[Pki-devel] [PATCH] cloning issues in 8.1
Matthew Harmsen
mharmsen at redhat.com
Fri Jul 19 18:39:43 UTC 2013
I have attached a revised patch which includes the code from your original patch + the stuff that we worked on together + my most recent attempt at the new add_attributes() method.
ACK on your original code and the code that we worked on together.
Please review the code in UpdateDomainXML.java that was discussed earlier.
Thanks,
-- Matt
On 07/10/13 13:26, Ade Lee wrote:
> Oops - bug this time too:
> https://bugzilla.redhat.com/show_bug.cgi?id=982320
>
> On Wed, 2013-07-10 at 16:25 -0400, Ade Lee wrote:
>> This is in response to
>>
>> Basically, there are two issues.
>>
>> 1. We want to use the selected CA to generate the SSL server cert. In
>> the code though, for a clone, the code that sets the relevant preop
>> parameter used to determine the right CA to go to - is only run after we
>> issue the sslserver cert request. That means it always goes to the
>> security domain CA. This code is now reversed.
>>
>> 2. Due to a DS bug (which has been fixed), the attributes on the
>> pkiSubsystem entry in the clone CA security domain database were in lower
>> case, rather than the existing case. That's actually ok from an ldap
>> point of view. We create some XML from those attributes -- just in
>> case, we should make the XML matching of those attributes case insensitive.
>>
>> Please review.
>>
>> Thanks,
>> Ade
>>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
-------------- next part --------------
Index: base/common/src/com/netscape/cms/authentication/TokenAuthentication.java
===================================================================
--- base/common/src/com/netscape/cms/authentication/TokenAuthentication.java (revision 2619)
+++ base/common/src/com/netscape/cms/authentication/TokenAuthentication.java (working copy)
@@ -140,8 +140,14 @@
String sessionId = (String)authCred.get(CRED_SESSION_ID);
String givenHost = (String)authCred.get("clientHost");
- String authAdminHost = sconfig.getString("securitydomain.adminhost");
- String authEEHost = sconfig.getString("securitydomain.eehost");
+ String authAdminHost = sconfig.getString("securitydomain.adminhost","");
+ if( authAdminHost.isEmpty() ) {
+ authAdminHost = sconfig.getString("securitydomain.host");
+ }
+ String authEEHost = sconfig.getString("securitydomain.eehost","");
+ if( authEEHost.isEmpty() ) {
+ authEEHost = sconfig.getString("securitydomain.host");
+ }
int authAdminPort = sconfig.getInteger("securitydomain.httpsadminport");
int authEEPort = sconfig.getInteger("securitydomain.httpseeport");
String authAdminURL = "/ca/admin/ca/tokenAuthenticate";
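Review bot: The fallback from `securitydomain.adminhost` / `securitydomain.eehost` to `securitydomain.host` is silent, and since these values appear to decide which host the session token is sent to for validation (the `/ca/admin/ca/tokenAuthenticate` URL on the next line), which host was chosen is worth a debug line, e.g. `CMS.debug("TokenAuthentication: securitydomain.adminhost not set, using securitydomain.host=" + authAdminHost);` after each fallback. The two blocks differ only in the key name; a small private helper such as `String hostOrDefault(String key) throws EBaseException` would remove the duplication. `isEmpty()` does not treat a whitespace-only value as unset, so `.trim()` before the check may be wanted if that misconfiguration is realistic. The enclosing method starts and ends outside the hunk.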
Index: base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
===================================================================
--- base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java (revision 2619)
+++ base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java (working copy)
@@ -986,20 +986,23 @@
// is using an IP Port Separation Schema:
Vector v_hostname =
parser.getValuesFromContainer( nodeList.item(i),
- "AdminHost" );
+ "AdminHost",
+ true );
if ( v_hostname.isEmpty()) {
// No, the Security Domain is using a Port Separation Schema
v_hostname = parser.getValuesFromContainer(
- nodeList.item(i), "Host" );
+ nodeList.item(i), "Host", true );
}
Vector v_https_admin_port =
parser.getValuesFromContainer( nodeList.item(i),
- "SecureAdminPort" );
+ "SecureAdminPort",
+ true );
Vector v_domain_mgr =
parser.getValuesFromContainer( nodeList.item(i),
- "DomainManager" );
+ "DomainManager",
+ true );
if( v_hostname.elementAt( 0 ).equals( hostname ) &&
v_https_admin_port.elementAt( 0 ).equals( Integer.toString(httpsadminport) ) ) {
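Review bot: Every lookup in this hunk passes the new `ignoreCase` argument as a bare `true` literal, and the same pattern repeats through all the remaining WizardPanelBase hunks and the UpdateDomainXML hunk at `@@ -447,9 +530,9 @@`; a named constant such as `private static final boolean IGNORE_TAG_CASE = true; // DS bug lower-cased pkiSubsystem attribute names` would record why the flag exists and give one place to change it. The `v_hostname.elementAt( 0 )` and `v_https_admin_port.elementAt( 0 )` reads on the lines right after the lookups still assume the vectors are non-empty, so a domain XML entry missing `SecureAdminPort` throws ArrayIndexOutOfBoundsException out of the loop instead of skipping the entry; this predates the patch, but since every one of these call sites is being touched it is a cheap moment to add `if (v_https_admin_port.isEmpty()) continue;`-style guards. The enclosing method starts and ends outside the hunk.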
@@ -1064,38 +1067,44 @@
CMS.debug("Len " + len);
for (int i = 0; i < len; i++) {
Vector v_clone = parser.getValuesFromContainer(nodeList.item(i),
- "Clone");
+ "Clone", true);
String clone = (String)v_clone.elementAt(0);
if (clone.equalsIgnoreCase("true"))
continue;
Vector v_name = parser.getValuesFromContainer(nodeList.item(i),
- "SubsystemName");
+ "SubsystemName", true);
// First, check to see if the Security Domain
// is using an IP Port Separation Schema:
Vector v_host = null;
if( portType.equals( "UnSecurePort" ) ) {
v_host = parser.getValuesFromContainer( nodeList.item(i),
- "EEHost" );
+ "EEHost",
+ true );
} else if( portType.equals( "SecureAgentPort" ) ) {
v_host = parser.getValuesFromContainer( nodeList.item(i),
- "AgentHost" );
+ "AgentHost",
+ true );
} else if( portType.equals( "SecurePort" ) ) {
v_host = parser.getValuesFromContainer( nodeList.item(i),
- "EEHost" );
+ "EEHost",
+ true );
} else if( portType.equals( "SecureAdminPort" ) ) {
v_host = parser.getValuesFromContainer( nodeList.item(i),
- "AdminHost" );
+ "AdminHost",
+ true );
} else if( portType.equals( "SecureEEClientAuthPort" ) ) {
v_host = parser.getValuesFromContainer( nodeList.item(i),
- "EEClientAuthHost" );
+ "EEClientAuthHost",
+ true );
}
if (v_host.isEmpty()) {
// No, the Security Domain is using a Port Separation Schema
v_host = parser.getValuesFromContainer( nodeList.item(i),
- "Host" );
+ "Host",
+ true );
}
Vector v_port = parser.getValuesFromContainer(nodeList.item(i),
- portType);
+ portType, true);
v.addElement( v_name.elementAt(0)
+ " - https://"
@@ -1161,41 +1170,47 @@
CMS.debug("Len " + len);
for (int i = 0; i < len; i++) {
Vector v_name = parser.getValuesFromContainer(nodeList.item(i),
- "SubsystemName");
+ "SubsystemName", true);
// First, check to see if the Security Domain
// is using an IP Port Separation Schema:
Vector v_host = null;
if( portType.equals( "UnSecurePort" ) ) {
v_host = parser.getValuesFromContainer( nodeList.item(i),
- "EEHost" );
+ "EEHost",
+ true );
} else if( portType.equals( "SecureAgentPort" ) ) {
v_host = parser.getValuesFromContainer( nodeList.item(i),
- "AgentHost" );
+ "AgentHost",
+ true );
} else if( portType.equals( "SecurePort" ) ) {
v_host = parser.getValuesFromContainer( nodeList.item(i),
- "EEHost" );
+ "EEHost",
+ true );
} else if( portType.equals( "SecureAdminPort" ) ) {
v_host = parser.getValuesFromContainer( nodeList.item(i),
- "AdminHost" );
+ "AdminHost",
+ true );
} else if( portType.equals( "SecureEEClientAuthPort" ) ) {
v_host = parser.getValuesFromContainer( nodeList.item(i),
- "EEClientAuthHost" );
+ "EEClientAuthHost",
+ true );
}
if (v_host.isEmpty()) {
// No, the Security Domain is using a Port Separation Schema
v_host = parser.getValuesFromContainer( nodeList.item(i),
- "Host" );
+ "Host",
+ true );
}
Vector v_port = parser.getValuesFromContainer(nodeList.item(i),
- portType);
+ portType, true);
Vector v_admin_host = parser.getValuesFromContainer( nodeList.item(i),
- "AdminHost");
+ "AdminHost", true);
if (v_admin_host.isEmpty()) {
v_admin_host = v_host;
}
Vector v_admin_port = parser.getValuesFromContainer(nodeList.item(i),
- "SecureAdminPort");
+ "SecureAdminPort", true);
if( ( v_admin_host.elementAt( 0 ).equals( hostname ) ) &&
( v_admin_port.elementAt( 0 ).equals(
@@ -1252,20 +1267,23 @@
// is using an IP Port Separation Schema:
Vector v_hostname =
parser.getValuesFromContainer( nodeList.item(i),
- "EEHost" );
+ "EEHost",
+ true );
if ( v_hostname.isEmpty()) {
// No, the Security Domain is using a Port Separation Schema
v_hostname = parser.getValuesFromContainer(
- nodeList.item(i), "Host" );
+ nodeList.item(i), "Host", true );
}
Vector v_https_ee_port =
parser.getValuesFromContainer( nodeList.item(i),
- "SecurePort" );
+ "SecurePort",
+ true );
Vector v_https_admin_port =
parser.getValuesFromContainer( nodeList.item(i),
- "SecureAdminPort" );
+ "SecureAdminPort",
+ true );
if( v_hostname.elementAt( 0 ).equals( hostname ) &&
v_https_ee_port.elementAt( 0 ).equals( https_ee_port ) ) {
@@ -1311,14 +1329,16 @@
// is using an IP Port Separation Schema:
Vector v_hostname =
parser.getValuesFromContainer( nodeList.item(i),
- "EEHost" );
+ "EEHost",
+ true );
Vector v_https_admin_host =
parser.getValuesFromContainer( nodeList.item(i),
- "AdminHost" );
+ "AdminHost",
+ true );
if (v_hostname.isEmpty()) {
// No, the Security Domain is using a Port Separation Schema
v_hostname = parser.getValuesFromContainer(
- nodeList.item(i), "Host" );
+ nodeList.item(i), "Host", true );
}
if (v_https_admin_host.isEmpty()) {
// No, the Security Domain is using a Port Separation Schema
@@ -1327,7 +1347,8 @@
Vector v_https_ee_port =
parser.getValuesFromContainer( nodeList.item(i),
- "SecurePort" );
+ "SecurePort",
+ true );
if( v_hostname.elementAt( 0 ).equals( hostname ) &&
v_https_ee_port.elementAt( 0 ).equals( https_ee_port ) ) {
@@ -1375,24 +1396,30 @@
for( int i = 0; i < len; i++ ) {
Vector v_admin_port =
parser.getValuesFromContainer( nodeList.item(i),
- "SecureAdminPort" );
+ "SecureAdminPort",
+ true );
Vector v_port = null;
if( portType.equals( "UnSecurePort" ) ) {
v_port = parser.getValuesFromContainer( nodeList.item(i),
- "UnSecurePort" );
+ "UnSecurePort",
+ true );
} else if( portType.equals( "SecureAgentPort" ) ) {
v_port = parser.getValuesFromContainer( nodeList.item(i),
- "SecureAgentPort" );
+ "SecureAgentPort",
+ true );
} else if( portType.equals( "SecurePort" ) ) {
v_port = parser.getValuesFromContainer( nodeList.item(i),
- "SecurePort" );
+ "SecurePort",
+ true );
} else if( portType.equals( "SecureAdminPort" ) ) {
v_port = parser.getValuesFromContainer( nodeList.item(i),
- "SecureAdminPort" );
+ "SecureAdminPort",
+ true );
} else if( portType.equals( "SecureEEClientAuthPort" ) ) {
v_port = parser.getValuesFromContainer( nodeList.item(i),
- "SecureEEClientAuthPort" );
+ "SecureEEClientAuthPort",
+ true );
}
if( ( v_port != null ) &&
@@ -1441,33 +1468,41 @@
for( int i = 0; i < len; i++ ) {
Vector v_admin_host =
parser.getValuesFromContainer( nodeList.item(i),
- "AdminHost" );
+ "AdminHost",
+ true );
if(v_admin_host.isEmpty()) {
v_admin_host =
parser.getValuesFromContainer( nodeList.item(i),
- "Host" );
+ "Host",
+ true );
}
Vector v_admin_port =
parser.getValuesFromContainer( nodeList.item(i),
- "SecureAdminPort" );
+ "SecureAdminPort",
+ true );
Vector v_host = null;
if( hostType.equals( "Host" ) ) {
v_host = parser.getValuesFromContainer( nodeList.item(i),
- "Host" );
+ "Host",
+ true );
} else if( hostType.equals( "AgentHost" ) ) {
v_host = parser.getValuesFromContainer( nodeList.item(i),
- "AgentHost" );
+ "AgentHost",
+ true );
} else if( hostType.equals( "EEHost" ) ) {
v_host = parser.getValuesFromContainer( nodeList.item(i),
- "EEHost" );
+ "EEHost",
+ true );
} else if( hostType.equals( "AdminHost" ) ) {
v_host = parser.getValuesFromContainer( nodeList.item(i),
- "AdminHost" );
+ "AdminHost",
+ true );
} else if( hostType.equals( "EEClientAuthHost" ) ) {
v_host = parser.getValuesFromContainer( nodeList.item(i),
- "EEClientAuthHost" );
+ "EEClientAuthHost",
+ true );
}
if( ( v_admin_host.elementAt( 0 ).equals( hostname ) ) &&
Index: base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
===================================================================
--- base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java (revision 2619)
+++ base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java (working copy)
@@ -107,6 +107,34 @@
return status;
}
+ private void add_attributes(String dn, LDAPModificationSet attrs)
+ throws LDAPException, Exception {
+ ILdapConnFactory connFactory = null;
+ LDAPConnection conn = null;
+ IConfigStore cs = CMS.getConfigStore();
+ try {
+ CMS.debug("UpdateDomainXML: add_attributes - " +
+ "establishing ldap connection to DN '" + dn + "'");
+ IConfigStore ldapConfig = cs.getSubStore("internaldb");
+ connFactory = CMS.getLdapBoundConnFactory();
+ connFactory.init(ldapConfig);
+ conn = connFactory.getConn();
+ conn.modify(dn, attrs);
+ } finally {
+ try {
+ if ((conn != null) && (connFactory!= null)) {
+ CMS.debug("UpdateDomainXML: add_attributes - " +
+ "releasing ldap connection to DN '" + dn + "'");
+ connFactory.returnConn(conn);
+ }
+ } catch (Exception e) {
+ CMS.debug("UpdateDomainXML: add_attributes - " +
+ "error releasing ldap connection to DN '" +
+ dn + "' - Exception " + e.toString());
+ }
+ }
+ }
+
private String remove_attribute(String dn, LDAPModification mod) {
CMS.debug("UpdateDomainXML: remove_attribute: starting dn: " + dn);
String status = SUCCESS;
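Review bot: `throws LDAPException, Exception` on the new `add_attributes` signature is redundant, since `Exception` already covers `LDAPException`; if `LDAPException` is listed on purpose to signal that it is propagated unwrapped so the caller can inspect `getLDAPResultCode()`, a one-line Javadoc saying exactly that would make the contract explicit, otherwise `throws Exception` alone is enough. Each call builds and initialises a fresh `ILdapConnFactory` from the `internaldb` substore just to borrow one connection; if `add_to_ldap` and `remove_attribute` in this file do the same this is at least consistent, but nothing here shuts the factory down after `returnConn`, so confirm that `CMS.getLdapBoundConnFactory()` does not hold sockets or bind state across calls. Logging rather than rethrowing a failed `returnConn` in the `finally` block is reasonable; `(connFactory!= null)` wants a space to match the surrounding style.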
@@ -127,6 +155,7 @@
CMS.debug("Failed to modify entry" + e.toString());
}
} catch (Exception e) {
+ status = FAILED;
CMS.debug("Failed to modify entry" + e.toString());
} finally {
try {
@@ -350,18 +379,6 @@
if ((eecaport != null) && (!eecaport.equals(""))) {
attrs.add(new LDAPAttribute("SecureEEClientAuthPort", eecaport));
}
- if ((agenthost != null) && (!agenthost.equals(""))) {
- attrs.add(new LDAPAttribute("AgentHost", agenthost));
- }
- if ((eehost != null) && (!eehost.equals(""))) {
- attrs.add(new LDAPAttribute("EEHost", eehost));
- }
- if ((adminhost != null) && (!adminhost.equals(""))) {
- attrs.add(new LDAPAttribute("AdminHost", adminhost));
- }
- if ((eecahost != null) && (!eecahost.equals(""))) {
- attrs.add(new LDAPAttribute("EEClientAuthHost", eecahost));
- }
if ((domainmgr != null) && (!domainmgr.equals(""))) {
attrs.add(new LDAPAttribute("DomainManager", domainmgr.toUpperCase()));
}
@@ -422,7 +439,73 @@
}
}
} else {
- status = add_to_ldap(entry, dn);
+ status = add_to_ldap(entry, dn);
+
+ if (status.equals(SUCCESS)) {
+ CMS.debug("UpdateDomainXML: " +
+ "Successfully added PKI Security Domain " +
+ "attributes to DN '" + dn + "'");
+
+ // Attempt to modify this LDAP entry by
+ // trying to add IP Port Separation attributes
+ LDAPModificationSet mods = null;
+ mods = new LDAPModificationSet();
+ if ((agenthost != null) && (!agenthost.equals(""))) {
+ mods.add(LDAPModification.ADD,
+ new LDAPAttribute("AgentHost", agenthost));
+ }
+ if ((eehost != null) && (!eehost.equals(""))) {
+ mods.add(LDAPModification.ADD,
+ new LDAPAttribute("EEHost", eehost));
+ }
+ if ((adminhost != null) && (!adminhost.equals(""))) {
+ mods.add(LDAPModification.ADD,
+ new LDAPAttribute("AdminHost", adminhost));
+ }
+ if ((eecahost != null) && (!eecahost.equals(""))) {
+ mods.add(LDAPModification.ADD,
+ new LDAPAttribute("EEClientAuthHost",
+ eecahost));
+ }
+
+ try {
+ if (mods.size() > 0) {
+ add_attributes(dn, mods);
+ CMS.debug("UpdateDomainXML: " +
+ "Successfully added " +
+ "IP Port Separation Security Domain " +
+ "attributes to DN '" + dn + "'");
+ }
+ } catch (LDAPException e) {
+ int errorCode = e.getLDAPResultCode();
+ if ((errorCode == LDAPException.NO_SUCH_ATTRIBUTE) ||
+ (errorCode == LDAPException.OBJECT_CLASS_VIOLATION))
+ {
+ // ignore this type of error
+ CMS.debug("UpdateDomainXML: " +
+ "Unable to add " +
+ "IP Port Separation Security Domain " +
+ "attributes to DN '" + dn +
+ "' (server contains old schema)");
+ } else {
+ e.printStackTrace();
+ CMS.debug("UpdateDomainXML: " +
+ "LDAPException - Failed to add " +
+ "IP Port Separation Security Domain " +
+ "attributes to DN '" + dn + "' - " +
+ e.toString());
+ status = FAILED;
+ }
+ } catch (Exception e) {
+ e.printStackTrace();
+ CMS.debug("UpdateDomainXML: " +
+ "Exception - Failed to add " +
+ "IP Port Separation Security Domain " +
+ "attributes to DN '" + dn + "' - " +
+ e.toString());
+ status = FAILED;
+ }
+ }
}
}
else {
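Review bot: The old-schema detection on `NO_SUCH_ATTRIBUTE` / `OBJECT_CLASS_VIOLATION` may not cover what a directory server returns when an attribute type is absent from the schema altogether: per RFC 4511 that is undefinedAttributeType (17), exposed by the SDK as `LDAPException.UNDEFINED_ATTRIBUTE_TYPE`, whereas NO_SUCH_ATTRIBUTE (16) is normally returned for deleting or replacing an attribute the entry does not have. Worth confirming against a security domain running the pre-IP-Port-Separation schema and, if so, adding `|| (errorCode == LDAPException.UNDEFINED_ATTRIBUTE_TYPE)` to the condition, otherwise the registration is marked FAILED even though the base entry was stored by `add_to_ldap`. The two `e.printStackTrace()` calls bypass `CMS.debug` and go to stderr; dropping them and keeping the `CMS.debug` line keeps the failure in the subsystem log where the rest of this method reports. The enclosing method starts and ends outside the hunk.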
@@ -447,9 +530,9 @@
for (int i = 0; i < len; i++) {
Node nn = (Node) nodeList.item(i);
- Vector v_name = parser.getValuesFromContainer(nn, "SubsystemName");
- Vector v_host = parser.getValuesFromContainer(nn, "Host");
- Vector v_adminport = parser.getValuesFromContainer(nn, "SecureAdminPort");
+ Vector v_name = parser.getValuesFromContainer(nn, "SubsystemName", true);
+ Vector v_host = parser.getValuesFromContainer(nn, "Host", true);
+ Vector v_adminport = parser.getValuesFromContainer(nn, "SecureAdminPort", true);
if ((v_name.elementAt(0).equals(name)) && (v_host.elementAt(0).equals(host))
&& (v_adminport.elementAt(0).equals(adminsport))) {
Node parent = nn.getParentNode();
Index: base/common/src/com/netscape/cms/servlet/csadmin/GetConfigEntries.java
===================================================================
--- base/common/src/com/netscape/cms/servlet/csadmin/GetConfigEntries.java (revision 2619)
+++ base/common/src/com/netscape/cms/servlet/csadmin/GetConfigEntries.java (working copy)
@@ -151,8 +151,17 @@
CMS.debug("Retrieving config name=" + name);
value = config.getString(name);
CMS.debug("Retrieving config value=" + value);
- if (value.equals("localhost"))
+ if (value.equals("localhost")) {
value = config.getString("adminMachineName", "");
+ if( value.isEmpty()) {
+ value = config.getString("machineName", "");
+ if( value.isEmpty()) {
+ CMS.debug("GetConfigEntries process: "
+ + "WARNING - sending empty string for "
+ + name);
+ }
+ }
+ }
} catch (Exception ee) {
if (name.equals("internaldb.ldapauth.password")) {
value = getLDAPPassword();
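Review bot: The two nested `isEmpty()` blocks can be flattened to `if (value.isEmpty()) { value = config.getString("machineName", ""); }` followed by `if (value.isEmpty()) { CMS.debug(...); }`, which reads as the fallback chain it is and avoids the four-deep nesting. The warning is only a debug line while the method goes on to hand the empty string to the requesting clone; that is acceptable because the DatabasePanel hunk in this patch rejects an empty host on the receiving side, but a comment here saying the caller is expected to validate would stop someone later "fixing" it into a throw. The enclosing method starts and ends outside the hunk.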
Index: base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java
===================================================================
--- base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java (revision 2619)
+++ base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java (working copy)
@@ -763,8 +763,6 @@
String cstype = config.getString("preop.subsystem.select", "");
if (cstype.equals("clone")) {
CMS.debug("NamePanel: clone configuration detected");
- // still need to handle SSL certificate
- configCertWithTag(request, response, context, "sslserver");
String url = getURL(request, config);
if (url != null && !url.equals("External CA")) {
// preop.ca.url and admin port are required for setting KRA connector
@@ -778,6 +776,9 @@
}
updateCloneConfig(config);
+
+ // still need to handle SSL certificate
+ configCertWithTag(request, response, context, "sslserver");
CMS.debug("NamePanel: clone configuration done");
return;
}
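Review bot: The comment moved with `configCertWithTag(request, response, context, "sslserver")` still reads `// still need to handle SSL certificate` and does not say why the call now has to come after `updateCloneConfig(config)`, which is the whole point of the reorder according to the patch description. Suggest `// Issue the sslserver cert only after updateCloneConfig() has set the preop parameters that select which CA to send the request to; before, it always went to the security domain CA.` so that the rationale sits next to the call and the order is not undone by a later cleanup. The enclosing method starts and ends outside the hunk.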
Index: base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java
===================================================================
--- base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java (revision 2619)
+++ base/common/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java (working copy)
@@ -291,6 +291,11 @@
} catch (Exception e) {
}
+ if (hostname == null || hostname.length() == 0) {
+ cs.putString("preop.database.errorString", "Host is empty string");
+ throw new IOException("Host is empty string");
+ }
+
if (select.equals("clone")) {
String masterhost = "";
String masterport = "";
@@ -302,26 +307,19 @@
} catch (Exception e) {
}
- //get the real host name
- String realhostname = "";
if (hostname.equals("localhost")) {
- try {
- realhostname = cs.getString("adminMachineName", "");
- } catch (Exception ee) {
- }
+ cs.putString("preop.database.errorString",
+ "Use FQDN instead of localhost");
+ throw new IOException("Use FQDN instead of localhost");
}
- if (masterhost.equals(realhostname) && masterport.equals(portStr))
+
+ if (masterhost.equals(hostname) && masterport.equals(portStr))
throw new IOException("Master and clone must not share the same internal database");
if (!masterbasedn.equals(basedn))
throw new IOException("Master and clone should have the same base DN");
}
- if (hostname == null || hostname.length() == 0) {
- cs.putString("preop.database.errorString", "Host is empty string");
- throw new IOException("Host is empty string");
- }
-
if (portStr != null && portStr.length() > 0) {
int port = -1;
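Review bot: The new `hostname.equals("localhost")` rejection and the `masterhost.equals(hostname)` comparison behind the "Master and clone must not share the same internal database" check are both case-sensitive while host names are not, so a differently-cased spelling of `localhost` passes the first and a differently-cased spelling of the master's name passes the second; `equalsIgnoreCase` on both lines closes that. Loopback addresses such as 127.0.0.1 or ::1 also pass the FQDN check; whether they should be rejected here depends on what the master-host value read above the hunk can contain, which is not visible. The text written to `preop.database.errorString` duplicates the `IOException` message in both new blocks, so a local `String msg` used for both keeps the two in step. The enclosing method starts and ends outside the hunk.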
Index: base/util/src/com/netscape/cmsutil/xml/XMLObject.java
===================================================================
--- base/util/src/com/netscape/cmsutil/xml/XMLObject.java (revision 2619)
+++ base/util/src/com/netscape/cmsutil/xml/XMLObject.java (working copy)
@@ -122,12 +122,17 @@
}
public Vector getValuesFromContainer(Node container, String tagname) {
+ return getValuesFromContainer(container, tagname, false);
+ }
+
+ public Vector getValuesFromContainer(Node container, String tagname, boolean ignoreCase) {
Vector v = new Vector();
NodeList c = container.getChildNodes();
int len = c.getLength();
for (int i=0; i<len; i++) {
Node subchild = c.item(i);
- if (subchild.getNodeName().equals(tagname)) {
+ if (subchild.getNodeName().equals(tagname) ||
+ (ignoreCase && subchild.getNodeName().equalsIgnoreCase(tagname))) {
NodeList grandchildren = subchild.getChildNodes();
if (grandchildren.getLength() > 0) {
Node grandchild = grandchildren.item(0);
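Review bot: The new condition `equals(tagname) || (ignoreCase && equalsIgnoreCase(tagname))` is equivalent to `ignoreCase ? nodeName.equalsIgnoreCase(tagname) : nodeName.equals(tagname)` because an exact match is also a case-insensitive one; the ternary reads more directly, and hoisting `String nodeName = subchild.getNodeName();` above it avoids the second call. The three-argument `getValuesFromContainer` is new public API without a Javadoc; a short `/** Returns the text values of the child elements of {@code container} named {@code tagname}; with {@code ignoreCase} the element-name comparison is case-insensitive, for XML built from attributes a DS bug stored in lower case. */` would state the intent. It is also worth noting in that Javadoc that with `ignoreCase` two child elements differing only in case are both collected, which is fine for this use but not obvious. The method continues past the hunk.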