[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[Pki-devel] [PATCH] 591 Added options for internal token and replication passwords.



The installation code has been modified such that it provides
several options for internal token and replication passwords:
* reuse the same admin/database passwords (default)
* specify new psaswords
* generate new random passwords

https://fedorahosted.org/pki/ticket/1354

--
Endi S. Dewata
From 385897582fcc6d3c954528d11dce7aabf31e2c17 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata redhat com>
Date: Wed, 6 May 2015 16:19:19 -0400
Subject: [PATCH] Added options for internal token and replication passwords.

The installation code has been modified such that it provides
several options for internal token and replication passwords:
* reuse the same admin/database passwords (default)
* specify new psaswords
* generate new random passwords

https://fedorahosted.org/pki/ticket/1354
---
 .../certsrv/system/ConfigurationRequest.java       | 157 +++------------------
 .../certsrv/system/SystemConfigResource.java       |  10 --
 .../dogtagpki/server/rest/SystemConfigService.java |  42 ++++--
 base/server/etc/default.cfg                        |  10 ++
 .../python/pki/server/deployment/pkihelper.py      |   3 +
 .../python/pki/server/deployment/pkiparser.py      |  32 ++++-
 6 files changed, 89 insertions(+), 165 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
index 0caa215fbd6334ad6656002470f69d6b8426c861..932745c481c6863e11960b0b60e3a10bd57a30f8 100644
--- a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
+++ b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
@@ -21,7 +21,6 @@ import java.net.URI;
 import java.net.URISyntaxException;
 import java.util.List;
 
-import javax.ws.rs.core.MultivaluedMap;
 import javax.xml.bind.annotation.XmlAccessType;
 import javax.xml.bind.annotation.XmlAccessorType;
 import javax.xml.bind.annotation.XmlElement;
@@ -29,8 +28,6 @@ import javax.xml.bind.annotation.XmlRootElement;
 import javax.xml.bind.annotation.adapters.XmlAdapter;
 import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter;
 
-import org.apache.commons.lang.StringUtils;
-
 /**
  * @author alee
  *
@@ -38,69 +35,6 @@ import org.apache.commons.lang.StringUtils;
 @XmlRootElement(name="ConfigurationRequest")
 @XmlAccessorType(XmlAccessType.FIELD)
 public class ConfigurationRequest {
-    private static final String PIN = "pin";
-    private static final String TOKEN = "token";
-    private static final String TOKEN_PASSWORD = "tokenPassword";
-    private static final String SECURITY_DOMAIN_TYPE = "securityDomainType";
-    private static final String SECURITY_DOMAIN_URI = "securityDomainUri";
-    private static final String SECURITY_DOMAIN_NAME = "securityDomainName";
-    private static final String SECURITY_DOMAIN_USER = "securityDomainUser";
-    private static final String SECURITY_DOMAIN_PASSWORD = "securityDomainPassword";
-    private static final String IS_CLONE = "isClone";
-    private static final String CLONE_URI = "cloneUri";
-    private static final String SUBSYSTEM_NAME = "subsystemName";
-    private static final String P12_FILE = "p12File";
-    private static final String P12_PASSWORD = "p12Password";
-    private static final String HIERARCHY = "hierarchy";
-    private static final String DSHOST = "dsHost";
-    private static final String DSPORT = "dsPort";
-    private static final String BASEDN = "basedn";
-    private static final String CREATE_NEW_DB = "createNewDB";
-    private static final String BINDDN = "binddn";
-    private static final String DATABASE = "database";
-    private static final String SECURECONN = "secureConn";
-    private static final String REMOVEDATA = "removeData";
-    private static final String MASTER_REPLICATION_PORT = "masterReplicationPort";
-    private static final String CLONE_REPLICATION_PORT = "cloneReplicationPort";
-    private static final String REPLICATE_SCHEMA = "replicateSchema";
-    private static final String REPLICATION_SECURITY = "replicationSecurity";
-    private static final String SETUP_REPLICATION = "setupReplication";
-    private static final String ISSUING_CA = "issuingCa";
-    private static final String BACKUP_KEYS = "backupKeys";
-    private static final String BACKUP_FILE = "backupFile";
-    private static final String BACKUP_PASSWORD = "backupPassword";
-    private static final String ADMIN_UID = "adminUid";
-    private static final String ADMIN_EMAIL = "adminEmail";
-    private static final String ADMIN_PASSWORD = "adminPassword";
-    private static final String ADMIN_CERT_REQUEST = "adminCertRequest";
-    private static final String ADMIN_CERT_REQUEST_TYPE = "adminCertRequestType";
-    private static final String ADMIN_SUBJECT_DN = "adminSubjectDN";
-    private static final String ADMIN_NAME = "adminName";
-    private static final String ADMIN_PROFILE_ID = "adminProfileID";
-    private static final String IMPORT_ADMIN_CERT = "importAdminCert";
-    private static final String ADMIN_CERT = "adminCert";
-    private static final String STANDALONE = "standAlone";
-    private static final String STEP_TWO = "stepTwo";
-    private static final String GENERATE_SERVER_CERT = "generateServerCert";
-    private static final String SUBORDINATE_SECURITY_DOMAIN_NAME = "subordinateSecurityDomainName";
-
-    // TPS specific parameters
-    private static final String AUTHDB_BASEDN = "authdbBaseDN";
-    private static final String AUTHDB_HOST = "authdbHost";
-    private static final String AUTHDB_PORT = "authdbPort";
-    private static final String AUTHDB_SECURE_CONN = "authdbSecureConn";
-    private static final String CA_URI = "caUri";
-    private static final String TKS_URI = "tksUri";
-    private static final String KRA_URI = "kraUri";
-    private static final String ENABLE_SERVER_SIDE_KEYGEN = "enableServerSideKeygen";
-
-    // TKS/TPS shared secret parameters
-    private static final String IMPORT_SHARED_SECRET = "importSharedSecret";
-
-    // Parameters for shared tomcat instances
-    private static final String GENERATE_SUBSYSTEM_CERT="generateSubsystemCert";
-    private static final String SHARED_DB = "sharedDB";
-    private static final String SHARED_DBUSER_DN = "sharedDBUserDN";
 
     //defaults
     public static final String TOKEN_DEFAULT = "Internal Key Storage Token";
@@ -190,6 +124,12 @@ public class ConfigurationRequest {
     protected String replicationSecurity;
 
     @XmlElement
+    protected String replicationPasswordSource;
+
+    @XmlElement
+    protected String replicationPassword;
+
+    @XmlElement
     protected String setupReplication;
 
     @XmlElement
@@ -292,75 +232,6 @@ public class ConfigurationRequest {
         // required for JAXB
     }
 
-    public ConfigurationRequest(MultivaluedMap<String, String> form) throws URISyntaxException {
-        pin = form.getFirst(PIN);
-        token = form.getFirst(TOKEN);
-        tokenPassword = form.getFirst(TOKEN_PASSWORD);
-        securityDomainType = form.getFirst(SECURITY_DOMAIN_TYPE);
-        securityDomainUri = form.getFirst(SECURITY_DOMAIN_URI);
-        securityDomainName = form.getFirst(SECURITY_DOMAIN_NAME);
-        securityDomainUser = form.getFirst(SECURITY_DOMAIN_USER);
-        securityDomainPassword = form.getFirst(SECURITY_DOMAIN_PASSWORD);
-        isClone = form.getFirst(IS_CLONE);
-        cloneUri = form.getFirst(CLONE_URI);
-        subsystemName = form.getFirst(SUBSYSTEM_NAME);
-        p12File = form.getFirst(P12_FILE);
-        p12Password = form.getFirst(P12_PASSWORD);
-        hierarchy = form.getFirst(HIERARCHY);
-        dsHost = form.getFirst(DSHOST);
-        dsPort = form.getFirst(DSPORT);
-        baseDN = form.getFirst(BASEDN);
-        createNewDB = form.getFirst(CREATE_NEW_DB);
-        bindDN = form.getFirst(BINDDN);
-        database = form.getFirst(DATABASE);
-        secureConn = form.getFirst(SECURECONN);
-        removeData = form.getFirst(REMOVEDATA);
-        masterReplicationPort = form.getFirst(MASTER_REPLICATION_PORT);
-        cloneReplicationPort = form.getFirst(CLONE_REPLICATION_PORT);
-        replicateSchema = form.getFirst(REPLICATE_SCHEMA);
-        replicationSecurity = form.getFirst(REPLICATION_SECURITY);
-        setupReplication = form.getFirst(SETUP_REPLICATION);
-        //TODO - figure out how to get the cert requests
-        issuingCA = form.getFirst(ISSUING_CA);
-        backupFile = form.getFirst(BACKUP_FILE);
-        backupPassword = form.getFirst(BACKUP_PASSWORD);
-        backupKeys = form.getFirst(BACKUP_KEYS);
-        adminUID = form.getFirst(ADMIN_UID);
-        adminEmail = form.getFirst(ADMIN_EMAIL);
-        adminPassword = form.getFirst(ADMIN_PASSWORD);
-        adminCertRequest = form.getFirst(ADMIN_CERT_REQUEST);
-        adminCertRequestType = form.getFirst(ADMIN_CERT_REQUEST_TYPE);
-        adminSubjectDN = form.getFirst(ADMIN_SUBJECT_DN);
-        adminName = form.getFirst(ADMIN_NAME);
-        adminProfileID = form.getFirst(ADMIN_PROFILE_ID);
-        adminCert = form.getFirst(ADMIN_CERT);
-        importAdminCert = form.getFirst(IMPORT_ADMIN_CERT);
-        standAlone = form.getFirst(STANDALONE);
-        stepTwo = form.getFirst(STEP_TWO);
-        generateServerCert = form.getFirst(GENERATE_SERVER_CERT);
-        authdbBaseDN = form.getFirst(AUTHDB_BASEDN);
-        authdbHost = form.getFirst(AUTHDB_HOST);
-        authdbPort = form.getFirst(AUTHDB_PORT);
-        authdbSecureConn = form.getFirst(AUTHDB_SECURE_CONN);
-        subordinateSecurityDomainName = form.getFirst(SUBORDINATE_SECURITY_DOMAIN_NAME);
-
-        String value = form.getFirst(CA_URI);
-        if (!StringUtils.isEmpty(value)) setCaUri(new URI(value));
-
-        value = form.getFirst(TKS_URI);
-        if (!StringUtils.isEmpty(value)) setTksUri(new URI(value));
-
-        value = form.getFirst(KRA_URI);
-        if (!StringUtils.isEmpty(value)) setKraUri(new URI(value));
-
-        enableServerSideKeyGen = form.getFirst(ENABLE_SERVER_SIDE_KEYGEN);
-        importSharedSecret = form.getFirst(IMPORT_SHARED_SECRET);
-
-        generateSubsystemCert = form.getFirst(GENERATE_SUBSYSTEM_CERT);
-        sharedDB = form.getFirst(SHARED_DB);
-        sharedDBUserDN = form.getFirst(SHARED_DBUSER_DN);
-    }
-
     public String getSubsystemName() {
         return subsystemName;
     }
@@ -637,6 +508,22 @@ public class ConfigurationRequest {
         this.replicationSecurity = replicationSecurity;
     }
 
+    public String getReplicationPasswordSource() {
+        return replicationPasswordSource;
+    }
+
+    public void setReplicationPasswordSource(String replicationPasswordSource) {
+        this.replicationPasswordSource = replicationPasswordSource;
+    }
+
+    public String getReplicationPassword() {
+        return replicationPassword;
+    }
+
+    public void setReplicationPassword(String replicationPassword) {
+        this.replicationPassword = replicationPassword;
+    }
+
     public boolean getSetupReplication() {
         // default to true
         if (setupReplication == null) {
diff --git a/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java b/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java
index 2a490805dbfb3f3a94771fa03be7865d36153d4a..0cebb607433aea8571ff524df42872e9ae781c43 100644
--- a/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java
+++ b/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java
@@ -17,13 +17,8 @@
 // --- END COPYRIGHT BLOCK ---
 package com.netscape.certsrv.system;
 
-import java.net.URISyntaxException;
-
-import javax.ws.rs.Consumes;
 import javax.ws.rs.POST;
 import javax.ws.rs.Path;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.MultivaluedMap;
 
 
 /**
@@ -34,10 +29,5 @@ public interface SystemConfigResource {
 
     @POST
     @Path("configure")
-    @Consumes({ MediaType.APPLICATION_FORM_URLENCODED })
-    public ConfigurationResponse configure(MultivaluedMap<String, String> form) throws URISyntaxException;
-
-    @POST
-    @Path("configure")
     public ConfigurationResponse configure(ConfigurationRequest data);
 }
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index 12dd54dac37f9677ca9cddfefc9c870a53ca671b..d074cd4af0926160f8df1bb6030c054ade0c9f0a 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -19,7 +19,6 @@ package org.dogtagpki.server.rest;
 
 import java.math.BigInteger;
 import java.net.MalformedURLException;
-import java.net.URISyntaxException;
 import java.net.URL;
 import java.security.NoSuchAlgorithmException;
 import java.security.PublicKey;
@@ -31,7 +30,6 @@ import java.util.Random;
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.HttpHeaders;
-import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.Request;
 import javax.ws.rs.core.UriInfo;
 
@@ -110,15 +108,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
     }
 
     /* (non-Javadoc)
-     * @see com.netscape.cms.servlet.csadmin.SystemConfigurationResource#configure(javax.ws.rs.core.MultivaluedMap)
-     */
-    @Override
-    public ConfigurationResponse configure(MultivaluedMap<String, String> form) throws URISyntaxException {
-        ConfigurationRequest data = new ConfigurationRequest(form);
-        return configure(data);
-    }
-
-    /* (non-Javadoc)
      * @see com.netscape.cms.servlet.csadmin.SystemConfigurationResource#configure(com.netscape.cms.servlet.csadmin.data.ConfigurationData)
      */
     @Override
@@ -697,7 +686,32 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
 
         try {
             /* BZ 430745 create password for replication manager */
-            String replicationpwd = Integer.toString(new Random().nextInt());
+            String replicationPasswordSource = data.getReplicationPasswordSource();
+            if (StringUtils.isEmpty(replicationPasswordSource)) {
+                replicationPasswordSource = "default";
+            }
+            CMS.debug("Replication password source: " + replicationPasswordSource);
+
+            String replicationPassword;
+
+            if ("default".equals(replicationPasswordSource)) {
+
+                // use user-provided password if specified
+                replicationPassword = data.getReplicationPassword();
+
+                if (StringUtils.isEmpty(replicationPassword)) {
+                    // otherwise use internal database password
+                    replicationPassword = data.getBindpwd();
+                }
+
+            } else if ("random".equals(replicationPasswordSource)) {
+                // generate random password
+                replicationPassword = Integer.toString(new Random().nextInt());
+
+            } else {
+                CMS.debug("Invalid replication password source: " + replicationPasswordSource);
+                throw new BadRequestException("Invalid replication password source: " + replicationPasswordSource);
+            }
 
             IConfigStore psStore = null;
             String passwordFile = null;
@@ -705,14 +719,14 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
             psStore = CMS.createFileConfigStore(passwordFile);
             psStore.putString("internaldb", data.getBindpwd());
             if (data.getSetupReplication()) {
-                psStore.putString("replicationdb", replicationpwd);
+                psStore.putString("replicationdb", replicationPassword);
             }
             psStore.commit(false);
 
             if (!data.getStepTwo()) {
                 ConfigurationUtils.populateDB();
 
-                cs.putString("preop.internaldb.replicationpwd", replicationpwd);
+                cs.putString("preop.internaldb.replicationpwd", replicationPassword);
                 cs.putString("preop.database.removeData", "false");
                 if (data.getSharedDB()) {
                     cs.putString("preop.internaldb.dbuser", data.getSharedDBUserDN());
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index 3b082020d055bd4a46cfbefc36c81ae46d4d6c4b..e6d7512e9dc04b1ff4a634908c2182ab3c580fd6 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -24,6 +24,7 @@ sensitive_parameters=
     pki_ds_password
     pki_one_time_pin
     pki_pin
+    pki_replication_password
     pki_security_domain_password
     pki_token_password
 
@@ -98,6 +99,15 @@ pki_issuing_ca_hostname=%(pki_security_domain_hostname)s
 pki_issuing_ca_https_port=%(pki_security_domain_https_port)s
 pki_issuing_ca_uri=https://%(pki_issuing_ca_hostname)s:%(pki_issuing_ca_https_port)s
 pki_issuing_ca=%(pki_issuing_ca_uri)s
+
+# Valid values: default, random
+pki_pin_source=
+pki_pin=
+
+# Valid values: default, random
+pki_replication_password_source=
+pki_replication_password=
+
 pki_restart_configured_instance=True
 pki_security_domain_hostname=%(pki_hostname)s
 pki_security_domain_https_port=8443
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index b9d48eea3d9f3ce89766b93fecb16195fada67e1..239ae3788e32704595645b8b922555c7c481a67e 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -3873,6 +3873,9 @@ class ConfigClient:
         if not self.clone:
             self.set_admin_parameters(data)
 
+        data.replicationPasswordSource = self.mdict['pki_replication_password_source']
+        data.replicationPassword = self.mdict['pki_replication_password']
+
         # Issuing CA Information
         self.set_issuing_ca_parameters(data)
 
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index 39cef9413171f6a22bb2292edc1f7a18d07257fc..2899bcde9ea9d8bbd4627e621d427350138a8efa 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -327,10 +327,14 @@ class PKIConfigParser:
                 # means that we need to deal with escaping '%' characters
                 # that might be present.
                 no_interpolation = (
-                    'pki_admin_password', 'pki_backup_password',
+                    'pki_admin_password',
+                    'pki_backup_password',
                     'pki_client_database_password',
                     'pki_client_pkcs12_password',
-                    'pki_ds_password', 'pki_security_domain_password')
+                    'pki_ds_password',
+                    'pki_pin',
+                    'pki_replicationdb_password',
+                    'pki_security_domain_password')
 
                 print 'Loading deployment configuration from ' + \
                       config.user_deployment_cfg + '.'
@@ -552,18 +556,34 @@ class PKIConfigParser:
             self.mdict['pki_user_deployment_cfg'] = config.user_deployment_cfg
             self.mdict['pki_deployed_instance_name'] = \
                 config.pki_deployed_instance_name
+
+            self.flatten_master_dict()
+
             # Generate random 'pin's for use as security database passwords
             # and add these to the "sensitive" key value pairs read in from
             # the configuration file
             pin_low = 100000000000
             pin_high = 999999999999
-            self.mdict['pki_pin'] = \
-                random.randint(pin_low, pin_high)
+
+            pin_source = self.mdict['pki_pin_source']
+            if not pin_source:
+                pin_source = 'default'
+
+            if pin_source == 'default':
+                # use user-provided PIN if specified
+                if not self.mdict['pki_pin']:
+                    # otherwise use the admin password
+                    self.mdict['pki_pin'] = self.mdict['pki_admin_password']
+
+            elif pin_source == 'random':
+                self.mdict['pki_pin'] = \
+                    random.randint(pin_low, pin_high)
+            else:
+                raise Exception('Invalid security database PIN source: %s' % pin_source)
+
             self.mdict['pki_client_pin'] = \
                 random.randint(pin_low, pin_high)
 
-            self.flatten_master_dict()
-
             pkilogging.sensitive_parameters = \
                 self.mdict['sensitive_parameters'].split()
 
-- 
1.9.3


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]