[Pki-devel] [PATCH] 591 Added options for internal token and replication passwords.

Endi Sukma Dewata edewata at redhat.com
Mon May 11 04:09:27 UTC 2015


On 5/6/2015 3:30 PM, Endi Sukma Dewata wrote:
> The installation code has been modified such that it provides
> several options for internal token and replication passwords:
> * reuse the same admin/database passwords (default)
> * specify new passwords
> * generate new random passwords
>
> https://fedorahosted.org/pki/ticket/1354

New patch attached. To maintain the current behavior the options have 
been changed into:
* generate random passwords (default)
* specify custom passwords

-- 
Endi S. Dewata

-------------- next part --------------
>From f51c8c8eaa1f83bd035018c08285aa33879f4f91 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata at redhat.com>
Date: Wed, 6 May 2015 16:19:19 -0400
Subject: [PATCH] Added options for internal token and replication passwords.

The installation code has been modified such that the admin can
optionally specify passwords for internal token and replication.
Otherwise the code will generate random passwords like before.

https://fedorahosted.org/pki/ticket/1354
---
 .../certsrv/system/ConfigurationRequest.java       | 146 ++-------------------
 .../certsrv/system/SystemConfigResource.java       |  10 --
 .../dogtagpki/server/rest/SystemConfigService.java |  23 ++--
 base/server/etc/default.cfg                        |   3 +
 .../python/pki/server/deployment/pkihelper.py      |   2 +
 .../python/pki/server/deployment/pkiparser.py      |  22 +++-
 6 files changed, 41 insertions(+), 165 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
index 0caa215fbd6334ad6656002470f69d6b8426c861..0682ac98f151f5405764636e77971974a91eed8c 100644
--- a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
+++ b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
@@ -21,7 +21,6 @@ import java.net.URI;
 import java.net.URISyntaxException;
 import java.util.List;
 
-import javax.ws.rs.core.MultivaluedMap;
 import javax.xml.bind.annotation.XmlAccessType;
 import javax.xml.bind.annotation.XmlAccessorType;
 import javax.xml.bind.annotation.XmlElement;
@@ -29,8 +28,6 @@ import javax.xml.bind.annotation.XmlRootElement;
 import javax.xml.bind.annotation.adapters.XmlAdapter;
 import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter;
 
-import org.apache.commons.lang.StringUtils;
-
 /**
  * @author alee
  *
@@ -38,69 +35,6 @@ import org.apache.commons.lang.StringUtils;
 @XmlRootElement(name="ConfigurationRequest")
 @XmlAccessorType(XmlAccessType.FIELD)
 public class ConfigurationRequest {
-    private static final String PIN = "pin";
-    private static final String TOKEN = "token";
-    private static final String TOKEN_PASSWORD = "tokenPassword";
-    private static final String SECURITY_DOMAIN_TYPE = "securityDomainType";
-    private static final String SECURITY_DOMAIN_URI = "securityDomainUri";
-    private static final String SECURITY_DOMAIN_NAME = "securityDomainName";
-    private static final String SECURITY_DOMAIN_USER = "securityDomainUser";
-    private static final String SECURITY_DOMAIN_PASSWORD = "securityDomainPassword";
-    private static final String IS_CLONE = "isClone";
-    private static final String CLONE_URI = "cloneUri";
-    private static final String SUBSYSTEM_NAME = "subsystemName";
-    private static final String P12_FILE = "p12File";
-    private static final String P12_PASSWORD = "p12Password";
-    private static final String HIERARCHY = "hierarchy";
-    private static final String DSHOST = "dsHost";
-    private static final String DSPORT = "dsPort";
-    private static final String BASEDN = "basedn";
-    private static final String CREATE_NEW_DB = "createNewDB";
-    private static final String BINDDN = "binddn";
-    private static final String DATABASE = "database";
-    private static final String SECURECONN = "secureConn";
-    private static final String REMOVEDATA = "removeData";
-    private static final String MASTER_REPLICATION_PORT = "masterReplicationPort";
-    private static final String CLONE_REPLICATION_PORT = "cloneReplicationPort";
-    private static final String REPLICATE_SCHEMA = "replicateSchema";
-    private static final String REPLICATION_SECURITY = "replicationSecurity";
-    private static final String SETUP_REPLICATION = "setupReplication";
-    private static final String ISSUING_CA = "issuingCa";
-    private static final String BACKUP_KEYS = "backupKeys";
-    private static final String BACKUP_FILE = "backupFile";
-    private static final String BACKUP_PASSWORD = "backupPassword";
-    private static final String ADMIN_UID = "adminUid";
-    private static final String ADMIN_EMAIL = "adminEmail";
-    private static final String ADMIN_PASSWORD = "adminPassword";
-    private static final String ADMIN_CERT_REQUEST = "adminCertRequest";
-    private static final String ADMIN_CERT_REQUEST_TYPE = "adminCertRequestType";
-    private static final String ADMIN_SUBJECT_DN = "adminSubjectDN";
-    private static final String ADMIN_NAME = "adminName";
-    private static final String ADMIN_PROFILE_ID = "adminProfileID";
-    private static final String IMPORT_ADMIN_CERT = "importAdminCert";
-    private static final String ADMIN_CERT = "adminCert";
-    private static final String STANDALONE = "standAlone";
-    private static final String STEP_TWO = "stepTwo";
-    private static final String GENERATE_SERVER_CERT = "generateServerCert";
-    private static final String SUBORDINATE_SECURITY_DOMAIN_NAME = "subordinateSecurityDomainName";
-
-    // TPS specific parameters
-    private static final String AUTHDB_BASEDN = "authdbBaseDN";
-    private static final String AUTHDB_HOST = "authdbHost";
-    private static final String AUTHDB_PORT = "authdbPort";
-    private static final String AUTHDB_SECURE_CONN = "authdbSecureConn";
-    private static final String CA_URI = "caUri";
-    private static final String TKS_URI = "tksUri";
-    private static final String KRA_URI = "kraUri";
-    private static final String ENABLE_SERVER_SIDE_KEYGEN = "enableServerSideKeygen";
-
-    // TKS/TPS shared secret parameters
-    private static final String IMPORT_SHARED_SECRET = "importSharedSecret";
-
-    // Parameters for shared tomcat instances
-    private static final String GENERATE_SUBSYSTEM_CERT="generateSubsystemCert";
-    private static final String SHARED_DB = "sharedDB";
-    private static final String SHARED_DBUSER_DN = "sharedDBUserDN";
 
     //defaults
     public static final String TOKEN_DEFAULT = "Internal Key Storage Token";
@@ -190,6 +124,9 @@ public class ConfigurationRequest {
     protected String replicationSecurity;
 
     @XmlElement
+    protected String replicationPassword;
+
+    @XmlElement
     protected String setupReplication;
 
     @XmlElement
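Review bot: The new `replicationPassword` field is a credential carried in the JAXB-serialized request but has no documentation of the contract the server applies to it, which is only discoverable in SystemConfigService; a one-line comment above it would do: `// Replication manager password; null/empty lets the server generate one`. If ConfigurationRequest has a toString() that dumps every field (not visible in this hunk), the value would be emitted wherever the request is logged — worth confirming it is masked there. The class body continues outside the hunk.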
@@ -292,75 +229,6 @@ public class ConfigurationRequest {
         // required for JAXB
     }
 
-    public ConfigurationRequest(MultivaluedMap<String, String> form) throws URISyntaxException {
-        pin = form.getFirst(PIN);
-        token = form.getFirst(TOKEN);
-        tokenPassword = form.getFirst(TOKEN_PASSWORD);
-        securityDomainType = form.getFirst(SECURITY_DOMAIN_TYPE);
-        securityDomainUri = form.getFirst(SECURITY_DOMAIN_URI);
-        securityDomainName = form.getFirst(SECURITY_DOMAIN_NAME);
-        securityDomainUser = form.getFirst(SECURITY_DOMAIN_USER);
-        securityDomainPassword = form.getFirst(SECURITY_DOMAIN_PASSWORD);
-        isClone = form.getFirst(IS_CLONE);
-        cloneUri = form.getFirst(CLONE_URI);
-        subsystemName = form.getFirst(SUBSYSTEM_NAME);
-        p12File = form.getFirst(P12_FILE);
-        p12Password = form.getFirst(P12_PASSWORD);
-        hierarchy = form.getFirst(HIERARCHY);
-        dsHost = form.getFirst(DSHOST);
-        dsPort = form.getFirst(DSPORT);
-        baseDN = form.getFirst(BASEDN);
-        createNewDB = form.getFirst(CREATE_NEW_DB);
-        bindDN = form.getFirst(BINDDN);
-        database = form.getFirst(DATABASE);
-        secureConn = form.getFirst(SECURECONN);
-        removeData = form.getFirst(REMOVEDATA);
-        masterReplicationPort = form.getFirst(MASTER_REPLICATION_PORT);
-        cloneReplicationPort = form.getFirst(CLONE_REPLICATION_PORT);
-        replicateSchema = form.getFirst(REPLICATE_SCHEMA);
-        replicationSecurity = form.getFirst(REPLICATION_SECURITY);
-        setupReplication = form.getFirst(SETUP_REPLICATION);
-        //TODO - figure out how to get the cert requests
-        issuingCA = form.getFirst(ISSUING_CA);
-        backupFile = form.getFirst(BACKUP_FILE);
-        backupPassword = form.getFirst(BACKUP_PASSWORD);
-        backupKeys = form.getFirst(BACKUP_KEYS);
-        adminUID = form.getFirst(ADMIN_UID);
-        adminEmail = form.getFirst(ADMIN_EMAIL);
-        adminPassword = form.getFirst(ADMIN_PASSWORD);
-        adminCertRequest = form.getFirst(ADMIN_CERT_REQUEST);
-        adminCertRequestType = form.getFirst(ADMIN_CERT_REQUEST_TYPE);
-        adminSubjectDN = form.getFirst(ADMIN_SUBJECT_DN);
-        adminName = form.getFirst(ADMIN_NAME);
-        adminProfileID = form.getFirst(ADMIN_PROFILE_ID);
-        adminCert = form.getFirst(ADMIN_CERT);
-        importAdminCert = form.getFirst(IMPORT_ADMIN_CERT);
-        standAlone = form.getFirst(STANDALONE);
-        stepTwo = form.getFirst(STEP_TWO);
-        generateServerCert = form.getFirst(GENERATE_SERVER_CERT);
-        authdbBaseDN = form.getFirst(AUTHDB_BASEDN);
-        authdbHost = form.getFirst(AUTHDB_HOST);
-        authdbPort = form.getFirst(AUTHDB_PORT);
-        authdbSecureConn = form.getFirst(AUTHDB_SECURE_CONN);
-        subordinateSecurityDomainName = form.getFirst(SUBORDINATE_SECURITY_DOMAIN_NAME);
-
-        String value = form.getFirst(CA_URI);
-        if (!StringUtils.isEmpty(value)) setCaUri(new URI(value));
-
-        value = form.getFirst(TKS_URI);
-        if (!StringUtils.isEmpty(value)) setTksUri(new URI(value));
-
-        value = form.getFirst(KRA_URI);
-        if (!StringUtils.isEmpty(value)) setKraUri(new URI(value));
-
-        enableServerSideKeyGen = form.getFirst(ENABLE_SERVER_SIDE_KEYGEN);
-        importSharedSecret = form.getFirst(IMPORT_SHARED_SECRET);
-
-        generateSubsystemCert = form.getFirst(GENERATE_SUBSYSTEM_CERT);
-        sharedDB = form.getFirst(SHARED_DB);
-        sharedDBUserDN = form.getFirst(SHARED_DBUSER_DN);
-    }
-
     public String getSubsystemName() {
         return subsystemName;
     }
@@ -637,6 +505,14 @@ public class ConfigurationRequest {
         this.replicationSecurity = replicationSecurity;
     }
 
+    public String getReplicationPassword() {
+        return replicationPassword;
+    }
+
+    public void setReplicationPassword(String replicationPassword) {
+        this.replicationPassword = replicationPassword;
+    }
+
     public boolean getSetupReplication() {
         // default to true
         if (setupReplication == null) {
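Review bot: The accessors added at the top of this hunk carry no Javadoc, so the meaning of an empty value (a password is generated server-side, per SystemConfigService) is invisible at the API. A summary such as `/** Returns the replication manager password, or null/empty when the server should generate one. */` on `getReplicationPassword()` and a mirrored sentence on the setter would close that gap. `getSetupReplication()` continues past the end of the hunk.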
diff --git a/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java b/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java
index 2a490805dbfb3f3a94771fa03be7865d36153d4a..0cebb607433aea8571ff524df42872e9ae781c43 100644
--- a/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java
+++ b/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java
@@ -17,13 +17,8 @@
 // --- END COPYRIGHT BLOCK ---
 package com.netscape.certsrv.system;
 
-import java.net.URISyntaxException;
-
-import javax.ws.rs.Consumes;
 import javax.ws.rs.POST;
 import javax.ws.rs.Path;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.MultivaluedMap;
 
 
 /**
@@ -34,10 +29,5 @@ public interface SystemConfigResource {
 
     @POST
     @Path("configure")
-    @Consumes({ MediaType.APPLICATION_FORM_URLENCODED })
-    public ConfigurationResponse configure(MultivaluedMap<String, String> form) throws URISyntaxException;
-
-    @POST
-    @Path("configure")
     public ConfigurationResponse configure(ConfigurationRequest data);
 }
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index 12dd54dac37f9677ca9cddfefc9c870a53ca671b..c341d14f7d751a9cc7c01cbb49ab45abe306fb5f 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -19,7 +19,6 @@ package org.dogtagpki.server.rest;
 
 import java.math.BigInteger;
 import java.net.MalformedURLException;
-import java.net.URISyntaxException;
 import java.net.URL;
 import java.security.NoSuchAlgorithmException;
 import java.security.PublicKey;
@@ -31,7 +30,6 @@ import java.util.Random;
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.HttpHeaders;
-import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.Request;
 import javax.ws.rs.core.UriInfo;
 
@@ -110,15 +108,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
     }
 
     /* (non-Javadoc)
-     * @see com.netscape.cms.servlet.csadmin.SystemConfigurationResource#configure(javax.ws.rs.core.MultivaluedMap)
-     */
-    @Override
-    public ConfigurationResponse configure(MultivaluedMap<String, String> form) throws URISyntaxException {
-        ConfigurationRequest data = new ConfigurationRequest(form);
-        return configure(data);
-    }
-
-    /* (non-Javadoc)
      * @see com.netscape.cms.servlet.csadmin.SystemConfigurationResource#configure(com.netscape.cms.servlet.csadmin.data.ConfigurationData)
      */
     @Override
@@ -697,7 +686,13 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
 
         try {
             /* BZ 430745 create password for replication manager */
-            String replicationpwd = Integer.toString(new Random().nextInt());
+            // use user-provided password if specified
+            String replicationPassword = data.getReplicationPassword();
+
+            if (StringUtils.isEmpty(replicationPassword)) {
+                // generate random password
+                replicationPassword = Integer.toString(new Random().nextInt());
+            }
 
             IConfigStore psStore = null;
             String passwordFile = null;
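Review bot: The fallback `replicationPassword = Integer.toString(new Random().nextInt());` keeps generating the replication manager credential from java.util.Random, which is not cryptographically secure and yields at most an 11-character decimal string, and it is now the default path whenever no password is supplied; it should draw from a CSPRNG, e.g. `replicationPassword = new BigInteger(130, new SecureRandom()).toString(32);` (BigInteger is already imported; add `import java.security.SecureRandom;`). `StringUtils.isEmpty` is used on the new line but neither import hunk adds StringUtils, so presumably it is already imported further up — verify. The pkiparser.py hunk that generates `pki_pin` with `random.randint` has the same weakness and would be served by `random.SystemRandom()`. The enclosing method starts and ends outside the hunk.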
@@ -705,14 +700,14 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
             psStore = CMS.createFileConfigStore(passwordFile);
             psStore.putString("internaldb", data.getBindpwd());
             if (data.getSetupReplication()) {
-                psStore.putString("replicationdb", replicationpwd);
+                psStore.putString("replicationdb", replicationPassword);
             }
             psStore.commit(false);
 
             if (!data.getStepTwo()) {
                 ConfigurationUtils.populateDB();
 
-                cs.putString("preop.internaldb.replicationpwd", replicationpwd);
+                cs.putString("preop.internaldb.replicationpwd", replicationPassword);
                 cs.putString("preop.database.removeData", "false");
                 if (data.getSharedDB()) {
                     cs.putString("preop.internaldb.dbuser", data.getSharedDBUserDN());
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index 3b082020d055bd4a46cfbefc36c81ae46d4d6c4b..18b8527b201b64108230b645a5cb079fdc1435dd 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -24,6 +24,7 @@ sensitive_parameters=
     pki_ds_password
     pki_one_time_pin
     pki_pin
+    pki_replication_password
     pki_security_domain_password
     pki_token_password
 
@@ -98,6 +99,8 @@ pki_issuing_ca_hostname=%(pki_security_domain_hostname)s
 pki_issuing_ca_https_port=%(pki_security_domain_https_port)s
 pki_issuing_ca_uri=https://%(pki_issuing_ca_hostname)s:%(pki_issuing_ca_https_port)s
 pki_issuing_ca=%(pki_issuing_ca_uri)s
+pki_pin=
+pki_replication_password=
 pki_restart_configured_instance=True
 pki_security_domain_hostname=%(pki_hostname)s
 pki_security_domain_https_port=8443
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index 1521ef3390c820505b2c5faf044f2c360310243c..5527d7f944fca298492d6abdccf99e2f25cc3bc2 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -3821,6 +3821,8 @@ class ConfigClient:
         if not self.clone:
             self.set_admin_parameters(data)
 
+        data.replicationPassword = self.mdict['pki_replication_password']
+
         # Issuing CA Information
         self.set_issuing_ca_parameters(data)
 
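Review bot: The new assignment `data.replicationPassword = self.mdict['pki_replication_password']` sits between two commented parameter groups with no explanation of its own and is applied on both master and clone installs; a one-line comment such as `# Replication manager password; empty lets the server generate a random one` would tie it to the server-side fallback. The enclosing method begins outside the hunk.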
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index 39cef9413171f6a22bb2292edc1f7a18d07257fc..fe1a54a3ade302a201372287cd43c9058436f917 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -327,10 +327,14 @@ class PKIConfigParser:
                 # means that we need to deal with escaping '%' characters
                 # that might be present.
                 no_interpolation = (
-                    'pki_admin_password', 'pki_backup_password',
+                    'pki_admin_password',
+                    'pki_backup_password',
                     'pki_client_database_password',
                     'pki_client_pkcs12_password',
-                    'pki_ds_password', 'pki_security_domain_password')
+                    'pki_ds_password',
+                    'pki_pin',
+                    'pki_replicationdb_password',
+                    'pki_security_domain_password')
 
                 print 'Loading deployment configuration from ' + \
                       config.user_deployment_cfg + '.'
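Review bot: The key added to the no_interpolation tuple is `'pki_replicationdb_password'`, but the parameter defined in default.cfg (`pki_replication_password`, also listed under sensitive_parameters) and read by pkihelper.py is `pki_replication_password`; the tuple entry therefore never matches, so a user-supplied replication password containing `%` still goes through ConfigParser interpolation. Change the entry to `'pki_replication_password',`. The enclosing block continues outside the hunk.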
@@ -552,18 +556,24 @@ class PKIConfigParser:
             self.mdict['pki_user_deployment_cfg'] = config.user_deployment_cfg
             self.mdict['pki_deployed_instance_name'] = \
                 config.pki_deployed_instance_name
+
+            self.flatten_master_dict()
+
             # Generate random 'pin's for use as security database passwords
             # and add these to the "sensitive" key value pairs read in from
             # the configuration file
             pin_low = 100000000000
             pin_high = 999999999999
-            self.mdict['pki_pin'] = \
-                random.randint(pin_low, pin_high)
+
+            # use user-provided PIN if specified
+            if not self.mdict['pki_pin']:
+                # otherwise generate a random password
+                self.mdict['pki_pin'] = \
+                    random.randint(pin_low, pin_high)
+
             self.mdict['pki_client_pin'] = \
                 random.randint(pin_low, pin_high)
 
-            self.flatten_master_dict()
-
             pkilogging.sensitive_parameters = \
                 self.mdict['sensitive_parameters'].split()
 
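Review bot: After `if not self.mdict['pki_pin']:` the value of `pki_pin` is an int when generated but a str when taken from the deployment config, whereas before this change it was always an int; any consumer that formats or compares it by type will behave differently on the two paths, so normalizing with `str(random.randint(pin_low, pin_high))` (or converting the config value) keeps one type. Moving `self.flatten_master_dict()` ahead of the PIN block looks necessary for the config value to be visible in mdict, but flatten_master_dict is not in view, so its effect on keys assigned afterwards should be confirmed. The enclosing method continues outside the hunk.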
-- 
1.9.3


