Administration' +## certificates will automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of each PKI subsystem; +## import will fail with something similar to the +## following message: +## +## ERROR: exception importing cert: Security +## library failed to decode certificate +## package: (-8183) security library: +## improperly formatted DER-encoded +## message. 
+## +## * in order to utilize the 'pkisilent' client +## security databases inside a firefox browser, one +## will need to manually import all 'Administration' +## certificates for each of the non-CA PKI subsystems +## stored in this non-security domain CA +## +## NOTE: To pass in a value of an empty string, specify the value "empty" +## instead of "" since ArgParser() throws away empty strings. +## +## This special "empty" string value may be specified for any of +## the following variables: +## +## * ca_instance_ca_domain_url="empty" +## * kra_instance_ca_domain_url="empty" +## * ocsp_instance_ca_domain_url="empty" +## * tks_instance_ca_domain_url="empty" +## * ra_chosen_ca_issuance_url="empty" +## * ra_instance_ca_domain_url="empty" +## * tps_chosen_ca_issuance_url="empty" +## * tps_chosen_tks_key_management_url="empty" +## * tps_chosen_drm_server_side_keygen_url="empty" +## * tps_instance_ca_domain_url="empty" +## +kra_instance_ca_domain_url="https://${pki_security_domain_host}:${ca_ee_port}" +ocsp_instance_ca_domain_url="https://${pki_security_domain_host}:${ca_ee_port}" +ra_instance_ca_domain_url="https://${pki_security_domain_host}:${ca_ee_port}" + +tks_instance_ca_domain_url="https://${pki_security_domain_host}:${ca_ee_port}" + +tps_instance_ca_domain_url="https://${pki_security_domain_host}:${ca_ee_port}" + +## URL to CA used to Issue Certificates for Requests Submitted via PKI instance +## +## * each 'hostname:port' must be a CA EE Hostname and CA EE Port +## * referenced CA does not need to be a Security Domain +## * referenced CA must reside within the same security domain +## as the associated PKI instance +## +ra_chosen_ca_issuance_url="https://${pki_security_domain_host}:${ca_ee_port}" + +tps_chosen_ca_issuance_url="https://${pki_security_domain_host}:${ca_ee_port}" + +## URL to TKS used for Key Management for TPS +## +## * each 'hostname:port' must be a TKS Agent Hostname and TKS Agent Port +## * referenced TKS must reside within the same security 
domain +## as the associated TPS instance +## +tps_chosen_tks_key_management_url="https://${pki_security_domain_host}:${tks_agent_port}" + +## URL to optional DRM used for Server-Side Keygen for TPS (tps_ss_keygen=true) +## +## * each 'hostname:port' must be a DRM Agent Hostname and DRM Agent Port +## * referenced DRM must reside within the same security domain +## as the associated TPS instance +## +tps_chosen_drm_server_side_keygen_url="https://${pki_security_domain_host}:${kra_agent_port}" + + + ############################################################################## ## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ## ############################################################################## @@ -394,6 +515,10 @@ ca_ocsp_cert_subject_name="cn=OCSP\ Signing\ Certificate,o=${pki_security_domain_name}" ca_server_cert_subject_name="cn=${pki_host},o=${pki_security_domain_name}" ca_audit_signing_cert_subject_name="cn=CA\ Audit\ Signing\ Certificate,o=${pki_security_domain_name}" +## URL to CA used to Issue Certificates for CA Instance Creation +ca_instance_ca_domain_url="empty" +## URL to External CA used to Issue Certificates for CA Instance Creation +external_ca_domain_url="External CA" ## Optional CA Variables for creating a clone CA ## 
@@ -766,17 +891,20 @@ tps_chosen_ca_nonssl_port=${ca_nonssl_port} tps_chosen_ca_ssl_port=${ca_ee_port} tps_chosen_ca_admin_port=${ca_admin_port} -tps_chosen_tks_hostname=${pki_host} -tps_chosen_tks_ssl_port=${tks_ee_port} -tps_chosen_drm_hostname=${pki_host} -tps_chosen_drm_ssl_port=${kra_ee_port} +tps_chosen_tks_agent_hostname=${pki_host} +tps_chosen_tks_agent_port=${tks_agent_port} +tps_chosen_tks_admin_hostname=${pki_host} +tps_chosen_tks_admin_port=${tks_admin_port} +tps_chosen_drm_agent_hostname=${pki_host} +tps_chosen_drm_agent_port=${kra_agent_port} +tps_chosen_drm_admin_hostname=${pki_host} +tps_chosen_drm_admin_port=${kra_admin_port} tps_agent_name="TPS\ Administrator\'s\ ${pki_security_domain_name}\ ID" tps_agent_key_size=2048 tps_agent_key_type=rsa tps_agent_cert_subject="cn=TPS\ Administrator,uid=admin,e=${pki_silent_admin_email},o=${pki_security_domain_name}" tps_ldap_auth_host=localhost tps_ldap_auth_port=389 -tps_ldap_auth_base_dn="dc=${pki_email_company},dc=${pki_email_domain}" tps_base_dn="dc=${pki_host}-${tps_instance_name}" tps_db_name="${pki_host}-${tps_instance_name}" tps_key_size=2048 @@ -1105,6 +1233,7 @@ -save_p12 ${ca_save_p12} \ -backup_pwd ${ca_backup_password} \ -subsystem_name ${ca_subsystem_name} \ + -ca_domain_url "${ca_instance_ca_domain_url}" \ -token_name ${ca_token_name} \ -token_pwd ${ca_token_password} \ -ca_sign_cert_subject_name "${ca_sign_cert_subject_name}" \ @@ -1173,6 +1302,7 @@ # -save_p12 ${ca_save_p12} \ # -backup_pwd ${ca_backup_password} \ # -subsystem_name ${ca_subsystem_name} \ +# -ca_domain_url "${ca_instance_ca_domain_url}" \ # -token_name ${ca_token_name} \ # -token_pwd ${ca_token_password} \ # -ca_sign_cert_subject_name "${ca_sign_cert_subject_name}" \ 
@@ -1239,6 +1369,7 @@ # -save_p12 ${ca_save_p12} \ # -backup_pwd ${ca_backup_password} \ # -subsystem_name ${ca_subsystem_name} \ +# -ca_domain_url "${external_ca_domain_url}" \ # -token_name ${ca_token_name} \ # -token_pwd ${ca_token_password} \ # -ca_sign_cert_subject_name "${ca_sign_cert_subject_name}" \ @@ -1311,6 +1442,7 @@ # -save_p12 ${ca_save_p12} \ # -backup_pwd ${ca_backup_password} \ # -subsystem_name ${ca_subsystem_name} \ +# -ca_domain_url "${external_ca_domain_url}" \ # -token_name ${ca_token_name} \ # -token_pwd ${ca_token_password} \ # -ca_sign_cert_subject_name "${ca_sign_cert_subject_name}" \ @@ -1381,6 +1513,7 @@ -agent_key_type ${kra_agent_key_type} \ -agent_cert_subject "${kra_agent_cert_subject}" \ -subsystem_name ${kra_subsystem_name} \ + -ca_domain_url "${kra_instance_ca_domain_url}" \ -save_p12 ${kra_save_p12} \ -backup_pwd ${kra_backup_password} \ -drm_transport_cert_subject_name "${kra_transport_cert_subject_name}" \ @@ -1451,6 +1584,7 @@ # -agent_key_type ${kra_agent_key_type} \ # -agent_cert_subject "${kra_agent_cert_subject}" \ # -subsystem_name ${kra_subsystem_name} \ +# -ca_domain_url "${kra_instance_ca_domain_url}" \ # -save_p12 ${kra_save_p12} \ # -backup_pwd ${kra_backup_password} \ # -drm_transport_cert_subject_name "${kra_transport_cert_subject_name}" \ @@ -1524,6 +1658,7 @@ -agent_key_type ${ocsp_agent_key_type} \ -agent_cert_subject "${ocsp_agent_cert_subject}" \ -subsystem_name ${ocsp_subsystem_name} \ + -ca_domain_url "${ocsp_instance_ca_domain_url}" \ -save_p12 ${ocsp_save_p12} \ -backup_pwd ${ocsp_backup_password} \ -ocsp_sign_cert_subject_name "${ocsp_sign_cert_subject_name}" \ @@ -1592,6 +1727,7 @@ -agent_key_type ${tks_agent_key_type} \ -agent_cert_subject "${tks_agent_cert_subject}" \ -subsystem_name ${tks_subsystem_name} \ + -ca_domain_url "${tks_instance_ca_domain_url}" \ -save_p12 ${tks_save_p12} \ -backup_pwd ${tks_backup_password} \ -tks_subsystem_cert_subject_name "${tks_subsystem_cert_subject_name}" \ 
@@ -1636,6 +1772,7 @@ -ca_port ${ra_chosen_ca_nonssl_port} \ -ca_ssl_port ${ra_chosen_ca_ssl_port} \ -ca_admin_port ${ra_chosen_ca_admin_port} \ + -ca_issuance_url ${ra_chosen_ca_issuance_url} \ -client_certdb_dir ${pki_silent_security_database_repository} \ -client_certdb_pwd ${pki_silent_security_token_password} \ -client_token_name ${pki_silent_security_token_name} \ @@ -1653,6 +1790,7 @@ -agent_key_type ${ra_agent_key_type} \ -agent_cert_subject "${ra_agent_cert_subject}" \ -subsystem_name ${ra_subsystem_name} \ + -ca_domain_url "${ra_instance_ca_domain_url}" \ -ra_server_cert_nickname "${ra_server_cert_nickname}" \ -ra_server_cert_subject_name "${ra_server_cert_subject_name}" \ -ra_subsystem_cert_nickname "${ra_subsystem_cert_nickname}" \ @@ -1704,11 +1842,18 @@ -ca_port ${tps_chosen_ca_nonssl_port} \ -ca_ssl_port ${tps_chosen_ca_ssl_port} \ -ca_admin_port ${tps_chosen_ca_admin_port} \ - -drm_hostname ${tps_chosen_drm_hostname} \ - -drm_ssl_port ${tps_chosen_drm_ssl_port} \ + -ca_issuance_url ${tps_chosen_ca_issuance_url} \ + -drm_agent_hostname ${tps_chosen_drm_agent_hostname} \ + -drm_agent_port ${tps_chosen_drm_agent_port} \ + -drm_admin_hostname ${tps_chosen_drm_admin_hostname} \ + -drm_admin_port ${tps_chosen_drm_admin_port} \ + -drm_server_side_keygen_url ${tps_chosen_drm_server_side_keygen_url} \ -ss_keygen ${tps_ss_keygen} \ - -tks_hostname ${tps_chosen_tks_hostname} \ - -tks_ssl_port ${tps_chosen_tks_ssl_port} \ + -tks_agent_hostname ${tps_chosen_tks_agent_hostname} \ + -tks_agent_port ${tps_chosen_tks_agent_port} \ + -tks_admin_hostname ${tps_chosen_tks_admin_hostname} \ + -tks_admin_port ${tps_chosen_tks_admin_port} \ + -tks_key_management_url ${tps_chosen_tks_key_management_url} \ -client_certdb_dir ${pki_silent_security_database_repository} \ -client_certdb_pwd ${pki_silent_security_token_password} \ -client_token_name ${pki_silent_security_token_name} \ 
@@ -1734,6 +1879,7 @@ -save_p12 ${tps_save_p12} \ -backup_pwd ${tps_backup_password} \ -subsystem_name ${tps_subsystem_name} \ + -ca_domain_url "${tps_instance_ca_domain_url}" \ -ldap_auth_host ${tps_ldap_auth_host} \ -ldap_auth_port ${tps_ldap_auth_port} \ -ldap_auth_base_dn ${tps_ldap_auth_base_dn} \ Index: base/silent/templates/silentEC_kra.template =================================================================== --- base/silent/templates/silentEC_kra.template (revision 2598) +++ base/silent/templates/silentEC_kra.template (working copy) @@ -174,8 +174,8 @@ ## ## *180 - non-secure port (not role specific) ## *701 - non-secure Tomcat port -## *443 - secure EE port -## *444 - secure Agent port +## *443 - secure Agent port +## *444 - secure EE port ## *445 - secure Admin port ## ## @@ -186,7 +186,7 @@ ## pki_kra_port_t tcp 10180, 10701, 10443, 10444, 10445 ## -## CA ports +## CA ports (Security Domain) ca_nonssl_port=9180 ca_agent_port=9443 ca_ee_port=9444 
@@ -198,7 +198,62 @@ kra_ee_port=10444 kra_admin_port=10445 +## URL to CA used to Issue Certificates for KRA Instance Creation +## +## * each 'hostname:port' must be a CA EE Hostname and CA EE Port +## * referenced CA does not need to be a Security Domain (see CAVEAT) +## * referenced CA must reside within the same security domain +## as this KRA instance +## +## CAVEAT: If the chosen CA is a security domain: +## +## * all KRA subsystem certificates (including the +## 'Subsystem' certificates) will be stored on this CA +## * the KRA subsystem client 'Administration' +## certificate will automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of this KRA subsystem +## * the 'pkisilent' client security databases may be +## used inside a firefox browser with no further +## changes +## +## If the chosen CA is NOT a security domain: +## +## * all KRA subsystem certificates EXCEPT the KRA +## 'Subsystem' certificate will be stored on this CA; +## the KRA 'Subsystem' certificate will be stored on +## the CA that is the security domain for this KRA +## subsystem +## * the KRA subsystem client 'Administration' +## certificate will NOT automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of this KRA subsystem; +## import will fail with something similar to the +## following message: +## +## ERROR: exception importing cert: Security +## library failed to decode certificate +## package: (-8183) security library: +## improperly formatted DER-encoded +## message. +## +## * in order to utilize the 'pkisilent' client +## security databases inside a firefox browser, +## one will need to manually import the KRA +## 'Administration' certificate for the KRA subsystem +## stored in this non-security domain CA +## +## NOTE: To pass in a value of an empty string, specify the value "empty" +## instead of "" since ArgParser() throws away empty strings. 
+## +## This special "empty" string value may be specified for any of +## the following variables: +## +## * kra_instance_ca_domain_url="empty" +## +kra_instance_ca_domain_url="https://${pki_security_domain_host}:${ca_ee_port}" + ############################################################################## ## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ## ############################################################################## @@ -550,6 +605,7 @@ -agent_key_type ${kra_agent_key_type} \ -agent_cert_subject "${kra_agent_cert_subject}" \ -subsystem_name ${kra_subsystem_name} \ + -ca_domain_url "${kra_instance_ca_domain_url}" \ -drm_transport_cert_subject_name "${kra_transport_cert_subject_name}" \ -drm_subsystem_cert_subject_name "${kra_subsystem_cert_subject_name}" \ -drm_storage_cert_subject_name "${kra_storage_cert_subject_name}" \ Index: base/ra/lib/perl/PKI/RA/CAInfoPanel.pm =================================================================== --- base/ra/lib/perl/PKI/RA/CAInfoPanel.pm (revision 2598) +++ base/ra/lib/perl/PKI/RA/CAInfoPanel.pm (working copy) @@ -250,8 +250,8 @@ sub get_domain_xml { - my $ca_ee_host = $1; - my $https_ee_port = $2; + my $ca_ee_host = $_[0]; + my $https_ee_port = $_[1]; # get the domain xml # e. g. - https://water.sfbay.redhat.com:9445/ca/admin/ca/getDomainXML @@ -273,9 +273,9 @@ sub get_secure_admin_port_from_domain_xml { - my $content = $1; - my $ca_ee_host = $2; - my $https_ee_port = $3; + my $content = $_[0]; + my $ca_ee_host = $_[1]; + my $https_ee_port = $_[2]; # Retrieve the secure admin port corresponding # to the selected EE host and secure ee port. @@ -287,7 +287,7 @@ foreach my $c (@{$xml->{'CAList'}[0]->{'CA'}}) { if( ( $ca_ee_host eq $c->{'Host'}[0] ) && ( $https_ee_port eq $c->{'SecurePort'}[0] ) ) { - $https_admin_port = https_$c->{'SecureAdminPort'}[0]; + $https_admin_port = $c->{'SecureAdminPort'}[0]; last; } } 
@@ -297,9 +297,9 @@ sub get_secure_agent_port_from_domain_xml { - my $content = $1; - my $ca_ee_host = $2; - my $https_ee_port = $3; + my $content = $_[0]; + my $ca_ee_host = $_[1]; + my $https_ee_port = $_[2]; # Retrieve the secure agent port corresponding # to the selected EE host and secure ee port. @@ -311,7 +311,7 @@ foreach my $c (@{$xml->{'CAList'}[0]->{'CA'}}) { if( ( $ca_ee_host eq $c->{'Host'}[0] ) && ( $https_ee_port eq $c->{'SecurePort'}[0] ) ) { - $https_agent_port = https_$c->{'SecureAgentPort'}[0]; + $https_agent_port = $c->{'SecureAgentPort'}[0]; last; } } @@ -321,9 +321,9 @@ sub get_admin_host_from_domain_xml { - my $content = $1; - my $ca_ee_host = $2; - my $https_ee_port = $3; + my $content = $_[0]; + my $ca_ee_host = $_[1]; + my $https_ee_port = $_[2]; # Retrieve the admin host corresponding # to the selected EE host and secure ee port. @@ -337,10 +337,10 @@ ( $https_ee_port eq $c->{'SecurePort'}[0] ) ) { if( $c->{'AdminHost'}[0] ne "" ) { # IP Port Separation Schema - $ca_admin_host = https_$c->{'AdminHost'}[0]; + $ca_admin_host = $c->{'AdminHost'}[0]; } else { # Port Separation Schema - $ca_admin_host = https_$c->{'Host'}[0]; + $ca_admin_host = $c->{'Host'}[0]; } last; } @@ -352,9 +352,9 @@ sub get_agent_host_from_domain_xml { - my $content = $1; - my $ca_ee_host = $2; - my $https_ee_port = $3; + my $content = $_[0]; + my $ca_ee_host = $_[1]; + my $https_ee_port = $_[2]; # Retrieve the agent host corresponding # to the selected EE host and secure ee port. 
@@ -368,10 +368,10 @@ ( $https_ee_port eq $c->{'SecurePort'}[0] ) ) { if( $c->{'AgentHost'}[0] ne "" ) { # IP Port Separation Schema - $ca_agent_host = https_$c->{'AgentHost'}[0]; + $ca_agent_host = $c->{'AgentHost'}[0]; } else { # Port Separation Schema - $ca_agent_host = https_$c->{'Host'}[0]; + $ca_agent_host = $c->{'Host'}[0]; } last; } Index: base/ra/lib/perl/PKI/RA/NamePanel.pm =================================================================== --- base/ra/lib/perl/PKI/RA/NamePanel.pm (revision 2598) +++ base/ra/lib/perl/PKI/RA/NamePanel.pm (working copy) 
@@ -293,16 +293,26 @@ "auth_hostname=" . $sdom_url->host . "&" . "auth_port=" . $sdom_url->port; + # NOTE: Must save the original values of '$ca_ee_host' and + # '$https_ee_port' because if 'subsystem' is not + # the last value specifed in 'CS.cfg::preop.cert.list', + # it was discovered that the following code was + # resetting these values for every value that follows. + my $sslget_ca_ee_host = ""; + my $sslget_https_ee_port = ""; if ($certtag eq "subsystem") { - $ca_ee_host = $sdom_url->host; - $https_ee_port = $sdom_url->port; + $sslget_ca_ee_host = $sdom_url->host; + $sslget_https_ee_port = $sdom_url->port; + } else { + $sslget_ca_ee_host = $ca_ee_host; + $sslget_https_ee_port = $https_ee_port; } if ($changed eq "true") { -$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_ee_host:$https_ee_port"; -$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_ee_host:$https_ee_port"; +$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $sslget_ca_ee_host:$sslget_https_ee_port"; +$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $sslget_ca_ee_host:$sslget_https_ee_port"; } else { -$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_ee_host:$https_ee_port"; -$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_ee_host:$https_ee_port"; +$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $sslget_ca_ee_host:$sslget_https_ee_port"; +$debug_req = 
"/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $sslget_ca_ee_host:$sslget_https_ee_port"; } &PKI::RA::Wizard::debug_log("debug_req = " . $debug_req); Index: base/tps/lib/perl/PKI/TPS/CAInfoPanel.pm =================================================================== --- base/tps/lib/perl/PKI/TPS/CAInfoPanel.pm (revision 2598) +++ base/tps/lib/perl/PKI/TPS/CAInfoPanel.pm (working copy) @@ -249,8 +249,8 @@ sub get_domain_xml { - my $ca_ee_host = $1; - my $https_ee_port = $2; + my $ca_ee_host = $_[0]; + my $https_ee_port = $_[1]; # get the domain xml # e. g. - https://water.sfbay.redhat.com:9445/ca/admin/ca/getDomainXML @@ -272,9 +272,9 @@ sub get_secure_admin_port_from_domain_xml { - my $content = $1; - my $ca_ee_host = $2; - my $https_ee_port = $3; + my $content = $_[0]; + my $ca_ee_host = $_[1]; + my $https_ee_port = $_[2]; # Retrieve the secure admin port corresponding # to the selected EE host and secure ee port. @@ -286,7 +286,7 @@ foreach my $c (@{$xml->{'CAList'}[0]->{'CA'}}) { if( ( $ca_ee_host eq $c->{'Host'}[0] ) && ( $https_ee_port eq $c->{'SecurePort'}[0] ) ) { - $https_admin_port = https_$c->{'SecureAdminPort'}[0]; + $https_admin_port = $c->{'SecureAdminPort'}[0]; last; } } @@ -296,9 +296,9 @@ sub get_secure_agent_port_from_domain_xml { - my $content = $1; - my $ca_ee_host = $2; - my $https_ee_port = $3; + my $content = $_[0]; + my $ca_ee_host = $_[1]; + my $https_ee_port = $_[2]; # Retrieve the secure agent port corresponding # to the selected EE host and secure ee port. @@ -310,7 +310,7 @@ foreach my $c (@{$xml->{'CAList'}[0]->{'CA'}}) { if( ( $ca_ee_host eq $c->{'Host'}[0] ) && ( $https_ee_port eq $c->{'SecurePort'}[0] ) ) { - $https_agent_port = https_$c->{'SecureAgentPort'}[0]; + $https_agent_port = $c->{'SecureAgentPort'}[0]; last; } } 
@@ -320,9 +320,9 @@ sub get_admin_host_from_domain_xml { - my $content = $1; - my $ca_ee_host = $2; - my $https_ee_port = $3; + my $content = $_[0]; + my $ca_ee_host = $_[1]; + my $https_ee_port = $_[2]; # Retrieve the admin host corresponding # to the selected EE host and secure ee port. @@ -336,10 +336,10 @@ ( $https_ee_port eq $c->{'SecurePort'}[0] ) ) { if( $c->{'AdminHost'}[0] ne "" ) { # IP Port Separation Schema - $ca_admin_host = https_$c->{'AdminHost'}[0]; + $ca_admin_host = $c->{'AdminHost'}[0]; } else { # Port Separation Schema - $ca_admin_host = https_$c->{'Host'}[0]; + $ca_admin_host = $c->{'Host'}[0]; } last; } @@ -350,9 +350,9 @@ sub get_agent_host_from_domain_xml { - my $content = $1; - my $ca_ee_host = $2; - my $https_ee_port = $3; + my $content = $_[0]; + my $ca_ee_host = $_[1]; + my $https_ee_port = $_[2]; # Retrieve the agent host corresponding # to the selected EE host and secure ee port. @@ -366,10 +366,10 @@ ( $https_ee_port eq $c->{'SecurePort'}[0] ) ) { if( $c->{'AgentHost'}[0] ne "" ) { # IP Port Separation Schema - $ca_agent_host = https_$c->{'AgentHost'}[0]; + $ca_agent_host = $c->{'AgentHost'}[0]; } else { # Port Separation Schema - $ca_agent_host = https_$c->{'Host'}[0]; + $ca_agent_host = $c->{'Host'}[0]; } last; } Index: base/tps/lib/perl/PKI/TPS/NamePanel.pm =================================================================== --- base/tps/lib/perl/PKI/TPS/NamePanel.pm (revision 2598) +++ base/tps/lib/perl/PKI/TPS/NamePanel.pm (working copy) 
@@ -301,18 +301,28 @@ "auth_hostname=" . $sdom_url->host . "&" . "auth_port=" . $sdom_url->port; + # NOTE: Must save the original values of '$ca_ee_host' and + # '$https_ee_port' because if 'subsystem' is not + # the last value specifed in 'CS.cfg::preop.cert.list', + # it was discovered that the following code was + # resetting these values for every value that follows. + my $sslget_ca_ee_host = ""; + my $sslget_https_ee_port = ""; if ($certtag eq "subsystem") { - $ca_ee_host = $sdom_url->host; - $https_ee_port = $sdom_url->port; + $sslget_ca_ee_host = $sdom_url->host; + $sslget_https_ee_port = $sdom_url->port; + } else { + $sslget_ca_ee_host = $ca_ee_host; + $sslget_https_ee_port = $https_ee_port; } if ($changed eq "true") { # nickname changed is true, using token passwd for calling sslget -$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_ee_host:$https_ee_port"; -$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_ee_host:$https_ee_port"; +$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $sslget_ca_ee_host:$sslget_https_ee_port"; +$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $sslget_ca_ee_host:$sslget_https_ee_port"; } else { # nickname changed is false, using internal passwd for calling sslget -$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_ee_host:$https_ee_port"; -$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_ee_host:$https_ee_port"; +$req = "/usr/bin/sslget -e \"$params\" -d 
\"$instanceDir/alias\" -p \"$db_password\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $sslget_ca_ee_host:$sslget_https_ee_port"; +$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $sslget_ca_ee_host:$sslget_https_ee_port"; } &PKI::TPS::Wizard::debug_log("debug_req = " . $debug_req); From awnuk at redhat.com Fri May 24 00:35:19 2013 
From: awnuk at redhat.com (Andrew Wnuk)
Date: Thu, 23 May 2013 17:35:19 -0700
Subject: [Pki-devel] [PATCH] Fixes for pki-silent in RHCS 8.1 ECC Errata
In-Reply-To: <519D5DAF.3070605@redhat.com>
References: <519D5DAF.3070605@redhat.com>
Message-ID: <519EB5C7.5000401@redhat.com>

On 05/22/2013 05:07 PM, Matthew Harmsen wrote:
> Please review the attached patch which addresses the following two
> 'pki-silent' issues in RHCS 8.1:
>
> * *Bugzilla Bug #951891* - 'silent_ra_to_ip_port.template'
>   fails to configure an RA successfully
> * *Bugzilla Bug #952392* - Allow RA and
>   TPS URLs to be specified by pkisilent and utilized by the RA and
>   TPS servers
>
> This patch has been tested extensively on an IP Port Separated x86_64
> machine running RHEL 5.9.
>
> Testing utilized the following deployment scenario:
>
> * CA (security domain)
>   o Subordinate CA (no security domain)
>     + KRA
>     + TKS
>     + RA
>     + TPS
>
> The KRA, RA, and TPS were tested both by signing the subsystems
> certificates with the CA and again with the Subordinate CA; this
> testing led to the filing of "TRAC Ticket #620 - Ability of a
> non-security domain CA to store an "Administration" cert in the NSS
> client security database".
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

ACK. I assisted Matt in the extensive test procedure, which will be provided in the bugs for QE bug verification.
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 24 May 2013 12:56:22 -0500
Subject: [Pki-devel] [PATCH] 58 Use 'with' construct for file handling (Also added finally block when an exception is to be handled) #Ticket 562
In-Reply-To: <1369155772.8356.2.camel@akoneru.redhat.com>
References: <1369155772.8356.2.camel@akoneru.redhat.com>
Message-ID: <519FA9C6.8060104@redhat.com>

On 5/21/2013 12:02 PM, Abhishek Koneru wrote:
> Please review the attached patch with a minor modification in code - to
> use the with construct for handling files.

Some of the 'try-except-finally' clauses probably can be simplified because sometimes the 'except' only wraps the original exception, or logs an error, or does simple error handling.

It's also possible to nest 'with' inside 'try-except' (or the other way around); one to handle the resource and the other to handle the error.

1. In drmclient.py, in http_request() and https_request(), suppose the NSSConnection supports Context Manager; we could use the 'with' statement too. Could you check?

   http://docs.python.org/2/reference/compound_stmts.html#with

2. Also in http_request() and https_request(), I'm not sure if we really need to wrap the original exception, but that's a separate issue. If we can remove it we can use 'with' here, or at least nest it.

3. In kra.__init__() the self.password = '' assignment can be moved before open() so in case of error it will be blank already. This way we can use the 'with' statement.

4. In pkimanifest.py, in file.write() and read() the error logging should really be done by the caller. But here at least we can use 'with' nested inside the 'try-except'.

-- Endi S. Dewata
From: awnuk at redhat.com (Andrew Wnuk)
Date: Tue, 28 May 2013 10:14:13 -0700
Subject: [Pki-devel] New Dogtag 9 packages
Message-ID: <51A4E5E5.2050604@redhat.com>

Hi,

New Dogtag 9 packages are available in Koji for Fedora 17:
* pki-tps-9.0.11-1.fc17
* pki-kra-9.0.15-1.fc17
* pki-console-9.0.7-1.fc17
* pki-core-9.0.26-1.fc17
* dogtag-pki-theme-9.0.14-1.fc17

New packages include:
* security update
* random certificate serial numbers
* randomized certificate validity
* ECC improvements for OCSP, CMS, and pkisilent
* AD authentication plug-in update
* extended default CA validity
* improved handling of big numbers
* new option for CRL updates

Please try it and add some karma points if you can.

Thank you,
Andrew
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 28 May 2013 15:04:14 -0500
Subject: [Pki-devel] [PATCH] 252-260 Preparation for Tomcat-based TPS
Message-ID: <51A50DBE.1010209@redhat.com>

In order to create Tomcat-based TPS (and possibly RA too), some files in RA and TPS need to be reorganized and some config variable names need to be changed to match the other Tomcat-based subsystems such that they can be used by pkispawn.

-- Endi S. Dewata

Attachment: pki-edewata-0260-Renamed-CA_PORT-into-PKI_CA_PORT.patch (text/x-patch, 4273 bytes)
Attachment: pki-edewata-0252-Reorganized-CS.cfg.in-in-RA-and-TPS.patch (text/x-patch, 2403 bytes)
Attachment: pki-edewata-0253-Renamed-SECURE_PORT-into-PKI_SECURE_PORT.patch (text/x-patch, 7838 bytes)
Attachment: pki-edewata-0254-Renamed-PORT-and-UNSECURE_PORT-into-PKI_UNSECURE_POR.patch (text/x-patch, 19340 bytes)
Attachment: pki-edewata-0255-Renamed-SERVER_ROOT-into-PKI_INSTANCE_PATH.patch (text/x-patch, 32821 bytes)
Attachment: pki-edewata-0256-Renamed-SERVER_NAME-and-PKI_MACHINE_NAME-into-PKI_HO.patch (text/x-patch, 54694 bytes)
Attachment: pki-edewata-0257-Renamed-PKI_INSTANCE_ID-into-PKI_INSTANCE_NAME.patch (text/x-patch, 67214 bytes)
Attachment: pki-edewata-0258-Replaced-PKI_SUBSYSTEM_DIR-with-PKI_SUBSYSTEM_TYPE.patch (text/x-patch, 49528 bytes)
Attachment: pki-edewata-0259-Renamed-CA_HOST-into-PKI_CA_HOSTNAME.patch (text/x-patch, 4326 bytes)

From: jmagne at redhat.com (John Magne)
Date: Wed, 29 May 2013 13:41:18 -0400 (EDT)
Subject: [Pki-devel] Review Request Bug 963073 - rhcs81 tps crash for CN over than 64 bytes
In-Reply-To: <970085627.10469498.1369849253131.JavaMail.root@redhat.com>
Message-ID: <1936222869.10469818.1369849278677.JavaMail.root@redhat.com>

Please review the attached patch. The fix solves a crash when a certificate to be displayed contains too many characters in one of its fields.

Attachment: tps-ui-fix.patch (text/x-patch, 1305 bytes)
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Wed, 29 May 2013 17:50:27 -0700
Subject: [Pki-devel] [PATCH] 252-260 Preparation for Tomcat-based TPS
In-Reply-To: <51A50DBE.1010209@redhat.com>
References: <51A50DBE.1010209@redhat.com>
Message-ID: <51A6A253.3050405@redhat.com>

On 05/28/13 13:04, Endi Sukma Dewata wrote:
> In order to create Tomcat-based TPS (and possibly RA too), some files
> in RA and TPS need to be reorganized and some config variable names
> need to be changed to match the other Tomcat-based subsystems such
> that they can be used by pkispawn.

ACK the following patches:
* pki-edewata-0252-Reorganized-CS.cfg.in-in-RA-and-TPS.patch
* pki-edewata-0253-Renamed-SECURE_PORT-into-PKI_SECURE_PORT.patch
* pki-edewata-0254-Renamed-PORT-and-UNSECURE_PORT-into-PKI_UNSECURE_POR.patch
* pki-edewata-0255-Renamed-SERVER_ROOT-into-PKI_INSTANCE_PATH.patch
* pki-edewata-0256-Renamed-SERVER_NAME-and-PKI_MACHINE_NAME-into-PKI_HO.patch
* pki-edewata-0257-Renamed-PKI_INSTANCE_ID-into-PKI_INSTANCE_NAME.patch
* pki-edewata-0258-Replaced-PKI_SUBSYSTEM_DIR-with-PKI_SUBSYSTEM_TYPE.patch

*PATCHES 0259 and 0260 were NOT tested as they immediately failed 'pkispawn' with the following error:*

    pkispawn    : ERROR    ....... KeyError: Master dictionary is missing the key called ''pki_ca_hostname''!
    Traceback (most recent call last):
      File "/sbin/pkispawn", line 420, in
        main(sys.argv)
      File "/sbin/pkispawn", line 319, in main
        parser.compose_pki_master_dictionary()
      File "/usr/lib/python2.7/site-packages/pki/deployment/pkiparser.py", line 658, in compose_pki_master_dictionary
        config.pki_master_dict['pki_ca_hostname']
    KeyError: 'pki_ca_hostname'

Consequently, these two patches were backed out so that the other patches could be successfully tested.
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 30 May 2013 11:19:51 -0500
Subject: [Pki-devel] [PATCH] 252-260 Preparation for Tomcat-based TPS
In-Reply-To: <51A6A253.3050405@redhat.com>
References: <51A50DBE.1010209@redhat.com> <51A6A253.3050405@redhat.com>
Message-ID: <51A77C27.3060309@redhat.com>

On 5/29/2013 7:50 PM, Matthew Harmsen wrote:
> ACK the following patches:
>
> * pki-edewata-0252-Reorganized-CS.cfg.in-in-RA-and-TPS.patch
> * pki-edewata-0253-Renamed-SECURE_PORT-into-PKI_SECURE_PORT.patch
> * pki-edewata-0254-Renamed-PORT-and-UNSECURE_PORT-into-PKI_UNSECURE_POR.patch
> * pki-edewata-0255-Renamed-SERVER_ROOT-into-PKI_INSTANCE_PATH.patch
> * pki-edewata-0256-Renamed-SERVER_NAME-and-PKI_MACHINE_NAME-into-PKI_HO.patch
> * pki-edewata-0257-Renamed-PKI_INSTANCE_ID-into-PKI_INSTANCE_NAME.patch
> * pki-edewata-0258-Replaced-PKI_SUBSYSTEM_DIR-with-PKI_SUBSYSTEM_TYPE.patch

Pushed to master. Thanks.

> *PATCHES 0259 and 0260 were NOT tested as they immediately failed
> 'pkispawn' with the following error:*
>
>     pkispawn    : ERROR    ....... KeyError: Master dictionary is
>     missing the key called ''pki_ca_hostname''!
>     Traceback (most recent call last):
>       File "/sbin/pkispawn", line 420, in
>         main(sys.argv)
>       File "/sbin/pkispawn", line 319, in main
>         parser.compose_pki_master_dictionary()
>       File "/usr/lib/python2.7/site-packages/pki/deployment/pkiparser.py", line 658, in compose_pki_master_dictionary
>         config.pki_master_dict['pki_ca_hostname']
>     KeyError: 'pki_ca_hostname'
>
> Consequently, these two patches were backed out so that the other
> patches could be successfully tested.

New patches attached. The default parameters have been added to default.cfg.

-- Endi S. Dewata

Attachment: pki-edewata-0259-1-Renamed-CA_HOST-into-PKI_CA_HOSTNAME.patch (text/x-patch, 4966 bytes)
Attachment: pki-edewata-0260-1-Renamed-CA_PORT-into-PKI_CA_PORT.patch (text/x-patch, 4910 bytes)

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 30 May 2013 11:20:25 -0500
Subject: [Pki-devel] [PATCH] 261 Fixed hard-coded server certificate nickname.
Message-ID: <51A77C49.8000702@redhat.com>

Previously the server certificate name was partially hard-coded as "Server-Cert cert-[PKI_INSTANCE_NAME]". Now in Tomcat-based subsystems it can be fully configured using the pki_ssl_server_nickname parameter. In Apache-based subsystems it's left unchanged.

Unused copies of serverCertNick.conf have been removed.

Ticket #631

-- Endi S. Dewata

Attachment: pki-edewata-0261-1-Fixed-hard-coded-server-certificate-nickname.patch (text/x-patch, 10779 bytes)

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 30 May 2013 13:23:03 -0500
Subject: [Pki-devel] [PATCH] 262 Added Tomcat-based TPS instance.
Message-ID: <51A79907.3070807@redhat.com>

The build and deployment tools have been modified to support creating a basic Tomcat instance to run TPS. New configuration and template files for TPS have been copied from another Tomcat subsystem. The TPS functionality itself will be added in future patches.

Ticket #526

-- Endi S. Dewata

Attachment: pki-edewata-0262-Added-Tomcat-based-TPS-instance.patch (text/x-patch, 212189 bytes)
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 30 May 2013 13:23:36 -0500
Subject: [Pki-devel] [PATCH] 263 Added TPS servlet.
Message-ID: <51A79928.8080609@redhat.com>

A basic TPS servlet has been added to demonstrate sending and receiving TPS messages using chunked encoding. The servlet can be tested using the attached tps-test.sh. See the output in /var/log/pki//catalina.out.

-- Endi S. Dewata

Attachment: pki-edewata-0263-Added-TPS-servlet.patch (text/x-patch, 10602 bytes)

Attachment: tps-test.sh

    #!/bin/sh
    tpsclient <

References: <51A79907.3070807@redhat.com>
Message-ID: <51A7C9BD.1000302@redhat.com>

On 5/30/2013 1:23 PM, Endi Sukma Dewata wrote:
> The build and deployment tools have been modified to support creating
> a basic Tomcat instance to run TPS. New configuration and template
> files for TPS have been copied from another Tomcat subsystem. The TPS
> functionality itself will be added in future patches.
>
> Ticket #526

To set up the TPS instance you only need to create a CA; there is no need to create a TKS/KRA for now. Attached are sample configuration files.

    % pkispawn -f ca.cfg -s CA
    % pkispawn -f tps.cfg -s TPS

-- Endi S. Dewata

    [DEFAULT]
    pki_instance_name=ca-master
    #pki_skip_configuration=True

    [CA]
    pki_admin_email=caadmin at example.com
    pki_admin_name=caadmin
    pki_admin_nickname=caadmin
    pki_admin_password=Secret123
    pki_admin_uid=caadmin
    pki_backup_password=Secret123
    pki_client_database_password=Secret123
    pki_client_database_purge=False
    pki_client_pkcs12_password=Secret123
    pki_clone_pkcs12_password=Secret123
    pki_ds_base_dn=dc=ca,dc=example,dc=com
    pki_ds_database=ca
    pki_ds_password=Secret123
    pki_security_domain_name=EXAMPLE
    pki_token_password=Secret123

    [DEFAULT]
    pki_instance_name=tps-master
    #pki_skip_configuration=True

    [TPS]
    pki_ajp_port=16009
    pki_admin_cert_file=/root/.dogtag/ca-master/ca_admin.cert
    pki_admin_email=tpsadmin at example.com
    pki_admin_name=tpsadmin
    pki_admin_nickname=tpsadmin
    pki_admin_password=Secret123
    pki_admin_uid=tpsadmin
    pki_backup_password=Secret123
    pki_ds_base_dn=dc=tps,dc=example,dc=com
    pki_ds_database=tps
    pki_client_database_password=Secret123
    pki_client_database_purge=False
    pki_client_pkcs12_password=Secret123
    pki_clone_pkcs12_password=Secret123
    pki_ds_password=Secret123
    pki_http_port=16080
    pki_https_port=16443
    pki_security_domain_name=EXAMPLE
    pki_security_domain_user=caadmin
    pki_security_domain_password=Secret123
    pki_token_password=Secret123
    pki_tomcat_server_port=16005
From: akoneru at redhat.com (Abhishek Koneru)
Date: Fri, 31 May 2013 15:20:41 -0400
Subject: [Pki-devel] [PATCH] 58-2 Minor fixes for patch 58
In-Reply-To: <519FA9C6.8060104@redhat.com>
References: <1369155772.8356.2.camel@akoneru.redhat.com> <519FA9C6.8060104@redhat.com>
Message-ID: <1370028041.4953.2.camel@akoneru.redhat.com>

On Fri, 2013-05-24 at 12:56 -0500, Endi Sukma Dewata wrote:
> On 5/21/2013 12:02 PM, Abhishek Koneru wrote:
> > Please review the attached patch with a minor modification in code - to
> > use the with construct for handling files.
>
> Some of the 'try-except-finally' clauses probably can be simplified
> because sometimes the 'except' only wraps the original exception, or
> logs an error, or does simple error handling.
>
> It's also possible to nest 'with' inside 'try-except' (or the other way
> around); one to handle the resource and the other to handle the error.
>
> 1. In drmclient.py, in http_request() and https_request() suppose the
> NSSConnection supports Context Manager we could use 'with' statement
> too. Could you check?
>
> http://docs.python.org/2/reference/compound_stmts.html#with
>
> 2. Also in http_request() and https_request(), I'm not sure if we really
> need to wrap the original exception, but that's a separate issue. If we
> can remove it we can use 'with' here, or at least nest it.

Neither NSSConnection nor httplib.HTTPConnection supports Context Manager. Hence, no changes were made here.

> 3. In kra.__init__() the self.password = '' assignment can be moved
> before open() so in case of error it will be blank already. This way we
> can use the 'with' statement.

-- Nested the with in the try-except block.

> 4. In pkimanifest.py, in file.write() and read() the error logging
> should really be done by the caller. But here at least we can use 'with'
> nested inside the 'try-except'.

-- Used with for file operations.

Please review the attached patch.
--Abhishek

Attachment: pki-akoneru-0058-2-Use-with-construct-for-file-operations.patch (text/x-patch, 9774 bytes)
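The four review points in this thread (Endi's list in the 24 May message and Abhishek's replies above), as an added example that is neither the patch under review nor Dogtag code. NSSConnection/httplib.HTTPConnection are replaced by a constructed stand-in class with the same close()-only interface, the password file and request path are constructed, and contextlib.closing is the swapped-in technique for classes that lack the context-manager protocol:

```python
"""Added example (not from patch 58/58-2): the 'with' patterns from the review,
exercised against a constructed stand-in for a close()-only connection class."""
import contextlib
import os
import tempfile


def supports_context_manager(obj):
    """Point 1: check for the protocol before relying on 'with'."""
    return hasattr(type(obj), '__enter__') and hasattr(type(obj), '__exit__')


class StandInConnection(object):
    """Constructed stand-in for NSSConnection / httplib.HTTPConnection:
    it offers close() but no __enter__/__exit__, as Abhishek reports."""

    def __init__(self, fail=False):
        self.fail = fail
        self.closed = False

    def request(self, method, path):
        if self.fail:
            raise IOError("constructed failure for %s %s" % (method, path))
        return "200 OK"

    def close(self):
        self.closed = True


def http_request(conn, method, path):
    """Point 2: contextlib.closing() lends a close()-only object 'with'
    semantics, so the connection is closed on success and on error without
    a try/finally, and the original exception propagates unwrapped."""
    with contextlib.closing(conn) as c:
        return c.request(method, path)


class PasswordHolder(object):
    """Point 3 (kra.__init__ pattern): assign '' before open(), then nest
    'with' inside try/except: 'with' owns the file, 'except' owns the error."""

    def __init__(self, password_file):
        self.password = ''      # blank already if open() fails below
        self.error = None
        try:
            with open(password_file) as f:
                self.password = f.read().strip()
        except IOError as e:
            self.error = str(e)


def write_lines(path, entries):
    """Point 4 (pkimanifest pattern): the file operation uses 'with' and lets
    errors propagate; logging them is the caller's job."""
    with open(path, 'w') as f:
        for entry in entries:
            f.write(entry + '\n')
    return len(entries)


def demo():
    """Run every pattern in a temporary directory and return the outcomes."""
    tmp = tempfile.mkdtemp()
    pw_path = os.path.join(tmp, 'password.conf')   # constructed file
    write_lines(pw_path, ['internal=Secret123'])
    found = PasswordHolder(pw_path)
    missing = PasswordHolder(os.path.join(tmp, 'absent.conf'))
    ok = StandInConnection()
    bad = StandInConnection(fail=True)
    status = http_request(ok, 'GET', '/constructed/path')
    try:
        http_request(bad, 'GET', '/constructed/path')
        error_seen = False
    except IOError:
        error_seen = True
    with open(os.devnull) as devnull:
        file_is_cm = supports_context_manager(devnull)
    return {
        'found': found.password,
        'missing': (missing.password, missing.error is not None),
        'status': status,
        'closed': (ok.closed, bad.closed, error_seen),
        'file_is_cm': file_is_cm,
        'conn_is_cm': supports_context_manager(ok),
    }
```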
From: akoneru at redhat.com (Abhishek Koneru)
Date: Fri, 31 May 2013 16:38:09 -0400
Subject: [Pki-devel] [PATCH] 59 Fixing errors reported in Pylint Code analysis Ticket #316 - Part 1
Message-ID: <1370032689.4953.7.camel@akoneru.redhat.com>

Please review the patch which fixes a few errors reported by pylint in dogtag's python code. Also find attached the remaining errors to be fixed. Will submit a detailed report in my next mail.

How I used pylint:
-- Installed pki packages.
-- Executed the following command:

    cd /usr/lib/python2.7/site-packages; pylint -E --include-ids=y pki/ pki/deployment/ pki/server/ `which pkispawn` `which pkidestroy` `which pki-upgrade` `which pki-server-upgrade`

--Abhishek

Attachment: pki-akoneru-0059-Code-cleanup-and-fixing-Pylint-errors.patch (text/x-patch, 114295 bytes)

Attached pylint output:

    [root at akoneru pki]# pylint -E --include-ids=y pki/ pki/deployment/ pki/server/ `which pkispawn` `which pkidestroy` `which pki-upgrade` `which pki-server-upgrade`
    ************* Module encoder
    E0202: 16,4:CustomTypeEncoder.default: An attribute affected in json.encoder line 157 hide this method
    ************* Module deployment.pkihelper
    E0602:117,15:pki_copytree: Undefined variable 'Error'
    E0602:124,11:pki_copytree: Undefined variable 'WindowsError'
    E0602:124,56:pki_copytree: Undefined variable 'WindowsError'
    E0602:130,14:pki_copytree: Undefined variable 'Error'
    E0602:1004,15:Instance.tomcat_instance_subsystems: Undefined variable 'OSErr'
    E0602:3332,28:Config_client.set_system_certs: Undefined variable 'self'
    ************* Module deployment.pkiparser
    E0602:153,16:PKIConfigParser.validate: Undefined variable 'parser'
    E0602:154,16:PKIConfigParser.validate: Undefined variable 'parser'
    E1101:185,34:PKIConfigParser.init_config: Module 'deployment.pkiconfig' has no 'pki_dns_domainname' member
    E1101:438,16:PKIConfigParser.compose_pki_master_dictionary: Module 'deployment.pkiconfig' has no 'pki_certificate_timestamp' member
    ************* Module deployment.configuration
    E0602:115,23:PkiScriptlet.spawn: Undefined variable 'rv'
    E0602:120,23:PkiScriptlet.spawn: Undefined variable 'rv'
    ************* Module deployment.finalization
    E1120: 57,8:PkiScriptlet.spawn: No value passed for parameter 'name' in function call
    E1120: 58,8:PkiScriptlet.spawn: No value passed for parameter 'self' in function call
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Fri, 31 May 2013 15:00:44 -0700
Subject: [Pki-devel] [PATCH] 252-260 Preparation for Tomcat-based TPS
In-Reply-To: <51A77C27.3060309@redhat.com>
References: <51A50DBE.1010209@redhat.com> <51A6A253.3050405@redhat.com> <51A77C27.3060309@redhat.com>
Message-ID: <51A91D8C.9040006@redhat.com>

On 05/30/13 09:19, Endi Sukma Dewata wrote:
> On 5/29/2013 7:50 PM, Matthew Harmsen wrote:
>> ACK the following patches:
>>
>> * pki-edewata-0252-Reorganized-CS.cfg.in-in-RA-and-TPS.patch
>> * pki-edewata-0253-Renamed-SECURE_PORT-into-PKI_SECURE_PORT.patch
>> * pki-edewata-0254-Renamed-PORT-and-UNSECURE_PORT-into-PKI_UNSECURE_POR.patch
>> * pki-edewata-0255-Renamed-SERVER_ROOT-into-PKI_INSTANCE_PATH.patch
>> * pki-edewata-0256-Renamed-SERVER_NAME-and-PKI_MACHINE_NAME-into-PKI_HO.patch
>> * pki-edewata-0257-Renamed-PKI_INSTANCE_ID-into-PKI_INSTANCE_NAME.patch
>> * pki-edewata-0258-Replaced-PKI_SUBSYSTEM_DIR-with-PKI_SUBSYSTEM_TYPE.patch
>
> Pushed to master. Thanks.
>
>> *PATCHES 0259 and 0260 were NOT tested as they immediately failed
>> 'pkispawn' with the following error:*
>>
>>     pkispawn    : ERROR    ....... KeyError: Master dictionary is
>>     missing the key called ''pki_ca_hostname''!
>>     Traceback (most recent call last):
>>       File "/sbin/pkispawn", line 420, in
>>         main(sys.argv)
>>       File "/sbin/pkispawn", line 319, in main
>>         parser.compose_pki_master_dictionary()
>>       File "/usr/lib/python2.7/site-packages/pki/deployment/pkiparser.py", line 658, in compose_pki_master_dictionary
>>         config.pki_master_dict['pki_ca_hostname']
>>     KeyError: 'pki_ca_hostname'
>>
>> Consequently, these two patches were backed out so that the other
>> patches could be successfully tested.
>
> New patches attached. The default parameters have been added to
> default.cfg.

ACK on 0259-1 and 0260-1 after retesting.
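An added example, not pkispawn's own code, of the mechanism behind the 0259-1/0260-1 fix that this thread settles on: a key placed in the [DEFAULT] section of the defaults file reaches every subsystem section, so the master dictionary no longer lacks pki_ca_hostname or pki_ca_port. The file contents, the localhost/8443 values and the required-key list are constructed, and the code uses Python 3 configparser rather than the 2.7 ConfigParser of the time.

```python
"""Added example (not pkispawn code): how [DEFAULT] keys in a defaults file
flow into a subsystem section when the master dictionary is composed, and
how to report missing keys up front instead of hitting a KeyError later."""
import configparser

# Constructed defaults file as it might have looked before 0259-1/0260-1:
# no pki_ca_hostname or pki_ca_port anywhere.
DEFAULTS_BEFORE = """\
[DEFAULT]
pki_instance_name=pki-tomcat
pki_https_port=8443
"""

# The same file with the two defaults added (constructed values).
DEFAULTS_AFTER = DEFAULTS_BEFORE + """\
pki_ca_hostname=localhost
pki_ca_port=8443
"""

# Constructed deployment file in the style of the tps.cfg posted in the thread.
TPS_CFG = """\
[DEFAULT]
pki_instance_name=tps-master
[TPS]
pki_https_port=16443
pki_security_domain_name=EXAMPLE
"""

# Keys the code path dereferences unconditionally (hypothetical list; the
# traceback only shows pki_ca_hostname).
REQUIRED = ('pki_instance_name', 'pki_https_port', 'pki_ca_hostname', 'pki_ca_port')


def compose_master_dict(defaults_text, deployment_text, subsystem):
    """Read the defaults file, then the deployment file; later values win,
    and DEFAULT values are inherited by the subsystem section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(defaults_text)
    parser.read_string(deployment_text)
    # items(section) already merges the DEFAULT values into the section.
    return dict(parser.items(subsystem.upper()))


def missing_keys(master, required=REQUIRED):
    """List every required key absent from the composed dictionary."""
    return [key for key in required if key not in master]


def check(defaults_text, deployment_text, subsystem):
    """Compose the dictionary and fail with one message naming all gaps,
    rather than one KeyError per key as in the reported traceback."""
    master = compose_master_dict(defaults_text, deployment_text, subsystem)
    missing = missing_keys(master)
    if missing:
        raise KeyError("Master dictionary is missing the key(s): %s"
                       % ", ".join(missing))
    return master
```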
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Fri, 31 May 2013 15:01:09 -0700
Subject: [Pki-devel] [PATCH] 261 Fixed hard-coded server certificate nickname.
In-Reply-To: <51A77C49.8000702@redhat.com>
References: <51A77C49.8000702@redhat.com>
Message-ID: <51A91DA5.1020705@redhat.com>

On 05/30/13 09:20, Endi Sukma Dewata wrote:
> Previously the server certificate name was partially hard-coded as
> "Server-Cert cert-[PKI_INSTANCE_NAME]". Now in Tomcat-based subsystems
> it can be fully configured using pki_ssl_server_nickname parameter.
> In Apache-based subsystems it's left unchanged.
>
> Unused copies of serverCertNick.conf have been removed.
>
> Ticket #631

ACK after testing this.