[Pki-devel] DRM connector protection
Andrew Wnuk
awnuk at redhat.com
Fri Aug 17 23:23:20 UTC 2012
This patch prevents the DRM connector from being overwritten by subsequent DRM
installations.
Bug 804179.
Index: pki/redhat/common-ui/shared/admin/console/config/donepanel.vm
===================================================================
--- pki/redhat/common-ui/shared/admin/console/config/donepanel.vm (revision 16021)
+++ pki/redhat/common-ui/shared/admin/console/config/donepanel.vm (working copy)
@@ -58,7 +58,17 @@
#end
<br/>
To create additional instances, type "/usr/bin/pkicreate" on the command line.
+#if ($systemType != "tps")
<br>
-#if ($systemType != "tps")
To start the administration console, type "/usr/bin/pkiconsole" on the command line.
+<br/>
#end
+#if (($systemType == "kra") && ($info != ""))
+<hr>
+<br>
+<b>Important warning</b> reported by Certificate Authority:<br> <b>$info</b>
+<br/>
+<br>
+This instance of Data Recovery Manager (DRM) is not connected to any Certificate Authority (CA). Please consult the product documentation for the manual procedure of connecting a DRM to a CA.
+<br/>
+#end
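Review bot: `$info` on the `<b>$info</b>` line is interpolated into the page unescaped; on the Java side it carries `e.getMessage()` from a failed connector update, so any markup contained in that message would land in the admin page as live HTML. If the template context provides an escaping tool, render it as `$esc.html($info)`; otherwise HTML-escape the string in DonePanel before `context.put("info", ...)`. The new `#if` block also mixes `<br>` and `<br/>`; picking one form keeps the markup consistent. A comment on the `#if` line such as `## $info: warning text set by DonePanel when the KRA connector update at the CA fails` would document where the value comes from.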
Index: pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
===================================================================
--- pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java (revision 2439)
+++ pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java (working copy)
@@ -417,13 +417,18 @@
// need to push connector information to the CA
if (type.equals("KRA") && !ca_host.equals("")) {
+ boolean connectorUpdated = true;
try {
updateConnectorInfo(ownagenthost, ownagentsport);
+ CMS.debug("DonePanel: connector information updated.");
} catch (IOException e) {
context.put("errorString", "Failed to update connector information.");
- return;
+ context.put("info", "Failed to update connector information. "+e.getMessage());
+ connectorUpdated = false;
+ CMS.debug("DonePanel: exception in updating connector information. "+e.getMessage());
+ //return;
}
- setupClientAuthUser();
+ if (connectorUpdated) setupClientAuthUser();
} // if KRA
// import the CA certificate into the OCSP
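Review bot: The commented-out `//return;` at the end of the catch block is dead code that leaves the reader guessing whether the fall-through is intentional; delete it and state the intent instead, e.g. `// deliberately continue: the DRM can be connected to the CA manually (see donepanel.vm)`. `e.getMessage()` may be null for an IOException, which would render as "Failed to update connector information. null" in the `info` value; `e.toString()` or a null-guarded message avoids that. Both `errorString` and `info` are now set on the same failure, so if `errorString` switches the panel to an error view elsewhere, the new warning text may never be displayed — worth confirming. The enclosing method continues past both ends of the hunk.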
Index: pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateConnector.java
===================================================================
--- pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateConnector.java (revision 2439)
+++ pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateConnector.java (working copy)
@@ -122,41 +122,46 @@
return;
}
- IConfigStore cs = CMS.getConfigStore();
+ // check if connector exists
+ ICertificateAuthority ca = (ICertificateAuthority)CMS.getSubsystem("ca");
+ ICAService caService = (ICAService)ca.getCAService();
+ boolean connectorExists = (caService.getKRAConnector() != null)? true:false;
+ if (connectorExists) {
+ CMS.debug("UpdateConnector: KRA connector already exists");
+ } else {
+ IConfigStore cs = CMS.getConfigStore();
- Enumeration list = httpReq.getParameterNames();
- while (list.hasMoreElements()) {
- String name = (String)list.nextElement();
- String val = httpReq.getParameter(name);
- if (name != null && name.startsWith("ca.connector")) {
- CMS.debug("Adding connector update name=" + name + " val=" + val);
- cs.putString(name, val);
- } else {
- CMS.debug("Skipping connector update name=" + name + " val=" + val);
+ Enumeration list = httpReq.getParameterNames();
+ while (list.hasMoreElements()) {
+ String name = (String)list.nextElement();
+ String val = httpReq.getParameter(name);
+ if (name != null && name.startsWith("ca.connector")) {
+ CMS.debug("Adding connector update name=" + name + " val=" + val);
+ cs.putString(name, val);
+ } else {
+ CMS.debug("Skipping connector update name=" + name + " val=" + val);
+ }
}
- }
- try {
- String nickname = cs.getString("ca.subsystem.nickname", "");
- String tokenname = cs.getString("ca.subsystem.tokenname", "");
- if (!tokenname.equals("Internal Key Storage Token"))
- nickname = tokenname+":"+nickname;
- cs.putString("ca.connector.KRA.nickName", nickname);
- cs.commit(false);
- } catch (Exception e) {
- }
+ try {
+ String nickname = cs.getString("ca.subsystem.nickname", "");
+ String tokenname = cs.getString("ca.subsystem.tokenname", "");
+ if (!tokenname.equals("Internal Key Storage Token"))
+ nickname = tokenname+":"+nickname;
+ cs.putString("ca.connector.KRA.nickName", nickname);
+ cs.commit(false);
+ } catch (Exception e) {
+ }
- // start the connector
- try {
- ICertificateAuthority ca = (ICertificateAuthority)
- CMS.getSubsystem("ca");
- ICAService caService = (ICAService)ca.getCAService();
- IConnector kraConnector = caService.getConnector(
- cs.getSubStore("ca.connector.KRA"));
- caService.setKRAConnector(kraConnector);
- kraConnector.start();
- } catch (Exception e) {
- CMS.debug("Failed to start connector " + e);
+ // start the connector
+ try {
+ IConnector kraConnector = caService.getConnector(
+ cs.getSubStore("ca.connector.KRA"));
+ caService.setKRAConnector(kraConnector);
+ kraConnector.start();
+ } catch (Exception e) {
+ CMS.debug("Failed to start connector " + e);
+ }
}
// send success status back to the requestor
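Review bot: The empty `catch (Exception e) { }` after `cs.commit(false)` (now inside the new `else` branch) silently drops a failed commit, so the `ca.connector.*` parameters and the nickname may never be persisted while the connector is still started and SUCCESS is reported; at minimum log it, `CMS.debug("UpdateConnector: failed to commit connector configuration " + e);`, and consider reporting FAILED as the existing-connector case does. The `(... != null)? true:false` ternary on the `connectorExists` line is redundant: `boolean connectorExists = caService.getKRAConnector() != null;`. The `CMS.getSubsystem("ca")` lookup and the `getCAService()` cast previously sat inside a try block that caught Exception; they now run unguarded, so a missing subsystem would surface as an uncaught NullPointerException rather than a debug message — probably acceptable on a CA-only servlet, but worth a comment. The existence check and the later `setKRAConnector` form a check-then-act sequence; if this servlet can be invoked concurrently, two requests can both observe no connector and both install one, which is exactly what the patch sets out to prevent. The enclosing method begins before and ends after the hunk.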
@@ -165,7 +170,12 @@
XMLObject xmlObj = new XMLObject();
Node root = xmlObj.createRoot("XMLResponse");
- xmlObj.addItemToContainer(root, "Status", SUCCESS);
+ if (connectorExists) {
+ xmlObj.addItemToContainer(root, "Status", FAILED);
+ xmlObj.addItemToContainer(root, "Error", "DRM connector already exists.");
+ } else {
+ xmlObj.addItemToContainer(root, "Status", SUCCESS);
+ }
byte[] cb = xmlObj.toByteArray();
outputResult(httpResp, "application/xml", cb);
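Review bot: The FAILED response is assembled here, some forty lines after the check that set `connectorExists` at the top of the previous hunk, and the whole update body is nested in an `else` only to bridge that gap; building the FAILED `XMLResponse` and returning immediately after the existence check would flatten the happy path and let the flag disappear. The `Error` text "DRM connector already exists." is presumably what the remote DRM installer ends up showing the operator (DonePanel copies the exception message into `info`), so it is worth keeping stable and self-explanatory, perhaps with a comment `// Error text is surfaced on the DRM's DonePanel` above it. The enclosing method ends outside the hunk.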