[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[Pki-devel] [PATCH] 824-825 Fixed default token name for system certificates.



Previously when installing with HSM the token name has to be
specified for each system certificate in the pki_<cert>_token
parameters. The deployment tool has been modified such that by
default it will use the token name specified in pki_token_name.

Previously issues with system certificates that happen during
subsystem initialization were reported as database initialization
error. Database initialization actually does not depend on
subsystem initialization, so to avoid confusion and to simplify the
code the reInitSubsystem() in SystemConfigService is now invoked
after the initializeDatabase() is complete.

https://fedorahosted.org/pki/ticket/2423

--
Endi S. Dewata
>From 14d4a22b5b847392b41b7a0a290e068d2d0f76f7 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata redhat com>
Date: Sat, 27 Aug 2016 00:07:08 +0200
Subject: [PATCH] Moved subsystem initialization after database initialization.

Previously issues with system certificates that happen during
subsystem initialization were reported as database initialization
error. Database initialization actually does not depend on
subsystem initialization, so to avoid confusion and to simplify the
code the reInitSubsystem() in SystemConfigService is now invoked
after the initializeDatabase() is complete.

https://fedorahosted.org/pki/ticket/2423
---
 base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index 95afa4c6a071c27cc1f52edeb742ddbf199e4d83..9d7c176ecdbf2c87cb961fa3f6eb74fb41eb8ef5 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -178,6 +178,8 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
         }
         initializeDatabase(data);
 
+        ConfigurationUtils.reInitSubsystem(csType);
+
         configureCACertChain(data, domainXML);
 
         Collection<Cert> certs = new ArrayList<Cert>();
@@ -777,7 +779,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
                     ConfigurationUtils.setupReplication();
                 }
 
-                ConfigurationUtils.reInitSubsystem(csType);
                 ConfigurationUtils.populateDBManager();
                 ConfigurationUtils.populateVLVIndexes();
             }
-- 
2.5.5

>From 2a433028d88cd52042bf1de31ba1db36488ae215 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata redhat com>
Date: Sun, 28 Aug 2016 20:38:48 +0200
Subject: [PATCH] Fixed default token name for system certificates.

Previously when installing with HSM the token name has to be
specified for each system certificate in the pki_<cert>_token
parameters. The deployment tool has been modified such that by
default it will use the token name specified in pki_token_name.

https://fedorahosted.org/pki/ticket/2423
---
 base/server/etc/default.cfg                        | 16 +++++------
 .../python/pki/server/deployment/pkiparser.py      | 33 ++++++++++++++++++++--
 2 files changed, 38 insertions(+), 11 deletions(-)

diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index cfbd289cc880db3bf4ed836f7dabc5168365bfd0..f759dbac0df53ee6078027740e0aed5f107b22e7 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -78,7 +78,7 @@ pki_audit_signing_key_algorithm=SHA256withRSA
 pki_audit_signing_key_size=2048
 pki_audit_signing_key_type=rsa
 pki_audit_signing_signing_algorithm=SHA256withRSA
-pki_audit_signing_token=Internal Key Storage Token
+pki_audit_signing_token=
 pki_backup_keys=False
 pki_backup_password=
 pki_ca_hostname=%(pki_security_domain_hostname)s
@@ -125,13 +125,13 @@ pki_ssl_server_key_size=2048
 pki_ssl_server_key_type=rsa
 pki_ssl_server_nickname=Server-Cert cert-%(pki_instance_name)s
 pki_ssl_server_subject_dn=cn=%(pki_hostname)s,o=%(pki_security_domain_name)s
-pki_ssl_server_token=Internal Key Storage Token
+pki_ssl_server_token=
 pki_subsystem_key_algorithm=SHA256withRSA
 pki_subsystem_key_size=2048
 pki_subsystem_key_type=rsa
 pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s
 pki_subsystem_subject_dn=cn=Subsystem Certificate,o=%(pki_security_domain_name)s
-pki_subsystem_token=Internal Key Storage Token
+pki_subsystem_token=
 pki_theme_enable=True
 pki_theme_server_dir=/usr/share/pki/common-ui
 pki_token_name=internal
@@ -293,7 +293,7 @@ pki_ca_signing_key_type=rsa
 pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA
 pki_ca_signing_signing_algorithm=SHA256withRSA
 pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name)s
-pki_ca_signing_token=Internal Key Storage Token
+pki_ca_signing_token=
 pki_ca_signing_csr_path=
 pki_ca_signing_cert_path=
 pki_ca_starting_crl_number=0
@@ -317,7 +317,7 @@ pki_ocsp_signing_key_type=rsa
 pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s CA
 pki_ocsp_signing_signing_algorithm=SHA256withRSA
 pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,o=%(pki_security_domain_name)s
-pki_ocsp_signing_token=Internal Key Storage Token
+pki_ocsp_signing_token=
 pki_profiles_in_ldap=False
 pki_random_serial_numbers_enable=False
 pki_subordinate=False
@@ -405,14 +405,14 @@ pki_storage_key_type=rsa
 pki_storage_nickname=storageCert cert-%(pki_instance_name)s KRA
 pki_storage_signing_algorithm=SHA256withRSA
 pki_storage_subject_dn=cn=DRM Storage Certificate,o=%(pki_security_domain_name)s
-pki_storage_token=Internal Key Storage Token
+pki_storage_token=
 pki_transport_key_algorithm=SHA256withRSA
 pki_transport_key_size=2048
 pki_transport_key_type=rsa
 pki_transport_nickname=transportCert cert-%(pki_instance_name)s KRA
 pki_transport_signing_algorithm=SHA256withRSA
 pki_transport_subject_dn=cn=DRM Transport Certificate,o=%(pki_security_domain_name)s
-pki_transport_token=Internal Key Storage Token
+pki_transport_token=
 pki_admin_email=%(pki_admin_name)s %(pki_dns_domainname)s
 pki_admin_name=%(pki_admin_uid)s
 pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
@@ -474,7 +474,7 @@ pki_ocsp_signing_key_type=rsa
 pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s OCSP
 pki_ocsp_signing_signing_algorithm=SHA256withRSA
 pki_ocsp_signing_subject_dn=cn=OCSP Signing Certificate,o=%(pki_security_domain_name)s
-pki_ocsp_signing_token=Internal Key Storage Token
+pki_ocsp_signing_token=
 pki_admin_email=%(pki_admin_name)s %(pki_dns_domainname)s
 pki_admin_name=%(pki_admin_uid)s
 pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index 115f3ca4506fec310ae1e5e88ccb0ecb0c4c609b..6e922cf6cef11aae45881658c1e2a80526bfdbc0 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -564,6 +564,24 @@ class PKIConfigParser:
         root = ET.fromstring(response)
         return root.findtext("Status")
 
+    def normalize_cert_token(self, name):
+
+        # get cert token
+        token = self.mdict.get(name)
+
+        # if not specified, get default token name
+        if not token:
+            token = self.mdict.get('pki_token_name')
+
+        # normalize internal token name
+        if not token or \
+                token.lower() == 'internal' or \
+                token.lower() == 'internal key storage token':
+            token = 'Internal Key Storage Token'
+
+        # update cert token
+        self.mdict[name] = token
+
     def compose_pki_master_dictionary(self):
         """
         Create a single master PKI dictionary from the
@@ -595,11 +613,11 @@ class PKIConfigParser:
             instance = pki.server.PKIInstance(self.mdict['pki_instance_name'])
             instance.load()
 
-            internal_password = self.mdict['pki_self_signed_token']
+            internal_token = self.mdict['pki_self_signed_token']
 
             # if instance already exists and has password, reuse the password
-            if internal_password in instance.passwords:
-                self.mdict['pki_pin'] = instance.passwords.get(internal_password)
+            if internal_token in instance.passwords:
+                self.mdict['pki_pin'] = instance.passwords.get(internal_token)
 
             # otherwise, use user-provided password if specified
             elif 'pki_pin' in self.mdict:
@@ -1207,6 +1225,15 @@ class PKIConfigParser:
                 # always normalize 'default' softokn name
                 self.mdict['pki_token_name'] = "internal"
 
+            # normalize cert tokens
+            self.normalize_cert_token('pki_audit_signing_token')
+            self.normalize_cert_token('pki_ssl_server_token')
+            self.normalize_cert_token('pki_subsystem_token')
+            self.normalize_cert_token('pki_ca_signing_token')
+            self.normalize_cert_token('pki_ocsp_signing_token')
+            self.normalize_cert_token('pki_storage_token')
+            self.normalize_cert_token('pki_transport_token')
+
             # if security domain user is not defined
             if not len(self.mdict['pki_security_domain_user']):
 
-- 
2.5.5


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]