From 385897582fcc6d3c954528d11dce7aabf31e2c17 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Wed, 6 May 2015 16:19:19 -0400 Subject: [PATCH] Added options for internal token and replication passwords. The installation code has been modified such that it provides several options for internal token and replication passwords: * reuse the same admin/database passwords (default) * specify new psaswords * generate new random passwords https://fedorahosted.org/pki/ticket/1354 --- .../certsrv/system/ConfigurationRequest.java | 157 +++------------------ .../certsrv/system/SystemConfigResource.java | 10 -- .../dogtagpki/server/rest/SystemConfigService.java | 42 ++++-- base/server/etc/default.cfg | 10 ++ .../python/pki/server/deployment/pkihelper.py | 3 + .../python/pki/server/deployment/pkiparser.py | 32 ++++- 6 files changed, 89 insertions(+), 165 deletions(-) diff --git a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java index 0caa215fbd6334ad6656002470f69d6b8426c861..932745c481c6863e11960b0b60e3a10bd57a30f8 100644 --- a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java +++ b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java @@ -21,7 +21,6 @@ import java.net.URI; import java.net.URISyntaxException; import java.util.List; -import javax.ws.rs.core.MultivaluedMap; import javax.xml.bind.annotation.XmlAccessType; import javax.xml.bind.annotation.XmlAccessorType; import javax.xml.bind.annotation.XmlElement; @@ -29,8 +28,6 @@ import javax.xml.bind.annotation.XmlRootElement; import javax.xml.bind.annotation.adapters.XmlAdapter; import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter; -import org.apache.commons.lang.StringUtils; - /** * @author alee * 
@@ -38,69 +35,6 @@ import org.apache.commons.lang.StringUtils; @XmlRootElement(name="ConfigurationRequest") @XmlAccessorType(XmlAccessType.FIELD) public class ConfigurationRequest { - private static final String PIN = "pin"; - private static final String TOKEN = "token"; - private static final String TOKEN_PASSWORD = "tokenPassword"; - private static final String SECURITY_DOMAIN_TYPE = "securityDomainType"; - private static final String SECURITY_DOMAIN_URI = "securityDomainUri"; - private static final String SECURITY_DOMAIN_NAME = "securityDomainName"; - private static final String SECURITY_DOMAIN_USER = "securityDomainUser"; - private static final String SECURITY_DOMAIN_PASSWORD = "securityDomainPassword"; - private static final String IS_CLONE = "isClone"; - private static final String CLONE_URI = "cloneUri"; - private static final String SUBSYSTEM_NAME = "subsystemName"; - private static final String P12_FILE = "p12File"; - private static final String P12_PASSWORD = "p12Password"; - private static final String HIERARCHY = "hierarchy"; - private static final String DSHOST = "dsHost"; - private static final String DSPORT = "dsPort"; - private static final String BASEDN = "basedn"; - private static final String CREATE_NEW_DB = "createNewDB"; - private static final String BINDDN = "binddn"; - private static final String DATABASE = "database"; - private static final String SECURECONN = "secureConn"; - private static final String REMOVEDATA = "removeData"; - private static final String MASTER_REPLICATION_PORT = "masterReplicationPort"; - private static final String CLONE_REPLICATION_PORT = "cloneReplicationPort"; - private static final String REPLICATE_SCHEMA = "replicateSchema"; - private static final String REPLICATION_SECURITY = "replicationSecurity"; - private static final String SETUP_REPLICATION = "setupReplication"; - private static final String ISSUING_CA = "issuingCa"; - private static final String BACKUP_KEYS = "backupKeys"; - private static final String 
BACKUP_FILE = "backupFile"; - private static final String BACKUP_PASSWORD = "backupPassword"; - private static final String ADMIN_UID = "adminUid"; - private static final String ADMIN_EMAIL = "adminEmail"; - private static final String ADMIN_PASSWORD = "adminPassword"; - private static final String ADMIN_CERT_REQUEST = "adminCertRequest"; - private static final String ADMIN_CERT_REQUEST_TYPE = "adminCertRequestType"; - private static final String ADMIN_SUBJECT_DN = "adminSubjectDN"; - private static final String ADMIN_NAME = "adminName"; - private static final String ADMIN_PROFILE_ID = "adminProfileID"; - private static final String IMPORT_ADMIN_CERT = "importAdminCert"; - private static final String ADMIN_CERT = "adminCert"; - private static final String STANDALONE = "standAlone"; - private static final String STEP_TWO = "stepTwo"; - private static final String GENERATE_SERVER_CERT = "generateServerCert"; - private static final String SUBORDINATE_SECURITY_DOMAIN_NAME = "subordinateSecurityDomainName"; - - // TPS specific parameters - private static final String AUTHDB_BASEDN = "authdbBaseDN"; - private static final String AUTHDB_HOST = "authdbHost"; - private static final String AUTHDB_PORT = "authdbPort"; - private static final String AUTHDB_SECURE_CONN = "authdbSecureConn"; - private static final String CA_URI = "caUri"; - private static final String TKS_URI = "tksUri"; - private static final String KRA_URI = "kraUri"; - private static final String ENABLE_SERVER_SIDE_KEYGEN = "enableServerSideKeygen"; - - // TKS/TPS shared secret parameters - private static final String IMPORT_SHARED_SECRET = "importSharedSecret"; - - // Parameters for shared tomcat instances - private static final String GENERATE_SUBSYSTEM_CERT="generateSubsystemCert"; - private static final String SHARED_DB = "sharedDB"; - private static final String SHARED_DBUSER_DN = "sharedDBUserDN"; //defaults public static final String TOKEN_DEFAULT = "Internal Key Storage Token"; 
@@ -190,6 +124,12 @@ public class ConfigurationRequest { protected String replicationSecurity; @XmlElement + protected String replicationPasswordSource; + + @XmlElement + protected String replicationPassword; + + @XmlElement protected String setupReplication; @XmlElement 
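Review bot: `replicationPasswordSource` is a free-form `String` carrying an enumerated choice, and nothing on the field records what the server accepts; per the SystemConfigService hunk in this commit only `default` and `random` are honoured, with `default` taking `replicationPassword` and falling back to the internal-database bind password when it is empty, and `random` ignoring `replicationPassword` altogether. A comment above the field would save the next caller a trip into the server code, e.g. `// "default" (use replicationPassword, else the internal DB bind password) or "random"; anything else is rejected with a BadRequestException`. `replicationPassword` is a credential like the neighbouring `tokenPassword`/`adminPassword` fields, so it must stay out of any toString()/logging of this request — I cannot see from the hunk whether the class has such a method.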
@@ -292,75 +232,6 @@ public class ConfigurationRequest { // required for JAXB } - public ConfigurationRequest(MultivaluedMap form) throws URISyntaxException { - pin = form.getFirst(PIN); - token = form.getFirst(TOKEN); - tokenPassword = form.getFirst(TOKEN_PASSWORD); - securityDomainType = form.getFirst(SECURITY_DOMAIN_TYPE); - securityDomainUri = form.getFirst(SECURITY_DOMAIN_URI); - securityDomainName = form.getFirst(SECURITY_DOMAIN_NAME); - securityDomainUser = form.getFirst(SECURITY_DOMAIN_USER); - securityDomainPassword = form.getFirst(SECURITY_DOMAIN_PASSWORD); - isClone = form.getFirst(IS_CLONE); - cloneUri = form.getFirst(CLONE_URI); - subsystemName = form.getFirst(SUBSYSTEM_NAME); - p12File = form.getFirst(P12_FILE); - p12Password = form.getFirst(P12_PASSWORD); - hierarchy = form.getFirst(HIERARCHY); - dsHost = form.getFirst(DSHOST); - dsPort = form.getFirst(DSPORT); - baseDN = form.getFirst(BASEDN); - createNewDB = form.getFirst(CREATE_NEW_DB); - bindDN = form.getFirst(BINDDN); - database = form.getFirst(DATABASE); - secureConn = form.getFirst(SECURECONN); - removeData = form.getFirst(REMOVEDATA); - masterReplicationPort = form.getFirst(MASTER_REPLICATION_PORT); - cloneReplicationPort = form.getFirst(CLONE_REPLICATION_PORT); - replicateSchema = form.getFirst(REPLICATE_SCHEMA); - replicationSecurity = form.getFirst(REPLICATION_SECURITY); - setupReplication = form.getFirst(SETUP_REPLICATION); - //TODO - figure out how to get the cert requests - issuingCA = form.getFirst(ISSUING_CA); - backupFile = form.getFirst(BACKUP_FILE); - backupPassword = form.getFirst(BACKUP_PASSWORD); - backupKeys = form.getFirst(BACKUP_KEYS); - adminUID = form.getFirst(ADMIN_UID); - adminEmail = form.getFirst(ADMIN_EMAIL); - adminPassword = form.getFirst(ADMIN_PASSWORD); - adminCertRequest = form.getFirst(ADMIN_CERT_REQUEST); - adminCertRequestType = form.getFirst(ADMIN_CERT_REQUEST_TYPE); - adminSubjectDN = form.getFirst(ADMIN_SUBJECT_DN); - adminName = form.getFirst(ADMIN_NAME); - 
adminProfileID = form.getFirst(ADMIN_PROFILE_ID); - adminCert = form.getFirst(ADMIN_CERT); - importAdminCert = form.getFirst(IMPORT_ADMIN_CERT); - standAlone = form.getFirst(STANDALONE); - stepTwo = form.getFirst(STEP_TWO); - generateServerCert = form.getFirst(GENERATE_SERVER_CERT); - authdbBaseDN = form.getFirst(AUTHDB_BASEDN); - authdbHost = form.getFirst(AUTHDB_HOST); - authdbPort = form.getFirst(AUTHDB_PORT); - authdbSecureConn = form.getFirst(AUTHDB_SECURE_CONN); - subordinateSecurityDomainName = form.getFirst(SUBORDINATE_SECURITY_DOMAIN_NAME); - - String value = form.getFirst(CA_URI); - if (!StringUtils.isEmpty(value)) setCaUri(new URI(value)); - - value = form.getFirst(TKS_URI); - if (!StringUtils.isEmpty(value)) setTksUri(new URI(value)); - - value = form.getFirst(KRA_URI); - if (!StringUtils.isEmpty(value)) setKraUri(new URI(value)); - - enableServerSideKeyGen = form.getFirst(ENABLE_SERVER_SIDE_KEYGEN); - importSharedSecret = form.getFirst(IMPORT_SHARED_SECRET); - - generateSubsystemCert = form.getFirst(GENERATE_SUBSYSTEM_CERT); - sharedDB = form.getFirst(SHARED_DB); - sharedDBUserDN = form.getFirst(SHARED_DBUSER_DN); - } - public String getSubsystemName() { return subsystemName; } @@ -637,6 +508,22 @@ public class ConfigurationRequest { this.replicationSecurity = replicationSecurity; } + public String getReplicationPasswordSource() { + return replicationPasswordSource; + } + + public void setReplicationPasswordSource(String replicationPasswordSource) { + this.replicationPasswordSource = replicationPasswordSource; + } + + public String getReplicationPassword() { + return replicationPassword; + } + + public void setReplicationPassword(String replicationPassword) { + this.replicationPassword = replicationPassword; + } + public boolean getSetupReplication() { // default to true if (setupReplication == null) { 
diff --git a/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java b/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java index 2a490805dbfb3f3a94771fa03be7865d36153d4a..0cebb607433aea8571ff524df42872e9ae781c43 100644 --- a/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java +++ b/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java @@ -17,13 +17,8 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.certsrv.system; -import java.net.URISyntaxException; - -import javax.ws.rs.Consumes; import javax.ws.rs.POST; import javax.ws.rs.Path; -import javax.ws.rs.core.MediaType; -import javax.ws.rs.core.MultivaluedMap; /** @@ -34,10 +29,5 @@ public interface SystemConfigResource { @POST @Path("configure") - @Consumes({ MediaType.APPLICATION_FORM_URLENCODED }) - public ConfigurationResponse configure(MultivaluedMap form) throws URISyntaxException; - - @POST - @Path("configure") public ConfigurationResponse configure(ConfigurationRequest data); } diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java index 12dd54dac37f9677ca9cddfefc9c870a53ca671b..d074cd4af0926160f8df1bb6030c054ade0c9f0a 100644 --- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java @@ -19,7 +19,6 @@ package org.dogtagpki.server.rest; import java.math.BigInteger; import java.net.MalformedURLException; -import java.net.URISyntaxException; import java.net.URL; import java.security.NoSuchAlgorithmException; import java.security.PublicKey; @@ -31,7 +30,6 @@ import java.util.Random; import javax.servlet.http.HttpServletRequest; import javax.ws.rs.core.Context; import javax.ws.rs.core.HttpHeaders; -import javax.ws.rs.core.MultivaluedMap; import javax.ws.rs.core.Request; import javax.ws.rs.core.UriInfo; 
@@ -110,15 +108,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou } /* (non-Javadoc) - * @see com.netscape.cms.servlet.csadmin.SystemConfigurationResource#configure(javax.ws.rs.core.MultivaluedMap) - */ - @Override - public ConfigurationResponse configure(MultivaluedMap form) throws URISyntaxException { - ConfigurationRequest data = new ConfigurationRequest(form); - return configure(data); - } - - /* (non-Javadoc) * @see com.netscape.cms.servlet.csadmin.SystemConfigurationResource#configure(com.netscape.cms.servlet.csadmin.data.ConfigurationData) */ @Override @@ -697,7 +686,32 @@ public class SystemConfigService extends PKIService implements SystemConfigResou try { /* BZ 430745 create password for replication manager */ - String replicationpwd = Integer.toString(new Random().nextInt()); + String replicationPasswordSource = data.getReplicationPasswordSource(); + if (StringUtils.isEmpty(replicationPasswordSource)) { + replicationPasswordSource = "default"; + } + CMS.debug("Replication password source: " + replicationPasswordSource); + + String replicationPassword; + + if ("default".equals(replicationPasswordSource)) { + + // use user-provided password if specified + replicationPassword = data.getReplicationPassword(); + + if (StringUtils.isEmpty(replicationPassword)) { + // otherwise use internal database password + replicationPassword = data.getBindpwd(); + } + + } else if ("random".equals(replicationPasswordSource)) { + // generate random password + replicationPassword = Integer.toString(new Random().nextInt()); + + } else { + CMS.debug("Invalid replication password source: " + replicationPasswordSource); + throw new BadRequestException("Invalid replication password source: " + replicationPasswordSource); + } IConfigStore psStore = null; String passwordFile = null; 
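Review bot: The `random` branch still builds the replication manager password from `Integer.toString(new Random().nextInt())`: `java.util.Random` is not a cryptographic generator and the result is a signed decimal of at most 32 bits, so an option now advertised as "random" yields a credential far weaker than the word suggests (the removed line had the same weakness, but the commit turns it into a documented choice). Generate it with `java.security.SecureRandom` and a longer, wider alphabet, e.g. `byte[] buf = new byte[24]; new SecureRandom().nextBytes(buf); replicationPassword = Base64.getEncoder().encodeToString(buf);` — this needs `java.security.SecureRandom` and `java.util.Base64` imports outside the hunk, and a hex encoding works if the build targets pre-Java-8. When the source is `random`, a caller-supplied `replicationPassword` is silently discarded; rejecting that combination through the same `BadRequestException` path would avoid surprising deployments. The enclosing method begins before this hunk and continues after it.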
@@ -705,14 +719,14 @@ public class SystemConfigService extends PKIService implements SystemConfigResou psStore = CMS.createFileConfigStore(passwordFile); psStore.putString("internaldb", data.getBindpwd()); if (data.getSetupReplication()) { - psStore.putString("replicationdb", replicationpwd); + psStore.putString("replicationdb", replicationPassword); } psStore.commit(false); if (!data.getStepTwo()) { ConfigurationUtils.populateDB(); - cs.putString("preop.internaldb.replicationpwd", replicationpwd); + cs.putString("preop.internaldb.replicationpwd", replicationPassword); cs.putString("preop.database.removeData", "false"); if (data.getSharedDB()) { cs.putString("preop.internaldb.dbuser", data.getSharedDBUserDN()); diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg index 3b082020d055bd4a46cfbefc36c81ae46d4d6c4b..e6d7512e9dc04b1ff4a634908c2182ab3c580fd6 100644 --- a/base/server/etc/default.cfg +++ b/base/server/etc/default.cfg @@ -24,6 +24,7 @@ sensitive_parameters= pki_ds_password pki_one_time_pin pki_pin + pki_replication_password pki_security_domain_password pki_token_password @@ -98,6 +99,15 @@ pki_issuing_ca_hostname=%(pki_security_domain_hostname)s pki_issuing_ca_https_port=%(pki_security_domain_https_port)s pki_issuing_ca_uri=https://%(pki_issuing_ca_hostname)s:%(pki_issuing_ca_https_port)s pki_issuing_ca=%(pki_issuing_ca_uri)s + +# Valid values: default, random +pki_pin_source= +pki_pin= + +# Valid values: default, random +pki_replication_password_source= +pki_replication_password= + pki_restart_configured_instance=True pki_security_domain_hostname=%(pki_hostname)s pki_security_domain_https_port=8443 diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py index b9d48eea3d9f3ce89766b93fecb16195fada67e1..239ae3788e32704595645b8b922555c7c481a67e 100644 --- a/base/server/python/pki/server/deployment/pkihelper.py +++ b/base/server/python/pki/server/deployment/pkihelper.py 
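Review bot: The new `# Valid values: default, random` comments do not say what `default` does, and that is the security-relevant part: per the pkiparser hunk an unset `pki_pin` under `default` is replaced by `pki_admin_password`, and per SystemConfigService an unset `pki_replication_password` falls back to the internal-database bind password, so two separately named secrets silently become one. Spell it out, e.g. `# Valid values: default (reuse pki_admin_password unless pki_pin is set), random` and `# Valid values: default (reuse the DS bind password unless pki_replication_password is set), random`, so an administrator reading only this file knows a distinct password has to be set explicitly. It is also worth noting in the comment that an empty `*_source` is treated as `default`, since both the parser and the server code do that.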
@@ -3873,6 +3873,9 @@ class ConfigClient: if not self.clone: self.set_admin_parameters(data) + data.replicationPasswordSource = self.mdict['pki_replication_password_source'] + data.replicationPassword = self.mdict['pki_replication_password'] + # Issuing CA Information self.set_issuing_ca_parameters(data) diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py index 39cef9413171f6a22bb2292edc1f7a18d07257fc..2899bcde9ea9d8bbd4627e621d427350138a8efa 100644 --- a/base/server/python/pki/server/deployment/pkiparser.py +++ b/base/server/python/pki/server/deployment/pkiparser.py @@ -327,10 +327,14 @@ class PKIConfigParser: # means that we need to deal with escaping '%' characters # that might be present. no_interpolation = ( - 'pki_admin_password', 'pki_backup_password', + 'pki_admin_password', + 'pki_backup_password', 'pki_client_database_password', 'pki_client_pkcs12_password', - 'pki_ds_password', 'pki_security_domain_password') + 'pki_ds_password', + 'pki_pin', + 'pki_replicationdb_password', + 'pki_security_domain_password') print 'Loading deployment configuration from ' + \ config.user_deployment_cfg + '.' 
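Review bot: The entry added to `no_interpolation` is `'pki_replicationdb_password'`, but every other place in this commit names the parameter `pki_replication_password` — the `sensitive_parameters` list and the new key in default.cfg, and the `self.mdict['pki_replication_password']` read in pkihelper.py — so the exclusion matches nothing and a replication password containing `%` will still be handed to ConfigParser interpolation, the exact case the comment above the tuple says this list exists to prevent. Change the line to `'pki_replication_password',`. A quick run with `pki_replication_password=a%b` in the deployment file would have exposed the mismatch.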
@@ -552,18 +556,34 @@ class PKIConfigParser: self.mdict['pki_user_deployment_cfg'] = config.user_deployment_cfg self.mdict['pki_deployed_instance_name'] = \ config.pki_deployed_instance_name + + self.flatten_master_dict() + # Generate random 'pin's for use as security database passwords # and add these to the "sensitive" key value pairs read in from # the configuration file pin_low = 100000000000 pin_high = 999999999999 - self.mdict['pki_pin'] = \ - random.randint(pin_low, pin_high) + + pin_source = self.mdict['pki_pin_source'] + if not pin_source: + pin_source = 'default' + + if pin_source == 'default': + # use user-provided PIN if specified + if not self.mdict['pki_pin']: + # otherwise use the admin password + self.mdict['pki_pin'] = self.mdict['pki_admin_password'] + + elif pin_source == 'random': + self.mdict['pki_pin'] = \ + random.randint(pin_low, pin_high) + else: + raise Exception('Invalid security database PIN source: %s' % pin_source) + self.mdict['pki_client_pin'] = \ random.randint(pin_low, pin_high) - self.flatten_master_dict() - pkilogging.sensitive_parameters = \ self.mdict['sensitive_parameters'].split() -- 1.9.3
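Review bot: Both PIN values are still drawn from `random.randint`, i.e. Python's Mersenne Twister `random` module, which is not intended for secrets, and the new `random` source now presents it as a password generator; `pki_client_pin` takes the same path. Use `random.SystemRandom().randint(pin_low, pin_high)` (os.urandom-backed, no new import) for both, and consider more than 12 decimal digits, which is under 40 bits of entropy. Note also that the `random` branch leaves `pki_pin` as an int while the `default` branch copies a str; if anything downstream formats or compares it as text the two sources will behave differently, so wrap the random value in `str(...)`. The invalid-source case raises a bare `Exception`; a `ValueError` would let callers distinguish a configuration mistake from an internal failure.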