[Pki-devel] [PATCH] 591 Added options for internal token and replication passwords.

Endi Sukma Dewata edewata at redhat.com
Wed May 6 20:30:42 UTC 2015


The installation code has been modified such that it provides
several options for internal token and replication passwords:
* reuse the same admin/database passwords (default)
* specify new passwords
* generate new random passwords

https://fedorahosted.org/pki/ticket/1354

-- 
Endi S. Dewata
-------------- next part --------------
From 385897582fcc6d3c954528d11dce7aabf31e2c17 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata at redhat.com>
Date: Wed, 6 May 2015 16:19:19 -0400
Subject: [PATCH] Added options for internal token and replication passwords.

The installation code has been modified such that it provides
several options for internal token and replication passwords:
* reuse the same admin/database passwords (default)
* specify new passwords
* generate new random passwords

https://fedorahosted.org/pki/ticket/1354
---
 .../certsrv/system/ConfigurationRequest.java       | 157 +++------------------
 .../certsrv/system/SystemConfigResource.java       |  10 --
 .../dogtagpki/server/rest/SystemConfigService.java |  42 ++++--
 base/server/etc/default.cfg                        |  10 ++
 .../python/pki/server/deployment/pkihelper.py      |   3 +
 .../python/pki/server/deployment/pkiparser.py      |  32 ++++-
 6 files changed, 89 insertions(+), 165 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
index 0caa215fbd6334ad6656002470f69d6b8426c861..932745c481c6863e11960b0b60e3a10bd57a30f8 100644
--- a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
+++ b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
@@ -21,7 +21,6 @@ import java.net.URI;
 import java.net.URISyntaxException;
 import java.util.List;
 
-import javax.ws.rs.core.MultivaluedMap;
 import javax.xml.bind.annotation.XmlAccessType;
 import javax.xml.bind.annotation.XmlAccessorType;
 import javax.xml.bind.annotation.XmlElement;
@@ -29,8 +28,6 @@ import javax.xml.bind.annotation.XmlRootElement;
 import javax.xml.bind.annotation.adapters.XmlAdapter;
 import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter;
 
-import org.apache.commons.lang.StringUtils;
-
 /**
  * @author alee
  *
@@ -38,69 +35,6 @@ import org.apache.commons.lang.StringUtils;
 @XmlRootElement(name="ConfigurationRequest")
 @XmlAccessorType(XmlAccessType.FIELD)
 public class ConfigurationRequest {
-    private static final String PIN = "pin";
-    private static final String TOKEN = "token";
-    private static final String TOKEN_PASSWORD = "tokenPassword";
-    private static final String SECURITY_DOMAIN_TYPE = "securityDomainType";
-    private static final String SECURITY_DOMAIN_URI = "securityDomainUri";
-    private static final String SECURITY_DOMAIN_NAME = "securityDomainName";
-    private static final String SECURITY_DOMAIN_USER = "securityDomainUser";
-    private static final String SECURITY_DOMAIN_PASSWORD = "securityDomainPassword";
-    private static final String IS_CLONE = "isClone";
-    private static final String CLONE_URI = "cloneUri";
-    private static final String SUBSYSTEM_NAME = "subsystemName";
-    private static final String P12_FILE = "p12File";
-    private static final String P12_PASSWORD = "p12Password";
-    private static final String HIERARCHY = "hierarchy";
-    private static final String DSHOST = "dsHost";
-    private static final String DSPORT = "dsPort";
-    private static final String BASEDN = "basedn";
-    private static final String CREATE_NEW_DB = "createNewDB";
-    private static final String BINDDN = "binddn";
-    private static final String DATABASE = "database";
-    private static final String SECURECONN = "secureConn";
-    private static final String REMOVEDATA = "removeData";
-    private static final String MASTER_REPLICATION_PORT = "masterReplicationPort";
-    private static final String CLONE_REPLICATION_PORT = "cloneReplicationPort";
-    private static final String REPLICATE_SCHEMA = "replicateSchema";
-    private static final String REPLICATION_SECURITY = "replicationSecurity";
-    private static final String SETUP_REPLICATION = "setupReplication";
-    private static final String ISSUING_CA = "issuingCa";
-    private static final String BACKUP_KEYS = "backupKeys";
-    private static final String BACKUP_FILE = "backupFile";
-    private static final String BACKUP_PASSWORD = "backupPassword";
-    private static final String ADMIN_UID = "adminUid";
-    private static final String ADMIN_EMAIL = "adminEmail";
-    private static final String ADMIN_PASSWORD = "adminPassword";
-    private static final String ADMIN_CERT_REQUEST = "adminCertRequest";
-    private static final String ADMIN_CERT_REQUEST_TYPE = "adminCertRequestType";
-    private static final String ADMIN_SUBJECT_DN = "adminSubjectDN";
-    private static final String ADMIN_NAME = "adminName";
-    private static final String ADMIN_PROFILE_ID = "adminProfileID";
-    private static final String IMPORT_ADMIN_CERT = "importAdminCert";
-    private static final String ADMIN_CERT = "adminCert";
-    private static final String STANDALONE = "standAlone";
-    private static final String STEP_TWO = "stepTwo";
-    private static final String GENERATE_SERVER_CERT = "generateServerCert";
-    private static final String SUBORDINATE_SECURITY_DOMAIN_NAME = "subordinateSecurityDomainName";
-
-    // TPS specific parameters
-    private static final String AUTHDB_BASEDN = "authdbBaseDN";
-    private static final String AUTHDB_HOST = "authdbHost";
-    private static final String AUTHDB_PORT = "authdbPort";
-    private static final String AUTHDB_SECURE_CONN = "authdbSecureConn";
-    private static final String CA_URI = "caUri";
-    private static final String TKS_URI = "tksUri";
-    private static final String KRA_URI = "kraUri";
-    private static final String ENABLE_SERVER_SIDE_KEYGEN = "enableServerSideKeygen";
-
-    // TKS/TPS shared secret parameters
-    private static final String IMPORT_SHARED_SECRET = "importSharedSecret";
-
-    // Parameters for shared tomcat instances
-    private static final String GENERATE_SUBSYSTEM_CERT="generateSubsystemCert";
-    private static final String SHARED_DB = "sharedDB";
-    private static final String SHARED_DBUSER_DN = "sharedDBUserDN";
 
     //defaults
     public static final String TOKEN_DEFAULT = "Internal Key Storage Token";
@@ -190,6 +124,12 @@ public class ConfigurationRequest {
     protected String replicationSecurity;
 
     @XmlElement
+    protected String replicationPasswordSource;
+
+    @XmlElement
+    protected String replicationPassword;
+
+    @XmlElement
     protected String setupReplication;
 
     @XmlElement
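Review bot: The new `replicationPasswordSource` field carries no documentation of the values the server accepts, so a client has to read SystemConfigService to learn them; a comment above the field such as `// Valid values: "default" (use replicationPassword if set, otherwise the internal DB bind password) or "random"` would state the contract where the request type is defined. The same applies to the `getReplicationPasswordSource`/`setReplicationPasswordSource` pair added later in this file, which could carry a one-line Javadoc with the same wording. The class body continues outside the hunk.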
@@ -292,75 +232,6 @@ public class ConfigurationRequest {
         // required for JAXB
     }
 
-    public ConfigurationRequest(MultivaluedMap<String, String> form) throws URISyntaxException {
-        pin = form.getFirst(PIN);
-        token = form.getFirst(TOKEN);
-        tokenPassword = form.getFirst(TOKEN_PASSWORD);
-        securityDomainType = form.getFirst(SECURITY_DOMAIN_TYPE);
-        securityDomainUri = form.getFirst(SECURITY_DOMAIN_URI);
-        securityDomainName = form.getFirst(SECURITY_DOMAIN_NAME);
-        securityDomainUser = form.getFirst(SECURITY_DOMAIN_USER);
-        securityDomainPassword = form.getFirst(SECURITY_DOMAIN_PASSWORD);
-        isClone = form.getFirst(IS_CLONE);
-        cloneUri = form.getFirst(CLONE_URI);
-        subsystemName = form.getFirst(SUBSYSTEM_NAME);
-        p12File = form.getFirst(P12_FILE);
-        p12Password = form.getFirst(P12_PASSWORD);
-        hierarchy = form.getFirst(HIERARCHY);
-        dsHost = form.getFirst(DSHOST);
-        dsPort = form.getFirst(DSPORT);
-        baseDN = form.getFirst(BASEDN);
-        createNewDB = form.getFirst(CREATE_NEW_DB);
-        bindDN = form.getFirst(BINDDN);
-        database = form.getFirst(DATABASE);
-        secureConn = form.getFirst(SECURECONN);
-        removeData = form.getFirst(REMOVEDATA);
-        masterReplicationPort = form.getFirst(MASTER_REPLICATION_PORT);
-        cloneReplicationPort = form.getFirst(CLONE_REPLICATION_PORT);
-        replicateSchema = form.getFirst(REPLICATE_SCHEMA);
-        replicationSecurity = form.getFirst(REPLICATION_SECURITY);
-        setupReplication = form.getFirst(SETUP_REPLICATION);
-        //TODO - figure out how to get the cert requests
-        issuingCA = form.getFirst(ISSUING_CA);
-        backupFile = form.getFirst(BACKUP_FILE);
-        backupPassword = form.getFirst(BACKUP_PASSWORD);
-        backupKeys = form.getFirst(BACKUP_KEYS);
-        adminUID = form.getFirst(ADMIN_UID);
-        adminEmail = form.getFirst(ADMIN_EMAIL);
-        adminPassword = form.getFirst(ADMIN_PASSWORD);
-        adminCertRequest = form.getFirst(ADMIN_CERT_REQUEST);
-        adminCertRequestType = form.getFirst(ADMIN_CERT_REQUEST_TYPE);
-        adminSubjectDN = form.getFirst(ADMIN_SUBJECT_DN);
-        adminName = form.getFirst(ADMIN_NAME);
-        adminProfileID = form.getFirst(ADMIN_PROFILE_ID);
-        adminCert = form.getFirst(ADMIN_CERT);
-        importAdminCert = form.getFirst(IMPORT_ADMIN_CERT);
-        standAlone = form.getFirst(STANDALONE);
-        stepTwo = form.getFirst(STEP_TWO);
-        generateServerCert = form.getFirst(GENERATE_SERVER_CERT);
-        authdbBaseDN = form.getFirst(AUTHDB_BASEDN);
-        authdbHost = form.getFirst(AUTHDB_HOST);
-        authdbPort = form.getFirst(AUTHDB_PORT);
-        authdbSecureConn = form.getFirst(AUTHDB_SECURE_CONN);
-        subordinateSecurityDomainName = form.getFirst(SUBORDINATE_SECURITY_DOMAIN_NAME);
-
-        String value = form.getFirst(CA_URI);
-        if (!StringUtils.isEmpty(value)) setCaUri(new URI(value));
-
-        value = form.getFirst(TKS_URI);
-        if (!StringUtils.isEmpty(value)) setTksUri(new URI(value));
-
-        value = form.getFirst(KRA_URI);
-        if (!StringUtils.isEmpty(value)) setKraUri(new URI(value));
-
-        enableServerSideKeyGen = form.getFirst(ENABLE_SERVER_SIDE_KEYGEN);
-        importSharedSecret = form.getFirst(IMPORT_SHARED_SECRET);
-
-        generateSubsystemCert = form.getFirst(GENERATE_SUBSYSTEM_CERT);
-        sharedDB = form.getFirst(SHARED_DB);
-        sharedDBUserDN = form.getFirst(SHARED_DBUSER_DN);
-    }
-
     public String getSubsystemName() {
         return subsystemName;
     }
@@ -637,6 +508,22 @@ public class ConfigurationRequest {
         this.replicationSecurity = replicationSecurity;
     }
 
+    public String getReplicationPasswordSource() {
+        return replicationPasswordSource;
+    }
+
+    public void setReplicationPasswordSource(String replicationPasswordSource) {
+        this.replicationPasswordSource = replicationPasswordSource;
+    }
+
+    public String getReplicationPassword() {
+        return replicationPassword;
+    }
+
+    public void setReplicationPassword(String replicationPassword) {
+        this.replicationPassword = replicationPassword;
+    }
+
     public boolean getSetupReplication() {
         // default to true
         if (setupReplication == null) {
diff --git a/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java b/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java
index 2a490805dbfb3f3a94771fa03be7865d36153d4a..0cebb607433aea8571ff524df42872e9ae781c43 100644
--- a/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java
+++ b/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java
@@ -17,13 +17,8 @@
 // --- END COPYRIGHT BLOCK ---
 package com.netscape.certsrv.system;
 
-import java.net.URISyntaxException;
-
-import javax.ws.rs.Consumes;
 import javax.ws.rs.POST;
 import javax.ws.rs.Path;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.MultivaluedMap;
 
 
 /**
@@ -34,10 +29,5 @@ public interface SystemConfigResource {
 
     @POST
     @Path("configure")
-    @Consumes({ MediaType.APPLICATION_FORM_URLENCODED })
-    public ConfigurationResponse configure(MultivaluedMap<String, String> form) throws URISyntaxException;
-
-    @POST
-    @Path("configure")
     public ConfigurationResponse configure(ConfigurationRequest data);
 }
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index 12dd54dac37f9677ca9cddfefc9c870a53ca671b..d074cd4af0926160f8df1bb6030c054ade0c9f0a 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -19,7 +19,6 @@ package org.dogtagpki.server.rest;
 
 import java.math.BigInteger;
 import java.net.MalformedURLException;
-import java.net.URISyntaxException;
 import java.net.URL;
 import java.security.NoSuchAlgorithmException;
 import java.security.PublicKey;
@@ -31,7 +30,6 @@ import java.util.Random;
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.HttpHeaders;
-import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.Request;
 import javax.ws.rs.core.UriInfo;
 
@@ -110,15 +108,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
     }
 
     /* (non-Javadoc)
-     * @see com.netscape.cms.servlet.csadmin.SystemConfigurationResource#configure(javax.ws.rs.core.MultivaluedMap)
-     */
-    @Override
-    public ConfigurationResponse configure(MultivaluedMap<String, String> form) throws URISyntaxException {
-        ConfigurationRequest data = new ConfigurationRequest(form);
-        return configure(data);
-    }
-
-    /* (non-Javadoc)
      * @see com.netscape.cms.servlet.csadmin.SystemConfigurationResource#configure(com.netscape.cms.servlet.csadmin.data.ConfigurationData)
      */
     @Override
@@ -697,7 +686,32 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
 
         try {
             /* BZ 430745 create password for replication manager */
-            String replicationpwd = Integer.toString(new Random().nextInt());
+            String replicationPasswordSource = data.getReplicationPasswordSource();
+            if (StringUtils.isEmpty(replicationPasswordSource)) {
+                replicationPasswordSource = "default";
+            }
+            CMS.debug("Replication password source: " + replicationPasswordSource);
+
+            String replicationPassword;
+
+            if ("default".equals(replicationPasswordSource)) {
+
+                // use user-provided password if specified
+                replicationPassword = data.getReplicationPassword();
+
+                if (StringUtils.isEmpty(replicationPassword)) {
+                    // otherwise use internal database password
+                    replicationPassword = data.getBindpwd();
+                }
+
+            } else if ("random".equals(replicationPasswordSource)) {
+                // generate random password
+                replicationPassword = Integer.toString(new Random().nextInt());
+
+            } else {
+                CMS.debug("Invalid replication password source: " + replicationPasswordSource);
+                throw new BadRequestException("Invalid replication password source: " + replicationPasswordSource);
+            }
 
             IConfigStore psStore = null;
             String passwordFile = null;
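Review bot: The `random` branch still builds the replication manager password from `new Random().nextInt()`, a linear congruential generator that yields at most 31 bits and is not designed for secrets, so the value the commit advertises as a generated random password is short and predictable. `replicationPassword = new BigInteger(128, new SecureRandom()).toString(36);` gives a 128-bit value using `java.math.BigInteger`, which the file already imports, plus an import of `java.security.SecureRandom`. The weakness predates the commit (the removed line used the same expression), but the branch is new code and `replicationPasswordSource` is now the documented way a deployment opts into it, so this is the place to fix it. The enclosing method starts and ends outside the hunk.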
@@ -705,14 +719,14 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
             psStore = CMS.createFileConfigStore(passwordFile);
             psStore.putString("internaldb", data.getBindpwd());
             if (data.getSetupReplication()) {
-                psStore.putString("replicationdb", replicationpwd);
+                psStore.putString("replicationdb", replicationPassword);
             }
             psStore.commit(false);
 
             if (!data.getStepTwo()) {
                 ConfigurationUtils.populateDB();
 
-                cs.putString("preop.internaldb.replicationpwd", replicationpwd);
+                cs.putString("preop.internaldb.replicationpwd", replicationPassword);
                 cs.putString("preop.database.removeData", "false");
                 if (data.getSharedDB()) {
                     cs.putString("preop.internaldb.dbuser", data.getSharedDBUserDN());
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index 3b082020d055bd4a46cfbefc36c81ae46d4d6c4b..e6d7512e9dc04b1ff4a634908c2182ab3c580fd6 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -24,6 +24,7 @@ sensitive_parameters=
     pki_ds_password
     pki_one_time_pin
     pki_pin
+    pki_replication_password
     pki_security_domain_password
     pki_token_password
 
@@ -98,6 +99,15 @@ pki_issuing_ca_hostname=%(pki_security_domain_hostname)s
 pki_issuing_ca_https_port=%(pki_security_domain_https_port)s
 pki_issuing_ca_uri=https://%(pki_issuing_ca_hostname)s:%(pki_issuing_ca_https_port)s
 pki_issuing_ca=%(pki_issuing_ca_uri)s
+
+# Valid values: default, random
+pki_pin_source=
+pki_pin=
+
+# Valid values: default, random
+pki_replication_password_source=
+pki_replication_password=
+
 pki_restart_configured_instance=True
 pki_security_domain_hostname=%(pki_hostname)s
 pki_security_domain_https_port=8443
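Review bot: The comment `# Valid values: default, random` above `pki_pin_source` does not say what `default` means when `pki_pin` is left empty; the pkiparser change in this patch then falls back to `pki_admin_password`, so the security database PIN silently becomes the admin password. A comment such as `# default: use pki_pin if set, otherwise reuse pki_admin_password; random: generate a random PIN` would make that choice visible to whoever edits the deployment file, and the `pki_replication_password_source` block deserves the same treatment, where the fallback (per SystemConfigService in this patch) is the DS bind password.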
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index b9d48eea3d9f3ce89766b93fecb16195fada67e1..239ae3788e32704595645b8b922555c7c481a67e 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -3873,6 +3873,9 @@ class ConfigClient:
         if not self.clone:
             self.set_admin_parameters(data)
 
+        data.replicationPasswordSource = self.mdict['pki_replication_password_source']
+        data.replicationPassword = self.mdict['pki_replication_password']
+
         # Issuing CA Information
         self.set_issuing_ca_parameters(data)
 
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index 39cef9413171f6a22bb2292edc1f7a18d07257fc..2899bcde9ea9d8bbd4627e621d427350138a8efa 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -327,10 +327,14 @@ class PKIConfigParser:
                 # means that we need to deal with escaping '%' characters
                 # that might be present.
                 no_interpolation = (
-                    'pki_admin_password', 'pki_backup_password',
+                    'pki_admin_password',
+                    'pki_backup_password',
                     'pki_client_database_password',
                     'pki_client_pkcs12_password',
-                    'pki_ds_password', 'pki_security_domain_password')
+                    'pki_ds_password',
+                    'pki_pin',
+                    'pki_replicationdb_password',
+                    'pki_security_domain_password')
 
                 print 'Loading deployment configuration from ' + \
                       config.user_deployment_cfg + '.'
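Review bot: The key added to `no_interpolation` is `'pki_replicationdb_password'`, but the parameter introduced elsewhere in this patch is named `pki_replication_password` (default.cfg's `sensitive_parameters` list and `pki_replication_password=`, and pkihelper.py's `self.mdict['pki_replication_password']`); with the mismatched name a replication password containing `%` would still go through ConfigParser interpolation and be altered or rejected. The entry should read `'pki_replication_password',`. The enclosing method starts and ends outside the hunk.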
@@ -552,18 +556,34 @@ class PKIConfigParser:
             self.mdict['pki_user_deployment_cfg'] = config.user_deployment_cfg
             self.mdict['pki_deployed_instance_name'] = \
                 config.pki_deployed_instance_name
+
+            self.flatten_master_dict()
+
             # Generate random 'pin's for use as security database passwords
             # and add these to the "sensitive" key value pairs read in from
             # the configuration file
             pin_low = 100000000000
             pin_high = 999999999999
-            self.mdict['pki_pin'] = \
-                random.randint(pin_low, pin_high)
+
+            pin_source = self.mdict['pki_pin_source']
+            if not pin_source:
+                pin_source = 'default'
+
+            if pin_source == 'default':
+                # use user-provided PIN if specified
+                if not self.mdict['pki_pin']:
+                    # otherwise use the admin password
+                    self.mdict['pki_pin'] = self.mdict['pki_admin_password']
+
+            elif pin_source == 'random':
+                self.mdict['pki_pin'] = \
+                    random.randint(pin_low, pin_high)
+            else:
+                raise Exception('Invalid security database PIN source: %s' % pin_source)
+
             self.mdict['pki_client_pin'] = \
                 random.randint(pin_low, pin_high)
 
-            self.flatten_master_dict()
-
             pkilogging.sensitive_parameters = \
                 self.mdict['sensitive_parameters'].split()
 
-- 
1.9.3


