[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[Pki-devel] [PATCH] 690 Added mechanism to import system certs via PKCS #12 file.



The installation tool has been modified to provide an optional
pki_server_pkcs12_path property to specify a PKCS #12 file
containing certificate chain, system certificates, and third-party
certificates needed by the subsystem being installed.

If the pki_server_pkcs12_path is specified the installation tool
will no longer download the certificate chain from the security
domain directly, and it will no longer import the PKCS #12
containing the entire master NSS database specified in
pki_clone_pkcs12_path.

For backward compatibility, if the pki_server_pkcs12_path is not
specified the installation tool will use the old mechanism to
import the system certificates.

The ConfigurationUtils.verifySystemCertificates() has been modified
not to catch the exception to help troubleshooting.

https://fedorahosted.org/pki/ticket/1742

Documentations:
* http://pki.fedoraproject.org/wiki/Installing_CA_Clone
* http://pki.fedoraproject.org/wiki/Installing_Remote_KRA
* http://pki.fedoraproject.org/wiki/Exporting_System_Certificates
* http://pki.fedoraproject.org/wiki/PKI_PKCS12_CLI

--
Endi S. Dewata
From 37c488cc46262941c64e732362f43e08448e6fe1 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata redhat com>
Date: Fri, 19 Feb 2016 08:42:30 +0100
Subject: [PATCH] Added mechanism to import system certs via PKCS #12 file.

The installation tool has been modified to provide an optional
pki_server_pkcs12_path property to specify a PKCS #12 file
containing certificate chain, system certificates, and third-party
certificates needed by the subsystem being installed.

If the pki_server_pkcs12_path is specified the installation tool
will no longer download the certificate chain from the security
domain directly, and it will no longer import the PKCS #12
containing the entire master NSS database specified in
pki_clone_pkcs12_path.

For backward compatibility, if the pki_server_pkcs12_path is not
specified the installation tool will use the old mechanism to
import the system certificates.

The ConfigurationUtils.verifySystemCertificates() has been modified
not to catch the exception to help troubleshooting.

https://fedorahosted.org/pki/ticket/1742
---
 base/common/python/pki/nssdb.py                    | 16 +++--
 .../certsrv/system/ConfigurationRequest.java       | 32 +++++++--
 .../cms/servlet/csadmin/ConfigurationUtils.java    | 76 +++++++++++-----------
 .../dogtagpki/server/rest/SystemConfigService.java | 55 +++++++---------
 base/server/etc/default.cfg                        |  3 +
 .../python/pki/server/deployment/pkihelper.py      | 36 ++++++++--
 .../python/pki/server/deployment/pkiparser.py      |  1 +
 .../deployment/scriptlets/security_databases.py    | 25 +++++++
 8 files changed, 158 insertions(+), 86 deletions(-)

diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
index a418cdc00aaadec6f7635dd2d2eefdf8fb8d7888..e290727bad4cee9861a39592aac0ae3695ddaee0 100644
--- a/base/common/python/pki/nssdb.py
+++ b/base/common/python/pki/nssdb.py
@@ -471,14 +471,20 @@ class NSSDatabase(object):
                 raise Exception('Missing PKCS #12 password')
 
             cmd = [
-                'pk12util',
+                'pki',
                 '-d', self.directory,
-                '-h', self.token,
-                '-k', self.password_file,
-                '-i', pkcs12_file,
-                '-w', password_file
+                '-C', self.password_file
             ]
 
+            if self.token and self.token != 'internal':
+                cmd.extend(['--token', self.token])
+
+            cmd.extend([
+                'pkcs12-import',
+                '--pkcs12', pkcs12_file,
+                '--pkcs12-password-file', password_file
+            ])
+
             subprocess.check_call(cmd)
 
         finally:
diff --git a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
index 8c9da6f373be192a6b5cf99a3cf8cd6ce288c3aa..890f7d01f1dd1bbd5eca0bbee5601e3073fb05cd 100644
--- a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
+++ b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
@@ -133,6 +133,9 @@ public class ConfigurationRequest {
     protected String reindexData;
 
     @XmlElement
+    protected Boolean systemCertsImported;
+
+    @XmlElement
     protected List<SystemCertData> systemCerts;
 
     @XmlElement
@@ -559,21 +562,37 @@ public class ConfigurationRequest {
 
     /**
      *
-     * @return systemCerts
+     * @return systemCertsImported
      */
-    public List<SystemCertData> getSystemCerts() {
-        return systemCerts;
+    public Boolean getSystemCertsImported() {
+        return systemCertsImported;
     }
 
     /**
      *
-     * @param systemCerts
+     * @param systemCertsImported
      */
-    public void setSystemCerts(List<SystemCertData> systemCerts) {
-        this.systemCerts = systemCerts;
+    public void setSystemCertsImported(Boolean systemCertsImported) {
+        this.systemCertsImported = systemCertsImported;
     }
 
     /**
+    *
+    * @return systemCerts
+    */
+   public List<SystemCertData> getSystemCerts() {
+       return systemCerts;
+   }
+
+   /**
+    *
+    * @param systemCerts
+    */
+   public void setSystemCerts(List<SystemCertData> systemCerts) {
+       this.systemCerts = systemCerts;
+   }
+
+   /**
      * @return the issuingCA
      */
     public String getIssuingCA() {
@@ -940,6 +959,7 @@ public class ConfigurationRequest {
                ", masterReplicationPort=" + masterReplicationPort +
                ", cloneReplicationPort=" + cloneReplicationPort +
                ", replicationSecurity=" + replicationSecurity +
+               ", systemCertsImported=" + systemCertsImported +
                ", systemCerts=" + systemCerts +
                ", issuingCA=" + issuingCA +
                ", backupKeys=" + backupKeys +
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 91dad159bb39605d094c87c1958cc57772dbb732..3c69fa75ffa086d4de75f99fbf78e36e2d0e0cd8 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -252,6 +252,8 @@ public class ConfigurationUtils {
     public static void importCertChain(String host, int port, String serverPath, String tag)
             throws Exception {
 
+        CMS.debug("ConfigurationUtils.importCertChain()");
+
         IConfigStore cs = CMS.getConfigStore();
         ConfigCertApprovalCallback certApprovalCallback = new ConfigCertApprovalCallback();
         String c = get(host, port, true, serverPath, null, certApprovalCallback);
@@ -932,44 +934,42 @@ public class ConfigurationUtils {
         importKeyCert(pkeyinfo_collection, cert_collection);
     }
 
-    public static boolean isCertdbCloned() {
+    public static void verifySystemCertificates() throws Exception {
+
         IConfigStore cs = CMS.getConfigStore();
-        try {
-            CryptoManager cm = CryptoManager.getInstance();
-            String certList = cs.getString("preop.cert.list");
-            String cstype = cs.getString("cs.type").toLowerCase();
-            StringTokenizer st = new StringTokenizer(certList, ",");
-            while (st.hasMoreTokens()) {
-                String tag = st.nextToken();
-                if (tag.equals("sslserver"))
-                    continue;
-                String tokenname = cs.getString("preop.module.token", "");
-                cm.getTokenByName(tokenname); // throw exception if token doesn't exist
-                String name1 = "preop.master." + tag + ".nickname";
-                String nickname = cs.getString(name1, "");
-                if (!tokenname.equals("Internal Key Storage Token") &&
-                        !tokenname.equals("internal"))
-                    nickname = tokenname + ":" + nickname;
-
-                CMS.debug("ConfigurationUtils.isCertdbCloned(): checking system certificate " + nickname);
-
-                // TODO : remove this when we eliminate the extraneous nicknames
-                // needed for self tests
-                cs.putString(cstype + ".cert." + tag + ".nickname", nickname);
-
-                X509Certificate cert = cm.findCertByNickname(nickname);
-                if (cert == null) {
-                    CMS.debug("Missing system certificate: " + nickname);
-                    return false;
-                }
+
+        CryptoManager cm = CryptoManager.getInstance();
+        String certList = cs.getString("preop.cert.list");
+        String cstype = cs.getString("cs.type").toLowerCase();
+        StringTokenizer st = new StringTokenizer(certList, ",");
+
+        while (st.hasMoreTokens()) {
+            String tag = st.nextToken();
+            if (tag.equals("sslserver"))
+                continue;
+
+            String tokenname = cs.getString("preop.module.token", "");
+            cm.getTokenByName(tokenname); // throw exception if token doesn't exist
+
+            String name1 = "preop.master." + tag + ".nickname";
+            String nickname = cs.getString(name1, "");
+            if (!tokenname.equals("Internal Key Storage Token") &&
+                    !tokenname.equals("internal"))
+                nickname = tokenname + ":" + nickname;
+
+            CMS.debug("ConfigurationUtils.verifySystemCertificates(): checking certificate " + nickname);
+
+            // TODO : remove this when we eliminate the extraneous nicknames
+            // needed for self tests
+            cs.putString(cstype + ".cert." + tag + ".nickname", nickname);
+
+            try {
+                cm.findCertByNickname(nickname);
+
+            } catch (ObjectNotFoundException e) {
+                throw new Exception("Missing system certificate: " + nickname);
             }
-
-        } catch (Exception e) {
-            CMS.debug(e);
-            return false;
         }
-
-        return true;
     }
 
     public static void importKeyCert(
@@ -3666,10 +3666,12 @@ public class ConfigurationUtils {
             String status = parser.getValue("Status");
             CMS.debug("submitAdminXertRequest: status=" + status);
             if (status.equals(AUTH_FAILURE)) {
-                throw new EAuthException(AUTH_FAILURE);
+                throw new EAuthException("Unable to generate admin certificate: authentication failure");
+
             } else if (!status.equals(SUCCESS)) {
                 String error = parser.getValue("Error");
-                throw new IOException(error);
+                CMS.debug("Error: " + error);
+                throw new IOException("Unable to generate admin certificate: " + error);
             }
 
             IConfigStore cs = CMS.getConfigStore();
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index 697196a6ea6beb22210fed1f5680f7d02cea1533..f7e5a6b05d39f3fcab4f1f45f0d283c1a379bce1 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -662,7 +662,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
                 response.setAdminCert(admincerts[0]);
 
             } catch (Exception e) {
-                e.printStackTrace();
+                CMS.debug(e);
                 throw new PKIException("Error in creating admin user: " + e);
             }
         }
@@ -818,7 +818,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
                     cs.putInteger("preop.ca.httpsport", port);
                     cs.putInteger("preop.ca.httpsadminport", admin_port);
 
-                    if (!data.isClone()) {
+                    if (!data.isClone() && !data.getSystemCertsImported()) {
                         ConfigurationUtils.importCertChain(host, admin_port, "/ca/admin/ca/getCertChain", "ca");
                     }
 
@@ -855,7 +855,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
                     "Clone URI does not match available subsystems: " + url);
         }
 
-        if (csType.equals("CA")) {
+        if (csType.equals("CA") && !data.getSystemCertsImported()) {
             CMS.debug("SystemConfigService: import certificate chain from master");
             int masterAdminPort = ConfigurationUtils.getPortFromSecurityDomain(domainXML,
                     masterHost, masterPort, "CA", "SecurePort", "SecureAdminPort");
@@ -867,10 +867,12 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
         ConfigurationUtils.getConfigEntriesFromMaster();
 
         if (token.equals(ConfigurationRequest.TOKEN_DEFAULT)) {
-            CMS.debug("SystemConfigService: restore certificates from P12 file");
-            String p12File = data.getP12File();
-            String p12Pass = data.getP12Password();
-            ConfigurationUtils.restoreCertsFromP12(p12File, p12Pass);
+            if (!data.getSystemCertsImported()) {
+                CMS.debug("SystemConfigService: restore certificates from P12 file");
+                String p12File = data.getP12File();
+                String p12Pass = data.getP12Password();
+                ConfigurationUtils.restoreCertsFromP12(p12File, p12Pass);
+            }
 
         } else {
             CMS.debug("SystemConfigService: import certificates from HSM and set permission");
@@ -878,15 +880,10 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
         }
 
         CMS.debug("SystemConfigService: verify certificates");
-        boolean cloneReady = ConfigurationUtils.isCertdbCloned();
-
-        if (!cloneReady) {
-            CMS.debug("SystemConfigService: clone does not have all the certificates.");
-            throw new PKIException("Clone does not have all the required certificates");
-        }
+        ConfigurationUtils.verifySystemCertificates();
     }
 
-    public String configureSecurityDomain(ConfigurationRequest data) {
+    public String configureSecurityDomain(ConfigurationRequest data) throws Exception {
 
         String domainXML = null;
 
@@ -932,7 +929,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
         cs.putString("preop.cert.subsystem.profile", "subsystemCert.profile");
     }
 
-    private String logIntoSecurityDomain(ConfigurationRequest data, String securityDomainURL) {
+    private String logIntoSecurityDomain(ConfigurationRequest data, String securityDomainURL) throws Exception {
         URL secdomainURL;
         String host;
         int port;
@@ -948,7 +945,11 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
             throw new PKIException("Failed to resolve security domain URL", e);
         }
 
-        getCertChainFromSecurityDomain(host, port);
+        if (!data.getSystemCertsImported()) {
+            CMS.debug("Getting security domain cert chain");
+            ConfigurationUtils.importCertChain(host, port, "/ca/admin/ca/getCertChain", "securitydomain");
+        }
+
         getInstallToken(data, host, port);
 
         return getDomainXML(host, port);
@@ -967,16 +968,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
         return domainXML;
     }
 
-    private void getCertChainFromSecurityDomain(String host, int port) {
-        CMS.debug("Getting security domain cert chain");
-        try {
-            ConfigurationUtils.importCertChain(host, port, "/ca/admin/ca/getCertChain", "securitydomain");
-        } catch (Exception e) {
-            CMS.debug(e);
-            throw new PKIException("Failed to import certificate chain from security domain master: " + e, e);
-        }
-    }
-
     private void getInstallToken(ConfigurationRequest data, String host, int port) {
         CMS.debug("Getting install token");
         // log onto security domain and get token
@@ -1129,12 +1120,14 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
             }
 
             if (data.getToken().equals(ConfigurationRequest.TOKEN_DEFAULT)) {
-                if (data.getP12File() == null) {
-                    throw new BadRequestException("P12 filename not provided");
-                }
+                if (!data.getSystemCertsImported()) {
+                    if (data.getP12File() == null) {
+                        throw new BadRequestException("P12 filename not provided");
+                    }
 
-                if (data.getP12Password() == null) {
-                    throw new BadRequestException("P12 password not provided");
+                    if (data.getP12Password() == null) {
+                        throw new BadRequestException("P12 password not provided");
+                    }
                 }
             } else {
                 if (data.getP12File() != null) {
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index 1c1ae92b323d67dc5fb810df79bbdbbb0b6c26e7..c503e63451c6bb6bc27f3ffc1d83a89647f8b290 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -27,6 +27,7 @@ sensitive_parameters=
     pki_pin
     pki_replication_password
     pki_security_domain_password
+    pki_server_pkcs12_password
     pki_token_password
 
 # The spawn_scriplets contains a list of scriplets to be executed by pkispawn.
@@ -108,6 +109,8 @@ pki_security_domain_https_port=8443
 pki_security_domain_name=%(pki_dns_domainname)s Security Domain
 pki_security_domain_password=
 pki_security_domain_user=caadmin
+pki_server_pkcs12_path=
+pki_server_pkcs12_password=
 #for supporting server cert SAN injection
 pki_san_inject=False
 pki_san_for_server_cert=
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index 429e1e93e35d91d92040d751f5d4ac24864e95a9..cd4e3e26f72ad175aa13fd87d1c8344c6d9248f4 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -632,10 +632,17 @@ class ConfigurationFile:
             self.confirm_data_exists("pki_client_database_password")
         # Verify existence of Client PKCS #12 Password for Admin Cert
         self.confirm_data_exists("pki_client_pkcs12_password")
+
         if self.clone:
+
             # Verify existence of PKCS #12 Password (ONLY for non-HSM Clones)
             if not config.str2bool(self.mdict['pki_hsm_enable']):
-                self.confirm_data_exists("pki_clone_pkcs12_password")
+
+                # If system certificates are already provided via pki_server_pkcs12
+                # there's no need to provide pki_clone_pkcs12.
+                if not self.mdict['pki_server_pkcs12_path']:
+                    self.confirm_data_exists("pki_clone_pkcs12_password")
+
             # Verify absence of all PKCS #12 clone parameters for HSMs
             elif (os.path.exists(self.mdict['pki_clone_pkcs12_path']) or
                     ('pki_clone_pkcs12_password' in self.mdict and
@@ -645,6 +652,7 @@ class ConfigurationFile:
                     extra=config.PKI_INDENTATION_LEVEL_2)
                 raise Exception(
                     log.PKIHELPER_HSM_CLONES_MUST_SHARE_HSM_MASTER_PRIVATE_KEYS)
+
         # Verify existence of Security Domain Password
         # (ONLY for PKI KRA, PKI OCSP, PKI TKS, PKI TPS, Clones, or
         #  Subordinate CA that will be automatically configured and
@@ -749,11 +757,18 @@ class ConfigurationFile:
             self.confirm_data_exists("pki_http_port")
             self.confirm_data_exists("pki_https_port")
             self.confirm_data_exists("pki_tomcat_server_port")
+
+            # Check clone parameters for non-HSM clone
             if not config.str2bool(self.mdict['pki_hsm_enable']):
-                # Check clone parameters for non-HSM clone
-                self.confirm_data_exists("pki_clone_pkcs12_path")
-                self.confirm_file_exists("pki_clone_pkcs12_path")
+
+                # If system certificates are already provided via pki_server_pkcs12
+                # there's no need to provide pki_clone_pkcs12.
+                if not self.mdict['pki_server_pkcs12_path']:
+                    self.confirm_data_exists("pki_clone_pkcs12_path")
+                    self.confirm_file_exists("pki_clone_pkcs12_path")
+
             self.confirm_data_exists("pki_clone_replication_security")
+
         elif self.external:
             # External CA
             if not self.external_step_two:
@@ -4032,6 +4047,8 @@ class ConfigClient:
         # Issuing CA Information
         self.set_issuing_ca_parameters(data)
 
+        data.systemCertsImported = self.mdict['pki_server_pkcs12_path'] != ''
+
         # Create system certs
         self.set_system_certs(data)
 
@@ -4308,10 +4325,15 @@ class ConfigClient:
     def set_cloning_parameters(self, data):
         data.isClone = "true"
         data.cloneUri = self.mdict['pki_clone_uri']
+
+        # Set these clone parameters for non-HSM clones only
         if not config.str2bool(self.mdict['pki_hsm_enable']):
-            # Set these clone parameters for non-HSM clones only
-            data.p12File = self.mdict['pki_clone_pkcs12_path']
-            data.p12Password = self.mdict['pki_clone_pkcs12_password']
+            # If system certificates are already provided via pki_server_pkcs12
+            # there's no need to provide pki_clone_pkcs12.
+            if not self.mdict['pki_server_pkcs12_path']:
+                data.p12File = self.mdict['pki_clone_pkcs12_path']
+                data.p12Password = self.mdict['pki_clone_pkcs12_password']
+
         if config.str2bool(self.mdict['pki_clone_replicate_schema']):
             data.replicateSchema = "true"
         else:
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index 77a1cdf2d66a907f937ef316d0896cc78ca865b2..ca9ef998f69952dc1495c9b17dd1cf45d71f16f4 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -346,6 +346,7 @@ class PKIConfigParser:
                     'pki_pin',
                     'pki_replication_password',
                     'pki_security_domain_password',
+                    'pki_server_pkcs12_password',
                     'pki_token_password')
 
                 print('Loading deployment configuration from ' +
diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
index 94ecbc2f026dbf8f48b281e9ee9def518d24a861..a723b1da96462e9b844fb5328476958d4107f707 100644
--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py
+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
@@ -20,6 +20,8 @@
 
 from __future__ import absolute_import
 
+import pki.nssdb
+
 # PKI Deployment Imports
 from .. import pkiconfig as config
 from .. import pkimessages as log
@@ -36,8 +38,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             config.pki_log.info(log.SKIP_SECURITY_DATABASES_SPAWN_1, __name__,
                                 extra=config.PKI_INDENTATION_LEVEL_1)
             return self.rv
+
         config.pki_log.info(log.SECURITY_DATABASES_SPAWN_1, __name__,
                             extra=config.PKI_INDENTATION_LEVEL_1)
+
         if config.str2bool(deployer.mdict['pki_hsm_enable']):
             deployer.password.create_hsm_password_conf(
                 deployer.mdict['pki_shared_password_conf'],
@@ -47,6 +51,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             deployer.password.create_password_conf(
                 deployer.mdict['pki_shared_password_conf'],
                 deployer.mdict['pki_pin'])
+
         # Since 'certutil' does NOT strip the 'token=' portion of
         # the 'token=password' entries, create a temporary server 'pfile'
         # which ONLY contains the 'password' for the purposes of
@@ -55,12 +60,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             deployer.mdict['pki_shared_pfile'],
             deployer.mdict['pki_pin'], pin_sans_token=True)
         deployer.file.modify(deployer.mdict['pki_shared_password_conf'])
+
         deployer.certutil.create_security_databases(
             deployer.mdict['pki_database_path'],
             deployer.mdict['pki_cert_database'],
             deployer.mdict['pki_key_database'],
             deployer.mdict['pki_secmod_database'],
             password_file=deployer.mdict['pki_shared_pfile'])
+
         if config.str2bool(deployer.mdict['pki_hsm_enable']):
             deployer.modutil.register_security_module(
                 deployer.mdict['pki_database_path'],
@@ -76,6 +83,24 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             deployer.mdict['pki_secmod_database'],
             perms=config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
 
+        pki_server_pkcs12_path = deployer.mdict['pki_server_pkcs12_path']
+
+        if pki_server_pkcs12_path:
+
+            # importing system certificates
+
+            pki_server_pkcs12_password = deployer.mdict['pki_server_pkcs12_password']
+            if not pki_server_pkcs12_password:
+                raise Exception('Missing pki_server_pkcs12_password property.')
+
+            nssdb = pki.nssdb.NSSDatabase(
+                directory=deployer.mdict['pki_database_path'],
+                password_file=deployer.mdict['pki_shared_pfile'])
+
+            nssdb.import_pkcs12(
+                pkcs12_file=pki_server_pkcs12_path,
+                pkcs12_password=pki_server_pkcs12_password)
+
         if len(deployer.instance.tomcat_instance_subsystems()) < 2:
             # only create a self signed cert for a new instance
             #
-- 
2.4.3


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]