Previously, when installing with an HSM, the token name had to be specified for each system certificate in the pki_<cert>_token parameters. The deployment tool has been modified such that by default it will use the token name specified in pki_token_name.
Previously, issues with system certificates that happen during subsystem initialization were reported as database initialization errors. Database initialization actually does not depend on subsystem initialization, so to avoid confusion and to simplify the code, the reInitSubsystem() in SystemConfigService is now invoked after initializeDatabase() is complete. https://fedorahosted.org/pki/ticket/2423 -- Endi S. Dewata
>From 14d4a22b5b847392b41b7a0a290e068d2d0f76f7 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edew...@redhat.com>
Date: Sat, 27 Aug 2016 00:07:08 +0200
Subject: [PATCH] Moved subsystem initialization after database initialization.
Previously issues with system certificates that happen during subsystem initialization were reported as database initialization error. Database initialization actually does not depend on subsystem initialization, so to avoid confusion and to simplify the code the reInitSubsystem() in SystemConfigService is now invoked after the initializeDatabase() is complete. https://fedorahosted.org/pki/ticket/2423
---
 base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index 95afa4c6a071c27cc1f52edeb742ddbf199e4d83..9d7c176ecdbf2c87cb961fa3f6eb74fb41eb8ef5 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -178,6 +178,8 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
         }
         initializeDatabase(data);
+        ConfigurationUtils.reInitSubsystem(csType);
+
         configureCACertChain(data, domainXML);
         Collection<Cert> certs = new ArrayList<Cert>();
@@ -777,7 +779,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
             ConfigurationUtils.setupReplication();
         }
-        ConfigurationUtils.reInitSubsystem(csType);
         ConfigurationUtils.populateDBManager();
         ConfigurationUtils.populateVLVIndexes();
     }
-- 2.5.5
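Review bot: The new `ConfigurationUtils.reInitSubsystem(csType);` in the first hunk now runs only after `initializeDatabase(data)` has returned, so a certificate or token failure raised there is reported by the enclosing method rather than from inside database setup; nothing at the call site records that this ordering is deliberate, and the next refactor could fold it back in. Suggest a comment above the added call: `// Run after initializeDatabase() on purpose: certificate/token failures here must not surface as database initialization errors (ticket 2423).` In the second hunk `populateDBManager()` and `populateVLVIndexes()` previously ran after `reInitSubsystem()`; the commit message asserts they do not depend on it, which the hunk itself cannot confirm, so a short note in the ticket or code stating that dependency was checked would help. Both enclosing methods start outside the hunks.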
>From 2a433028d88cd52042bf1de31ba1db36488ae215 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edew...@redhat.com>
Date: Sun, 28 Aug 2016 20:38:48 +0200
Subject: [PATCH] Fixed default token name for system certificates.
Previously when installing with HSM the token name has to be specified for each system certificate in the pki_<cert>_token parameters. The deployment tool has been modified such that by default it will use the token name specified in pki_token_name. https://fedorahosted.org/pki/ticket/2423
---
 base/server/etc/default.cfg | 16 +++++------
 .../python/pki/server/deployment/pkiparser.py | 33 ++++++++++++++++++++--
 2 files changed, 38 insertions(+), 11 deletions(-)
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index cfbd289cc880db3bf4ed836f7dabc5168365bfd0..f759dbac0df53ee6078027740e0aed5f107b22e7 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -78,7 +78,7 @@ pki_audit_signing_key_algorithm=SHA256withRSA
 pki_audit_signing_key_size=2048
 pki_audit_signing_key_type=rsa
 pki_audit_signing_signing_algorithm=SHA256withRSA
-pki_audit_signing_token=Internal Key Storage Token
+pki_audit_signing_token=
 pki_backup_keys=False
 pki_backup_password=
 pki_ca_hostname=%(pki_security_domain_hostname)s
@@ -125,13 +125,13 @@ pki_ssl_server_key_size=2048
 pki_ssl_server_key_type=rsa
 pki_ssl_server_nickname=Server-Cert cert-%(pki_instance_name)s
 pki_ssl_server_subject_dn=cn=%(pki_hostname)s,o=%(pki_security_domain_name)s
-pki_ssl_server_token=Internal Key Storage Token
+pki_ssl_server_token=
 pki_subsystem_key_algorithm=SHA256withRSA
 pki_subsystem_key_size=2048
 pki_subsystem_key_type=rsa
 pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s
 pki_subsystem_subject_dn=cn=Subsystem Certificate,o=%(pki_security_domain_name)s
-pki_subsystem_token=Internal Key Storage Token
+pki_subsystem_token=
 pki_theme_enable=True
 pki_theme_server_dir=/usr/share/pki/common-ui
 pki_token_name=internal
@@ -293,7 +293,7 @@ pki_ca_signing_key_type=rsa
 pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA
 pki_ca_signing_signing_algorithm=SHA256withRSA
 pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name)s
-pki_ca_signing_token=Internal Key Storage Token
+pki_ca_signing_token=
 pki_ca_signing_csr_path=
 pki_ca_signing_cert_path=
 pki_ca_starting_crl_number=0
@@ -317,7 +317,7 @@ pki_ocsp_signing_key_type=rsa
 pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s CA
 pki_ocsp_signing_signing_algorithm=SHA256withRSA
 pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,o=%(pki_security_domain_name)s
-pki_ocsp_signing_token=Internal Key Storage Token
+pki_ocsp_signing_token=
 pki_profiles_in_ldap=False
 pki_random_serial_numbers_enable=False
 pki_subordinate=False
@@ -405,14 +405,14 @@ pki_storage_key_type=rsa
 pki_storage_nickname=storageCert cert-%(pki_instance_name)s KRA
 pki_storage_signing_algorithm=SHA256withRSA
 pki_storage_subject_dn=cn=DRM Storage Certificate,o=%(pki_security_domain_name)s
-pki_storage_token=Internal Key Storage Token
+pki_storage_token=
 pki_transport_key_algorithm=SHA256withRSA
 pki_transport_key_size=2048
 pki_transport_key_type=rsa
 pki_transport_nickname=transportCert cert-%(pki_instance_name)s KRA
 pki_transport_signing_algorithm=SHA256withRSA
 pki_transport_subject_dn=cn=DRM Transport Certificate,o=%(pki_security_domain_name)s
-pki_transport_token=Internal Key Storage Token
+pki_transport_token=
 pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
 pki_admin_name=%(pki_admin_uid)s
 pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
@@ -474,7 +474,7 @@ pki_ocsp_signing_key_type=rsa
 pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s OCSP
 pki_ocsp_signing_signing_algorithm=SHA256withRSA
 pki_ocsp_signing_subject_dn=cn=OCSP Signing Certificate,o=%(pki_security_domain_name)s
-pki_ocsp_signing_token=Internal Key Storage Token
+pki_ocsp_signing_token=
 pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
 pki_admin_name=%(pki_admin_uid)s
 pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index 115f3ca4506fec310ae1e5e88ccb0ecb0c4c609b..6e922cf6cef11aae45881658c1e2a80526bfdbc0 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -564,6 +582,24 @@ class PKIConfigParser:
         root = ET.fromstring(response)
         return root.findtext("Status")
+    def normalize_cert_token(self, name):
+
+        # get cert token
+        token = self.mdict.get(name)
+
+        # if not specified, get default token name
+        if not token:
+            token = self.mdict.get('pki_token_name')
+
+        # normalize internal token name
+        if not token or \
+                token.lower() == 'internal' or \
+                token.lower() == 'internal key storage token':
+            token = 'Internal Key Storage Token'
+
+        # update cert token
+        self.mdict[name] = token
+
     def compose_pki_master_dictionary(self):
         """
         Create a single master PKI dictionary from the
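Review bot: `normalize_cert_token` is added without a docstring, and its contract — an empty `pki_<cert>_token` inherits `pki_token_name`, and an empty result or either spelling of the internal token collapses to `'Internal Key Storage Token'` — is only discoverable by reading the body. Suggest a docstring such as `"""Resolve self.mdict[name] to a token name: fall back to pki_token_name when unset, map 'internal' / 'internal key storage token' (any case) to 'Internal Key Storage Token', and write the result back into self.mdict."""`, since the write-back means later readers of the key see the normalized value rather than what the user configured. The three-way condition reads more clearly as `if not token or token.lower() in ('internal', 'internal key storage token'):`. Any other token name is passed through unchanged, which appears to be intended for HSM tokens; the docstring should say so explicitly.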
@@ -595,11 +613,11 @@ class PKIConfigParser:
             instance = pki.server.PKIInstance(self.mdict['pki_instance_name'])
             instance.load()
-            internal_password = self.mdict['pki_self_signed_token']
+            internal_token = self.mdict['pki_self_signed_token']
             # if instance already exists and has password, reuse the password
-            if internal_password in instance.passwords:
-                self.mdict['pki_pin'] = instance.passwords.get(internal_password)
+            if internal_token in instance.passwords:
+                self.mdict['pki_pin'] = instance.passwords.get(internal_token)
             # otherwise, use user-provided password if specified
             elif 'pki_pin' in self.mdict:
@@ -1207,6 +1225,15 @@ class PKIConfigParser:
         # always normalize 'default' softokn name
         self.mdict['pki_token_name'] = "internal"
+        # normalize cert tokens
+        self.normalize_cert_token('pki_audit_signing_token')
+        self.normalize_cert_token('pki_ssl_server_token')
+        self.normalize_cert_token('pki_subsystem_token')
+        self.normalize_cert_token('pki_ca_signing_token')
+        self.normalize_cert_token('pki_ocsp_signing_token')
+        self.normalize_cert_token('pki_storage_token')
+        self.normalize_cert_token('pki_transport_token')
+
         # if security domain user is not defined
         if not len(self.mdict['pki_security_domain_user']):
-- 2.5.5
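Review bot: The seven `normalize_cert_token(...)` calls in the second hunk are a hard-coded list that must mirror the `pki_*_token` entries in default.cfg, and because default.cfg now ships those values empty, any token key that is later added to the config but not to this list will be left empty instead of resolving to `pki_token_name` or the internal token. At minimum add a comment above the block: `# keep in sync with the pki_*_token entries in default.cfg; a token key missing here stays empty instead of inheriting pki_token_name`. Alternatively derive the list from `self.mdict` keys ending in `_token`, but note that would also pick up `pki_self_signed_token` from the first hunk, which is used there as a password lookup key and may not be a certificate token in the same sense, so that change needs checking against its other uses. The renamed `internal_token` in the first hunk is fine as a rename; the enclosing method continues outside both hunks.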