Index: base/ca/shared/webapps/ca/WEB-INF/web.xml
===================================================================
--- base/ca/shared/webapps/ca/WEB-INF/web.xml (revision 2521)
+++ base/ca/shared/webapps/ca/WEB-INF/web.xml (working copy)
@@ -248,6 +248,25 @@
+ caUpdateDomainXML-admin
+ com.netscape.cms.servlet.csadmin.UpdateDomainXML
+ GetClientCert
+ false
+ authority
+ ca
+ ID
+ caUpdateDomainXML
+ interface
+ admin
+ AuthMgr
+ TokenAuth
+ AuthzMgr
+ BasicAclAuthz
+ resourceID
+ certServer.securitydomain.domainxml
+
+
+
caUpdateNumberRange
com.netscape.cms.servlet.csadmin.UpdateNumberRange
GetClientCert
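Review bot: The new caUpdateDomainXML-admin servlet is declared with `GetClientCert` = `false` and `AuthMgr` = `TokenAuth`, so on the admin interface the only credential protecting security-domain updates is the session ID carried in the POST body, authorised against `certServer.securitydomain.domainxml`. That makes the session ID a bearer token: it must only ever travel over the HTTPS admin port and must not be written to debug logs by the callers that build this request. The existing client-cert `/agent/ca/updateDomainXML` mapping is kept alongside it (visible in a later hunk), so it would help to record in web.xml which path is preferred, e.g. `<!-- admin path: session-ID (TokenAuth) + domainxml ACL; agent path: client-cert, kept for older installers -->`.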
@@ -257,7 +276,7 @@
ID
caUpdateNumberRange
interface
- ee
+ admin
AuthMgr
TokenAuth
AuthzMgr
@@ -1826,16 +1845,16 @@
- caGetTokenInfo
- com.netscape.cms.servlet.csadmin.GetTokenInfo
+ caTokenAuthenticate-admin
+ com.netscape.cms.servlet.csadmin.TokenAuthenticate
GetClientCert
false
authority
ca
ID
- caGetTokenInfo
+ caTokenAuthenticate
interface
- ee
+ admin
@@ -2045,9 +2064,14 @@
/agent/ca/updateDomainXML
+
+ caUpdateDomainXML-admin
+ /admin/ca/updateDomainXML
+
+
caUpdateNumberRange
- /ee/ca/updateNumberRange
+ /admin/ca/updateNumberRange
@@ -2496,8 +2520,8 @@
- caGetTokenInfo
- /ee/ca/getTokenInfo
+ caTokenAuthenticate-admin
+ /admin/ca/tokenAuthenticate
Index: base/ca/shared/conf/acl.ldif
===================================================================
--- base/ca/shared/conf/acl.ldif (revision 2521)
+++ base/ca/shared/conf/acl.ldif (working copy)
@@ -6,7 +6,7 @@
resourceACLS: certServer.policy.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents and auditors are allowed to read policy configuration but only administrators allowed to modify
resourceACLS: certServer.acl.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents and auditors are allowed to read ACL configuration but only administrators allowed to modify
resourceACLS: certServer.log.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents";allow (modify) group="Administrators":Administrators, Agents, and auditors are allowed to read the log configuration but only administrators are allowed to modify
-resourceACLS: certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml
+resourceACLS: certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml
resourceACLS: certServer.log.configuration.fileName:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" ;deny (modify) user=anybody:Nobody is allowed to modify a fileName parameter
#resourceACLS: certServer.log.configuration.signedAudit.expirationTime:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents";deny (modify) user=anybody:Nobody is allowed to modify an expirationTime parameter.
resourceACLS: certServer.log.content.signedAudit:read:allow (read) group="Auditors":Only auditor is allowed to read the signed audit log
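Review bot: The widened modify rule on `certServer.securitydomain.domainxml` gives every Enterprise Administrators group (CA, KRA, RA, OCSP, TKS, TPS) the right to add or remove any entry in the security domain, not only entries of its own subsystem type, because as far as this diff shows the servlet authorises against the single resourceID for the whole domain.xml. If that cross-subsystem scope is intended, state it in the ACL description, e.g. `... only Subsystem group and Enterprise Administrators of any subsystem type are allowed to modify the domain.xml`; if it is not, authorisation would need a narrower resource per subsystem type. The anonymous read (`user="anybody"`) is unchanged and still exposes the domain topology to unauthenticated clients — pre-existing, but worth re-evaluating now that the write side is being opened to human administrator groups.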
Index: base/common/src/com/netscape/cms/authentication/TokenAuthentication.java
===================================================================
--- base/common/src/com/netscape/cms/authentication/TokenAuthentication.java (revision 2521)
+++ base/common/src/com/netscape/cms/authentication/TokenAuthentication.java (working copy)
@@ -132,7 +132,7 @@
// force SSL handshake
SessionContext context = SessionContext.getExistingContext();
- // retreive certificate from socket
+ // retrieve certificate from socket
AuthToken authToken = new AuthToken(this);
// get group name from configuration file
@@ -140,30 +140,35 @@
String sessionId = (String)authCred.get(CRED_SESSION_ID);
String givenHost = (String)authCred.get("clientHost");
- String auth_host = sconfig.getString("securitydomain.host");
- int auth_port = sconfig.getInteger("securitydomain.httpseeport");
+ String authHost = sconfig.getString("securitydomain.host");
+ int authAdminPort = sconfig.getInteger("securitydomain.httpsadminport");
+ int authEEPort = sconfig.getInteger("securitydomain.httpseeport");
+ String authURL = "/ca/admin/ca/tokenAuthenticate";
- HttpClient httpclient = new HttpClient();
+ String content = CRED_SESSION_ID + "=" + sessionId + "&hostname=" + givenHost;
+ CMS.debug("TokenAuthentication: content=" + content);
+
String c = null;
try {
- JssSSLSocketFactory factory = new JssSSLSocketFactory();
- httpclient = new HttpClient(factory);
- String content = CRED_SESSION_ID+"="+sessionId+"&hostname="+givenHost;
- CMS.debug("TokenAuthentication: content=" + content);
- httpclient.connect(auth_host, auth_port);
- HttpRequest httprequest = new HttpRequest();
- httprequest.setMethod(HttpRequest.POST);
- httprequest.setURI("/ca/ee/ca/tokenAuthenticate");
- httprequest.setHeader("user-agent", "HTTPTool/1.0");
- httprequest.setHeader("content-length", "" + content.length());
- httprequest.setHeader("content-type",
- "application/x-www-form-urlencoded");
- httprequest.setContent(content);
- HttpResponse httpresponse = httpclient.send(httprequest);
-
- c = httpresponse.getContent();
+ c = sendAuthRequest(authHost, authAdminPort, authURL, content);
+ // in case where the new interface does not exist, EE will return a badly
+ // formatted response which will throw an exception during parsing
+ if (c != null) {
+ @SuppressWarnings("unused")
+ XMLObject parser = new XMLObject(new ByteArrayInputStream(c.getBytes()));
+ }
} catch (Exception e) {
- CMS.debug("TokenAuthentication authenticate Exception="+e.toString());
+ CMS.debug("TokenAuthenticate: failed to contact admin host:port "
+ + authHost + ":" + authAdminPort + " " + e);
+ CMS.debug("TokenAuthenticate: attempting ee port " + authEEPort);
+ authURL = "/ca/ee/ca/tokenAuthenticate";
+ try {
+ c = sendAuthRequest(authHost, authAdminPort, authURL, content);
+ } catch (IOException e1) {
+ CMS.debug("TokenAuthenticate: failed to contact EE host:port "
+ + authHost + ":" + authAdminPort + " " + e1);
+ throw new EBaseException(e1.getMessage());
+ }
}
if (c != null) {
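Review bot: The fallback in the catch block ("attempting ee port") still connects to `authAdminPort`: the retry should be `c = sendAuthRequest(authHost, authEEPort, authURL, content);` and its failure message should print `authHost + ":" + authEEPort` — as written, the EE-port retry against an older security-domain CA just repeats the failed admin-port connection and `authEEPort` is never used. Separately, `CMS.debug("TokenAuthentication: content=" + content)` writes the session ID, which is the bearer credential TokenAuth relies on, into the debug log; log only the host, e.g. `CMS.debug("TokenAuthentication: authenticating host=" + givenHost);`. `sessionId` and `givenHost` are also concatenated into the form body without URL-encoding; they are presumably plain ASCII tokens, but `URLEncoder.encode(..., "UTF-8")` would make that robust. The enclosing authenticate() method begins before and ends after this hunk.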
@@ -208,6 +213,29 @@
return authToken;
}
+ private String sendAuthRequest(String authHost, int authPort, String authUrl, String content)
+ throws IOException {
+ HttpClient httpclient = new HttpClient();
+ String c = null;
+
+ JssSSLSocketFactory factory = new JssSSLSocketFactory();
+ httpclient = new HttpClient(factory);
+ httpclient.connect(authHost, authPort);
+ HttpRequest httprequest = new HttpRequest();
+ httprequest.setMethod(HttpRequest.POST);
+ httprequest.setURI(authUrl);
+ httprequest.setHeader("user-agent", "HTTPTool/1.0");
+ httprequest.setHeader("content-length", "" + content.length());
+ httprequest.setHeader("content-type",
+ "application/x-www-form-urlencoded");
+ httprequest.setContent(content);
+
+ HttpResponse httpresponse = httpclient.send(httprequest);
+ c = httpresponse.getContent();
+
+ return c;
+ }
+
/**
* get the list of authentication credential attribute names
* required by this authentication manager. Generally used by
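Review bot: In sendAuthRequest the first `HttpClient httpclient = new HttpClient();` is dead, being replaced on the next line but one by `new HttpClient(factory)`; collapse it to `HttpClient httpclient = new HttpClient(new JssSSLSocketFactory());`. The `content-length` header is computed from `content.length()` (a char count) while the body goes out as bytes, which agrees only for ASCII content; `content.getBytes(StandardCharsets.UTF_8).length` — or whichever charset HttpRequest uses on the wire, which is not visible here — is the safer value. Nothing closes or disconnects the client after `send`; if HttpClient holds the socket open, a try/finally around the request should release it — I cannot see the HttpClient API to confirm. A one-line Javadoc would also help: `/** POSTs {@code content} to {@code authUrl} on the security-domain CA over JSS SSL and returns the raw response body (may be null). */`.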
Index: base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
===================================================================
--- base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java (revision 2521)
+++ base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java (working copy)
@@ -381,20 +381,30 @@
if (owneeclientauthsport != null)
eecaStr="&eeclientauthsport=" + owneeclientauthsport;
- updateDomainXML( sd_host, sd_agent_port_int, true,
- "/ca/agent/ca/updateDomainXML",
- "list=" + s
+ String url = "/ca/admin/ca/updateDomainXML";
+ String content = "list=" + s
+ "&type=" + type
+ "&host=" + ownhost
+ "&name=" + subsystemName
+ "&sport=" + ownsport
- + domainMasterStr
+ + domainMasterStr
+ cloneStr
+ "&agentsport=" + ownagentsport
+ "&adminsport=" + ownadminsport
- + eecaStr
- + "&httpport=" + ownport );
+ + eecaStr
+ + "&httpport=" + ownport;
+ try {
+ content += "&sessionID="+ CMS.getConfigSDSessionId();
+ updateDomainXML(sd_host, sd_admin_port_int, true, url, content, false);
+ } catch (Exception e) {
+ CMS.debug("DonePanel: failed to update security domain using admin port "
+ + sd_admin_port + ": " + e);
+ CMS.debug("updateSecurityDomain: now trying agent port with client auth");
+ url = "/ca/agent/ca/updateDomainXML";
+ updateDomainXML(sd_host, sd_agent_port_int, true, url, content, true);
+ }
+
// Fetch the "updated" security domain and display it
CMS.debug( "Dump contents of updated Security Domain . . ." );
String c = getDomainXML( sd_host, sd_admin_port_int, true );
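Review bot: The `catch (Exception e)` around the admin-port attempt retries via the agent port without recording the first failure's stack trace, and if the retry also fails its exception propagates with no trace that the admin path failed first; add `CMS.debug(e);` in the catch so the original cause is preserved. The retry also re-sends the same `content`, including the `sessionID` parameter, to `/ca/agent/ca/updateDomainXML`, where client-cert auth is used and the session ID is not needed — append `sessionID` only when building the admin request so the credential is not sent to an interface that does not consume it. The fallback fires on any exception, including one raised after the admin servlet has already applied the update, so the update may be applied twice; presumably harmless if the servlet is idempotent, but worth confirming. The enclosing method continues after this hunk.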
Index: base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
===================================================================
--- base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java (revision 2521)
+++ base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java (working copy)
@@ -234,25 +234,29 @@
}
public void updateDomainXML(String hostname, int port, boolean https,
- String servlet, String uri) throws IOException {
+ String servlet, String uri, boolean useClientAuth) throws IOException {
CMS.debug("WizardPanelBase updateDomainXML start hostname=" + hostname + " port=" + port);
- IConfigStore cs = CMS.getConfigStore();
- String nickname = "";
- String tokenname = "";
- try {
- nickname = cs.getString("preop.cert.subsystem.nickname", "");
- tokenname = cs.getString("preop.module.token", "");
- } catch (Exception e) {}
+ String c = null;
+ if (useClientAuth) {
+ IConfigStore cs = CMS.getConfigStore();
+ String nickname = "";
+ String tokenname = "";
+ try {
+ nickname = cs.getString("preop.cert.subsystem.nickname", "");
+ tokenname = cs.getString("preop.module.token", "");
+ } catch (Exception e) {}
- if (!tokenname.equals("") &&
- !tokenname.equals("Internal Key Storage Token") &&
- !tokenname.equals("internal")) {
- nickname = tokenname+":"+nickname;
- }
+ if (!tokenname.equals("") &&
+ !tokenname.equals("Internal Key Storage Token") &&
+ !tokenname.equals("internal")) {
+ nickname = tokenname+":"+nickname;
+ }
- CMS.debug("WizardPanelBase updateDomainXML nickname=" + nickname);
- CMS.debug("WizardPanelBase: start sending updateDomainXML request");
- String c = getHttpResponse(hostname, port, https, servlet, uri, nickname);
+ CMS.debug("WizardPanelBase updateDomainXML nickname=" + nickname);
+ c = getHttpResponse(hostname, port, https, servlet, uri, nickname);
+ } else {
+ c = getHttpResponse(hostname, port, https, servlet, uri, null);
+ }
CMS.debug("WizardPanelBase: done sending updateDomainXML request");
if (c != null) {
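Review bot: updateDomainXML gains a `boolean useClientAuth` parameter and the old five-argument signature disappears, so any caller outside this diff (other subsystems' panels, if they share WizardPanelBase, which I cannot see here) would stop compiling; keep a delegating overload `public void updateDomainXML(String hostname, int port, boolean https, String servlet, String uri) throws IOException { updateDomainXML(hostname, port, https, servlet, uri, true); }` so the previous client-cert behaviour remains the default. The `try { ... } catch (Exception e) {}` around the config reads silently leaves `nickname` empty, after which getHttpResponse is asked to do client auth with no certificate; at least `CMS.debug(e)` there, or fail early when `useClientAuth` is true and `nickname` is still empty. The method's body continues past the hunk.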
@@ -616,7 +620,7 @@
config.putString("preop.internaldb.master.replicationpwd", v);
} else if (name.equals("instanceId")) {
config.putString("preop.master.instanceId", v);
- } else if (name.equals("cloning.cert.signing.nickname")) {
+ } else if (name.equals("cloning.signing.nickname")) {
config.putString("preop.master.signing.nickname", v);
config.putString("preop.cert.signing.nickname", v);
} else if (name.equals("cloning.ocsp_signing.nickname")) {
@@ -769,11 +773,11 @@
}
}
- public void updateNumberRange(String hostname, int port, boolean https,
+ public void updateNumberRange(String hostname, int eePort, int adminPort, boolean https,
String content, String type, HttpServletResponse response)
throws IOException {
CMS.debug("WizardPanelBase updateNumberRange start host=" + hostname +
- " port=" + port);
+ " adminPort=" + adminPort + " eePort=" + eePort);
IConfigStore cs = CMS.getConfigStore();
String cstype = "";
try {
@@ -782,61 +786,69 @@
}
cstype = toLowerCaseSubsystemType(cstype);
- String c = getHttpResponse(hostname, port, https,
- "/"+cstype+"/ee/"+cstype+"/updateNumberRange", content, null);
- if (c == null || c.equals("")) {
- CMS.debug("WizardPanelBase updateNumberRange: content is null.");
- throw new IOException("The server you want to contact is not available");
- } else {
- CMS.debug("content="+c);
- try {
- ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes());
- XMLObject parser = null;
+ String serverPath = "/" + cstype + "/admin/" + cstype + "/updateNumberRange";
+ String c = null;
+ XMLObject parser = null;
+ try {
+ c = getHttpResponse(hostname, adminPort, https, serverPath, content, null, null);
+ if (c == null || c.equals("")) {
+ CMS.debug("updateNumberRange: content is null.");
+ throw new IOException("The server you want to contact is not available");
+ }
+ CMS.debug("content from admin interface ="+ c);
+ // when the admin servlet is unavailable, we return a badly formatted error page
+ // in that case, this will throw an exception and be passed into the catch block.
+ parser = new XMLObject(new ByteArrayInputStream(c.getBytes()));
+ } catch (Exception e) {
+ // for backward compatibility, try the old ee interface too
+ CMS.debug("updateNumberRange: Failed to contact master using admin port" + e);
+ CMS.debug("updateNumberRange: Attempting to contact master using EE port");
+ serverPath = "/" + cstype + "/ee/" + cstype + "/updateNumberRange";
+ c = getHttpResponse(hostname, eePort, https, serverPath, content, null, null);
+ if (c == null || c.equals("")) {
+ CMS.debug("updateNumberRange: content is null.");
+ throw new IOException("The server you want to contact is not available");
+ }
+ CMS.debug("content from ee interface =" + c);
+ }
- try {
- parser = new XMLObject(bis);
- } catch (Exception e) {
- CMS.debug( "WizardPanelBase::updateNumberRange() - "
- + "Exception="+e.toString() );
- throw new IOException( e.toString() );
+ try {
+ parser = new XMLObject(new ByteArrayInputStream(c.getBytes()));
+ String status = parser.getValue("Status");
+
+ CMS.debug("WizardPanelBase updateNumberRange: status=" + status);
+ if (status.equals(SUCCESS)) {
+ String beginNum = parser.getValue("beginNumber");
+ String endNum = parser.getValue("endNumber");
+ if (type.equals("request")) {
+ cs.putString("dbs.beginRequestNumber", beginNum);
+ cs.putString("dbs.endRequestNumber", endNum);
+ } else if (type.equals("serialNo")) {
+ cs.putString("dbs.beginSerialNumber", beginNum);
+ cs.putString("dbs.endSerialNumber", endNum);
+ } else if (type.equals("replicaId")) {
+ cs.putString("dbs.beginReplicaNumber", beginNum);
+ cs.putString("dbs.endReplicaNumber", endNum);
}
+ // enable serial number management in clone
+ cs.putString("dbs.enableSerialManagement", "true");
+ cs.commit(false);
+ } else if (status.equals(AUTH_FAILURE)) {
+ reloginSecurityDomain(response);
+ return;
+ } else {
+ String error = parser.getValue("Error");
- String status = parser.getValue("Status");
-
- CMS.debug("WizardPanelBase updateNumberRange: status=" + status);
- if (status.equals(SUCCESS)) {
- String beginNum = parser.getValue("beginNumber");
- String endNum = parser.getValue("endNumber");
- if (type.equals("request")) {
- cs.putString("dbs.beginRequestNumber", beginNum);
- cs.putString("dbs.endRequestNumber", endNum);
- } else if (type.equals("serialNo")) {
- cs.putString("dbs.beginSerialNumber", beginNum);
- cs.putString("dbs.endSerialNumber", endNum);
- } else if (type.equals("replicaId")) {
- cs.putString("dbs.beginReplicaNumber", beginNum);
- cs.putString("dbs.endReplicaNumber", endNum);
- }
- // enable serial number management in clone
- cs.putString("dbs.enableSerialManagement", "true");
- cs.commit(false);
- } else if (status.equals(AUTH_FAILURE)) {
- reloginSecurityDomain(response);
- return;
- } else {
- String error = parser.getValue("Error");
-
- throw new IOException(error);
- }
- } catch (IOException e) {
- CMS.debug("WizardPanelBase: updateNumberRange: " + e.toString());
- CMS.debug(e);
- throw e;
- } catch (Exception e) {
- CMS.debug("WizardPanelBase: updateNumberRange: " + e.toString());
- CMS.debug(e);
- throw new IOException(e.toString());
- }
+ throw new IOException(error);
+ }
+ } catch (IOException e) {
+ CMS.debug("WizardPanelBase: updateNumberRange: " + e.toString());
+ CMS.debug(e);
+ throw e;
+ } catch (Exception e) {
+ CMS.debug("WizardPanelBase: updateNumberRange: " + e.toString());
+ CMS.debug(e);
+ throw new IOException(e.toString());
}
}
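Review bot: In updateNumberRange the admin-path response is parsed twice — `parser = new XMLObject(...)` inside the first try and again unconditionally at the top of the second try — and the first result is discarded; guard the second parse with `if (parser == null) { parser = new XMLObject(new ByteArrayInputStream(c.getBytes())); }` (parser is always null when the catch block ran, since that assignment never completed). More importantly, the `catch (Exception e)` that triggers the EE-port fallback also catches a parse failure of a genuine admin-port reply, so a truncated or malformed response from a master that has already handed out a range leads to a second range request on the EE port; if the master allocates before responding (not visible here) that burns a range on every such glitch, so consider falling back only when the admin connection itself failed, by catching the IOException from getHttpResponse separately from the parse. Minor: the debug string `"... using admin port" + e` lacks a separator before the exception text.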
@@ -1305,119 +1317,6 @@
return x;
}
- public void getTokenInfo(IConfigStore config, String type, String host,
- int https_ee_port, boolean https, Context context,
- ConfigCertApprovalCallback certApprovalCallback) throws IOException {
- CMS.debug("WizardPanelBase getTokenInfo start");
- String uri = "/"+type+"/ee/"+type+"/getTokenInfo";
- CMS.debug("WizardPanelBase getTokenInfo: uri="+uri);
- String c = getHttpResponse(host, https_ee_port, https, uri, null, null,
- certApprovalCallback);
- if (c != null) {
- try {
- ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes());
- XMLObject parser = null;
-
- try {
- parser = new XMLObject(bis);
- } catch (Exception e) {
- CMS.debug( "WizardPanelBase::getTokenInfo() - "
- + "Exception="+e.toString() );
- throw new IOException( e.toString() );
- }
-
- String status = parser.getValue("Status");
-
- CMS.debug("WizardPanelBase getTokenInfo: status=" + status);
-
- if (status.equals(SUCCESS)) {
- Document doc = parser.getDocument();
- NodeList list = doc.getElementsByTagName("name");
- int len = list.getLength();
- for (int i=0; i 0)
- v = n2.item(0).getNodeValue();
- break;
- }
- }
- if (name.equals("cloning.signing.nickname")) {
- config.putString("preop.master.signing.nickname", v);
- config.putString(type + ".cert.signing.nickname", v);
- config.putString(name, v);
- } else if (name.equals("cloning.ocsp_signing.nickname")) {
- config.putString("preop.master.ocsp_signing.nickname", v);
- config.putString(type + ".cert.ocsp_signing.nickname", v);
- config.putString(name, v);
- } else if (name.equals("cloning.subsystem.nickname")) {
- config.putString("preop.master.subsystem.nickname", v);
- config.putString(type + ".cert.subsystem.nickname", v);
- config.putString(name, v);
- } else if (name.equals("cloning.transport.nickname")) {
- config.putString("preop.master.transport.nickname", v);
- config.putString("kra.transportUnit.nickName", v);
- config.putString("kra.cert.transport.nickname", v);
- config.putString(name, v);
- } else if (name.equals("cloning.storage.nickname")) {
- config.putString("preop.master.storage.nickname", v);
- config.putString("kra.storageUnit.nickName", v);
- config.putString("kra.cert.storage.nickname", v);
- config.putString(name, v);
- } else if (name.equals("cloning.audit_signing.nickname")) {
- config.putString("preop.master.audit_signing.nickname", v);
- config.putString(type + ".cert.audit_signing.nickname", v);
- config.putString(name, v);
- } else if (name.equals("cloning.module.token")) {
- config.putString("preop.module.token", v);
- } else if (name.startsWith("cloning.ca")) {
- config.putString(name.replaceFirst("cloning", "preop"), v);
- } else if (name.startsWith("cloning")) {
- config.putString(name.replaceFirst("cloning", "preop.cert"), v);
- } else {
- config.putString(name, v);
- }
- }
-
- // reset nicknames for system cert verification
- String token = config.getString("preop.module.token",
- "Internal Key Storage Token");
- if (! token.equals("Internal Key Storage Token")) {
- String certlist = config.getString("preop.cert.list");
-
- StringTokenizer t1 = new StringTokenizer(certlist, ",");
- while (t1.hasMoreTokens()) {
- String tag = t1.nextToken();
- if (tag.equals("sslserver")) continue;
- config.putString(type + ".cert." + tag + ".nickname",
- token + ":" +
- config.getString(type + ".cert." + tag + ".nickname", ""));
- }
- }
- } else {
- String error = parser.getValue("Error");
- throw new IOException(error);
- }
- } catch (IOException e) {
- CMS.debug("WizardPanelBase: getTokenInfo: " + e.toString());
- throw e;
- } catch (Exception e) {
- CMS.debug("WizardPanelBase: getTokenInfo: " + e.toString());
- throw new IOException(e.toString());
- }
- }
- }
-
public void importCertChain(String id) throws IOException {
CMS.debug("DisplayCertChainPanel importCertChain");
IConfigStore config = CMS.getConfigStore();
@@ -1443,6 +1342,7 @@
https, context, null );
}
+
public void updateCertChain(IConfigStore config, String name, String host,
int https_admin_port, boolean https, Context context,
ConfigCertApprovalCallback certApprovalCallback) throws IOException {
@@ -1488,53 +1388,6 @@
}
}
- public void updateCertChainUsingSecureEEPort( IConfigStore config,
- String name, String host,
- int https_ee_port,
- boolean https,
- Context context,
- ConfigCertApprovalCallback certApprovalCallback ) throws IOException {
- String certchain = getCertChainUsingSecureEEPort( host, https_ee_port,
- https,
- certApprovalCallback);
- config.putString("preop."+name+".pkcs7", certchain);
-
- byte[] decoded = CryptoUtil.base64Decode(certchain);
- java.security.cert.X509Certificate[] b_certchain = null;
-
- try {
- b_certchain = CryptoUtil.getX509CertificateFromPKCS7(decoded);
- } catch (Exception e) {
- context.put("errorString",
- "Failed to get the certificate chain.");
- return;
- }
-
- int size = 0;
- if (b_certchain != null) {
- size = b_certchain.length;
- }
- config.putInteger("preop."+name+".certchain.size", size);
- for (int i = 0; i < size; i++) {
- byte[] bb = null;
-
- try {
- bb = b_certchain[i].getEncoded();
- } catch (Exception e) {
- context.put("errorString",
- "Failed to get the der-encoded certificate chain.");
- return;
- }
- config.putString("preop."+name+".certchain." + i,
- CryptoUtil.normalizeCertStr(CryptoUtil.base64Encode(bb)));
- }
-
- try {
- config.commit(false);
- } catch (EBaseException e) {
- }
- }
-
public void deleteCert(String tokenname, String nickname) {
try {
CryptoManager cm = CryptoManager.getInstance();
Index: base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java
===================================================================
--- base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java (revision 2521)
+++ base/common/src/com/netscape/cms/servlet/csadmin/CAInfoPanel.java (working copy)
@@ -1,328 +0,0 @@
-// --- BEGIN COPYRIGHT BLOCK ---
-// This program is free software; you can redistribute it and/or modify
-// it under the terms of the GNU General Public License as published by
-// the Free Software Foundation; version 2 of the License.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-//
-// (C) 2007 Red Hat, Inc.
-// All rights reserved.
-// --- END COPYRIGHT BLOCK ---
-package com.netscape.cms.servlet.csadmin;
-
-
-import org.apache.velocity.Template;
-import org.apache.velocity.servlet.VelocityServlet;
-import org.apache.velocity.app.Velocity;
-import org.apache.velocity.context.Context;
-import org.xml.sax.*;
-import com.netscape.certsrv.base.*;
-import com.netscape.certsrv.apps.*;
-import com.netscape.certsrv.property.*;
-import com.netscape.certsrv.usrgrp.*;
-import com.netscape.certsrv.template.*;
-import com.netscape.certsrv.property.*;
-import com.netscape.certsrv.ca.*;
-import com.netscape.cmsutil.xml.*;
-import com.netscape.cmsutil.crypto.*;
-import java.io.*;
-import java.util.*;
-import java.net.*;
-import javax.servlet.*;
-import javax.servlet.http.*;
-import netscape.ldap.*;
-import com.netscape.cmsutil.http.*;
-import org.mozilla.jss.*;
-import org.mozilla.jss.crypto.*;
-import org.mozilla.jss.asn1.*;
-
-import com.netscape.cms.servlet.wizard.*;
-
-public class CAInfoPanel extends WizardPanelBase {
-
- public CAInfoPanel() {}
-
- /**
- * Initializes this panel.
- */
- public void init(ServletConfig config, int panelno)
- throws ServletException {
- setPanelNo(panelno);
- setName("CA Information");
- }
-
- public void init(WizardServlet servlet, ServletConfig config, int panelno, String id)
- throws ServletException {
- setPanelNo(panelno);
- setName("CA Information");
- setId(id);
- }
-
- public void cleanUp() throws IOException {
- IConfigStore cs = CMS.getConfigStore();
- cs.putString("preop.ca.type", "");
- }
-
- public boolean shouldSkip() {
- IConfigStore cs = CMS.getConfigStore();
- try {
- String s = cs.getString("preop.subsystem.select", "");
- if (s.equals("clone"))
- return true;
- } catch (Exception e) {
- }
- return false;
- }
-
- public boolean isPanelDone() {
- IConfigStore cs = CMS.getConfigStore();
- try {
- String s = cs.getString("preop.ca.type", "");
- if (s == null || s.equals("")) {
- return false;
- } else {
- return true;
- }
- } catch (Exception e) {}
-
- return false;
- }
-
- public PropertySet getUsage() {
- PropertySet set = new PropertySet();
-
- return set;
- }
-
- /**
- * Display the panel.
- */
- public void display(HttpServletRequest request,
- HttpServletResponse response,
- Context context) {
- CMS.debug("CAInfoPanel: display");
-
- IConfigStore cs = CMS.getConfigStore();
- String hostname = "";
- String httpport = "";
- String httpsport = "";
-
- if (isPanelDone()) {
- String type = "sdca";
-
- try {
- type = cs.getString("preop.ca.type");
- } catch (Exception e) {
- CMS.debug("CAInfoPanel exception: " + e.toString());
- return;
- }
-
- try {
- hostname = cs.getString("preop.ca.hostname");
- } catch (Exception e) {}
-
- try {
- httpport = cs.getString("preop.ca.httpport");
- } catch (Exception e) {}
-
- try {
- httpsport = cs.getString("preop.ca.httpsport");
- } catch (Exception e) {}
-
- if (type.equals("sdca")) {
- context.put("check_sdca", "checked");
- context.put("check_otherca", "");
- } else if (type.equals("otherca")) {
- context.put("check_sdca", "");
- context.put("check_otherca", "checked");
- }
- } else {
- context.put("check_sdca", "checked");
- context.put("check_otherca", "");
- }
-
- String cstype = "CA";
- String portType = "SecurePort";
-
-/*
- try {
- cstype = cs.getString("cs.type", "");
- } catch (EBaseException e) {}
-*/
-
- CMS.debug("CAInfoPanel: Ready to get url");
- Vector v = getUrlListFromSecurityDomain(cs, cstype, portType);
- v.addElement("External CA");
- StringBuffer list = new StringBuffer();
- int size = v.size();
-
- for (int i = 0; i < size; i++) {
- if (i == size - 1) {
- list.append(v.elementAt(i));
- } else {
- list.append(v.elementAt(i));
- list.append(",");
- }
- }
-
- try {
- cs.putString("preop.ca.list", list.toString());
- cs.commit(false);
- } catch (Exception e) {}
-
- context.put("urls", v);
-
- context.put("sdcaHostname", hostname);
- context.put("sdcaHttpPort", httpport);
- context.put("sdcaHttpsPort", httpsport);
- context.put("title", "CA Information");
- context.put("panel", "admin/console/config/cainfopanel.vm");
- context.put("errorString", "");
- }
-
- /**
- * Checks if the given parameters are valid.
- */
- public void validate(HttpServletRequest request,
- HttpServletResponse response,
- Context context) throws IOException {
- IConfigStore config = CMS.getConfigStore();
- }
-
- /**
- * Commit parameter changes
- */
- public void update(HttpServletRequest request,
- HttpServletResponse response,
- Context context) throws IOException {
-
- /*
- String select = request.getParameter("choice");
- if (select == null) {
- CMS.debug("CAInfoPanel: choice not found");
- throw new IOException("choice not found");
- }
- */
- IConfigStore config = CMS.getConfigStore();
-
- try {
- String subsystemselect = config.getString("preop.subsystem.select", "");
- if (subsystemselect.equals("clone"))
- return;
- } catch (Exception e) {
- }
-
- String select = null;
- String index = request.getParameter("urls");
- String url = "";
- if (index.startsWith("http")) {
- // user may submit url directlry
- url = index;
- } else {
- try {
- int x = Integer.parseInt(index);
- String list = config.getString("preop.ca.list", "");
- StringTokenizer tokenizer = new StringTokenizer(list, ",");
- int counter = 0;
-
- while (tokenizer.hasMoreTokens()) {
- url = tokenizer.nextToken();
- if (counter == x) {
- break;
- }
- counter++;
- }
- } catch (Exception e) {}
- }
-
- URL urlx = null;
-
- if (url.equals("External CA")) {
- select = "otherca";
- config.putString("preop.ca.pkcs7", "");
- config.putInteger("preop.ca.certchain.size", 0);
- } else {
- select = "sdca";
-
- // parse URL (CA1 - https://...)
- url = url.substring(url.indexOf("https"));
- urlx = new URL(url);
- }
-
- ISubsystem subsystem = CMS.getSubsystem(ICertificateAuthority.ID);
-
- if (select.equals("sdca")) {
- config.putString("preop.ca.type", "sdca");
- CMS.debug("CAInfoPanel update: this is the CA in the security domain.");
- context.put("check_sdca", "checked");
- sdca(request, context, urlx.getHost(),
- Integer.toString(urlx.getPort()));
- if (subsystem != null) {
- config.putString(PCERT_PREFIX + "signing.type", "remote");
- config.putString(PCERT_PREFIX + "signing.profile",
- "caInstallCACert");
- }
- } else if (select.equals("otherca")) {
- config.putString("preop.ca.type", "otherca");
- context.put("check_otherca", "checked");
- if (subsystem != null) {
- config.putString(PCERT_PREFIX + "signing.type", "remote");
- }
- CMS.debug("CAInfoPanel update: this is the other CA.");
- }
-
- try {
- config.commit(false);
- } catch (Exception e) {}
- }
-
- private void sdca(HttpServletRequest request, Context context, String hostname, String httpsPortStr) throws IOException {
- CMS.debug("CAInfoPanel update: this is the CA in the security domain.");
- IConfigStore config = CMS.getConfigStore();
-
- context.put("sdcaHostname", hostname);
- context.put("sdcaHttpsPort", httpsPortStr);
-
- if (hostname == null || hostname.length() == 0) {
- context.put("errorString", "Hostname is null");
- throw new IOException("Hostname is null");
- }
-
- int httpsport = -1;
-
- try {
- httpsport = Integer.parseInt(httpsPortStr);
- } catch (Exception e) {
- CMS.debug(
- "CAInfoPanel update: Https port is not valid. Exception: "
- + e.toString());
- throw new IOException("Http Port is not valid.");
- }
-
- config.putString("preop.ca.hostname", hostname);
- config.putString("preop.ca.httpsport", httpsPortStr);
- ConfigCertApprovalCallback certApprovalCallback = new ConfigCertApprovalCallback();
- updateCertChainUsingSecureEEPort( config, "ca", hostname,
- httpsport, true, context,
- certApprovalCallback );
- }
-
- /**
- * If validiate() returns false, this method will be called.
- */
- public void displayError(HttpServletRequest request,
- HttpServletResponse response,
- Context context) {
-
- /* This should never be called */
- context.put("title", "CA Information");
- context.put("panel", "admin/console/config/cainfopanel.vm");
- }
-}
Index: base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
===================================================================
--- base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java (revision 2521)
+++ base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java (working copy)
@@ -107,8 +107,8 @@
return status;
}
- private String modify_ldap(String dn, LDAPModification mod) {
- CMS.debug("UpdateDomainXML: modify_ldap: starting dn: " + dn);
+ private String remove_attribute(String dn, LDAPModification mod) {
+ CMS.debug("UpdateDomainXML: remove_attribute: starting dn: " + dn);
String status = SUCCESS;
ILdapConnFactory connFactory = null;
LDAPConnection conn = null;
@@ -121,7 +121,8 @@
conn = connFactory.getConn();
conn.modify(dn, mod);
} catch (LDAPException e) {
- if (e.getLDAPResultCode() != LDAPException.NO_SUCH_OBJECT) {
+ int errorCode = e.getLDAPResultCode();
+ if ((errorCode != LDAPException.NO_SUCH_OBJECT)&& (errorCode != LDAPException.NO_SUCH_ATTRIBUTE)) {
status = FAILED;
CMS.debug("Failed to modify entry" + e.toString());
}
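Review bot: Treating NO_SUCH_ATTRIBUTE as success is correct only for a DELETE modification, yet `remove_attribute` still accepts any `LDAPModification`, so an ADD or REPLACE that fails with that code would now be reported as SUCCESS and, at the call site in the next hunk, audited as a successful role change. Either enforce the contract the new name implies — `if (mod.getOp() != LDAPModification.DELETE) { throw new IllegalArgumentException("remove_attribute expects a DELETE modification"); }` — or keep the general name. The unchanged debug line `"Failed to modify entry" + e.toString()` also lacks a separator and omits the dn that the entry trace logs; `"UpdateDomainXML: remove_attribute: failed for dn " + dn + ": " + e` would keep the two messages consistent. The method's connection cleanup and return continue past the hunk.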
@@ -380,7 +381,7 @@
dn = "cn=Subsystem Group, ou=groups," + basedn;
LDAPModification mod = new LDAPModification(LDAPModification.DELETE,
new LDAPAttribute("uniqueMember", adminUserDN));
- status2 = modify_ldap(dn, mod);
+ status2 = remove_attribute(dn, mod);
if (status2.equals(SUCCESS)) {
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
Index: base/common/src/com/netscape/cms/servlet/csadmin/GetTokenInfo.java
===================================================================
--- base/common/src/com/netscape/cms/servlet/csadmin/GetTokenInfo.java (revision 2521)
+++ base/common/src/com/netscape/cms/servlet/csadmin/GetTokenInfo.java (working copy)
@@ -1,147 +0,0 @@
-// --- BEGIN COPYRIGHT BLOCK ---
-// This program is free software; you can redistribute it and/or modify
-// it under the terms of the GNU General Public License as published by
-// the Free Software Foundation; version 2 of the License.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-//
-// (C) 2007 Red Hat, Inc.
-// All rights reserved.
-// --- END COPYRIGHT BLOCK ---
-package com.netscape.cms.servlet.csadmin;
-
-import java.io.*;
-import java.util.*;
-import javax.servlet.*;
-import java.security.cert.*;
-import javax.servlet.http.*;
-import com.netscape.certsrv.base.*;
-import com.netscape.certsrv.logging.*;
-import com.netscape.certsrv.apps.CMS;
-import com.netscape.certsrv.authentication.*;
-import com.netscape.certsrv.authorization.*;
-import com.netscape.cms.servlet.*;
-import com.netscape.cms.servlet.common.*;
-import com.netscape.cms.servlet.base.*;
-import com.netscape.cmsutil.xml.*;
-import com.netscape.cmsutil.password.*;
-import org.w3c.dom.*;
-
-public class GetTokenInfo extends CMSServlet {
-
- private final static String SUCCESS = "0";
- private final static String FAILED = "1";
-
- public GetTokenInfo() {
- super();
- }
-
- /**
- * initialize the servlet.
- * @param sc servlet configuration, read from the web.xml file
- */
- public void init(ServletConfig sc) throws ServletException {
- super.init(sc);
- CMS.debug("GetTokenInfo init");
- }
-
- /**
- * Process the HTTP request.
- *
- * - http.param op 'downloadBIN' - return the binary certificate chain
- *
- http.param op 'displayIND' - display pretty-print of certificate chain components
- *
- * @param cmsReq the object holding the request and response information
- */
- protected void process(CMSRequest cmsReq) throws EBaseException {
- HttpServletRequest httpReq = cmsReq.getHttpReq();
- HttpServletResponse httpResp = cmsReq.getHttpResp();
-
- // Construct an ArgBlock
- IArgBlock args = cmsReq.getHttpParams();
-
- XMLObject xmlObj = null;
- try {
- xmlObj = new XMLObject();
- } catch (Exception e) {
- CMS.debug("GetTokenInfo process: Exception: "+e.toString());
- throw new EBaseException( e.toString() );
- }
-
- Node root = xmlObj.createRoot("XMLResponse");
-
- IConfigStore config = CMS.getConfigStore();
-
- String certlist = "";
- try {
- certlist = config.getString("cloning.list");
- } catch (Exception e) {
- }
-
- StringTokenizer t1 = new StringTokenizer(certlist, ",");
- while (t1.hasMoreTokens()) {
- String name = t1.nextToken();
- if (name.equals("sslserver"))
- continue;
- name = "cloning."+name+".nickname";
- String value = "";
-
- try {
- value = config.getString(name);
- } catch (Exception ee) {
- continue;
- }
-
- Node container = xmlObj.createContainer(root, "Config");
- xmlObj.addItemToContainer(container, "name", name);
- xmlObj.addItemToContainer(container, "value", value);
- }
-
- String value = "";
- String name = "cloning.module.token";
- try {
- value = config.getString(name);
- } catch (Exception e) {
- }
-
- Node container = xmlObj.createContainer(root, "Config");
- xmlObj.addItemToContainer(container, "name", name);
- xmlObj.addItemToContainer(container, "value", value);
-
- try {
- xmlObj.addItemToContainer(root, "Status", SUCCESS);
- byte[] cb = xmlObj.toByteArray();
-
- outputResult(httpResp, "application/xml", cb);
- } catch (Exception e) {
- CMS.debug("Failed to send the XML output");
- }
- }
-
- /**
- * Retrieves locale based on the request.
- */
- protected Locale getLocale(HttpServletRequest req) {
- Locale locale = null;
- String lang = req.getHeader("accept-language");
-
- if (lang == null) {
- // use server locale
- locale = Locale.getDefault();
- } else {
- locale = new Locale(UserInfo.getUserLanguage(lang),
- UserInfo.getUserCountry(lang));
- }
- return locale;
- }
-
- protected void renderResult(CMSRequest cmsReq) throws IOException {// do nothing, ie, it will not return the default javascript.
- }
-}
Index: base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java
===================================================================
--- base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java (revision 2521)
+++ base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java (working copy)
@@ -434,7 +434,7 @@
*/
// for system certs verification
- if (!token.equals("Internal Key Storage Token") && !token.equals("")) {
+ if (!token.equals("Internal Key Storage Token") && !token.equals("")) {
config.putString(subsystem + ".cert." + certTag + ".nickname",
token + ":" + nickname);
} else {
@@ -870,7 +870,6 @@
config.commit(false);
} catch (Exception e) {}
-
CMS.debug("NamePanel: update() done");
}
@@ -928,14 +927,11 @@
httpsPortStr,
"CA" );
- int httpsport = -1;
-
+ int admin_port = -1;
try {
- httpsport = Integer.parseInt(httpsPortStr);
+ admin_port = Integer.parseInt(https_admin_port);
} catch (Exception e) {
- CMS.debug(
- "NamePanel update: Https port is not valid. Exception: "
- + e.toString());
+ CMS.debug("NamePanel update: Https port is not valid. Exception: " + e.toString());
throw new IOException("Https Port is not valid.");
}
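Review bot: The parse now reads `https_admin_port`, but both the debug line and the `IOException("Https Port is not valid.")` still talk about the https port, which sends an operator looking at the wrong field; change them to `"NamePanel update: Https admin port is not valid. Exception: " + e` and `throw new IOException("Https admin port is not valid.");`. With the old `Integer.parseInt(httpsPortStr)` gone, `httpsPortStr` is stored into `preop.ca.httpsport` in the next hunk without any validation; keep a parse of it if that value is meant to be numeric. `admin_port` also breaks the camelCase used by the surrounding code (`httpsPortStr`, `certApprovalCallback`). The enclosing method starts outside the hunk, and `https_admin_port` is presumably the value returned by the `getSecurityDomainAdminPort` call above it.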
@@ -943,9 +939,9 @@
config.putString("preop.ca.httpsport", httpsPortStr);
config.putString("preop.ca.httpsadminport", https_admin_port);
ConfigCertApprovalCallback certApprovalCallback = new ConfigCertApprovalCallback();
- updateCertChainUsingSecureEEPort( config, "ca", hostname,
- httpsport, true, context,
- certApprovalCallback );
+ updateCertChain(config, "ca", hostname, admin_port,
+ true, context, certApprovalCallback );
+
try {
CMS.debug("Importing CA chain");
importCertChain("ca");
Index: base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java
===================================================================
--- base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java (revision 2521)
+++ base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java (working copy)
@@ -198,43 +198,34 @@
throw new IOException("choice not found");
}
- config.putString("preop.subsystem.name",
- HttpInput.getName(request, "subsystemName"));
- if (select.equals("newsubsystem")) {
- config.putString("preop.subsystem.select", "new");
- config.putString("subsystem.select", "New");
- } else if (select.equals("clonesubsystem")) {
- String cstype = "";
- try {
- cstype = config.getString("cs.type", "");
- } catch (Exception e) {
- }
-
- cstype = toLowerCaseSubsystemType(cstype);
+ try {
+ config.putString("preop.subsystem.name",
+ HttpInput.getName(request, "subsystemName"));
+ if (select.equals("newsubsystem")) {
+ config.putString("preop.subsystem.select", "new");
+ config.putString("subsystem.select", "New");
+ } else if (select.equals("clonesubsystem")) {
+ String cstype = config.getString("cs.type", "");
+ cstype = toLowerCaseSubsystemType(cstype);
- config.putString("preop.subsystem.select", "clone");
- config.putString("subsystem.select", "Clone");
+ config.putString("preop.subsystem.select", "clone");
+ config.putString("subsystem.select", "Clone");
- String lists = "";
- try {
- lists = config.getString("preop.cert.list", "");
- } catch (Exception ee) {
- }
+ String lists = config.getString("preop.cert.list", "");
- StringTokenizer t = new StringTokenizer(lists, ",");
- while (t.hasMoreTokens()) {
- String tag = t.nextToken();
- if (tag.equals("sslserver"))
- config.putBoolean(PCERT_PREFIX+tag+".enable", true);
- else
- config.putBoolean(PCERT_PREFIX+tag+".enable", false);
- }
+ StringTokenizer t = new StringTokenizer(lists, ",");
+ while (t.hasMoreTokens()) {
+ String tag = t.nextToken();
+ if (tag.equals("sslserver"))
+ config.putBoolean(PCERT_PREFIX+tag+".enable", true);
+ else
+ config.putBoolean(PCERT_PREFIX+tag+".enable", false);
+ }
- // get the master CA
- String index = request.getParameter("urls");
- String url = "";
+ // get the master CA
+ String index = request.getParameter("urls");
+ String url = "";
- try {
int x = Integer.parseInt(index);
String list = config.getString("preop.master.list", "");
StringTokenizer tokenizer = new StringTokenizer(list, ",");
@@ -247,44 +238,41 @@
}
counter++;
}
- } catch (Exception e) {
- }
- url = url.substring(url.indexOf("http"));
+ url = url.substring(url.indexOf("http"));
- URL u = new URL(url);
- String host = u.getHost();
- int https_ee_port = u.getPort();
+ URL u = new URL(url);
+ String host = u.getHost();
+ int https_ee_port = u.getPort();
- String https_admin_port = getSecurityDomainAdminPort( config,
- host,
- String.valueOf(https_ee_port),
- cstype );
+ String https_admin_port = getSecurityDomainAdminPort( config,
+ host,
+ String.valueOf(https_ee_port),
+ cstype );
- config.putString("preop.master.hostname", host);
- config.putInteger("preop.master.httpsport", https_ee_port);
- config.putString("preop.master.httpsadminport", https_admin_port);
+ config.putString("preop.master.hostname", host);
+ config.putInteger("preop.master.httpsport", https_ee_port);
+ config.putString("preop.master.httpsadminport", https_admin_port);
- ConfigCertApprovalCallback certApprovalCallback = new ConfigCertApprovalCallback();
- if (cstype.equals("ca")) {
- updateCertChainUsingSecureEEPort( config, "clone", host, https_ee_port,
+ ConfigCertApprovalCallback certApprovalCallback = new ConfigCertApprovalCallback();
+ if (cstype.equals("ca")) {
+ updateCertChain( config, "clone", host, Integer.parseInt(https_admin_port),
true, context, certApprovalCallback );
+ }
+ } else {
+ CMS.debug("CreateSubsystemPanel: invalid choice " + select);
+ errorString = "Invalid choice";
+ throw new IOException("invalid choice " + select);
}
- getTokenInfo(config, cstype, host, https_ee_port, true, context,
- certApprovalCallback);
- } else {
- CMS.debug("CreateSubsystemPanel: invalid choice " + select);
- errorString = "Invalid choice";
- throw new IOException("invalid choice " + select);
- }
-
- try {
config.commit(false);
- } catch (EBaseException e) {
- }
- context.put("errorString", errorString);
+ context.put("errorString", errorString);
+ } catch (Exception e) {
+ CMS.debug("CreateSubsystemPanel: Exception thrown : " + e);
+ context.put("errorString", e.toString());
+ throw new IOException(e);
+ }
}
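Review bot: The new `catch (Exception e)` also catches the `IOException("invalid choice " + select)` thrown from the `else` branch in this hunk, so that deliberate error is rewrapped as `new IOException(e)` and the `"Invalid choice"` errorString is overwritten with `e.toString()`; add `catch (IOException e) { throw e; }` ahead of it, or narrow the generic catch to the parsing and network calls. The same catch now turns an unmatched `urls` index into a StringIndexOutOfBoundsException from `url.substring(url.indexOf("http"))` (`url` stays `""` when no entry of `preop.master.list` matches, and `Integer.parseInt(index)` in the previous hunk throws on a missing parameter), both surfaced to the user as a raw exception string; a check such as `if (url.length() == 0) { throw new IOException("no master CA selected"); }` before the substring gives a meaningful message. `Integer.parseInt(https_admin_port)` depends on what `getSecurityDomainAdminPort` returns, which is not visible here; if it can return an empty string on a lookup failure, that too becomes a generic NumberFormatException. The enclosing update method starts outside the hunk.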
/**
Index: base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
===================================================================
--- base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java (revision 2521)
+++ base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java (working copy)
@@ -17,7 +17,6 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.servlet.csadmin;
-
import org.apache.velocity.Template;
import org.apache.velocity.servlet.VelocityServlet;
import org.apache.velocity.app.Velocity;
@@ -47,6 +46,10 @@
import com.netscape.cms.servlet.wizard.*;
import netscape.ldap.*;
import java.security.interfaces.*;
+import java.security.cert.CertificateException;
+import org.mozilla.jss.CryptoManager.NicknameConflictException;
+import org.mozilla.jss.CryptoManager.NotInitializedException;
+import org.mozilla.jss.CryptoManager.UserCertConflictException;
public class RestoreKeyCertPanel extends WizardPanelBase {
@@ -193,142 +196,131 @@
Context context) throws IOException
{
IConfigStore config = CMS.getConfigStore();
- String path = HttpInput.getString(request, "path");
- if (path == null || path.equals("")) {
- // skip to next panel
- config.putBoolean("preop.restorekeycert.done", true);
- try {
- config.commit(false);
- } catch (EBaseException e) {
+ try {
+ getConfigEntriesFromMaster(request, response, context);
+
+ String path = HttpInput.getString(request, "path");
+ if (path == null || path.equals("")) {
+ // skip to next panel
+ config.putBoolean("preop.restorekeycert.done", true);
+ config.commit(false);
+ return;
}
- getConfigEntriesFromMaster(request, response, context);
- return;
- }
- String pwd = HttpInput.getPassword(request, "__password");
+
+ String pwd = HttpInput.getPassword(request, "__password");
- String tokenn = "";
- String instanceRoot = "";
+ String tokenn = config.getString("preop.module.token");
+ if (tokenn.equals("Internal Key Storage Token")) {
+ String instanceRoot = config.getString("instanceRoot");
+ String p12File = instanceRoot + File.separator + "alias" +
+ File.separator + path;
+ restoreCertsFromP12(p12File, pwd);
+ }
- try {
- tokenn = config.getString("preop.module.token");
- instanceRoot = config.getString("instanceRoot");
+ String subsystemtype = config.getString("preop.subsystem.select", "");
+ if (subsystemtype.equals("clone")) {
+ CMS.debug("RestoreKeyCertPanel: this is the clone subsystem");
+ boolean cloneReady = isCertdbCloned(request, context);
+ if (!cloneReady) {
+ CMS.debug("RestoreKeyCertPanel update: clone does not have all the certificates.");
+ throw new IOException("Clone is not ready");
+ }
+ }
+
+ config.putBoolean("preop.restorekeycert.done", true);
+ config.commit(false);
} catch (Exception e) {
+ CMS.debug("RestoreKeyCertPanel update: exception thrown:" + e);
+ e.printStackTrace();
+ context.put("errorString", e.toString());
+ throw new IOException(e);
+ }
+ }
+
+ private void restoreCertsFromP12(String p12File, String p12Pass) throws EPropertyNotFound, EBaseException,
+ InvalidKeyException, CertificateException, NoSuchAlgorithmException, IllegalStateException,
+ InvalidAlgorithmParameterException, TokenException, IllegalBlockSizeException,
+ BadPaddingException, NotInitializedException, NicknameConflictException, UserCertConflictException,
+ NoSuchItemOnTokenException, InvalidBERException, IOException{
+ byte b[] = new byte[1000000];
+ FileInputStream fis = new FileInputStream(p12File);
+ while (fis.available() > 0) {
+ fis.read(b);
}
+ fis.close();
- if (tokenn.equals("Internal Key Storage Token")) {
- byte b[] = new byte[1000000];
- FileInputStream fis = new FileInputStream(instanceRoot + "/alias/" + path);
- while (fis.available() > 0)
- fis.read(b);
- fis.close();
+ ByteArrayInputStream bis = new ByteArrayInputStream(b);
+ StringBuffer reason = new StringBuffer();
+ Password password = new Password(p12Pass.toCharArray());
+ PFX pfx = null;
+ boolean verifypfx = false;
- ByteArrayInputStream bis = new ByteArrayInputStream(b);
- StringBuffer reason = new StringBuffer();
- Password password = new Password(pwd.toCharArray());
- PFX pfx = null;
- boolean verifypfx = false;
- try {
- pfx = (PFX)(new PFX.Template()).decode(bis);
- verifypfx = pfx.verifyAuthSafes(password, reason);
- } catch (Exception e) {
- CMS.debug("RestoreKeyCertPanel update: Exception="+e.toString());
- }
+ pfx = (PFX)(new PFX.Template()).decode(bis);
+ verifypfx = pfx.verifyAuthSafes(password, reason);
- if (verifypfx) {
- CMS.debug("RestoreKeyCertPanel verify the PFX.");
- AuthenticatedSafes safes = pfx.getAuthSafes();
- Vector pkeyinfo_collection = new Vector();
- Vector cert_collection = new Vector();
- for (int i=0; i masterList = getMasterCertKeyList();
for (int i=0; i 1) {
String name = (String)cert_v.elementAt(1);
+ if (! masterList.contains(name)) {
+ CMS.debug("Ignoring " + name);
+ // only import the master's system certs
+ continue;
+ }
+
// we need to delete the trusted CA certificate if it is
// the same as the ca signing certificate
if (isCASigningCert(name)) {
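Review bot: `restoreCertsFromP12` reads the PKCS#12 file into one fixed 1,000,000-byte buffer and every `fis.read(b)` in the loop writes from offset 0, so a file that needs more than one read keeps only its last chunk and anything past 1 MB is dropped silently, and `fis` is not closed when a read throws; the rewrite below accumulates the reads inside try/finally. `path` comes straight from the request and is joined to `instanceRoot/alias`; since it only names a file in that directory, reject any value where `new File(path).getName()` differs from `path` before opening it. The `Password` built from `p12Pass.toCharArray()` is never cleared — call `password.clear()` in a finally once `verifyAuthSafes` has run. Part of the hunk between the `verifypfx` assignment and the `masterList.contains` check appears garbled in this view, and the loop that holds that check continues past the hunk.
```java
private void restoreCertsFromP12(String p12File, String p12Pass) throws /* … unchanged: exception list … */ IOException {
    // Accumulate the whole file; a single fixed buffer would keep only the last read.
    ByteArrayOutputStream buf = new ByteArrayOutputStream();
    FileInputStream fis = new FileInputStream(p12File);
    try {
        byte[] chunk = new byte[8192];
        int n;
        while ((n = fis.read(chunk)) != -1) {
            buf.write(chunk, 0, n);
        }
    } finally {
        fis.close();
    }
    ByteArrayInputStream bis = new ByteArrayInputStream(buf.toByteArray());
    // … unchanged: PFX decode, verifyAuthSafes and key/cert import …
```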
@@ -583,6 +593,26 @@
}
}
+ private ArrayList getMasterCertKeyList() throws EBaseException {
+ ArrayList list = new ArrayList();
+ IConfigStore cs = CMS.getConfigStore();
+ String certList = cs.getString("preop.cert.list", "");
+ StringTokenizer st = new StringTokenizer(certList, ",");
+ while (st.hasMoreTokens()) {
+ String s = st.nextToken();
+ if (s.equals("sslserver"))
+ continue;
+ String name = "preop.master." + s + ".nickname";
+ String nickname = cs.getString(name);
+ list.add(nickname);
+
+ name = "preop.cert." + s + ".dn";
+ String dn = cs.getString(name);
+ list.add(dn);
+ }
+ return list;
+ }
+
private boolean isCASigningCert(String name) {
String n = "preop.master.signing.nickname";
IConfigStore cs = CMS.getConfigStore();
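Review bot: `getMasterCertKeyList` uses raw `ArrayList` and the earlier hunk calls `masterList.contains(name)` on it; declare it `private List<String> getMasterCertKeyList()` with `List<String> list = new ArrayList<String>();` so the element type is checked (explicit type arguments, since the file predates the diamond operator). `cs.getString(name)` without a default throws when a `preop.master.TAG.nickname` or `preop.cert.TAG.dn` entry is missing, which aborts the whole restore rather than skipping that tag; if that is intended, say so in a Javadoc line, otherwise use `cs.getString(name, "")` and skip empty values. A one-line comment on why both the nickname and the DN go into the same list would help the next reader.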
@@ -660,6 +690,7 @@
CryptoManager cm = CryptoManager.getInstance();
certList = config.getString("preop.cert.list");
StringTokenizer st = new StringTokenizer(certList, ",");
+ String cstype = config.getString("cs.type").toLowerCase();
while (st.hasMoreTokens()) {
String token = st.nextToken();
if (token.equals("sslserver"))
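Review bot: `config.getString("cs.type").toLowerCase()` uses the default locale; for a subsystem type used as a config-key prefix use `toLowerCase(Locale.ROOT)`, or the `toLowerCaseSubsystemType` helper that CreateSubsystemPanel calls if it lives in the shared `WizardPanelBase` (not visible here). `getString("cs.type")` without a default also throws on a missing key, which the `catch (Exception e)` in the next hunk presumably maps to the generic "Check your CS.cfg for cloning" message. The enclosing method starts outside the hunk.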
@@ -677,6 +708,11 @@
X509Certificate cert = cm.findCertByNickname(nickname);
if (cert == null)
return false;
+
+ // TODO : remove this when we eliminate the extraneous nicknames
+ // needed for self tests cert verification
+ config.putString(cstype + ".cert." + token + ".nickname", nickname);
+
}
} catch (Exception e) {
context.put("errorString", "Check your CS.cfg for cloning");
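Review bot: `config.putString(cstype + ".cert." + token + ".nickname", nickname)` adds a config write to what the caller in the first hunk treats as a pure check (presumably this is `isCertdbCloned`), so every invocation mutates the config store, and nothing here commits it — persistence depends on a later `config.commit`. If the write must stay, the TODO should say which change removes it and the method's Javadoc should state the side effect; otherwise move it next to the `config.commit(false)` in `update`. The enclosing method starts and ends outside the hunk.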
Index: base/setup/pkiremove
===================================================================
--- base/setup/pkiremove (revision 2521)
+++ base/setup/pkiremove (working copy)
@@ -19,6 +19,11 @@
# --- END COPYRIGHT BLOCK ---
#
+use strict;
+use LWP::UserAgent;
+use HTTP::Request::Common qw(POST);
+use URI::Escape;
+
##############################################################
# This script is used to remove an existing PKI instance.
#
@@ -31,6 +36,11 @@
# # instance name
# # (e. g. - pki-pki1)
#
+# -security_domain_user= # Security domain user
+# # (e. g. - admin)
+#
+# -security_domain_pwd= # Security domain password
+#
# [-token_pwd=] # Password of token containing
# # subsystem certificate
#
@@ -155,6 +165,9 @@
my $pki_instance_name = "";
my $force = 0;
my $token_pwd = "";
+my $sec_user = "";
+my $sec_pass = "";
+my $sec_token = "";
my $pki_instance_path = "";
my $subsystem_type = "";
@@ -193,6 +206,16 @@
. "# instance name\n"
. " "
. "# (e. g. - pki-pki1)\n\n"
+ . " -security_domain_user= "
+ . "# Security domain\n"
+ . " "
+ . "# user id\n"
+ . " "
+ . "# (e. g. - admin)\n\n"
+ . " -security_domain_pwd= "
+ . "# Secuity domain\n"
+ . " "
+ . "# password\n\n"
. " [-token_pwd=] "
. "# Password for\n"
. " "
@@ -214,8 +237,67 @@
return;
}
+sub get_install_token()
+{
+ my ($secuser, $secpass) = @_;
+ my $token;
+
+ my $conf_file = $pki_instance_path . "/conf/CS.cfg";
+ my $sechost;
+ my $secadminport;
+ my $adminsport;
+ my $typeval;
+ my $machinename;
+
+ if (!defined($secuser) || ($secuser eq "") ||
+ !defined($secpass) || ($secpass eq "")) {
+ return undef;
+ }
+
+ open(DAT, $conf_file) or die "Could not open CS.cfg file to update security domain";
+ my @conf_data=;
+ foreach my $line (@conf_data) {
+ chomp($line);
+ (my $varname, my $valname) = split(/=/, $line);
+ if ($varname eq "cs.type") { $typeval = $valname; }
+ if ($varname eq "service.machineName") { $machinename = $valname; }
+ if ($varname eq "pkicreate.admin_secure_port") { $adminsport = $valname; }
+ if ($varname eq "securitydomain.host") { $sechost = $valname; }
+ if ($varname eq "securitydomain.httpsadminport") { $secadminport = $valname; }
+ }
+
+ my $subca_url = "https://" . $machinename . ":" . $adminsport .
+ "/ca/admin/console/config/wizard?p=5&subsystem=" . $typeval;
+ my $loginURL = "https://" . $sechost . ":" . $secadminport . "/ca/admin/ca/getCookie";
+
+ my $ua = LWP::UserAgent->new;
+ $ua->agent('Mozilla/8.0');
+
+ my $req = POST $loginURL,
+ [ uid => $secuser, pwd => $secpass, url => $subca_url ];
+
+ $req->header('Accept' => 'text/html');
+
+ # send request
+ my $res = $ua->request($req);
+ # check the outcome
+ if ($res->is_success) {
+ if ($res->decoded_content =~ m/header.session_id = \"(.*)\";/) {
+ $token = $1;
+ } else {
+ if ($res->decoded_content =~m/header.errorString = \"(.*)\";/) {
+ print $1;
+ }
+ }
+ } else {
+ print "Error: " . $res->status_line . "\n";
+ }
+ return $token;
+}
+
sub update_domain()
{
+ my ($install_token,) = @_;
my $conf_file = $pki_instance_path . "/conf/CS.cfg";
my $sport;
my $ncsport;
@@ -226,9 +308,10 @@
my $adminsport;
my $agentsport;
my $secselect;
+ my $sechost;
my $typeval;
my $machinename;
- my $subsytemnick;
+ my $status;
open(DAT, $conf_file) or die "Could not open CS.cfg file to update security domain";
my @conf_data=;
@@ -250,6 +333,93 @@
if ($varname eq "pkicreate.agent_secure_port") { $agentsport = $valname; }
}
+ close(DAT);
+
+ # NOTE: Don't check for the existence of "$httpport", as this will
+ # be undefined for a Security Domain that has been migrated!
+ if ((!defined($sechost)) ||
+ (!defined($seceeport)) ||
+ (!defined($secagentport)) ||
+ (!defined($secadminport))) {
+ print (STDOUT "No security domain defined.\nIf this is an unconfigured instance, then that is OK.\n" .
+ "Otherwise, manually delete the entry from the security domain master.\n" );
+ return;
+ }
+
+ my $listval = $typeval . "List";
+ my %params = ( name => $pki_instance_name,
+ type => $typeval,
+ list => $listval,
+ host => $machinename,
+ sport => $sport,
+ ncsport => $ncsport,
+ adminsport => $adminsport,
+ agentsport => $agentsport,
+ operation => "remove" );
+
+ my $param_string = "";
+ while (my ($k, $v) = each %params) {
+ $param_string = $param_string . $k . "=" . uri_escape($v) . "&";
+ }
+ chop($param_string); # remove last &
+
+ if ($install_token ne "") {
+ print STDOUT "Contacting the security domain master to update the security domain\n";
+
+ my $updateURL = "https://" . $sechost . ":" . $secadminport . "/ca/admin/ca/updateDomainXML";
+ $params{"sessionID"} = $install_token;
+
+ my $ua = LWP::UserAgent->new;
+ $ua->agent('Mozilla/8.0');
+
+ my $req = POST $updateURL, [%params];
+ $req->header('Accept' => 'text/html');
+ my $res = $ua->request($req);
+
+ if ($res->is_success) {
+ $res->decoded_content =~/\(.*?)\<\/Status\>/;
+ $status = $1;
+ } else {
+ print "Warning: unable to update domain using admin port. " . $res->status_line . "\n";
+ $status = &update_domain_using_agent_port($param_string);
+ }
+
+ # these next lines are here to account for new clones of existing instances
+ # the new clones will have the updateDomainXML servlet on the admin interface
+ # but - because acls are replicated from the master - may not have the updated
+ # acl to allow enterprise users to update the domain. In this case, try the old
+ # interface.
+
+ if ($status ne "0") {
+ $status = &update_domain_using_agent_port($param_string);
+ }
+ } else {
+ $status = &update_domain_using_agent_port($param_string);
+ }
+
+ die ("Security Domain returns non-zero status for updateDomainXML.") if ($status ne "0");
+}
+
+sub update_domain_using_agent_port()
+{
+ my ($param_string, ) = @_;
+ my $conf_file = $pki_instance_path . "/conf/CS.cfg";
+ my $typeval;
+ my $sechost;
+ my $secagentport;
+ my $subsystemnick;
+
+ open(DAT, $conf_file) or die "Could not open CS.cfg file to update security domain";
+ my @conf_data=;
+ foreach my $line (@conf_data) {
+ chomp($line);
+ (my $varname, my $valname) = split(/=/, $line);
+
+ if ($varname eq "cs.type") { $typeval = $valname; }
+ if ($varname eq "securitydomain.host") { $sechost = $valname; }
+ if ($varname eq "securitydomain.httpsagentport") { $secagentport = $valname; }
+ }
+
my $subsystemnick_param = lc($typeval) . ".cert.subsystem.nickname";
foreach my $line (@conf_data) {
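Review bot: `$status = $1;` in the `is_success` branch is assigned without checking that the preceding match succeeded; a failed match leaves `$1` holding the last successful capture in scope — which can be the session id captured in `get_install_token` — so a 200 response without the Status element yields a bogus status instead of a failure. Use the match as the condition, e.g. `$status = ($res->decoded_content =~ m{PATTERN}) ? $1 : "1";` with PATTERN the Status regex from the hunk (it shows garbled in this view). When the admin-port request is not successful the code already falls back to `update_domain_using_agent_port`, and the following `if ($status ne "0")` then runs the same fallback a second time; fold the two into one fallback. `update_domain_using_agent_port` starts in this hunk and continues past it.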
@@ -262,72 +432,44 @@
(my $token_name, my $nick) = split(/:/, $subsystemnick, 2);
if ((!defined($nick)) || ($nick eq "")) {
$token_name = "internal";
- }
-
- # NOTE: Don't check for the existence of "$httpport", as this will
- # be undefined for a Security Domain that has been migrated!
- if ((!defined($sechost)) ||
- (!defined($seceeport)) ||
- (!defined($secagentport)) ||
- (!defined($secadminport))) {
- print (STDOUT "No security domain defined.\nIf this is an unconfigured instance, then that is OK.\n" .
- "Otherwise, manually delete the entry from the security domain master.\n" );
- return;
}
- if ($secselect ne "new") {
- # This is not a domain master, so we need to update the master
- print (STDOUT "Contacting the security domain master to update the security domain\n");
- my $listval = $typeval . "List";
- my $updateURL = "/ca/agent/ca/updateDomainXML";
+ my $updateURL = "/ca/agent/ca/updateDomainXML";
- if ($token_pwd eq "") {
- my $pwfile = $pki_instance_path . "/conf/password.conf";
- if (-r $pwfile) {
- open(DAT, $pwfile) or die "Could not open password.conf file to generate pk12 files.";
- my @pw_data=;
- foreach my $line (@pw_data) {
- chomp($line);
- if (($typeval eq "CA") ||
- ($typeval eq "KRA") ||
- ($typeval eq "OCSP") ||
- ($typeval eq "TKS")) {
- (my $varname, my $valname) = split(/=/, $line);
- if ($varname eq $token_name) { $token_pwd = $valname; }
- if ($varname eq "hardware-$token_name") { $token_pwd = $valname; }
- } else { # TPS, RA
- (my $varname, my $valname) = split(/:/, $line);
- if ($varname eq $token_name) { $token_pwd = $valname; }
- if ($varname eq "hardware-$token_name") { $token_pwd = $valname; }
- }
+ if ($token_pwd eq "") {
+ my $pwfile = $pki_instance_path . "/conf/password.conf";
+ if (-r $pwfile) {
+ open(DAT, $pwfile) or die "Could not open password.conf file to get token pssword.";
+ my @pw_data=;
+ foreach my $line (@pw_data) {
+ chomp($line);
+ if (($typeval eq "CA") ||
+ ($typeval eq "KRA") ||
+ ($typeval eq "OCSP") ||
+ ($typeval eq "TKS")) {
+ (my $varname, my $valname) = split(/=/, $line);
+ if ($varname eq $token_name) { $token_pwd = $valname; }
+ if ($varname eq "hardware-$token_name") { $token_pwd = $valname; }
+ } else { # TPS, RA
+ (my $varname, my $valname) = split(/:/, $line);
+ if ($varname eq $token_name) { $token_pwd = $valname; }
+ if ($varname eq "hardware-$token_name") { $token_pwd = $valname; }
}
- close($pwfile);
}
+ close($pwfile);
}
while ($token_pwd eq "") {
$token_pwd = prompt( "No password found for $token_name. What is the password for this token?");
}
+ }
- my $params = "name=$pki_instance_name" .
- "&type=$typeval" .
- "&list=$listval" .
- "&host=$machinename" .
- "&sport=$sport" .
- "&ncsport=$ncsport" .
- "&adminsport=$adminsport" .
- "&agentsport=$agentsport" .
- "&operation=remove";
+ #update domainXML
+ my $cmd = `/usr/bin/sslget -d \"$pki_instance_path/alias\" -p \"$token_pwd\" -v -n \"$subsystemnick\" -r \"$updateURL\" -e \"$param_string\" $sechost:$secagentport 2>&1`;
- #update domainXML
- my $cmd = `/usr/bin/sslget -d \"$pki_instance_path/alias\" -p \"$token_pwd\" -v -n \"$subsystemnick\" -r \"$updateURL\" -e \"$params\" $sechost:$secagentport 2>&1`;
-
- $cmd =~ /\(.*?)\<\/Status\>/;
- $cmd = $1;
-
- die ("Security Domain returns non-zero status for updateDomainXML.") if ($cmd ne "0");
-
- }
+ $cmd =~ /\(.*?)\<\/Status\>/;
+ $cmd = $1;
+ return $cmd;
}
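Review bot: `$token_pwd` is interpolated into a backtick shell command as `-p \"$token_pwd\"`, so a password containing `"`, `$` or a backtick breaks or alters the command line, and the password is visible to every local user through the process list for as long as sslget runs; the code is moved rather than new, but since the hunk rewrites the block it is the place to fix it — a list-form pipe open such as `open(my $out, '-|', '/usr/bin/sslget', '-d', "$pki_instance_path/alias", '-p', $token_pwd, '-v', '-n', $subsystemnick, '-r', $updateURL, '-e', $param_string, "$sechost:$secagentport")` avoids the shell (stderr then needs separate handling). `close($pwfile)` closes a string, not the `DAT` handle opened from it. The die message reads `pssword`, and `$cmd = $1;` after the match has the same unchecked-capture problem noted on `update_domain` above. The enclosing sub starts in the previous hunk.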
sub remove_fcontext()
@@ -351,8 +493,8 @@
my $setype = "pki_" . $subsystem_type;
my $default_inst_name = "pki-" . $subsystem_type;
my $default_inst_root = "/var/lib";
- my $default_log_path = "/var/log/" . $default_instance_name;
- my $default_conf_path = "/etc/" . $default_instance_name;
+ my $default_log_path = "/var/log/" . $default_inst_name;
+ my $default_conf_path = "/etc/" . $default_inst_name;
my $log_path = "$pki_instance_path/logs";
my $conf_path = "$pki_instance_path/conf";
@@ -538,7 +680,10 @@
$cleanup->open( "<$source_file_path" ) or die "Could not open file!\n";
- eval { update_domain(); };
+ if (($sec_user ne "") && ($sec_pass ne "")) {
+ $sec_token = &get_install_token($sec_user, $sec_pass)
+ }
+ eval { &update_domain($sec_token); };
warn "Error updating security domain: " . $@ if $@;
if (( $^O eq "linux") && ( is_Fedora() || (is_RHEL() && (! is_RHEL4())) )) {
@@ -678,6 +823,8 @@
# Parse command-line arguments.
$result = GetOptions( "pki_instance_root=s" => \$pki_instance_root,
"pki_instance_name=s" => \$pki_instance_name,
+ "security_domain_user=s" => \$sec_user,
+ "security_domain_pwd=s" => \$sec_pass,
"token_pwd=s" => \$token_pwd,
"force" => \$force );
Index: base/tks/shared/webapps/tks/WEB-INF/web.xml
===================================================================
--- base/tks/shared/webapps/tks/WEB-INF/web.xml (revision 2521)
+++ base/tks/shared/webapps/tks/WEB-INF/web.xml (working copy)
@@ -308,18 +308,6 @@
certServer.clone.configuration.GetConfigEntries
-
- tksGetTokenInfo
- com.netscape.cms.servlet.csadmin.GetTokenInfo
- GetClientCert
- false
- authority
- tks ID
- tksGetTokenInfo
- interface
- ee
-
-
[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT]
AgentRequestFilter
@@ -472,10 +460,6 @@
-
- tksGetTokenInfo
- /ee/tks/getTokenInfo
-
Index: base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
===================================================================
--- base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml (revision 2521)
+++ base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml (working copy)
@@ -436,18 +436,6 @@
-
- ocspGetTokenInfo
- com.netscape.cms.servlet.csadmin.GetTokenInfo
- GetClientCert
- false
- authority
- ocsp
- ID
- ocspGetTokenInfo
- interface
- ee
-
[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT]
@@ -645,10 +633,6 @@
-
- ocspGetTokenInfo
- /ee/ocsp/getTokenInfo
-
Index: base/kra/shared/webapps/kra/WEB-INF/web.xml
===================================================================
--- base/kra/shared/webapps/kra/WEB-INF/web.xml (revision 2521)
+++ base/kra/shared/webapps/kra/WEB-INF/web.xml (working copy)
@@ -693,7 +693,7 @@
ID
kraUpdateNumberRange
interface
- ee
+ admin
AuthMgr
TokenAuth
AuthzMgr
@@ -724,18 +724,6 @@
-
- kraGetTokenInfo
- com.netscape.cms.servlet.csadmin.GetTokenInfo
- GetClientCert
- false
- authority
- kra
- ID
- kraGetTokenInfo
- interface
- ee
-
[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT]
@@ -998,7 +986,7 @@
kraUpdateNumberRange
- /ee/kra/updateNumberRange
+ /admin/kra/updateNumberRange
@@ -1009,10 +997,6 @@
-
- kraGetTokenInfo
- /ee/kra/getTokenInfo
-