Index: base/silent/src/tks/ConfigureTKS.java =================================================================== --- base/silent/src/tks/ConfigureTKS.java (revision 2598) +++ base/silent/src/tks/ConfigureTKS.java (working copy) @@ -152,6 +152,9 @@ public static String subsystem_name = null; public static String tks_audit_signing_cert_subject_name = null; + // Name Panel - CertSubjectPanel() + public static String ca_domain_url = null; + public ConfigureTKS () { // do nothing :) @@ -470,7 +473,17 @@ ArrayList cert_list = null; ArrayList dn_list = null; - String domain_url = "https://" + ca_hostname + ":" + ca_ssl_port ; + String domain_url = null; + if ( ( ca_domain_url != null ) && + ( !ca_domain_url.equals( "" ) ) && + ( !ca_domain_url.equals( "empty" ) ) ) { + domain_url = ca_domain_url; + } else { + // Use the CA EE hostname and the CA EE port + domain_url = "https://" + ca_hostname + ":" + ca_ssl_port; + } + System.out.println("CertSubjectPanel() domain_url='" + + domain_url + "'."); String query_string = "p=9" + "&op=next" + "&xml=true" + "&subsystem=" + @@ -990,6 +1003,9 @@ // subsystemName StringHolder x_subsystem_name = new StringHolder(); + // Name Panel - CertSubjectPanel() + StringHolder x_ca_domain_url = new StringHolder(); + // parse the args ArgParser parser = new ArgParser("ConfigureTKS"); @@ -1104,6 +1120,10 @@ "-subsystem_name %s #CA subsystem name", x_subsystem_name); + parser.addOption ( + "-ca_domain_url %s #URL to CA used to Issue Certificates for TKS Instance Creation", + x_ca_domain_url); + parser.addOption( "-tks_audit_signing_cert_subject_name %s #TKS audit signing cert subject name", x_tks_audit_signing_cert_subject_name); 
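Review bot: `ca_domain_url` is taken from the command line and used as-is whenever it is non-empty, with no check that it is an `https://` URL, so a mistyped value or an `http://` scheme quietly points the TKS's certificate issuance at a CA other than the one the fallback would have chosen. Since the override exists precisely to name a different CA, a guard right after the selection, `if (!domain_url.startsWith("https://")) { System.out.println("ERROR: ca_domain_url must be an https:// URL"); }` followed by whatever failure return this method uses, would catch this before the wizard request is sent. The same null/""/"empty" selection block is pasted into six other files in this patch; a small shared helper such as `static String pickUrl(String override, String host, String port)` would keep that check in one place. The enclosing CertSubjectPanel() method starts before and ends after this hunk.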
@@ -1189,6 +1209,8 @@ subsystem_name = x_subsystem_name.value ; tks_audit_signing_cert_subject_name = x_tks_audit_signing_cert_subject_name.value; + ca_domain_url = x_ca_domain_url.value; + boolean st = ca.ConfigureTKSInstance(); if (!st) { Index: base/silent/src/drm/ConfigureDRM.java =================================================================== --- base/silent/src/drm/ConfigureDRM.java (revision 2598) +++ base/silent/src/drm/ConfigureDRM.java (working copy) @@ -179,6 +179,9 @@ public static String subsystem_name = null; + // Name Panel - CertSubjectPanel() + public static String ca_domain_url = null; + // cloning public static boolean clone = false; public static String clone_uri = null; @@ -576,7 +579,17 @@ ArrayList dn_list = null; String query_string = null; - String domain_url = "https://" + ca_hostname + ":" + ca_ssl_port ; + String domain_url = null; + if ( ( ca_domain_url != null ) && + ( !ca_domain_url.equals( "" ) ) && + ( !ca_domain_url.equals( "empty" ) ) ) { + domain_url = ca_domain_url; + } else { + // Use the CA EE hostname and the CA EE port + domain_url = "https://" + ca_hostname + ":" + ca_ssl_port; + } + System.out.println("CertSubjectPanel() domain_url='" + + domain_url + "'."); if (!clone) { query_string = "p=9" + "&op=next" + "&xml=true" + @@ -1143,6 +1156,9 @@ // subsystemName StringHolder x_subsystem_name = new StringHolder(); + // Name Panel - CertSubjectPanel() + StringHolder x_ca_domain_url = new StringHolder(); + //clone parameters StringHolder x_clone = new StringHolder(); StringHolder x_clone_uri = new StringHolder(); @@ -1281,6 +1297,10 @@ "-subsystem_name %s #CA subsystem name", x_subsystem_name); + parser.addOption ( + "-ca_domain_url %s #URL to CA used to Issue Certificates for DRM Instance Creation", + x_ca_domain_url); + parser.addOption( "-drm_audit_signing_cert_subject_name %s #DRM audit signing cert subject name", x_drm_audit_signing_cert_subject_name); 
@@ -1387,6 +1407,8 @@ subsystem_name = x_subsystem_name.value; + ca_domain_url = x_ca_domain_url.value; + if ((x_clone.value != null) && (x_clone.value.equalsIgnoreCase("true"))) { clone = true; } else { Index: base/silent/src/ra/ConfigureRA.java =================================================================== --- base/silent/src/ra/ConfigureRA.java (revision 2598) +++ base/silent/src/ra/ConfigureRA.java (working copy) @@ -125,6 +125,12 @@ // Admin Certificate Request Panel public static String requestor_name = null; + // CA Info Panel - SubsystemPanel() + public static String ca_issuance_url = null; + + // Name Panel - CertSubjectPanel() + public static String ca_domain_url = null; + public ConfigureRA () { // do nothing :) @@ -298,13 +304,23 @@ px.prettyprintxml(); sleep_time(); - // 'ca_url' is not used, but refers to - // the CA EE hostname and the CA EE port - String ca_url = "https://" + ca_hostname + ":" + ca_ssl_port ; + String ca_url = null; + if ( ( ca_issuance_url != null ) && + ( !ca_issuance_url.equals( "" ) ) && + ( !ca_issuance_url.equals( "empty" ) ) ) { + ca_url = ca_issuance_url; + } else { + // Use the CA EE hostname and the CA EE port + ca_url = "https://" + ca_hostname + ":" + ca_ssl_port; + } + System.out.println("SubsystemPanel() ca_url='" + + ca_url + "'."); + // CA choice panel query_string = "p=4" + - "&urls=0" + + "&urls=" + + URLEncoder.encode(ca_url) + "&op=next" + "&xml=true" ; 
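Review bot: The CA choice panel now submits `urls=<encoded ca_url>` where the old code sent `urls=0`, so even when `-ca_issuance_url` is not given the request carries an explicit `https://ca_hostname:ca_ssl_port` rather than the server's first listed choice; if the server-side SubsystemPanel matches this string against its own list (not visible here), a CA advertised under a different hostname form would no longer be selected. Worth confirming against the server handler before relying on the new default. Nothing rejects a non-`https://` override before it is encoded into the query; `if (!ca_url.startsWith("https://")) { System.out.println("ERROR: ca_issuance_url must be an https:// URL"); }` plus the method's failure return would close that. The enclosing method starts before and ends after this hunk.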
@@ -442,9 +458,17 @@ ArrayList cert_list = null; ArrayList dn_list = null; - // 'ca_url' is not used, but refers to - // the CA EE hostname and the CA EE port - String ca_url = "https://" + ca_hostname + ":" + ca_ssl_port ; + String ca_url = null; + if ( ( ca_domain_url != null ) && + ( !ca_domain_url.equals( "" ) ) && + ( !ca_domain_url.equals( "empty" ) ) ) { + ca_url = ca_domain_url; + } else { + // Use the CA EE hostname and the CA EE port + ca_url = "https://" + ca_hostname + ":" + ca_ssl_port; + } + System.out.println("CertSubjectPanel() ca_url='" + + ca_url + "'."); String query_string = "p=9" + "&sslserver=" + @@ -455,7 +479,8 @@ URLEncoder.encode(ra_subsystem_cert_subject_name) + "&subsystem_nick=" + URLEncoder.encode(ra_subsystem_cert_nickname) + - "&urls=0" + + "&urls=" + + URLEncoder.encode(ca_url) + "&op=next" + "&xml=true" ; @@ -830,7 +855,13 @@ // subsystemName StringHolder x_subsystem_name = new StringHolder(); + // CA Info Panel - SubsystemPanel() + StringHolder x_ca_issuance_url = new StringHolder(); + // Name Panel - CertSubjectPanel() + StringHolder x_ca_domain_url = new StringHolder(); + + // parse the args ArgParser parser = new ArgParser("ConfigureRA"); @@ -915,6 +946,14 @@ "-subsystem_name %s #RA subsystem name", x_subsystem_name); + parser.addOption ( + "-ca_issuance_url %s #URL to CA used to Issue Certificates", + x_ca_issuance_url); + + parser.addOption ( + "-ca_domain_url %s #URL to CA used to Issue Certificates for RA Instance Creation", + x_ca_domain_url); + // and then match the arguments String [] unmatched = null; unmatched = parser.matchAllArgs (args,0,parser.EXIT_ON_UNMATCHED); 
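Review bot: The two new options are hard to tell apart from their help strings: `-ca_issuance_url` reads "URL to CA used to Issue Certificates" and `-ca_domain_url` reads "URL to CA used to Issue Certificates for RA Instance Creation", yet per the field comments the first feeds the CA Info Panel (p=4) and the second the Name Panel (p=9). Suggest help text that names the panel, the expected shape and the default, e.g. `"-ca_issuance_url %s #https://<host>:<port> of the CA chosen on the CA Info Panel (optional; defaults to ca_hostname:ca_ssl_port)"` and `"-ca_domain_url %s #https://<host>:<port> of the CA that issues this RA's own certificates on the Name Panel (optional; same default)"`. Both are optional in practice, which the current help does not say.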
@@ -973,8 +1012,12 @@ subsystem_name = x_subsystem_name.value ; + ca_issuance_url = x_ca_issuance_url.value; + ca_domain_url = x_ca_domain_url.value; + + boolean st = ca.ConfigureRAInstance(); if (!st) Index: base/silent/src/ca/ConfigureCA.java =================================================================== --- base/silent/src/ca/ConfigureCA.java (revision 2598) +++ base/silent/src/ca/ConfigureCA.java (working copy) @@ -177,6 +177,9 @@ public static String subsystem_name = null; + // Name Panel - CertSubjectPanel() + public static String ca_domain_url = null; + public static String external_ca= null; public static String ext_ca_cert_file = null; public static String ext_ca_cert_chain_file = null; @@ -643,6 +646,17 @@ ArrayList dn_list = null; String query_string = null; + String domain_url = null; + if ( ( ca_domain_url != null ) && + ( !ca_domain_url.equals( "" ) ) && + ( !ca_domain_url.equals( "empty" ) ) ) { + domain_url = "&urls=" + URLEncoder.encode(ca_domain_url); + } else { + domain_url = "&urls=0" + ""; + } + System.out.println("CertSubjectPanel() domain_url='" + + domain_url + "'."); + // use subject names provided as input if (!clone) { @@ -652,12 +666,12 @@ + URLEncoder.encode(ca_ocsp_cert_subject_name) + "&signing=" + URLEncoder.encode(ca_sign_cert_subject_name) + "&sslserver=" + URLEncoder.encode(ca_server_cert_subject_name) + "&audit_signing=" - + URLEncoder.encode(ca_audit_signing_cert_subject_name) + "&urls=0" - + ""; + + URLEncoder.encode(ca_audit_signing_cert_subject_name) + + domain_url; } else { query_string = "p=11" + "&op=next" + "&xml=true" + "&sslserver=" - + URLEncoder.encode(ca_server_cert_subject_name) + "&urls=0" - + ""; + + URLEncoder.encode(ca_server_cert_subject_name) + + domain_url; } hr = hc.sslConnect(cs_hostname, cs_port, wizard_uri, query_string); 
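Review bot: In this file `domain_url` holds a ready-made query fragment (`"&urls=..."`), whereas in the six sibling files the same-named variable holds a bare URL and the `&urls=` prefix is added at the call site; the debug line consequently prints `domain_url='&urls=0'`. Renaming it, e.g. `String urls_param = ...;` and `System.out.println("CertSubjectPanel() urls_param='" + urls_param + "'.");`, would keep the seven files readable side by side. Note also that the fallback here stays `urls=0` while ConfigureSubCA's fallback in this same patch now sends an explicit `https://` URL, so the two CA flavours behave differently when the option is omitted — presumably deliberate for a root CA that issues its own certificates, but a one-line comment saying so would help. The enclosing method starts before and ends after this hunk.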
@@ -1517,6 +1531,9 @@ // subsystemName StringHolder x_subsystem_name = new StringHolder(); + // Name Panel - CertSubjectPanel() + StringHolder x_ca_domain_url = new StringHolder(); + // external CA cert StringHolder x_external_ca = new StringHolder(); StringHolder x_ext_ca_cert_file = new StringHolder(); @@ -1633,6 +1650,10 @@ parser.addOption("-subsystem_name %s #CA subsystem name", x_subsystem_name); + + parser.addOption ( + "-ca_domain_url %s #URL to CA used to Issue Certificates for CA Instance Creation", + x_ca_domain_url); parser.addOption("-external %s #Subordinate to external CA [true,false] (optional, default false)", x_external_ca); @@ -1741,6 +1762,8 @@ ca_audit_signing_cert_subject_name = x_ca_audit_signing_cert_subject_name.value; subsystem_name = x_subsystem_name.value; + + ca_domain_url = x_ca_domain_url.value; external_ca = set_default(x_external_ca.value, "false"); ext_ca_cert_file = x_ext_ca_cert_file.value; Index: base/silent/src/ocsp/ConfigureOCSP.java =================================================================== --- base/silent/src/ocsp/ConfigureOCSP.java (revision 2598) +++ base/silent/src/ocsp/ConfigureOCSP.java (working copy) @@ -165,6 +165,10 @@ public static String ocsp_audit_signing_cert_subject_name = null; public static String subsystem_name = null; + + // Name Panel - CertSubjectPanel() + public static String ca_domain_url = null; + public ConfigureOCSP () { // do nothing :) 
@@ -494,7 +498,17 @@ ArrayList cert_list = null; ArrayList dn_list = null; - String domain_url = "https://" + ca_hostname + ":" + ca_ssl_port ; + String domain_url = null; + if ( ( ca_domain_url != null ) && + ( !ca_domain_url.equals( "" ) ) && + ( !ca_domain_url.equals( "empty" ) ) ) { + domain_url = ca_domain_url; + } else { + // Use the CA EE hostname and the CA EE port + domain_url = "https://" + ca_hostname + ":" + ca_ssl_port; + } + System.out.println("CertSubjectPanel() domain_url='" + + domain_url + "'."); String query_string = "p=9" + "&op=next" + "&xml=true" + "&subsystem=" + @@ -1028,6 +1042,9 @@ // subsystemName StringHolder x_subsystem_name = new StringHolder(); + // Name Panel - CertSubjectPanel() + StringHolder x_ca_domain_url = new StringHolder(); + // parse the args ArgParser parser = new ArgParser("ConfigureOCSP"); @@ -1152,6 +1169,10 @@ "-subsystem_name %s #OCSP subsystem name", x_subsystem_name); + parser.addOption ( + "-ca_domain_url %s #URL to CA used to Issue Certificates for OCSP Instance Creation", + x_ca_domain_url); + parser.addOption( "-ocsp_audit_signing_cert_subject_name %s #OCSP audit signing cert subject name", x_ocsp_audit_signing_cert_subject_name); @@ -1247,6 +1268,7 @@ subsystem_name = x_subsystem_name.value ; + ca_domain_url = x_ca_domain_url.value; boolean st = ca.ConfigureOCSPInstance(); Index: base/silent/src/tps/ConfigureTPS.java =================================================================== --- base/silent/src/tps/ConfigureTPS.java (revision 2598) +++ base/silent/src/tps/ConfigureTPS.java (working copy) 
@@ -79,11 +79,15 @@ public static String ca_ssl_port = null; public static String ca_admin_port = null; - public static String drm_hostname = null; - public static String drm_ssl_port = null; + public static String drm_agent_hostname = null; + public static String drm_agent_port = null; + public static String drm_admin_hostname = null; + public static String drm_admin_port = null; - public static String tks_hostname = null; - public static String tks_ssl_port = null; + public static String tks_agent_hostname = null; + public static String tks_agent_port = null; + public static String tks_admin_hostname = null; + public static String tks_admin_port = null; public static String client_certdb_dir = null; public static String client_token_name = null; @@ -171,6 +175,18 @@ // Admin Certificate Request Panel public static String requestor_name = null; + // CA Info Panel - SubsystemPanel() + public static String ca_issuance_url = null; + + // TKS Info Panel - SubsystemPanel() + public static String tks_key_management_url = null; + + // DRM Info Panel - SubsystemPanel() + public static String drm_server_side_keygen_url = null; + + // Name Panel - CertSubjectPanel() + public static String ca_domain_url = null; + public ConfigureTPS () { // do nothing :) @@ -344,13 +360,23 @@ px.prettyprintxml(); sleep_time(); - // 'ca_url' is not used, but refers to - // the CA EE hostname and the CA EE port - String ca_url = "https://" + ca_hostname + ":" + ca_ssl_port ; // CA choice panel + String ca_url = null; + if ( ( ca_issuance_url != null ) && + ( !ca_issuance_url.equals( "" ) ) && + ( !ca_issuance_url.equals( "empty" ) ) ) { + ca_url = ca_issuance_url; + } else { + // Use the CA EE hostname and the CA EE port + ca_url = "https://" + ca_hostname + ":" + ca_ssl_port; + } + System.out.println("SubsystemPanel() ca_url='" + + ca_url + "'."); + query_string = "p=6" + - "&urls=0" + + "&urls=" + + URLEncoder.encode(ca_url) + "&op=next" + "&xml=true" ; 
@@ -361,13 +387,27 @@ px.prettyprintxml(); sleep_time(); + // TKS choice panel - // - // 'tks_url' is not used, but refers to - // the TKS Agent hostname and the TKS Agent port - String tks_url = "https://" + tks_hostname + ":" + tks_ssl_port ; + String tks_url = null; + if ( ( tks_key_management_url != null ) && + ( !tks_key_management_url.equals( "" ) ) && + ( !tks_key_management_url.equals( "empty" ) ) ) { + tks_url = tks_key_management_url; + } else { + // Use the TKS Agent hostname and the TKS Agent port + tks_url = "https://" + tks_agent_hostname + ":" + tks_agent_port; + } + System.out.println("SubsystemPanel() tks_url='" + + tks_url + "'."); + query_string = "p=7" + - "&urls=0" + + "&urls=" + + URLEncoder.encode(tks_url) + + "&adminhost=" + + URLEncoder.encode(tks_admin_hostname) + + "&adminport=" + + tks_admin_port + "&op=next" + "&xml=true" ; @@ -377,21 +417,34 @@ px.parse(bais); px.prettyprintxml(); + sleep_time(); + // DRM / server side keygen panel - - sleep_time(); if(ss_keygen.equalsIgnoreCase("true")) { ss_keygen = "keygen"; } - // 'drm_url' is not used, but refers to - // the DRM Agent hostname and the DRM Agent port - String drm_url = "https://" + drm_hostname + ":" + drm_ssl_port ; + String drm_url = null; + if ( ( drm_server_side_keygen_url != null ) && + ( !drm_server_side_keygen_url.equals( "" ) ) && + ( !drm_server_side_keygen_url.equals( "empty" ) ) ) { + drm_url = drm_server_side_keygen_url; + } else { + // Use the DRM Agent hostname and the DRM Agent port + drm_url = "https://" + drm_agent_hostname + ":" + drm_agent_port; + } + System.out.println("SubsystemPanel() drm_url='" + + drm_url + "'."); query_string = "p=8" + "&choice=" + ss_keygen + - "&urls=0" + + "&urls=" + + URLEncoder.encode(drm_url) + + "&adminhost=" + + URLEncoder.encode(drm_admin_hostname) + + "&adminport=" + + drm_admin_port + "&op=next" + "&xml=true" ; 
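Review bot: `URLEncoder.encode(tks_admin_hostname)` will throw a NullPointerException when `-tks_admin_hostname` is not supplied, and `"&adminport=" + tks_admin_port` will send the literal string `null` when `-tks_admin_port` is missing; both options are new in this patch and nothing in the hunk defaults or validates them (the same applies to `drm_admin_hostname`/`drm_admin_port` in the DRM panel below). Existing silent scripts will not set these, so a check before `query_string` is built, such as `if (tks_admin_hostname == null || tks_admin_port == null) { System.out.println("ERROR: tks_admin_hostname and tks_admin_port are required"); }` followed by the method's failure return, gives a clear message instead of a stack trace or a malformed request. The port values should also go through `URLEncoder.encode` like the hostnames, for consistency with the rest of the query. The enclosing method starts before and ends after this hunk.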
@@ -578,9 +631,17 @@ ArrayList dn_list = null; ArrayList friendly_list = null; - // 'ca_url' is not used, but refers to - // the CA EE hostname and the CA EE port - String ca_url = "https://" + ca_hostname + ":" + ca_ssl_port ; + String ca_url = null; + if ( ( ca_domain_url != null ) && + ( !ca_domain_url.equals( "" ) ) && + ( !ca_domain_url.equals( "empty" ) ) ) { + ca_url = ca_domain_url; + } else { + // Use the CA EE hostname and the CA EE port + ca_url = "https://" + ca_hostname + ":" + ca_ssl_port; + } + System.out.println("CertSubjectPanel() ca_url='" + + ca_url + "'."); String query_string = "p=12" + "&sslserver=" + @@ -595,7 +656,8 @@ URLEncoder.encode(tps_audit_signing_cert_subject_name) + "&audit_signing_nick=" + URLEncoder.encode(tps_audit_signing_cert_nickname) + - "&urls=0" + + "&urls=" + + URLEncoder.encode(ca_url) + "&op=next" + "&xml=true" ; @@ -959,11 +1021,15 @@ StringHolder x_ca_ssl_port = new StringHolder(); StringHolder x_ca_admin_port = new StringHolder(); - StringHolder x_drm_hostname = new StringHolder(); - StringHolder x_drm_ssl_port = new StringHolder(); + StringHolder x_drm_agent_hostname = new StringHolder(); + StringHolder x_drm_agent_port = new StringHolder(); + StringHolder x_drm_admin_hostname = new StringHolder(); + StringHolder x_drm_admin_port = new StringHolder(); - StringHolder x_tks_hostname = new StringHolder(); - StringHolder x_tks_ssl_port = new StringHolder(); + StringHolder x_tks_agent_hostname = new StringHolder(); + StringHolder x_tks_agent_port = new StringHolder(); + StringHolder x_tks_admin_hostname = new StringHolder(); + StringHolder x_tks_admin_port = new StringHolder(); StringHolder x_client_certdb_dir = new StringHolder(); StringHolder x_client_token_name = new StringHolder(); 
@@ -1023,7 +1089,19 @@ // subsystemName StringHolder x_subsystem_name = new StringHolder(); + // CA Info Panel - SubsystemPanel() + StringHolder x_ca_issuance_url = new StringHolder(); + // TKS Info Panel - SubsystemPanel() + StringHolder x_tks_key_management_url = new StringHolder(); + + // DRM Info Panel - SubsystemPanel() + StringHolder x_drm_server_side_keygen_url = new StringHolder(); + + // Name Panel - CertSubjectPanel() + StringHolder x_ca_domain_url = new StringHolder(); + + // parse the args ArgParser parser = new ArgParser("ConfigureTPS"); @@ -1058,17 +1136,25 @@ parser.addOption ("-ca_admin_port %s #CA SSL Admin port", x_ca_admin_port); - parser.addOption ("-drm_hostname %s #DRM Hostname", - x_drm_hostname); - parser.addOption ("-drm_ssl_port %s #DRM SSL port", - x_drm_ssl_port); + parser.addOption ("-drm_agent_hostname %s #DRM Agent Hostname", + x_drm_agent_hostname); + parser.addOption ("-drm_agent_port %s #DRM Agent SSL port", + x_drm_agent_port); parser.addOption ("-ss_keygen %s #Enable Server Side Keygen [true,false]", x_ss_keygen); + parser.addOption ("-drm_admin_hostname %s #DRM Admin Hostname", + x_drm_admin_hostname); + parser.addOption ("-drm_admin_port %s #DRM SSL Admin port", + x_drm_admin_port); - parser.addOption ("-tks_hostname %s #TKS Hostname", - x_tks_hostname); - parser.addOption ("-tks_ssl_port %s #TKS SSL port", - x_tks_ssl_port); + parser.addOption ("-tks_agent_hostname %s #TKS Agent Hostname", + x_tks_agent_hostname); + parser.addOption ("-tks_agent_port %s #TKS Agent SSL port", + x_tks_agent_port); + parser.addOption ("-tks_admin_hostname %s #TKS Admin Hostname", + x_tks_admin_hostname); + parser.addOption ("-tks_admin_port %s #TKS SSL Admin port", + x_tks_admin_port); parser.addOption ("-client_certdb_dir %s #Client CertDB dir", x_client_certdb_dir); 
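Review bot: Removing `-drm_hostname`, `-drm_ssl_port`, `-tks_hostname` and `-tks_ssl_port` is a breaking change for every existing TPS silent script, because the parser is run with `parser.EXIT_ON_UNMATCHED` (visible in the next hunk) and will abort on the old names. If ArgParser allows two options to share a holder, registering the old names as deprecated aliases, e.g. `parser.addOption ("-drm_hostname %s #DEPRECATED: use -drm_agent_hostname", x_drm_agent_hostname);`, would keep old scripts working; otherwise the rename should at least be called out in the option help. The `-drm_admin_*` options are also inserted between `-drm_agent_port` and `-ss_keygen` rather than beside the other DRM options; grouping them makes the generated help easier to scan.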
@@ -1158,7 +1244,23 @@ "-subsystem_name %s #CA subsystem name", x_subsystem_name); + parser.addOption ( + "-ca_issuance_url %s #URL to CA used to Issue Certificates", + x_ca_issuance_url); + parser.addOption ( + "-tks_key_management_url %s #URL to TKS used for Key Management", + x_tks_key_management_url); + + parser.addOption ( + "-drm_server_side_keygen_url %s #URL to DRM used for Server-Side Keygen", + x_drm_server_side_keygen_url); + + parser.addOption ( + "-ca_domain_url %s #URL to CA used to Issue Certificates for TPS Instance Creation", + x_ca_domain_url); + + // and then match the arguments String [] unmatched = null; unmatched = parser.matchAllArgs (args,0,parser.EXIT_ON_UNMATCHED); @@ -1189,11 +1291,15 @@ ca_ssl_port = x_ca_ssl_port.value; ca_admin_port = x_ca_admin_port.value; - tks_hostname = x_tks_hostname.value; - tks_ssl_port = x_tks_ssl_port.value; + tks_agent_hostname = x_tks_agent_hostname.value; + tks_agent_port = x_tks_agent_port.value; + tks_admin_hostname = x_tks_admin_hostname.value; + tks_admin_port = x_tks_admin_port.value; - drm_hostname = x_drm_hostname.value; - drm_ssl_port = x_drm_ssl_port.value; + drm_agent_hostname = x_drm_agent_hostname.value; + drm_agent_port = x_drm_agent_port.value; + drm_admin_hostname = x_drm_admin_hostname.value; + drm_admin_port = x_drm_admin_port.value; client_certdb_dir = x_client_certdb_dir.value; client_token_name = x_client_token_name.value; @@ -1252,8 +1358,16 @@ subsystem_name = x_subsystem_name.value ; + ca_issuance_url = x_ca_issuance_url.value; + tks_key_management_url = x_tks_key_management_url.value; + drm_server_side_keygen_url = x_drm_server_side_keygen_url.value; + + ca_domain_url = x_ca_domain_url.value; + + + boolean st = ca.ConfigureTPSInstance(); if (!st) Index: base/silent/src/subca/ConfigureSubCA.java =================================================================== --- base/silent/src/subca/ConfigureSubCA.java (revision 2598) +++ base/silent/src/subca/ConfigureSubCA.java (working copy) 
@@ -172,6 +172,9 @@ public static String subsystem_name = null; + // Name Panel - CertSubjectPanel() + public static String ca_domain_url = null; + // names public static String subca_sign_cert_subject_name = null; public static String subca_subsystem_cert_subject_name = null; @@ -534,7 +537,17 @@ ArrayList cert_list = null; ArrayList dn_list = null; - String domain_url = "https://" + ca_hostname + ":" + ca_ssl_port ; + String domain_url = null; + if ( ( ca_domain_url != null ) && + ( !ca_domain_url.equals( "" ) ) && + ( !ca_domain_url.equals( "empty" ) ) ) { + domain_url = ca_domain_url; + } else { + // Use the CA EE hostname and the CA EE port + domain_url = "https://" + ca_hostname + ":" + ca_ssl_port; + } + System.out.println("CertSubjectPanel() domain_url='" + + domain_url + "'."); String query_string = "p=11" + "&op=next" + "&xml=true" + @@ -548,8 +561,8 @@ URLEncoder.encode(subca_subsystem_cert_subject_name) + "&audit_signing=" + URLEncoder.encode(subca_audit_signing_cert_subject_name) + - "&urls=0" + - ""; + "&urls=" + + URLEncoder.encode(domain_url); hr = hc.sslConnect(cs_hostname,cs_port,wizard_uri,query_string); @@ -1078,6 +1091,9 @@ // subsystem name StringHolder x_subsystem_name = new StringHolder(); + // Name Panel - CertSubjectPanel() + StringHolder x_ca_domain_url = new StringHolder(); + // subject names StringHolder x_subca_sign_cert_subject_name = new StringHolder(); StringHolder x_subca_subsystem_cert_subject_name = new StringHolder(); @@ -1203,6 +1219,10 @@ x_subsystem_name); parser.addOption ( + "-ca_domain_url %s #URL to CA used to Issue Certificates for SubCA Instance Creation", + x_ca_domain_url); + + parser.addOption ( "-subca_sign_cert_subject_name %s #subCA cert subject name", x_subca_sign_cert_subject_name); parser.addOption ( 
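Review bot: The Name Panel request now always carries an explicit URL (`urls=https://ca_hostname:ca_ssl_port` by default) where it previously sent `urls=0`, so the behaviour of existing subCA silent scripts changes even when `-ca_domain_url` is not used; if the server matches the submitted URL against the security domain's CA list, a CA advertised under a different hostname form would stop matching. Confirm this against the server-side CertSubjectPanel, or keep `"&urls=0"` when `ca_domain_url` is unset as ConfigureCA does in this same patch. The new template notes that the referenced CA need not be the security-domain CA, which is exactly the case where an unchecked value matters, so rejecting non-`https://` input with `if (!domain_url.startsWith("https://")) { System.out.println("ERROR: ca_domain_url must be an https:// URL"); }` and the method's failure return is worth adding before the URL is encoded. The enclosing method starts before and ends after this hunk.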
@@ -1305,6 +1325,8 @@ save_p12 = x_save_p12.value; backup_pwd = x_backup_pwd.value; subsystem_name = x_subsystem_name.value; + + ca_domain_url = x_ca_domain_url.value; subca_sign_cert_subject_name = x_subca_sign_cert_subject_name.value ; subca_subsystem_cert_subject_name = Index: base/silent/templates/silent_subca_ip_port.template =================================================================== --- base/silent/templates/silent_subca_ip_port.template (revision 0) +++ base/silent/templates/silent_subca_ip_port.template (revision 0) 
@@ -0,0 +1,612 @@ +#!/bin/bash +## BEGIN COPYRIGHT BLOCK +## (C) 2009 Red Hat, Inc. +## All rights reserved. +## END COPYRIGHT BLOCK + + +## Always switch into this base directory +## prior to script execution so that all +## of its output is written to this directory + +cd `dirname $0` + + +## Disallow script to be run as the name of this template +pki_silent_script=`basename $0` +if [ "${pki_silent_script}" = "silent_subca_ip_port.template" ] ; then + printf "\n" + printf "Usage: (1) Install AND configure a directory server instance.\n\n" + printf " (2) Install AND configure a Root CA subsystem instance\n" + printf " that is its own security domain.\n\n" + printf " (3) Use 'pkicreate' to install a second CA subsystem\n" + printf " instance (this will become a Subordinate CA).\n" + printf " [Do NOT configure this CA subsystem instance!]\n\n" + printf " (4) Install the 'pki-silent' package.\n\n" + printf " (5) Copy '$0' to a new script name\n" + printf " without the '.template' extension.\n" + printf " (e .g. - 'configure_subca_ip_port_instance')\n\n" + printf " (6) Fill in all MANDATORY user-defined variables\n" + printf " in the new script.\n\n" + printf " (7) Change any OPTIONAL user-defined variables\n" + printf " in the new script as desired.\n\n" + printf " (8) Become the 'root' user, and execute the new script to\n" + printf " configure a Subordinate CA subsystem instance.\n\n" +exit 255 +fi + + +## +## This script MUST be run as root! 
+## + +ROOTUID=0 + +OS=`uname` +if [ "${OS}" = "Linux" ] ; then + MY_EUID=`/usr/bin/id -u` + MY_UID=`/usr/bin/id -ur` + USERNAME=`/usr/bin/id -un` +else + printf "ERROR: Unsupported operating system '${OS}'!\n" + exit 255 +fi + +if [ "${MY_UID}" != "${ROOTUID}" ] && + [ "${MY_EUID}" != "${ROOTUID}" ] ; then + printf "ERROR: The '$0' script must be run as root!\n" + exit 255 +fi + + + +############################################################################## +############################################################################## +## ## +## P K I S I L E N T - V A R I A B L E D E C L A R A T I O N ## +## ## +############################################################################## +############################################################################## + +############################################################################## +## U S E R - D E F I N E D V A R I A B L E S ( M A N D A T O R Y ) ## +############################################################################## + +## +## IMPORTANT: 'Escape' ALL spaces in EACH variable specified below! 
+## +## For Example: +## +## pki_security_domain_name="My\ Security\ Domain" +## + +## PKI CA Subsystem Hosts (FQDN) +pki_ca_ee_host= +pki_ca_admin_host= + +## PKI Subordinate CA Subsystem Hosts (FQDN) +pki_subca_agent_host= +pki_subca_ee_host= +pki_subca_eeca_host= +pki_subca_admin_host= + +## +## NOTE: Default PKI CA Instance Ports +## +## 9180 - non-secure port (not role specific) +## 9701 - non-secure Tomcat port +## 9443 - secure Agent port +## 9444 - secure EE port +## 9445 - secure Admin port +## 9446 - secure EE Client Auth port (not necessarily labeled) +## +## +## For Example: +## +## semanage port -l | grep pki +## +## pki_ca_port_t tcp 9180, 9701, 9443, 9444, 9445 +## pki_subca_port_t tcp 19180, 19701, 19443, 19444, 19445 +## + +## PKI CA ports (Security Domain) +pki_ca_nonssl_port= +pki_ca_agent_port= +pki_ca_ee_port= +pki_ca_admin_port= + +## PKI Alternate Subordinate CA ports (not a Security Domain) +## +## NOTE: Replace the CA EE Security Domain Host and Port to optionally use +## a Different Existing Subordinate CA to Issue Certificates for +## this Subordinate CA Instance Creation +## +pki_alternate_subca_ee_host=${pki_ca_ee_host} +pki_alternate_subca_ee_port=${pki_ca_ee_port} + +## PKI Subordinate CA ports (not a Security Domain) +pki_subca_admin_port= + +## PKI Silent Security Database Variables +## (e. g. - PKI Silent "browser" database) +pki_silent_security_database_repository="/tmp" +pki_silent_security_token_password= +pki_silent_security_token_name=internal + +## PKI Security Domain Variables +## (e. g. - Security Domain Login Panel) +pki_security_domain_name= +pki_security_domain_host="${pki_ca_admin_host}" +pki_security_domain_admin_name=admin +pki_security_domain_admin_password= + +## PKI Internal LDAP Database Variables +## (e. g. 
- Database Panel) +## +## If the LDAP server is located locally, specify: +## +## pki_ldap_host=localhost +## +## However, if the LDAP server is located remotely, specify the FQDN: +## +## pki_ldap_host="ds_host.example.com" (for example) +## +pki_ldap_host= +pki_ldap_port=389 +pki_bind_dn="cn=Directory\ Manager" +pki_bind_password= +## +## For first time configurations, the default case is to set: +## +## pki_remove_data=false +## +## For testing, however, it is often convenient to simply OVERWRITE any +## existing data in the LDAP database. If this is desirable, set: +## +## pki_remove_data=true +## +pki_remove_data= + +## PKI Instance-Specific Token Variables +## (e. g. - Module Panel) +pki_subca_token_name=internal +pki_subca_token_password= + +## PKI Instance-Specific Backup Variables +## (e. g. - Backup Key and Certificates Panel) +pki_subca_backup_password= + +## PKI Email Variables +## +## For example, to specify 'pkitest@example.com': +## +## pki_email_name=pkitest +## pki_email_company=example +## pki_email_domain=com +## +pki_email_name= +pki_email_company= +pki_email_domain= + +## PKI Silent Admin Variables +## (e. g. 
- Import Admin Certificate into PKI Silent "browser" database) +pki_silent_admin_user=admin +pki_silent_admin_password= +pki_silent_admin_email="${pki_email_name}\@${pki_email_company}\.${pki_email_domain}" + +## PKI Subsystem Names +pki_subca_subsystem_name="Certificate\ Authority" + +## PKI Subsystem Instance Names +pki_subca_instance_name="pki-subca" + +## PKI Silent Log Files +pki_silent_subca_log=/tmp/subca.log + +## URL to CA used to Issue Certificates for Subordinate CA Instance Creation +## +## * each 'hostname:port' must be a CA EE Hostname and CA EE Port +## * referenced CA does not need to be a Security Domain +## * referenced CA must reside within the same security domain +## as this Subordinate CA instance +## +## NOTE: To pass in a value of an empty string, specify the value "empty" +## instead of "" since ArgParser() throws away empty strings. +## +## This special "empty" string value may be specified for any of +## the following variables: +## +## * pki_subca_instance_ca_domain_url="empty" +## +pki_subca_instance_ca_domain_url="https://${pki_alternate_subca_ee_host}:${pki_alternate_subca_ee_port}" + + + +############################################################################## +## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ## +############################################################################## + +## +## NOTE: For comparison's sake, if the default instances were manually +## configured using a Firefox browser, the content of the corresponding +## Firefox browser's security libraries would be something similar +## to this: +## +## Certificate Nickname Trust Attributes +## SSL,S/MIME,JAR/XPI +## +## Certificate Authority 2 - ${pki_security_domain_name} ,, +## CA Administrator of Instance ${pki_subca_instance_name}'s +## ${pki_security_domain_name} ID u,u,u +## ${pki_subca_admin_host} P,, +## Certificate Authority - ${pki_security_domain_name} CT,C,C +## +## where: +## +## Nickname: "Certificate Authority 2 - " +## + 
"${pki_security_domain_name}" +## Subject Name: "cn=Certificate Authority 2," +## + "o=${pki_security_domain_name}" +## +## Nickname: "CA Administrator of Instance " +## + "${pki_subca_instance_name}'s " +## + "${pki_security_domain_name} ID" +## Subject Name: "cn=CA Administrator of Instance " +## + "${pki_subca_instance_name}," +## + "uid=admin," +## + "e=${pki_silent_admin_email}," +## + "o=${pki_security_domain_name}" +## +## Nickname: "${pki_subca_admin_host}" +## Subject Name: "cn=${pki_subca_admin_host}," +## + "o=${pki_security_domain_name}" +## +## Nickname: "Certificate Authority - " +## + "${pki_security_domain_name}" +## Subject Name: "cn=Certificate Authority," +## + "o=${pki_security_domain_name}" +## + + +## Miscellaneous CA Variables +## +## REMINDER: 'Escape' ALL spaces in EACH variable specified below! +## +## NOTE: For comparison's sake, if the default instances were manually +## configured using a Firefox browser, the content of the corresponding +## "/var/lib/${pki_subca_instance_name}/alias/" security libraries +## would be something similar to this: +## +## Certificate Nickname Trust Attributes +## SSL,S/MIME,JAR/XPI +## +## caSigningCert cert-${pki_subca_instance_name} CTu,Cu,Cu +## Server-Cert cert-${pki_subca_instance_name} u,u,u +## Certificate Authority - ${pki_security_domain_name} CT,c, +## ocspSigningCert cert-${pki_subca_instance_name} u,u,u +## auditSigningCert cert-${pki_subca_instance_name} u,u,u +## subsystemCert cert-${pki_subca_instance_name} u,u,u +## +## where: +## +## Nickname: "caSigningCert cert-${pki_subca_instance_name}" +## Subject Name: "cn=Certificate Authority 2," +## + "o=${pki_security_domain_name}" +## +## Nickname: "Server-Cert cert-${pki_subca_instance_name}" +## Subject Name: "cn=${pki_subca_admin_host}," +## + "o=${pki_security_domain_name}" +## +## Nickname: "Certificate Authority - " +## + "${pki_security_domain_name}" +## Subject Name: "cn=Certificate Authority," +## + "o=${pki_security_domain_name}" +## 
+## Nickname: "ocspSigningCert cert-${pki_subca_instance_name}" +## Subject Name: "cn=OCSP Signing Certificate 2," +## + "o=${pki_security_domain_name}" +## +## Nickname: "auditSigningCert cert-${pki_subca_instance_name}" +## Subject Name: "cn=CA Audit Signing Certificate 2," +## + "o=${pki_security_domain_name}" +## +## Nickname: "subsystemCert cert-${pki_subca_instance_name}" +## Subject Name: "cn=CA Subsystem Certificate 2," +## + "o=${pki_security_domain_name}" +## +## NOTE: The parameters for the signing algorithms have the following meaning: +## subca_signing_algorithm - signature algorithm used by +## the CA and OCSP signing certs +## to sign objects. +## subca_signing_signingalgorithm - optionally specify the +## algorithm used by the CA +## signing cert to sign objects +## subca_ocsp_signing_signingalgorithm - optionally specify the +## algorithm used by the CA ocsp +## signing cert to sign objects +## + +subca_agent_name="CA\ Administrator\ of\ Instance\ ${pki_subca_instance_name}\'s\ ${pki_security_domain_name}\ ID" +subca_agent_key_size=2048 +subca_agent_key_type=rsa +subca_agent_cert_subject="cn=CA\ Administrator\ of\ Instance\ ${pki_subca_instance_name},uid=admin,e=${pki_silent_admin_email},o=${pki_security_domain_name}" +subca_base_dn="dc=${pki_subca_admin_host}-${pki_subca_instance_name}" +subca_db_name="${pki_subca_admin_host}-${pki_subca_instance_name}" +subca_key_size=2048 +subca_key_type=rsa +subca_signing_algorithm=SHA256withRSA +subca_signing_signingalgorithm=SHA256withRSA +subca_ocsp_signing_signingalgorithm=SHA256withRSA +subca_save_p12=false +subca_sign_cert_subject_name="cn=Certificate\ Authority\ 2,o=${pki_security_domain_name}" +subca_subsystem_cert_subject_name="cn=CA\ Subsystem\ Certificate\ 2,o=${pki_security_domain_name}" +subca_ocsp_cert_subject_name="cn=OCSP\ Signing\ Certificate\ 2,o=${pki_security_domain_name}" +subca_server_cert_subject_name="cn=${pki_subca_ee_host},o=${pki_security_domain_name}" 
+subca_audit_signing_cert_subject_name="cn=CA\ Audit\ Signing\ Certificate\ 2,o=${pki_security_domain_name}" + + + +############################################################################## +############################################################################## +## ## +## P K I S I L E N T - S U B S Y S T E M C O N F I G U R A T I O N ## +## ## +############################################################################## +############################################################################## + +############################################################################## +## P K I S I L E N T I N I T I A L I Z A T I O N ## +############################################################################## + +## (1) Make certain that user has defined all MANDATORY user-defined variables! +usage_errors=0 +usage_error_preamble="ERROR: User MUST define a value for" + +if [ "${pki_ca_ee_host}" = "" ] ; then + printf "${usage_error_preamble} 'pki_ca_ee_host'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_ca_admin_host}" = "" ] ; then + printf "${usage_error_preamble} 'pki_ca_admin_host'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_subca_agent_host}" = "" ] ; then + printf "${usage_error_preamble} 'pki_subca_agent_host'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_subca_ee_host}" = "" ] ; then + printf "${usage_error_preamble} 'pki_subca_ee_host'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_subca_eeca_host}" = "" ] ; then + printf "${usage_error_preamble} 'pki_subca_eeca_host'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_subca_admin_host}" = "" ] ; then + printf "${usage_error_preamble} 'pki_subca_admin_host'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_ca_nonssl_port}" = "" ] ; then + printf "${usage_error_preamble} 'pki_ca_nonssl_port'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_ca_agent_port}" = "" ] ; then + printf 
"${usage_error_preamble} 'pki_ca_agent_port'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_ca_ee_port}" = "" ] ; then + printf "${usage_error_preamble} 'pki_ca_ee_port'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_ca_admin_port}" = "" ] ; then + printf "${usage_error_preamble} 'pki_ca_admin_port'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_subca_admin_port}" = "" ] ; then + printf "${usage_error_preamble} 'pki_subca_admin_port'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_silent_security_token_password}" = "" ] ; then + printf "${usage_error_preamble} 'pki_silent_security_token_password'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_security_domain_name}" = "" ] ; then + printf "${usage_error_preamble} 'pki_security_domain_name'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_security_domain_admin_password}" = "" ] ; then + printf "${usage_error_preamble} 'pki_security_domain_admin_password'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_ldap_host}" = "" ] ; then + printf "${usage_error_preamble} 'pki_ldap_host'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_bind_password}" = "" ] ; then + printf "${usage_error_preamble} 'pki_bind_password'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_remove_data}" = "" ] ; then + printf "${usage_error_preamble} 'pki_remove_data'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_subca_token_password}" = "" ] ; then + printf "${usage_error_preamble} 'pki_subca_token_password'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_subca_backup_password}" = "" ] ; then + printf "${usage_error_preamble} 'pki_subca_backup_password'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_email_name}" = "" ] ; then + printf "${usage_error_preamble} 'pki_email_name'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_email_company}" = "" ] ; then + 
printf "${usage_error_preamble} 'pki_email_company'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_email_domain}" = "" ] ; then + printf "${usage_error_preamble} 'pki_email_domain'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi +if [ "${pki_silent_admin_password}" = "" ] ; then + printf "${usage_error_preamble} 'pki_silent_admin_password'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi + + +## (2) Make certain that a PKI instance of the specified name EXISTS, +## but has NOT been previously CONFIGURED! +existence_errors=0 +existence_error_preamble="ERROR: No PKI Instance named" +configuration_errors=0 +configuration_error_preamble="ERROR: A PKI Instance named" +configuration_error_postamble="EXISTS,\n but has PREVIOUSLY been CONFIGURED!" + +if [ ! -f "/var/lib/${pki_subca_instance_name}/conf/CS.cfg" ] ; then + printf "${existence_error_preamble} '${pki_subca_instance_name}' EXISTS!\n" + existence_errors=`expr ${existence_errors} + 1` +else + subca_configuration_check=`grep -c preop /var/lib/${pki_subca_instance_name}/conf/CS.cfg` + if [ ${subca_configuration_check} -eq 0 ] ; then + printf "${configuration_error_preamble} '${pki_subca_instance_name}' " + printf "${configuration_error_postamble}\n" + configuration_errors=`expr ${configuration_errors} + 1` + fi +fi + + +if [ ${usage_errors} -ne 0 ] || + [ ${existence_errors} -ne 0 ] || + [ ${configuration_errors} -ne 0 ] ; then + printf "\n" + printf "Please correct ALL errors listed above and re-run\n" + printf "the '$0' script!\n\n" + exit 255 +fi + + +## (3) Make certain that 'pkisilent' exists and is executable on this system. +if [ ! -x "/usr/bin/pkisilent" ] ; then + printf "\n" + printf "ERROR: Please install the 'pki-silent' package and re-run\n" + printf "the '$0' script!\n\n" + exit 255 +fi + + +## (4) Check for old PKI Silent Security Databases, but DO NOT remove them! +## Instead, just inform the user. 
+if [ -f "${pki_silent_security_database_repository}/cert8.db" ] || + [ -f "${pki_silent_security_database_repository}/key3.db" ] || + [ -f "${pki_silent_security_database_repository}/secmod.db" ] ; then + printf "\n" + printf "WARNING: The existing security databases\n" + printf " (i. e. - 'cert8.db', 'key3.db', and/or 'secmod.db')\n" + printf " required by '${pki_silent_script}' at the\n" + printf " specified location '${pki_silent_security_database_repository}'\n" + printf " will be used.\n\n" +fi + + +## (5) Remove any old PKI Silent log file named '${pki_silent_subca_log}' +printf "Removing old PKI Silent log files:\n" +if [ -f ${pki_silent_subca_log} ] ; then + printf " Removing old '${pki_silent_subca_log}' . . . " + rm ${pki_silent_subca_log} + printf "done.\n" +fi +printf "Done.\n\n" + + + +############################################################################## +## C A L C U L A T E P K I I N S T A N C E P I N S ## +############################################################################## + +## PKI Subsystem Instance PINS +subca_preop_pin=`cat /var/lib/${pki_subca_instance_name}/conf/CS.cfg \ + | grep preop.pin | grep -v grep | awk -F= '{print $2}'` + + + +############################################################################## +## C E R T I F I C A T E A U T H O R I T Y ## +############################################################################## +## +## For example, upon completion, +## execute '/sbin/service ${pki_subca_instance_name} status': +## +## ${pki_subca_instance_name} (pid 7843) is running ... 
+## +## Unsecure Port = http://${pki_subca_ee_host}:19180/ca/ee/ca +## Secure Agent Port = https://${pki_subca_agent_host}:19443/ca/agent/ca +## Secure EE Port = https://${pki_subca_ee_host}:19444/ca/ee/ca +## Secure Admin Port = https://${pki_subca_admin_host}:19445/ca/services +## PKI Console Port = pkiconsole https://${pki_subca_admin_host}:19445/ca +## Tomcat Port = 19701 (for shutdown) +## +## +## Security Domain URL: +## ================================================================== +## https://${pki_ca_admin_host}:9445 +## ================================================================== +## + +## Configure Subordinate CA +printf "'${pki_silent_script}': Configuring '${pki_subca_instance_name}' . . .\n" +pkisilent ConfigureSubCA \ + -cs_hostname "${pki_subca_admin_host}" \ + -cs_port ${pki_subca_admin_port} \ + -sd_hostname "${pki_security_domain_host}" \ + -sd_ssl_port ${pki_ca_ee_port} \ + -sd_agent_port ${pki_ca_agent_port} \ + -sd_admin_port ${pki_ca_admin_port} \ + -sd_admin_name "${pki_security_domain_admin_name}" \ + -sd_admin_password ${pki_security_domain_admin_password} \ + -ca_hostname ${pki_ca_ee_host} \ + -ca_port ${pki_ca_nonssl_port} \ + -ca_ssl_port ${pki_ca_ee_port} \ + -client_certdb_dir ${pki_silent_security_database_repository} \ + -client_certdb_pwd ${pki_silent_security_token_password} \ + -client_token_name ${pki_silent_security_token_name} \ + -preop_pin ${subca_preop_pin} \ + -domain_name "${pki_security_domain_name}" \ + -admin_user ${pki_silent_admin_user} \ + -admin_password ${pki_silent_admin_password} \ + -admin_email "${pki_silent_admin_email}" \ + -agent_name ${subca_agent_name} \ + -ldap_host ${pki_ldap_host} \ + -ldap_port ${pki_ldap_port} \ + -bind_dn "${pki_bind_dn}" \ + -bind_password ${pki_bind_password} \ + -base_dn "${subca_base_dn}" \ + -db_name "${subca_db_name}" \ + -remove_data "${pki_remove_data}" \ + -key_size ${subca_key_size} \ + -key_type ${subca_key_type} \ + -signing_algorithm ${subca_signing_algorithm} 
\ + -signing_signingalgorithm ${subca_signing_signingalgorithm} \ + -ocsp_signing_signingalgorithm ${subca_ocsp_signing_signingalgorithm} \ + -token_name ${pki_subca_token_name} \ + -token_pwd ${pki_subca_token_password} \ + -agent_key_size ${subca_agent_key_size} \ + -agent_key_type ${subca_agent_key_type} \ + -agent_cert_subject "${subca_agent_cert_subject}" \ + -subsystem_name "${pki_subca_subsystem_name}" \ + -ca_domain_url "${pki_subca_instance_ca_domain_url}" \ + -save_p12 ${subca_save_p12} \ + -backup_pwd ${pki_subca_backup_password} \ + -subca_sign_cert_subject_name "${subca_sign_cert_subject_name}" \ + -subca_subsystem_cert_subject_name "${subca_subsystem_cert_subject_name}" \ + -subca_ocsp_cert_subject_name "${subca_ocsp_cert_subject_name}" \ + -subca_server_cert_subject_name "${subca_server_cert_subject_name}" \ + -subca_audit_signing_cert_subject_name \ + "${subca_audit_signing_cert_subject_name}" \ + | tee ${pki_silent_subca_log} + +## Restart Subordinate CA +/sbin/service ${pki_subca_instance_name} restart + +exit 0 Property changes on: base/silent/templates/silent_subca_ip_port.template ___________________________________________________________________ Added: svn:executable + * Index: base/silent/templates/silentEC_ca.template =================================================================== --- base/silent/templates/silentEC_ca.template (revision 2598) +++ base/silent/templates/silentEC_ca.template (working copy) @@ -174,8 +174,8 @@ ## ## *180 - non-secure port (not role specific) ## *701 - non-secure Tomcat port -## *443 - secure EE port -## *444 - secure Agent port +## *443 - secure Agent port +## *444 - secure EE port ## *445 - secure Admin port ## ## @@ -186,7 +186,7 @@ ## pki_ca_port_t tcp 9180, 9701, 9443, 9444, 9445 ## -## CA ports +## CA ports (Security Domain) ca_nonssl_port=9180 ca_agent_port=9443 ca_ee_port=9444 
@@ -306,6 +306,20 @@ ca_ocsp_cert_subject_name="cn=OCSP\ Signing\ Certificate,ou=${ca_instance_name},o=${pki_security_domain_name}" ca_server_cert_subject_name="cn=${pki_host},ou=${ca_instance_name},o=${pki_security_domain_name}" ca_audit_signing_cert_subject_name="cn=CA\ Audit\ Signing\ Certificate,ou=${ca_instance_name},o=${pki_security_domain_name}" +## URL to CA used to Issue Certificates for CA Instance Creation +## +## IMPORTANT: The CA referenced by this URL must reside within the +## same security domain as this CA instance. +## +## NOTE: To pass in a value of an empty string, specify the value "empty" +## instead of "" since ArgParser() throws away empty strings. +## +## This special "empty" string value may be specified for any of +## the following variables: +## +## * ca_instance_ca_domain_url="empty" +## +ca_instance_ca_domain_url="empty" ## Optional CA Variables for creating a clone CA ## @@ -590,6 +604,7 @@ -save_p12 ${ca_save_p12} \ -backup_pwd ${ca_backup_password} \ -subsystem_name ${ca_subsystem_name} \ + -ca_domain_url "${ca_instance_ca_domain_url}" \ -token_name ${ca_token_name} \ -token_pwd ${ca_token_password} \ -ca_sign_cert_subject_name "${ca_sign_cert_subject_name}" \ Index: base/silent/templates/silent_tks_ip_port.template =================================================================== --- base/silent/templates/silent_tks_ip_port.template (revision 2598) +++ base/silent/templates/silent_tks_ip_port.template (working copy) @@ -94,8 +94,8 @@ ## ## 9180 - non-secure port (not role specific) ## 9701 - non-secure Tomcat port -## 9443 - secure EE port -## 9444 - secure Agent port +## 9443 - secure Agent port +## 9444 - secure EE port ## 9445 - secure Admin port ## 9446 - secure EE Client Auth port (not necessarily labeled) ## 
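Review bot: The comment block for `ca_instance_ca_domain_url` does not say which CA is used when the value is "empty", so an operator cannot tell what the sentinel falls back to; presumably it is the security-domain CA given by `-ca_hostname`/`-ca_ssl_port`, but that should be stated rather than left to inference. It also does not say that any other value is passed through verbatim, scheme included, so the requirement that it be an https:// URL to a CA EE port is implicit. Suggested line after the IMPORTANT paragraph: `## If "empty", the CA given by -ca_hostname/-ca_ssl_port (the security domain CA) is used; any other value must be an https:// URL to a CA EE hostname and port.` The corresponding `*_ca_domain_url` blocks in the TKS, subordinate CA, RA and OCSP templates in this commit have the same gap.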
@@ -103,8 +103,8 @@ ## ## 13180 - non-secure port (not role specific) ## 13701 - non-secure Tomcat port -## 13443 - secure EE port -## 13444 - secure Agent port +## 13443 - secure Agent port +## 13444 - secure EE port ## 13445 - secure Admin port ## ## For Example: @@ -115,12 +115,20 @@ ## pki_tks_port_t tcp 13180, 13701, 13443, 13444, 13445 ## -## PKI CA ports +## PKI CA ports (Security Domain) pki_ca_nonssl_port= +pki_ca_agent_port= pki_ca_ee_port= -pki_ca_agent_port= pki_ca_admin_port= +## PKI Subordinate CA ports (not a Security Domain) +## +## NOTE: Replace the CA EE Security Domain Host and Port to optionally use +## a Subordinate CA to Issue Certificates for TKS Instance Creation +## +pki_subca_ee_host=${pki_ca_ee_host} +pki_subca_ee_port=${pki_ca_ee_port} + ## PKI TKS ports pki_tks_admin_port= 
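Review bot: `pki_subca_ee_host=${pki_ca_ee_host}` and `pki_subca_ee_port=${pki_ca_ee_port}` are expanded at the point of assignment, so they only inherit values the operator has already filled in above this hunk, and `pki_ca_ee_port=` is still blank a few lines earlier. If either is left blank, `pki_tks_instance_ca_domain_url` later expands to `https://:`, which is neither "" nor the documented "empty" sentinel and so would presumably be handed to ConfigureTKS as a real URL. Consider a guard in the mandatory-variable checks (outside this hunk, if this template has the same section (1) as the others) modelled on the existing `pki_ca_ee_port` test, or at least a comment such as `## NOTE: These defaults are evaluated here; pki_ca_ee_host and pki_ca_ee_port must already be set above.` The RA, OCSP and TPS ip_port templates in this commit introduce the same pattern.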
@@ -199,8 +207,63 @@ ## PKI Silent Log Files pki_silent_tks_log=/tmp/tks.log +## URL to CA used to Issue Certificates for TKS Instance Creation +## +## * each 'hostname:port' must be a CA EE Hostname and CA EE Port +## * referenced CA does not need to be a Security Domain (see CAVEAT) +## * referenced CA must reside within the same security domain +## as this TKS instance +## +## CAVEAT: If the chosen CA is a security domain: +## +## * all TKS subsystem certificates (including the +## 'Subsystem' certificates) will be stored on this CA +## * the TKS subsystem client 'Administration' +## certificate will automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of this TKS subsystem +## * the 'pkisilent' client security databases may be +## used inside a firefox browser with no further +## changes +## +## If the chosen CA is NOT a security domain: +## +## * all TKS subsystem certificates EXCEPT the TKS +## 'Subsystem' certificate will be stored on this CA; +## the TKS 'Subsystem' certificate will be stored on +## the CA that is the security domain for this TKS +## subsystem +## * the TKS subsystem client 'Administration' +## certificate will NOT automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of this TKS subsystem; +## import will fail with something similar to the +## following message: +## +## ERROR: exception importing cert: Security +## library failed to decode certificate +## package: (-8183) security library: +## improperly formatted DER-encoded +## message. +## +## * in order to utilize the 'pkisilent' client +## security databases inside a firefox browser, +## one will need to manually import the TKS +## 'Administration' certificate for the TKS subsystem +## stored in this non-security domain CA +## +## NOTE: To pass in a value of an empty string, specify the value "empty" +## instead of "" since ArgParser() throws away empty strings. 
+## +## This special "empty" string value may be specified for any of +## the following variables: +## +## * pki_tks_instance_ca_domain_url="empty" +## +pki_tks_instance_ca_domain_url="https://${pki_subca_ee_host}:${pki_subca_ee_port}" + ############################################################################## ## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ## ############################################################################## @@ -536,6 +599,7 @@ -agent_key_type ${tks_agent_key_type} \ -agent_cert_subject "${tks_agent_cert_subject}" \ -subsystem_name ${pki_tks_subsystem_name} \ + -ca_domain_url "${pki_tks_instance_ca_domain_url}" \ -save_p12 ${tks_save_p12} \ -backup_pwd ${pki_tks_backup_password} \ -tks_subsystem_cert_subject_name "${tks_subsystem_cert_subject_name}" \ Index: base/silent/templates/subca_silent.template =================================================================== --- base/silent/templates/subca_silent.template (revision 2598) +++ base/silent/templates/subca_silent.template (working copy) @@ -149,8 +149,8 @@ ## ## *180 - non-secure port (not role specific) ## *701 - non-secure Tomcat port -## *443 - secure EE port -## *444 - secure Agent port +## *443 - secure Agent port +## *444 - secure EE port ## *445 - secure Admin port ## ## 
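Review bot: The CAVEAT presents the `-8183 ... improperly formatted DER-encoded message` import error as the expected outcome when the chosen CA is not the security domain, but does not say whether the rest of the TKS configuration still completes or how an operator reading `${pki_silent_tks_log}` should tell this benign failure from a real one. If the configuration does complete, say so explicitly, e.g. `## (the TKS configuration itself completes; only the client-side import of the 'Administration' certificate fails)`; if it does not, the failure should be treated as an error rather than documented. The identical CAVEAT text added to the OCSP, RA and TPS templates needs the same clarification.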
@@ -162,20 +162,37 @@ ## pki_ca1_port_t tcp 9580, 9801, 9543, 9544, 9545 ## -## CA ports +## CA ports (Security Domain) ca_nonssl_port=9180 ca_agent_port=9443 ca_ee_port=9444 ca_admin_port=9445 -## Subordinate CA ports +## Subordinate CA ports (not a Security Domain) subca_nonssl_port=9580 subca_agent_port=9543 subca_ee_port=9544 subca_admin_port=9545 +## URL to CA used to Issue Certificates for Subordinate CA Instance Creation +## +## * each 'hostname:port' must be a CA EE Hostname and CA EE Port +## * referenced CA does not need to be a Security Domain +## * referenced CA must reside within the same security domain +## as this Subordinate CA instance +## +## NOTE: To pass in a value of an empty string, specify the value "empty" +## instead of "" since ArgParser() throws away empty strings. +## +## This special "empty" string value may be specified for any of +## the following variables: +## +## * subca_instance_ca_domain_url="empty" +## +subca_instance_ca_domain_url="https://${pki_security_domain_host}:${ca_ee_port}" + ############################################################################## ## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ## ############################################################################## @@ -499,6 +516,7 @@ -save_p12 ${subca_save_p12} \ -backup_pwd ${subca_backup_password} \ -subsystem_name "${ca_subsystem_name}" \ + -ca_domain_url "${subca_instance_ca_domain_url}" \ -subca_sign_cert_subject_name "${subca_sign_cert_subject_name}" \ -subca_subsystem_cert_subject_name "${subca_subsystem_cert_subject_name}" \ -subca_ocsp_cert_subject_name "${subca_ocsp_cert_subject_name}" \ Index: base/silent/templates/silent_ra_to_ip_port.template =================================================================== --- base/silent/templates/silent_ra_to_ip_port.template (revision 2598) +++ base/silent/templates/silent_ra_to_ip_port.template (working copy) 
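Review bot: The default `subca_instance_ca_domain_url="https://${pki_security_domain_host}:${ca_ee_port}"` combines the security-domain host with the CA EE port, while the comment directly above requires each 'hostname:port' to be a CA EE hostname and CA EE port. In the single-host layout of this template that may be the same machine, but the sibling silent_subca_ip_port.template in this commit passes `-sd_hostname "${pki_security_domain_host}"` and `-ca_hostname ${pki_ca_ee_host}` as distinct values, so a reader copying this default could point at the wrong host. Either build the default from the CA EE host variable if this template has one, or add `## NOTE: this default assumes the security domain CA's EE interface is reachable on ${pki_security_domain_host}` to the comment.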
@@ -92,8 +92,8 @@ ## ## 9180 - non-secure port (not role specific) ## 9701 - non-secure Tomcat port -## 9443 - secure EE port -## 9444 - secure Agent port +## 9443 - secure Agent port +## 9444 - secure EE port ## 9445 - secure Admin port ## 9446 - secure EE Client Auth port (not necessarily labeled) ## @@ -111,12 +111,27 @@ ## pki_ra_port_t tcp 12890, 12888, 12889 ## -## PKI CA ports +## PKI CA ports (Security Domain) pki_ca_nonssl_port= +pki_ca_agent_port= pki_ca_ee_port= -pki_ca_agent_port= pki_ca_admin_port= +## PKI Subordinate CA ports (not a Security Domain) +## +## NOTE: Replace the CA EE Security Domain Host and Port to optionally use +## a Subordinate CA to Issue Certificates for Requests Submitted via +## this RA +## +pki_alternate_subca_ee_host=${pki_ca_ee_host} +pki_alternate_subca_ee_port=${pki_ca_ee_port} +## +## NOTE: Replace the CA EE Security Domain Host and Port to optionally use +## a Subordinate CA to Issue Certificates for RA Instance Creation +## +pki_subca_ee_host=${pki_ca_ee_host} +pki_subca_ee_port=${pki_ca_ee_port} + ## PKI RA ports pki_ra_clientauth_port= pki_ra_nonclientauth_port= 
@@ -168,8 +183,73 @@ ## PKI Silent Log Files pki_silent_ra_log=/tmp/ra.log +## URL to CA used to Issue Certificates for Requests Submitted via RA +## +## * each 'hostname:port' must be a CA EE Hostname and CA EE Port +## * referenced CA does not need to be a Security Domain +## * referenced CA must reside within the same security domain +## as the associated RA instance +## +## NOTE: To pass in a value of an empty string, specify the value "empty" +## instead of "" since ArgParser() throws away empty strings. +## +## This special "empty" string value may be specified for any of +## the following variables: +## +## * pki_ra_chosen_ca_issuance_url="empty" +## * pki_ra_instance_ca_domain_url="empty" +## +pki_ra_chosen_ca_issuance_url="https://${pki_alternate_subca_ee_host}:${pki_alternate_subca_ee_port}" +## URL to CA used to Issue Certificates for RA Instance Creation +## +## * each 'hostname:port' must be a CA EE Hostname and CA EE Port +## * referenced CA does not need to be a Security Domain (see CAVEAT) +## * referenced CA must reside within the same security domain +## as this RA instance +## +## CAVEAT: If the chosen CA is a security domain: +## +## * all RA subsystem certificates (including the +## 'Subsystem' certificates) will be stored on this CA +## * the RA subsystem client 'Administration' +## certificate will automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of this RA subsystem +## * the 'pkisilent' client security databases may be +## used inside a firefox browser with no further +## changes +## +## If the chosen CA is NOT a security domain: +## +## * all RA subsystem certificates EXCEPT the RA +## 'Subsystem' certificate will be stored on this CA; +## the RA 'Subsystem' certificate will be stored on +## the CA that is the security domain for this RA +## subsystem +## * the RA subsystem client 'Administration' +## certificate will NOT automatically be imported into +## the NSS client 
security databases associated with +## the 'pkisilent' invocation of this RA subsystem; +## import will fail with something similar to the +## following message: +## +## ERROR: exception importing cert: Security +## library failed to decode certificate +## package: (-8183) security library: +## improperly formatted DER-encoded +## message. +## +## * in order to utilize the 'pkisilent' client +## security databases inside a firefox browser, +## one will need to manually import the RA +## 'Administration' certificate for the RA subsystem +## stored in this non-security domain CA +## +pki_ra_instance_ca_domain_url="https://${pki_subca_ee_host}:${pki_subca_ee_port}" + + ############################################################################## ## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ## ############################################################################## @@ -440,6 +520,7 @@ -ca_port ${ra_chosen_ca_nonssl_port} \ -ca_ssl_port ${ra_chosen_ca_ssl_port} \ -ca_admin_port ${ra_chosen_ca_admin_port} \ + -ca_issuance_url "${pki_ra_chosen_ca_issuance_url}" \ -client_certdb_dir ${pki_silent_security_database_repository} \ -client_certdb_pwd ${pki_silent_security_token_password} \ -preop_pin ${ra_preop_pin} \ @@ -456,6 +537,7 @@ -agent_key_type ${ra_agent_key_type} \ -agent_cert_subject "${ra_agent_cert_subject}" \ -subsystem_name ${pki_ra_subsystem_name} \ + -ca_domain_url "${pki_ra_instance_ca_domain_url}" \ -ra_server_cert_nickname "${ra_server_cert_nickname}" \ -ra_server_cert_subject_name "${ra_server_cert_subject_name}" \ -ra_subsystem_cert_nickname "${ra_subsystem_cert_nickname}" \ Index: base/silent/templates/silent_ocsp_ip_port.template =================================================================== --- base/silent/templates/silent_ocsp_ip_port.template (revision 2598) +++ base/silent/templates/silent_ocsp_ip_port.template (working copy) 
@@ -94,8 +94,8 @@ ## ## 9180 - non-secure port (not role specific) ## 9701 - non-secure Tomcat port -## 9443 - secure EE port -## 9444 - secure Agent port +## 9443 - secure Agent port +## 9444 - secure EE port ## 9445 - secure Admin port ## 9446 - secure EE Client Auth port (not necessarily labeled) ## @@ -103,8 +103,8 @@ ## ## 11180 - non-secure port (not role specific) ## 11701 - non-secure Tomcat port -## 11443 - secure EE port -## 11444 - secure Agent port +## 11443 - secure Agent port +## 11444 - secure EE port ## 11445 - secure Admin port ## ## For Example: @@ -115,12 +115,20 @@ ## pki_ocsp_port_t tcp 11180, 11701, 11443, 11444, 11445 ## -## PKI CA ports +## PKI CA ports (Security Domain) pki_ca_nonssl_port= +pki_ca_agent_port= pki_ca_ee_port= -pki_ca_agent_port= pki_ca_admin_port= +## PKI Subordinate CA ports (not a Security Domain) +## +## NOTE: Replace the CA EE Security Domain Host and Port to optionally use +## a Subordinate CA to Issue Certificates for OCSP Instance Creation +## +pki_subca_ee_host=${pki_ca_ee_host} +pki_subca_ee_port=${pki_ca_ee_port} + ## PKI OCSP ports pki_ocsp_admin_port= 
@@ -200,8 +208,63 @@ ## PKI Silent Log Files pki_silent_ocsp_log=/tmp/ocsp.log +## URL to CA used to Issue Certificates for OCSP Instance Creation +## +## * each 'hostname:port' must be a CA EE Hostname and CA EE Port +## * referenced CA does not need to be a Security Domain (see CAVEAT) +## * referenced CA must reside within the same security domain +## as this OCSP instance +## +## CAVEAT: If the chosen CA is a security domain: +## +## * all OCSP subsystem certificates (including the +## 'Subsystem' certificates) will be stored on this CA +## * the OCSP subsystem client 'Administration' +## certificate will automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of this OCSP subsystem +## * the 'pkisilent' client security databases may be +## used inside a firefox browser with no further +## changes +## +## If the chosen CA is NOT a security domain: +## +## * all OCSP subsystem certificates EXCEPT the OCSP +## 'Subsystem' certificate will be stored on this CA; +## the OCSP 'Subsystem' certificate will be stored on +## the CA that is the security domain for this OCSP +## subsystem +## * the OCSP subsystem client 'Administration' +## certificate will NOT automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of this OCSP subsystem; +## import will fail with something similar to the +## following message: +## +## ERROR: exception importing cert: Security +## library failed to decode certificate +## package: (-8183) security library: +## improperly formatted DER-encoded +## message. 
+## +## * in order to utilize the 'pkisilent' client +## security databases inside a firefox browser, +## one will need to manually import the OCSP +## 'Administration' certificate for the OCSP subsystem +## stored in this non-security domain CA +## +## NOTE: To pass in a value of an empty string, specify the value "empty" +## instead of "" since ArgParser() throws away empty strings. +## +## This special "empty" string value may be specified for any of +## the following variables: +## +## * pki_ocsp_instance_ca_domain_url="empty" +## +pki_ocsp_instance_ca_domain_url="https://${pki_subca_ee_host}:${pki_subca_ee_port}" + ############################################################################## ## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ## ############################################################################## @@ -532,6 +595,7 @@ -agent_key_type ${ocsp_agent_key_type} \ -agent_cert_subject "${ocsp_agent_cert_subject}" \ -subsystem_name ${pki_ocsp_subsystem_name} \ + -ca_domain_url "${pki_ocsp_instance_ca_domain_url}" \ -save_p12 ${ocsp_save_p12} \ -backup_pwd ${pki_ocsp_backup_password} \ -ocsp_sign_cert_subject_name "${ocsp_sign_cert_subject_name}" \ Index: base/silent/templates/silent_tps_to_ip_port.template =================================================================== --- base/silent/templates/silent_tps_to_ip_port.template (revision 2598) +++ base/silent/templates/silent_tps_to_ip_port.template (working copy) @@ -90,9 +90,11 @@ ## PKI KRA Subsystem Hosts (FQDN) pki_kra_agent_host= +pki_kra_admin_host= ## PKI TKS Subsystem Hosts (FQDN) pki_tks_agent_host= +pki_tks_admin_host= ## PKI TPS Subsystem Host (computed by default) pki_host=`hostname` 
@@ -102,8 +104,8 @@ ## ## 9180 - non-secure port (not role specific) ## 9701 - non-secure Tomcat port -## 9443 - secure EE port -## 9444 - secure Agent port +## 9443 - secure Agent port +## 9444 - secure EE port ## 9445 - secure Admin port ## 9446 - secure EE Client Auth port (not necessarily labeled) ## @@ -111,16 +113,16 @@ ## ## 10180 - non-secure port (not role specific) ## 10701 - non-secure Tomcat port -## 10443 - secure EE port -## 10444 - secure Agent port +## 10443 - secure Agent port +## 10444 - secure EE port ## 10445 - secure Admin port ## ## NOTE: Default PKI TKS Instance Ports ## ## 13180 - non-secure port (not role specific) ## 13701 - non-secure Tomcat port -## 13443 - secure EE port -## 13444 - secure Agent port +## 13443 - secure Agent port +## 13444 - secure EE port ## 13445 - secure Admin port ## ## NOTE: Default PKI TPS Instance Ports @@ -140,17 +142,34 @@ ## pki_tps_port_t tcp 7890, 7888, 7889 ## -## CA ports +## PKI CA ports (Security Domain) pki_ca_nonssl_port= +pki_ca_agent_port= pki_ca_ee_port= -pki_ca_agent_port= pki_ca_admin_port= +## PKI Subordinate CA ports (not a Security Domain) +## +## NOTE: Replace the CA EE Security Domain Host and Port to optionally use +## a Subordinate CA to Issue Certificates for Requests Submitted via +## this TPS +## +pki_alternate_subca_ee_host=${pki_ca_ee_host} +pki_alternate_subca_ee_port=${pki_ca_ee_port} +## +## NOTE: Replace the CA EE Security Domain Host and Port to optionally use +## a Subordinate CA to Issue Certificates for TPS Instance Creation +## +pki_subca_ee_host=${pki_ca_ee_host} +pki_subca_ee_port=${pki_ca_ee_port} + ## DRM ports pki_kra_agent_port= +pki_kra_admin_port= ## TKS ports pki_tks_agent_port= +pki_tks_admin_port= ## TPS ports pki_tps_clientauth_port= 
@@ -202,6 +221,28 @@ pki_email_company= pki_email_domain= +## +## TPS Variables +## +## IMPORTANT: The 'tps_ldap_auth_base_dn' should contain individual +## comma separated 'dc=' values for each +## portion of the value returned by 'dnsdomainname' on +## the machine which hosts the LDAP server. +## +## For example, if 'dnsdomain' returns 'foo.example.com', +## then: +## +## tps_ldap_auth_base_dn="dc=foo,dc=example,dc=com" +## +## Using this example, the following command may be +## executed to test for a valid base DN: +## +## /usr/bin/ldapsearch -x -h ${pki_ldap_host} +## -p ${pki_ldap_port} -b 'dc=foo,dc=example,dc=com' +## -s base 'objectclass=*' +## +tps_ldap_auth_base_dn="dc=${pki_email_company},dc=${pki_email_domain}" + ## PKI Silent Admin Variables ## (e. g. - Import Admin Certificate into PKI Silent "browser" database) pki_silent_admin_user=admin 
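Review bot: The IMPORTANT comment tells the operator to build `tps_ldap_auth_base_dn` from the LDAP host's `dnsdomainname`, but the default on the last added line derives it from `pki_email_company` and `pki_email_domain`, which are mail settings that need not match the directory suffix; with the comment's own example, `foo.example.com` needs three `dc=` components while the default can only ever produce two. State that explicitly, e.g. `## NOTE: the default below is only a guess built from the e-mail settings; replace it with the suffix confirmed by the ldapsearch test`. The example also names the command `dnsdomain` once and `dnsdomainname` once, and the two-line `ldapsearch` invocation has no trailing `\`, so it cannot be pasted as shown.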
@@ -217,8 +258,91 @@ ## PKI Silent Log Files pki_silent_tps_log=/tmp/tps.log +## URL to CA used to Issue Certificates for Requests Submitted via TPS +## +## * each 'hostname:port' must be a CA EE Hostname and CA EE Port +## * referenced CA does not need to be a Security Domain +## * referenced CA must reside within the same security domain +## as the associated TPS instance +## +## NOTE: To pass in a value of an empty string, specify the value "empty" +## instead of "" since ArgParser() throws away empty strings. +## +## This special "empty" string value may be specified for any of +## the following variables: +## +## * pki_tps_chosen_ca_issuance_url="empty" +## * pki_tps_chosen_tks_key_management_url="empty" +## * pki_tps_chosen_drm_server_side_keygen_url="empty" +## * pki_tps_instance_ca_domain_url="empty" +## +pki_tps_chosen_ca_issuance_url="https://${pki_alternate_subca_ee_host}:${pki_alternate_subca_ee_port}" +## URL to TKS used for Key Management for TPS +## +## * each 'hostname:port' must be a TKS Agent Hostname and TKS Agent Port +## * referenced TKS must reside within the same security domain +## as the associated TPS instance +## +pki_tps_chosen_tks_key_management_url="https://${pki_tks_agent_host}:${pki_tks_agent_port}" +## URL to optional DRM used for Server-Side Keygen for TPS (tps_ss_keygen=true) +## +## * each 'hostname:port' must be a DRM Agent Hostname and DRM Agent Port +## * referenced DRM must reside within the same security domain +## as the associated TPS instance +## +pki_tps_chosen_drm_server_side_keygen_url="https://${pki_kra_agent_host}:${pki_kra_agent_port}" + +## URL to CA used to Issue Certificates for TPS Instance Creation +## +## * each 'hostname:port' must be a CA EE Hostname and CA EE Port +## * referenced CA does not need to be a Security Domain (see CAVEAT) +## * referenced CA must reside within the same security domain +## as this TPS instance +## +## CAVEAT: If the chosen CA is a security domain: +## +## * all TPS subsystem 
certificates (including the +## 'Subsystem' certificates) will be stored on this CA +## * the TPS subsystem client 'Administration' +## certificate will automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of this TPS subsystem +## * the 'pkisilent' client security databases may be +## used inside a firefox browser with no further +## changes +## +## If the chosen CA is NOT a security domain: +## +## * all TPS subsystem certificates EXCEPT the TPS +## 'Subsystem' certificate will be stored on this CA; +## the TPS 'Subsystem' certificate will be stored on +## the CA that is the security domain for this TPS +## subsystem +## * the TPS subsystem client 'Administration' +## certificate will NOT automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of this TPS subsystem; +## import will fail with something similar to the +## following message: +## +## ERROR: exception importing cert: Security +## library failed to decode certificate +## package: (-8183) security library: +## improperly formatted DER-encoded +## message. +## +## * in order to utilize the 'pkisilent' client +## security databases inside a firefox browser, +## one will need to manually import the TPS +## 'Administration' certificate for the TPS subsystem +## stored in this non-security domain CA +## +pki_tps_instance_ca_domain_url="https://${pki_subca_ee_host}:${pki_subca_ee_port}" + + + ############################################################################## ## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ## ############################################################################## 
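Review bot: The CAVEAT documents that pointing `pki_tps_instance_ca_domain_url` at a non-security-domain CA makes the 'Administration' certificate import fail with error -8183, yet nothing in the template detects that configuration at run time, so the operator only learns of it from the failed import. A runtime hint after the usage checks would be cheap: `if [ "${pki_tps_instance_ca_domain_url}" != "https://${pki_ca_ee_host}:${pki_ca_ee_port}" ] ; then printf "WARNING: TPS 'Administration' certificate must be imported manually (see pki_tps_instance_ca_domain_url)\n" ; fi`. The NOTE explains how to spell the `"empty"` sentinel but not what it does; presumably the installer then falls back to the security-domain CA EE host and port, and that deserves one sentence here. The hunk also ends with three added blank lines where the sibling templates add one.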
@@ -295,17 +419,20 @@ tps_chosen_ca_nonssl_port=${pki_ca_nonssl_port} tps_chosen_ca_ssl_port=${pki_ca_ee_port} tps_chosen_ca_admin_port=${pki_ca_admin_port} -tps_chosen_tks_hostname=${pki_tks_agent_host} -tps_chosen_tks_ssl_port=${pki_tks_agent_port} -tps_chosen_drm_hostname=${pki_kra_agent_host} -tps_chosen_drm_ssl_port=${pki_kra_agent_port} +tps_chosen_tks_agent_hostname=${pki_tks_agent_host} +tps_chosen_tks_agent_port=${pki_tks_agent_port} +tps_chosen_tks_admin_hostname=${pki_tks_admin_host} +tps_chosen_tks_admin_port=${pki_tks_admin_port} +tps_chosen_drm_agent_hostname=${pki_kra_agent_host} +tps_chosen_drm_agent_port=${pki_kra_agent_port} +tps_chosen_drm_admin_hostname=${pki_kra_admin_host} +tps_chosen_drm_admin_port=${pki_kra_admin_port} tps_agent_name="TPS\ Administrator\'s\ ${pki_security_domain_name}\ ID" tps_agent_key_size=2048 tps_agent_key_type=rsa tps_agent_cert_subject="cn=TPS\ Administrator,uid=admin,e=${pki_silent_admin_email},o=${pki_security_domain_name}" tps_ldap_auth_host="${pki_ldap_host}" tps_ldap_auth_port=${pki_ldap_port} -tps_ldap_auth_base_dn="dc=${pki_email_company},dc=${pki_email_domain}" tps_base_dn="dc=${pki_host}-${pki_tps_instance_name}" tps_db_name="${pki_host}-${pki_tps_instance_name}" tps_key_size=2048 @@ -348,10 +475,18 @@ printf "${usage_error_preamble} 'pki_kra_agent_host'!\n" usage_errors=`expr ${usage_errors} + 1` fi +if [ "${pki_kra_admin_host}" = "" ] ; then + printf "${usage_error_preamble} 'pki_kra_admin_host'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi if [ "${pki_tks_agent_host}" = "" ] ; then printf "${usage_error_preamble} 'pki_tks_agent_host'!\n" usage_errors=`expr ${usage_errors} + 1` fi +if [ "${pki_tks_admin_host}" = "" ] ; then + printf "${usage_error_preamble} 'pki_tks_admin_host'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi if [ "${pki_ca_nonssl_port}" = "" ] ; then printf "${usage_error_preamble} 'pki_ca_nonssl_port'!\n" usage_errors=`expr ${usage_errors} + 1` 
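Review bot: The new emptiness checks cover `pki_kra_admin_host` and `pki_tks_admin_host` but none of the four URL variables this patch introduces (`pki_tps_chosen_ca_issuance_url`, `pki_tps_chosen_tks_key_management_url`, `pki_tps_chosen_drm_server_side_keygen_url`, `pki_tps_instance_ca_domain_url`), even though those are what pkisilent is actually handed; a URL built from an unset host passes as `https://:port`. Add one check per URL in the same style, accepting `https://?*:?*` or `empty` and otherwise printing `"${usage_error_preamble} '<variable>'!\n"` and bumping `usage_errors`, which also rejects a non-TLS scheme. The check sequence continues past the end of this hunk.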
@@ -372,10 +507,18 @@ printf "${usage_error_preamble} 'pki_kra_agent_port'!\n" usage_errors=`expr ${usage_errors} + 1` fi +if [ "${pki_kra_admin_port}" = "" ] ; then + printf "${usage_error_preamble} 'pki_kra_admin_port'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi if [ "${pki_tks_agent_port}" = "" ] ; then printf "${usage_error_preamble} 'pki_tks_agent_port'!\n" usage_errors=`expr ${usage_errors} + 1` fi +if [ "${pki_tks_admin_port}" = "" ] ; then + printf "${usage_error_preamble} 'pki_tks_admin_port'!\n" + usage_errors=`expr ${usage_errors} + 1` +fi if [ "${pki_tps_clientauth_port}" = "" ] ; then printf "${usage_error_preamble} 'pki_tps_clientauth_port'!\n" usage_errors=`expr ${usage_errors} + 1` @@ -542,11 +685,18 @@ -ca_port ${tps_chosen_ca_nonssl_port} \ -ca_ssl_port ${tps_chosen_ca_ssl_port} \ -ca_admin_port ${tps_chosen_ca_admin_port} \ - -drm_hostname ${tps_chosen_drm_hostname} \ - -drm_ssl_port ${tps_chosen_drm_ssl_port} \ + -ca_issuance_url "${pki_tps_chosen_ca_issuance_url}" \ + -drm_agent_hostname ${tps_chosen_drm_agent_hostname} \ + -drm_agent_port ${tps_chosen_drm_agent_port} \ + -drm_admin_hostname ${tps_chosen_drm_admin_hostname} \ + -drm_admin_port ${tps_chosen_drm_admin_port} \ + -drm_server_side_keygen_url "${pki_tps_chosen_drm_server_side_keygen_url}" \ -ss_keygen ${tps_ss_keygen} \ - -tks_hostname ${tps_chosen_tks_hostname} \ - -tks_ssl_port ${tps_chosen_tks_ssl_port} \ + -tks_agent_hostname ${tps_chosen_tks_agent_hostname} \ + -tks_agent_port ${tps_chosen_tks_agent_port} \ + -tks_admin_hostname ${tps_chosen_tks_admin_hostname} \ + -tks_admin_port ${tps_chosen_tks_admin_port} \ + -tks_key_management_url "${pki_tps_chosen_tks_key_management_url}" \ -client_certdb_dir ${pki_silent_security_database_repository} \ -client_certdb_pwd ${pki_silent_security_token_password} \ -client_token_name ${pki_silent_security_token_name} \ 
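Review bot: pkisilent now receives both the `-tks_agent_hostname`/`-tks_agent_port` pair and `-tks_key_management_url`, and likewise for the DRM, but the URL variables are defined independently of the host/port variables, so an operator who edits one and not the other ships a TPS whose key-management endpoint disagrees with the TKS host it was told about; the URL comments earlier in this patch say the agent host and port must be used, so there is no reason for two sources. Derive them at the point of use, e.g. `-tks_key_management_url "https://${tps_chosen_tks_agent_hostname}:${tps_chosen_tks_agent_port}"` and the same for `-drm_server_side_keygen_url`, or add a usage check that they agree. `-drm_server_side_keygen_url` is also passed when `tps_ss_keygen` is false; confirm the installer tolerates an unused DRM URL. The command line starts and ends outside this hunk.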
@@ -570,6 +720,7 @@ -agent_key_type ${tps_agent_key_type} \ -agent_cert_subject "${tps_agent_cert_subject}" \ -subsystem_name ${pki_tps_subsystem_name} \ + -ca_domain_url "${pki_tps_instance_ca_domain_url}" \ -ldap_auth_host ${tps_ldap_auth_host} \ -ldap_auth_port ${tps_ldap_auth_port} \ -ldap_auth_base_dn ${tps_ldap_auth_base_dn} \ Index: base/silent/templates/silentEC_subca.template =================================================================== --- base/silent/templates/silentEC_subca.template (revision 2598) +++ base/silent/templates/silentEC_subca.template (working copy) @@ -177,8 +177,8 @@ ## ## *180 - non-secure port (not role specific) ## *701 - non-secure Tomcat port -## *443 - secure EE port -## *444 - secure Agent port +## *443 - secure Agent port +## *444 - secure EE port ## *445 - secure Admin port ## ## @@ -190,18 +190,34 @@ ## pki_ca1_port_t tcp 9580, 9801, 9543, 9544, 9545 ## -## CA ports +## CA ports (Security Domain) ca_nonssl_port=9180 ca_agent_port=9443 ca_ee_port=9444 ca_admin_port=9445 -## Subordinate CA ports +## Subordinate CA ports (not a Security Domain) subca_nonssl_port=9580 subca_agent_port=9543 subca_ee_port=9544 subca_admin_port=9545 +## URL to CA used to Issue Certificates for Subordinate CA Instance Creation +## +## * each 'hostname:port' must be a CA EE Hostname and CA EE Port +## * referenced CA does not need to be a Security Domain +## * referenced CA must reside within the same security domain +## as this Subordinate CA instance +## +## NOTE: To pass in a value of an empty string, specify the value "empty" +## instead of "" since ArgParser() throws away empty strings. +## +## This special "empty" string value may be specified for any of +## the following variables: +## +## * subca_instance_ca_domain_url="empty" +## +subca_instance_ca_domain_url="https://${pki_security_domain_host}:${ca_ee_port}" ############################################################################## 
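Review bot: `-ca_domain_url "${pki_tps_instance_ca_domain_url}"` is correctly double-quoted, but the neighbouring `-ldap_auth_base_dn ${tps_ldap_auth_base_dn}` on the next context line is not, and this patch turns that variable into an operator-edited value whose documented form (`dc=foo,dc=example,dc=com`) may contain spaces in real directories; an unquoted DN would be word-split into extra arguments. Quote it the same way: `-ldap_auth_base_dn "${tps_ldap_auth_base_dn}" \`. The pkisilent command this hunk belongs to starts and ends outside the hunk.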
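Review bot: `subca_instance_ca_domain_url` is documented as a CA that "does not need to be a Security Domain", but unlike the KRA, OCSP, TKS and TPS templates in this patch the comment omits the CAVEAT explaining that choosing a non-security-domain CA leaves the 'Subsystem' certificate on the security-domain CA and breaks the automatic 'Administration' certificate import (error -8183). Either add the same CAVEAT block here or a pointer such as `## * see the CAVEAT in silentEC_tks.template for the consequences of choosing a non-security-domain CA`. The default `https://${pki_security_domain_host}:${ca_ee_port}` is the security-domain CA, so the caveat only bites once the operator changes it, which is exactly when they need the warning.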
@@ -559,6 +575,7 @@ -save_p12 ${subca_save_p12} \ -backup_pwd ${subca_backup_password} \ -subsystem_name "${subca_subsystem_name}" \ + -ca_domain_url "${subca_instance_ca_domain_url}" \ -subca_sign_cert_subject_name "${subca_sign_cert_subject_name}" \ -subca_subsystem_cert_subject_name "${subca_subsystem_cert_subject_name}" \ -subca_ocsp_cert_subject_name "${subca_ocsp_cert_subject_name}" \ Index: base/silent/templates/silent_kra_ip_port.template =================================================================== --- base/silent/templates/silent_kra_ip_port.template (revision 2598) +++ base/silent/templates/silent_kra_ip_port.template (working copy) @@ -94,8 +94,8 @@ ## ## 9180 - non-secure port (not role specific) ## 9701 - non-secure Tomcat port -## 9443 - secure EE port -## 9444 - secure Agent port +## 9443 - secure Agent port +## 9444 - secure EE port ## 9445 - secure Admin port ## 9446 - secure EE Client Auth port (not necessarily labeled) ## @@ -103,8 +103,8 @@ ## ## 10180 - non-secure port (not role specific) ## 10701 - non-secure Tomcat port -## 10443 - secure EE port -## 10444 - secure Agent port +## 10443 - secure Agent port +## 10444 - secure EE port ## 10445 - secure Admin port ## ## For Example: @@ -115,12 +115,20 @@ ## pki_kra_port_t tcp 10180, 10701, 10443, 10444, 10445 ## -## PKI CA ports +## PKI CA ports (Security Domain) pki_ca_nonssl_port= +pki_ca_agent_port= pki_ca_ee_port= -pki_ca_agent_port= pki_ca_admin_port= +## PKI Subordinate CA ports (not a Security Domain) +## +## NOTE: Replace the CA EE Security Domain Host and Port to optionally use +## a Subordinate CA to Issue Certificates for KRA Instance Creation +## +pki_subca_ee_host=${pki_ca_ee_host} +pki_subca_ee_port=${pki_ca_ee_port} + ## PKI DRM ports pki_kra_admin_port= 
@@ -200,8 +208,63 @@ ## PKI Silent Log Files pki_silent_kra_log=/tmp/kra.log +## URL to CA used to Issue Certificates for KRA Instance Creation +## +## * each 'hostname:port' must be a CA EE Hostname and CA EE Port +## * referenced CA does not need to be a Security Domain (see CAVEAT) +## * referenced CA must reside within the same security domain +## as this KRA instance +## +## CAVEAT: If the chosen CA is a security domain: +## +## * all KRA subsystem certificates (including the +## 'Subsystem' certificates) will be stored on this CA +## * the KRA subsystem client 'Administration' +## certificate will automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of this KRA subsystem +## * the 'pkisilent' client security databases may be +## used inside a firefox browser with no further +## changes +## +## If the chosen CA is NOT a security domain: +## +## * all KRA subsystem certificates EXCEPT the KRA +## 'Subsystem' certificate will be stored on this CA; +## the KRA 'Subsystem' certificate will be stored on +## the CA that is the security domain for this KRA +## subsystem +## * the KRA subsystem client 'Administration' +## certificate will NOT automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of this KRA subsystem; +## import will fail with something similar to the +## following message: +## +## ERROR: exception importing cert: Security +## library failed to decode certificate +## package: (-8183) security library: +## improperly formatted DER-encoded +## message. +## +## * in order to utilize the 'pkisilent' client +## security databases inside a firefox browser, +## one will need to manually import the KRA +## 'Administration' certificate for the KRA subsystem +## stored in this non-security domain CA +## +## NOTE: To pass in a value of an empty string, specify the value "empty" +## instead of "" since ArgParser() throws away empty strings. 
+## +## This special "empty" string value may be specified for any of +## the following variables: +## +## * pki_kra_instance_ca_domain_url="empty" +## +pki_kra_instance_ca_domain_url="https://${pki_subca_ee_host}:${pki_subca_ee_port}" + ############################################################################## ## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ## ############################################################################## @@ -542,6 +605,7 @@ -agent_key_type ${kra_agent_key_type} \ -agent_cert_subject "${kra_agent_cert_subject}" \ -subsystem_name ${pki_kra_subsystem_name} \ + -ca_domain_url "${pki_kra_instance_ca_domain_url}" \ -save_p12 ${kra_save_p12} \ -backup_pwd ${pki_kra_backup_password} \ -drm_transport_cert_subject_name "${kra_transport_cert_subject_name}" \ Index: base/silent/templates/silentEC_tks.template =================================================================== --- base/silent/templates/silentEC_tks.template (revision 2598) +++ base/silent/templates/silentEC_tks.template (working copy) @@ -174,8 +174,8 @@ ## ## *180 - non-secure port (not role specific) ## *701 - non-secure Tomcat port -## *443 - secure EE port -## *444 - secure Agent port +## *443 - secure Agent port +## *444 - secure EE port ## *445 - secure Admin port ## ## @@ -186,7 +186,7 @@ ## pki_tks_port_t tcp 13180, 13701, 13443, 13444, 13445 ## -## CA ports +## CA ports (Security Domain) ca_nonssl_port=9180 ca_agent_port=9443 ca_ee_port=9444 
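Review bot: The NOTE tells the operator to write `"empty"` instead of `""` because ArgParser drops empty strings, but never states what an empty `pki_kra_instance_ca_domain_url` means to the installer; presumably ConfigureDRM then falls back to the security-domain CA EE host and port, and this template is where an operator will look for that. Add one line such as `## An "empty" value makes the installer use the CA EE host and port of the security domain instead.` after confirming that is what ConfigureDRM does. Until the operator changes `pki_subca_ee_host`/`pki_subca_ee_port`, the default `https://${pki_subca_ee_host}:${pki_subca_ee_port}` is the security-domain CA, which is also worth saying so the CAVEAT is not read as applying to the default.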
@@ -198,6 +198,62 @@ tks_ee_port=14454 tks_admin_port=14455 +## URL to CA used to Issue Certificates for TKS Instance Creation +## +## * each 'hostname:port' must be a CA EE Hostname and CA EE Port +## * referenced CA does not need to be a Security Domain (see CAVEAT) +## * referenced CA must reside within the same security domain +## as this TKS instance +## +## CAVEAT: If the chosen CA is a security domain: +## +## * all TKS subsystem certificates (including the +## 'Subsystem' certificates) will be stored on this CA +## * the TKS subsystem client 'Administration' +## certificate will automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of this TKS subsystem +## * the 'pkisilent' client security databases may be +## used inside a firefox browser with no further +## changes +## +## If the chosen CA is NOT a security domain: +## +## * all TKS subsystem certificates EXCEPT the TKS +## 'Subsystem' certificate will be stored on this CA; +## the TKS 'Subsystem' certificate will be stored on +## the CA that is the security domain for this TKS +## subsystem +## * the TKS subsystem client 'Administration' +## certificate will NOT automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of this TKS subsystem; +## import will fail with something similar to the +## following message: +## +## ERROR: exception importing cert: Security +## library failed to decode certificate +## package: (-8183) security library: +## improperly formatted DER-encoded +## message. +## +## * in order to utilize the 'pkisilent' client +## security databases inside a firefox browser, +## one will need to manually import the TKS +## 'Administration' certificate for the TKS subsystem +## stored in this non-security domain CA +## +## NOTE: To pass in a value of an empty string, specify the value "empty" +## instead of "" since ArgParser() throws away empty strings. 
+## +## This special "empty" string value may be specified for any of +## the following variables: +## +## * tks_instance_ca_domain_url="empty" +## +tks_instance_ca_domain_url="https://${pki_security_domain_host}:${ca_ee_port}" + + ############################################################################## ## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ## ############################################################################## @@ -497,6 +553,7 @@ -agent_key_type ${tks_agent_key_type} \ -agent_cert_subject "${tks_agent_cert_subject}" \ -subsystem_name ${tks_subsystem_name} \ + -ca_domain_url "${tks_instance_ca_domain_url}" \ -tks_subsystem_cert_subject_name "${tks_subsystem_cert_subject_name}" \ -tks_server_cert_subject_name "${tks_server_cert_subject_name}" \ -tks_audit_signing_cert_subject_name \ Index: base/silent/templates/silentEC_ocsp.template =================================================================== --- base/silent/templates/silentEC_ocsp.template (revision 2598) +++ base/silent/templates/silentEC_ocsp.template (working copy) @@ -174,8 +174,8 @@ ## ## *180 - non-secure port (not role specific) ## *701 - non-secure Tomcat port -## *443 - secure EE port -## *444 - secure Agent port +## *443 - secure Agent port +## *444 - secure EE port ## *445 - secure Admin port ## ## @@ -186,7 +186,7 @@ ## pki_ocsp_port_t tcp 11180, 11701, 11443, 11444, 11445 ## -## CA ports +## CA ports (Security Domain) ca_nonssl_port=31180 ca_agent_port=31443 ca_ee_port=31444 
@@ -198,7 +198,62 @@ ocsp_ee_port=12444 ocsp_admin_port=12445 +## URL to CA used to Issue Certificates for OCSP Instance Creation +## +## * each 'hostname:port' must be a CA EE Hostname and CA EE Port +## * referenced CA does not need to be a Security Domain (see CAVEAT) +## * referenced CA must reside within the same security domain +## as this OCSP instance +## +## CAVEAT: If the chosen CA is a security domain: +## +## * all OCSP subsystem certificates (including the +## 'Subsystem' certificates) will be stored on this CA +## * the OCSP subsystem client 'Administration' +## certificate will automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of this OCSP subsystem +## * the 'pkisilent' client security databases may be +## used inside a firefox browser with no further +## changes +## +## If the chosen CA is NOT a security domain: +## +## * all OCSP subsystem certificates EXCEPT the OCSP +## 'Subsystem' certificate will be stored on this CA; +## the OCSP 'Subsystem' certificate will be stored on +## the CA that is the security domain for this OCSP +## subsystem +## * the OCSP subsystem client 'Administration' +## certificate will NOT automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of this OCSP subsystem; +## import will fail with something similar to the +## following message: +## +## ERROR: exception importing cert: Security +## library failed to decode certificate +## package: (-8183) security library: +## improperly formatted DER-encoded +## message. +## +## * in order to utilize the 'pkisilent' client +## security databases inside a firefox browser, +## one will need to manually import the OCSP +## 'Administration' certificate for the OCSP subsystem +## stored in this non-security domain CA +## +## NOTE: To pass in a value of an empty string, specify the value "empty" +## instead of "" since ArgParser() throws away empty strings. 
+## +## This special "empty" string value may be specified for any of +## the following variables: +## +## * ocsp_instance_ca_domain_url="empty" +## +ocsp_instance_ca_domain_url="https://${pki_security_domain_host}:${ca_ee_port}" + ############################################################################## ## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ## ############################################################################## @@ -503,6 +558,7 @@ -agent_key_type ${ocsp_agent_key_type} \ -agent_cert_subject "${ocsp_agent_cert_subject}" \ -subsystem_name ${ocsp_subsystem_name} \ + -ca_domain_url "${ocsp_instance_ca_domain_url}" \ -ocsp_sign_cert_subject_name "${ocsp_sign_cert_subject_name}" \ -ocsp_subsystem_cert_subject_name "${ocsp_subsystem_cert_subject_name}" \ -ocsp_server_cert_subject_name "${ocsp_server_cert_subject_name}" \ Index: base/silent/templates/silentEC_tps.template =================================================================== --- base/silent/templates/silentEC_tps.template (revision 2598) +++ base/silent/templates/silentEC_tps.template (working copy) @@ -145,6 +145,28 @@ pki_email_company= pki_email_domain= +# +## TPS Variables +## +## IMPORTANT: The 'tps_ldap_auth_base_dn' should contain individual +## comma separated 'dc=' values for each +## portion of the value returned by 'dnsdomainname' on +## the machine which hosts the LDAP server. +## +## For example, if 'dnsdomain' returns 'foo.example.com', +## then: +## +## tps_ldap_auth_base_dn="dc=foo,dc=example,dc=com" +## +## Using this example, the following command may be +## executed to test for a valid base DN: +## +## /usr/bin/ldapsearch -x -h ${pki_ldap_host} +## -p ${pki_ldap_port} -b 'dc=foo,dc=example,dc=com' +## -s base 'objectclass=*' +## +tps_ldap_auth_base_dn="dc=${pki_email_company},dc=${pki_email_domain}" + ## PKI Silent Admin Variables ## (e. g. - Import Admin Certificate into PKI Silent "browser" database) pki_silent_admin_user=admin 
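Review bot: The first added line of this block is a lone `#`, while the identical TPS Variables block in the other two templates of this patch opens with `##`, which is also the comment style used everywhere else in this file; change it to `##` so the three copies stay identical. Because the block is now duplicated verbatim across three templates, a later fix to the `dnsdomainname` guidance or the `ldapsearch` example has to be applied three times, which is worth a note or a single shared copy.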
@@ -187,7 +209,7 @@ ## pki_tps_port_t tcp 7890, 7888, 7889 ## -## CA ports +## CA ports (Security Domain) ca_nonssl_port=31180 ca_agent_port=31443 ca_ee_port=31444 
@@ -210,8 +232,91 @@ tps_clientauth_port=9089 tps_nonclientauth_port=9090 +## URL to CA used to Issue Certificates for Requests Submitted via TPS +## +## * each 'hostname:port' must be a CA EE Hostname and CA EE Port +## * referenced CA does not need to be a Security Domain +## * referenced CA must reside within the same security domain +## as the associated TPS instance +## +## NOTE: To pass in a value of an empty string, specify the value "empty" +## instead of "" since ArgParser() throws away empty strings. +## +## This special "empty" string value may be specified for any of +## the following variables: +## +## * tps_chosen_ca_issuance_url="empty" +## * tps_chosen_tks_key_management_url="empty" +## * tps_chosen_drm_server_side_keygen_url="empty" +## * tps_instance_ca_domain_url="empty" +## +tps_chosen_ca_issuance_url="https://${pki_security_domain_host}:${ca_ee_port}" +## URL to TKS used for Key Management for TPS +## +## * each 'hostname:port' must be a TKS Agent Hostname and TKS Agent Port +## * referenced TKS must reside within the same security domain +## as the associated TPS instance +## +tps_chosen_tks_key_management_url="https://${pki_security_domain_host}:${tks_agent_port}" +## URL to optional DRM used for Server-Side Keygen for TPS (tps_ss_keygen=true) +## +## * each 'hostname:port' must be a DRM Agent Hostname and DRM Agent Port +## * referenced DRM must reside within the same security domain +## as the associated TPS instance +## +tps_chosen_drm_server_side_keygen_url="https://${pki_security_domain_host}:${kra_agent_port}" + +## URL to CA used to Issue Certificates for TPS Instance Creation +## +## * each 'hostname:port' must be a CA EE Hostname and CA EE Port +## * referenced CA does not need to be a Security Domain (see CAVEAT) +## * referenced CA must reside within the same security domain +## as this TPS instance +## +## CAVEAT: If the chosen CA is a security domain: +## +## * all TPS subsystem certificates (including the +## 'Subsystem' 
certificates) will be stored on this CA +## * the TPS subsystem client 'Administration' +## certificate will automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of this TPS subsystem +## * the 'pkisilent' client security databases may be +## used inside a firefox browser with no further +## changes +## +## If the chosen CA is NOT a security domain: +## +## * all TPS subsystem certificates EXCEPT the TPS +## 'Subsystem' certificate will be stored on this CA; +## the TPS 'Subsystem' certificate will be stored on +## the CA that is the security domain for this TPS +## subsystem +## * the TPS subsystem client 'Administration' +## certificate will NOT automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of this TPS subsystem; +## import will fail with something similar to the +## following message: +## +## ERROR: exception importing cert: Security +## library failed to decode certificate +## package: (-8183) security library: +## improperly formatted DER-encoded +## message. +## +## * in order to utilize the 'pkisilent' client +## security databases inside a firefox browser, +## one will need to manually import the TPS +## 'Administration' certificate for the TPS subsystem +## stored in this non-security domain CA +## +tps_instance_ca_domain_url="https://${pki_security_domain_host}:${ca_ee_port}" + + + ############################################################################## ## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ## ############################################################################## 
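Review bot: `tps_chosen_tks_key_management_url` and `tps_chosen_drm_server_side_keygen_url` point at `${pki_security_domain_host}`, but the `-292,17` hunk later in this file sets `tps_chosen_tks_agent_hostname` and `tps_chosen_drm_agent_hostname` to `${pki_host}`; the two are the same only on a single-machine install, so on any other layout pkisilent is handed one TKS/DRM host on the hostname option and a different one in the URL. Use one source for both, e.g. `tps_chosen_tks_key_management_url="https://${pki_host}:${tks_agent_port}"` and the same for the DRM URL, or derive the URLs from the chosen hostname variables. The block also ends with three added blank lines.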
@@ -292,17 +397,20 @@ tps_chosen_ca_nonssl_port=${ca_nonssl_port} tps_chosen_ca_ssl_port=${ca_ee_port} tps_chosen_ca_admin_port=${ca_admin_port} -tps_chosen_tks_hostname=${pki_host} -tps_chosen_tks_ssl_port=${tks_ee_port} -tps_chosen_drm_hostname=${pki_host} -tps_chosen_drm_ssl_port=${kra_ee_port} +tps_chosen_tks_agent_hostname=${pki_host} +tps_chosen_tks_agent_port=${tks_agent_port} +tps_chosen_tks_admin_hostname=${pki_host} +tps_chosen_tks_admin_port=${tks_admin_port} +tps_chosen_drm_agent_hostname=${pki_host} +tps_chosen_drm_agent_port=${kra_agent_port} +tps_chosen_drm_admin_hostname=${pki_host} +tps_chosen_drm_admin_port=${kra_admin_port} tps_agent_name="TPS\ Administrator\'s\ ${pki_security_domain_name}\ ID" tps_agent_key_size=nistp256 tps_agent_key_type=ecc tps_agent_cert_subject="cn=TPS\ Administrator,uid=admin,e=${pki_silent_admin_email},o=${pki_security_domain_name}" tps_ldap_auth_host=localhost tps_ldap_auth_port=389 -tps_ldap_auth_base_dn="dc=${pki_email_company},dc=${pki_email_domain}" tps_base_dn="dc=${pki_host}-${tps_instance_name}" tps_db_name="${pki_host}-${tps_instance_name}" tps_key_size=256 
@@ -481,11 +589,18 @@ -ca_port ${tps_chosen_ca_nonssl_port} \ -ca_ssl_port ${tps_chosen_ca_ssl_port} \ -ca_admin_port ${tps_chosen_ca_admin_port} \ - -drm_hostname ${tps_chosen_drm_hostname} \ - -drm_ssl_port ${tps_chosen_drm_ssl_port} \ + -ca_issuance_url "${tps_chosen_ca_issuance_url}" \ + -drm_agent_hostname ${tps_chosen_drm_agent_hostname} \ + -drm_agent_port ${tps_chosen_drm_agent_port} \ + -drm_admin_hostname ${tps_chosen_drm_admin_hostname} \ + -drm_admin_port ${tps_chosen_drm_admin_port} \ + -drm_server_side_keygen_url "${tps_chosen_drm_server_side_keygen_url}" \ -ss_keygen ${tps_ss_keygen} \ - -tks_hostname ${tps_chosen_tks_hostname} \ - -tks_ssl_port ${tps_chosen_tks_ssl_port} \ + -tks_agent_hostname ${tps_chosen_tks_agent_hostname} \ + -tks_agent_port ${tps_chosen_tks_agent_port} \ + -tks_admin_hostname ${tps_chosen_tks_admin_hostname} \ + -tks_admin_port ${tps_chosen_tks_admin_port} \ + -tks_key_management_url "${tps_chosen_tks_key_management_url}" \ -client_certdb_dir ${pki_silent_security_database_repository} \ -client_certdb_pwd ${pki_silent_security_token_password} \ -client_token_name ${pki_silent_security_token_name} \ @@ -509,6 +624,7 @@ -agent_key_type ${tps_agent_key_type} \ -agent_cert_subject "${tps_agent_cert_subject}" \ -subsystem_name ${tps_subsystem_name} \ + -ca_domain_url "${tps_instance_ca_domain_url}" \ -subsystem_key_type ${tps_key_type} \ -subsystem_key_size ${tps_key_curvename} \ -audit_signing_key_size 2048 \ Index: base/silent/templates/silent_ca_ip_port.template =================================================================== --- base/silent/templates/silent_ca_ip_port.template (revision 2598) +++ base/silent/templates/silent_ca_ip_port.template (working copy) 
@@ -89,8 +89,8 @@ ## ## 9180 - non-secure port (not role specific) ## 9701 - non-secure Tomcat port -## 9443 - secure EE port -## 9444 - secure Agent port +## 9443 - secure Agent port +## 9444 - secure EE port ## 9445 - secure Admin port ## 9446 - secure EE Client Auth port (not necessarily labeled) ## @@ -102,7 +102,7 @@ ## pki_ca_port_t tcp 9180, 9701, 9443, 9444, 9445 ## -## PKI CA ports +## PKI CA ports (Security Domain) pki_ca_admin_port= ## PKI Silent Security Database Variables @@ -297,6 +297,20 @@ ca_ocsp_cert_subject_name="cn=OCSP\ Signing\ Certificate,o=${pki_security_domain_name}" ca_server_cert_subject_name="cn=${pki_ca_ee_host},o=${pki_security_domain_name}" ca_audit_signing_cert_subject_name="cn=CA\ Audit\ Signing\ Certificate,o=${pki_security_domain_name}" +## URL to CA used to Issue Certificates for CA Instance Creation +## +## IMPORTANT: The CA referenced by this URL must reside within the +## same security domain as this CA instance. +## +## NOTE: To pass in a value of an empty string, specify the value "empty" +## instead of "" since ArgParser() throws away empty strings. +## +## This special "empty" string value may be specified for any of +## the following variables: +## +## * ca_instance_ca_domain_url="empty" +## +ca_instance_ca_domain_url="empty" @@ -518,6 +532,7 @@ -save_p12 ${ca_save_p12} \ -backup_pwd ${pki_ca_backup_password} \ -subsystem_name ${pki_ca_subsystem_name} \ + -ca_domain_url "${ca_instance_ca_domain_url}" \ -token_name ${pki_ca_token_name} \ -token_pwd ${pki_ca_token_password} \ -ca_sign_cert_subject_name "${ca_sign_cert_subject_name}" \ Index: base/silent/templates/pki_silent.template =================================================================== --- base/silent/templates/pki_silent.template (revision 2598) +++ base/silent/templates/pki_silent.template (working copy) 
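Review bot: `ca_instance_ca_domain_url="empty"` is the only `*_ca_domain_url` default in this patch set to the sentinel, and the IMPORTANT comment says the referenced CA "must reside within the same security domain as this CA instance", which cannot hold for the root CA that creates the security domain; the comment should say when a real URL is meaningful here, if ever, e.g. `## NOTE: leave this "empty" for a security domain CA; the option exists for parity with the other subsystems`. The value is then passed as `-ca_domain_url` in the `-518,6` hunk; the ConfigureCA change that registers that option with ArgParser is not in this diff view, so confirm it exists or the silent install may be rejected at argument parsing.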
@@ -137,6 +137,28 @@ pki_email_company= pki_email_domain= +## +## TPS Variables +## +## IMPORTANT: The 'tps_ldap_auth_base_dn' should contain individual +## comma separated 'dc=' values for each +## portion of the value returned by 'dnsdomainname' on +## the machine which hosts the LDAP server. +## +## For example, if 'dnsdomain' returns 'foo.example.com', +## then: +## +## tps_ldap_auth_base_dn="dc=foo,dc=example,dc=com" +## +## Using this example, the following command may be +## executed to test for a valid base DN: +## +## /usr/bin/ldapsearch -x -h ${pki_ldap_host} +## -p ${pki_ldap_port} -b 'dc=foo,dc=example,dc=com' +## -s base 'objectclass=*' +## +tps_ldap_auth_base_dn="dc=${pki_email_company},dc=${pki_email_domain}" + ## PKI Silent Admin Variables ## (e. g. - Import Admin Certificate into PKI Silent "browser" database) pki_silent_admin_user=admin @@ -175,8 +197,8 @@ ## ## *180 - non-secure port (not role specific) ## *701 - non-secure Tomcat port -## *443 - secure EE port -## *444 - secure Agent port +## *443 - secure Agent port +## *444 - secure EE port ## *445 - secure Admin port ## ## RA, TPS: @@ -198,7 +220,7 @@ ## pki_tps_port_t tcp 7890, 7888, 7889 ## -## CA ports +## CA ports (Security Domain) ca_nonssl_port=9180 ca_agent_port=9443 ca_ee_port=9444 
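Review bot: The comment's example refers to the command as `'dnsdomain'` after naming it `'dnsdomainname'` two lines earlier, and the two-line `ldapsearch` example carries no trailing `\`, so an operator pasting it runs two separate commands; change the first to `## For example, if 'dnsdomainname' returns 'foo.example.com',` and end the first `ldapsearch` line with ` \`. The example also uses `-x` (anonymous simple bind) against the plain `-h`/`-p` port, so on a directory that requires TLS or a bind DN the probe fails for reasons unrelated to the base DN, which deserves a sentence.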
@@ -232,8 +254,107 @@ tps_clientauth_port=7889 tps_nonclientauth_port=7890 +## URL to CA used to Issue Certificates for PKI Instance Creation +## +## * each 'hostname:port' must be a CA EE Hostname and CA EE Port +## * referenced CA does not need to be a Security Domain (see CAVEAT) +## * referenced CA must reside within the same security domain +## as the associated PKI instance +## +## CAVEAT: If the chosen CA is a security domain: +## +## * all PKI subsystem certificates (including the +## 'Subsystem' certificates) will be stored on this CA +## * all PKI subsystem client 'Administration' +## certificates will automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of each PKI subsystem +## * the 'pkisilent' client security databases may be +## used inside a firefox browser with no further +## changes +## +## If the chosen CA is NOT a security domain: +## +## * all PKI subsystem certificates EXCEPT the +## 'Subsystem' certificate will be stored on this CA; +## the 'Subsystem' certificate will be stored on the +## CA that is the security domain for this PKI +## subsystem +## * no non-CA PKI subsystem client 'Administration' +## certificates will automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of each PKI subsystem; +## import will fail with something similar to the +## following message: +## +## ERROR: exception importing cert: Security +## library failed to decode certificate +## package: (-8183) security library: +## improperly formatted DER-encoded +## message. 
+## +## * in order to utilize the 'pkisilent' client +## security databases inside a firefox browser, one +## will need to manually import all 'Administration' +## certificates for each of the non-CA PKI subsystems +## stored in this non-security domain CA +## +## NOTE: To pass in a value of an empty string, specify the value "empty" +## instead of "" since ArgParser() throws away empty strings. +## +## This special "empty" string value may be specified for any of +## the following variables: +## +## * ca_instance_ca_domain_url="empty" +## * kra_instance_ca_domain_url="empty" +## * ocsp_instance_ca_domain_url="empty" +## * tks_instance_ca_domain_url="empty" +## * ra_chosen_ca_issuance_url="empty" +## * ra_instance_ca_domain_url="empty" +## * tps_chosen_ca_issuance_url="empty" +## * tps_chosen_tks_key_management_url="empty" +## * tps_chosen_drm_server_side_keygen_url="empty" +## * tps_instance_ca_domain_url="empty" +## +kra_instance_ca_domain_url="https://${pki_security_domain_host}:${ca_ee_port}" +ocsp_instance_ca_domain_url="https://${pki_security_domain_host}:${ca_ee_port}" +ra_instance_ca_domain_url="https://${pki_security_domain_host}:${ca_ee_port}" + +tks_instance_ca_domain_url="https://${pki_security_domain_host}:${ca_ee_port}" + +tps_instance_ca_domain_url="https://${pki_security_domain_host}:${ca_ee_port}" + +## URL to CA used to Issue Certificates for Requests Submitted via PKI instance +## +## * each 'hostname:port' must be a CA EE Hostname and CA EE Port +## * referenced CA does not need to be a Security Domain +## * referenced CA must reside within the same security domain +## as the associated PKI instance +## +ra_chosen_ca_issuance_url="https://${pki_security_domain_host}:${ca_ee_port}" + +tps_chosen_ca_issuance_url="https://${pki_security_domain_host}:${ca_ee_port}" + +## URL to TKS used for Key Management for TPS +## +## * each 'hostname:port' must be a TKS Agent Hostname and TKS Agent Port +## * referenced TKS must reside within the same security 
domain +## as the associated TPS instance +## +tps_chosen_tks_key_management_url="https://${pki_security_domain_host}:${tks_agent_port}" + +## URL to optional DRM used for Server-Side Keygen for TPS (tps_ss_keygen=true) +## +## * each 'hostname:port' must be a DRM Agent Hostname and DRM Agent Port +## * referenced DRM must reside within the same security domain +## as the associated TPS instance +## +tps_chosen_drm_server_side_keygen_url="https://${pki_security_domain_host}:${kra_agent_port}" + + + ############################################################################## ## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ## ############################################################################## @@ -394,6 +515,10 @@ ca_ocsp_cert_subject_name="cn=OCSP\ Signing\ Certificate,o=${pki_security_domain_name}" ca_server_cert_subject_name="cn=${pki_host},o=${pki_security_domain_name}" ca_audit_signing_cert_subject_name="cn=CA\ Audit\ Signing\ Certificate,o=${pki_security_domain_name}" +## URL to CA used to Issue Certificates for CA Instance Creation +ca_instance_ca_domain_url="empty" +## URL to External CA used to Issue Certificates for CA Instance Creation +external_ca_domain_url="External CA" ## Optional CA Variables for creating a clone CA ## 
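Review bot: `tps_chosen_tks_key_management_url` and `tps_chosen_drm_server_side_keygen_url` default to `https://${pki_security_domain_host}:…`, while the `tps_chosen_tks_agent_hostname`/`tps_chosen_drm_agent_hostname` variables added later in this file default to `${pki_host}`; on any deployment where the TPS is not on the security-domain host the URL and the hostname/port pair point at different machines unless both are edited. Since both sets are handed to the same TPS invocation, I would derive the URL from the pair (or the pair from the URL) or at least state in the comment that they must be changed together, e.g. `## NOTE: keep this in step with tps_chosen_tks_agent_hostname/tps_chosen_tks_agent_port below`. The same concern likely applies to `ra_chosen_ca_issuance_url`/`tps_chosen_ca_issuance_url` versus the `*_chosen_ca_*` host and port variables, of which I can only see part.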
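Review bot: `external_ca_domain_url="External CA"` is not a URL and is not in the list of variables that accept the `empty` sentinel a few hunks above, yet the commented-out external-CA invocations further down pass it verbatim as `-ca_domain_url "${external_ca_domain_url}"`. If those blocks are ever uncommented the Java side receives the text `External CA` where it expects `https://host:port`; I cannot see from here whether it special-cases that string. Either document it next to the assignment, e.g. `## NOTE: "External CA" is a placeholder, not a URL; replace with the https URL of the issuing CA before use`, or default it to `"empty"` like `ca_instance_ca_domain_url` directly above.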
@@ -766,17 +891,20 @@ tps_chosen_ca_nonssl_port=${ca_nonssl_port} tps_chosen_ca_ssl_port=${ca_ee_port} tps_chosen_ca_admin_port=${ca_admin_port} -tps_chosen_tks_hostname=${pki_host} -tps_chosen_tks_ssl_port=${tks_ee_port} -tps_chosen_drm_hostname=${pki_host} -tps_chosen_drm_ssl_port=${kra_ee_port} +tps_chosen_tks_agent_hostname=${pki_host} +tps_chosen_tks_agent_port=${tks_agent_port} +tps_chosen_tks_admin_hostname=${pki_host} +tps_chosen_tks_admin_port=${tks_admin_port} +tps_chosen_drm_agent_hostname=${pki_host} +tps_chosen_drm_agent_port=${kra_agent_port} +tps_chosen_drm_admin_hostname=${pki_host} +tps_chosen_drm_admin_port=${kra_admin_port} tps_agent_name="TPS\ Administrator\'s\ ${pki_security_domain_name}\ ID" tps_agent_key_size=2048 tps_agent_key_type=rsa tps_agent_cert_subject="cn=TPS\ Administrator,uid=admin,e=${pki_silent_admin_email},o=${pki_security_domain_name}" tps_ldap_auth_host=localhost tps_ldap_auth_port=389 -tps_ldap_auth_base_dn="dc=${pki_email_company},dc=${pki_email_domain}" tps_base_dn="dc=${pki_host}-${tps_instance_name}" tps_db_name="${pki_host}-${tps_instance_name}" tps_key_size=2048 @@ -1105,6 +1233,7 @@ -save_p12 ${ca_save_p12} \ -backup_pwd ${ca_backup_password} \ -subsystem_name ${ca_subsystem_name} \ + -ca_domain_url "${ca_instance_ca_domain_url}" \ -token_name ${ca_token_name} \ -token_pwd ${ca_token_password} \ -ca_sign_cert_subject_name "${ca_sign_cert_subject_name}" \ @@ -1173,6 +1302,7 @@ # -save_p12 ${ca_save_p12} \ # -backup_pwd ${ca_backup_password} \ # -subsystem_name ${ca_subsystem_name} \ +# -ca_domain_url "${ca_instance_ca_domain_url}" \ # -token_name ${ca_token_name} \ # -token_pwd ${ca_token_password} \ # -ca_sign_cert_subject_name "${ca_sign_cert_subject_name}" \ 
@@ -1239,6 +1369,7 @@ # -save_p12 ${ca_save_p12} \ # -backup_pwd ${ca_backup_password} \ # -subsystem_name ${ca_subsystem_name} \ +# -ca_domain_url "${external_ca_domain_url}" \ # -token_name ${ca_token_name} \ # -token_pwd ${ca_token_password} \ # -ca_sign_cert_subject_name "${ca_sign_cert_subject_name}" \ @@ -1311,6 +1442,7 @@ # -save_p12 ${ca_save_p12} \ # -backup_pwd ${ca_backup_password} \ # -subsystem_name ${ca_subsystem_name} \ +# -ca_domain_url "${external_ca_domain_url}" \ # -token_name ${ca_token_name} \ # -token_pwd ${ca_token_password} \ # -ca_sign_cert_subject_name "${ca_sign_cert_subject_name}" \ @@ -1381,6 +1513,7 @@ -agent_key_type ${kra_agent_key_type} \ -agent_cert_subject "${kra_agent_cert_subject}" \ -subsystem_name ${kra_subsystem_name} \ + -ca_domain_url "${kra_instance_ca_domain_url}" \ -save_p12 ${kra_save_p12} \ -backup_pwd ${kra_backup_password} \ -drm_transport_cert_subject_name "${kra_transport_cert_subject_name}" \ @@ -1451,6 +1584,7 @@ # -agent_key_type ${kra_agent_key_type} \ # -agent_cert_subject "${kra_agent_cert_subject}" \ # -subsystem_name ${kra_subsystem_name} \ +# -ca_domain_url "${kra_instance_ca_domain_url}" \ # -save_p12 ${kra_save_p12} \ # -backup_pwd ${kra_backup_password} \ # -drm_transport_cert_subject_name "${kra_transport_cert_subject_name}" \ @@ -1524,6 +1658,7 @@ -agent_key_type ${ocsp_agent_key_type} \ -agent_cert_subject "${ocsp_agent_cert_subject}" \ -subsystem_name ${ocsp_subsystem_name} \ + -ca_domain_url "${ocsp_instance_ca_domain_url}" \ -save_p12 ${ocsp_save_p12} \ -backup_pwd ${ocsp_backup_password} \ -ocsp_sign_cert_subject_name "${ocsp_sign_cert_subject_name}" \ @@ -1592,6 +1727,7 @@ -agent_key_type ${tks_agent_key_type} \ -agent_cert_subject "${tks_agent_cert_subject}" \ -subsystem_name ${tks_subsystem_name} \ + -ca_domain_url "${tks_instance_ca_domain_url}" \ -save_p12 ${tks_save_p12} \ -backup_pwd ${tks_backup_password} \ -tks_subsystem_cert_subject_name "${tks_subsystem_cert_subject_name}" \ 
@@ -1636,6 +1772,7 @@ -ca_port ${ra_chosen_ca_nonssl_port} \ -ca_ssl_port ${ra_chosen_ca_ssl_port} \ -ca_admin_port ${ra_chosen_ca_admin_port} \ + -ca_issuance_url ${ra_chosen_ca_issuance_url} \ -client_certdb_dir ${pki_silent_security_database_repository} \ -client_certdb_pwd ${pki_silent_security_token_password} \ -client_token_name ${pki_silent_security_token_name} \ @@ -1653,6 +1790,7 @@ -agent_key_type ${ra_agent_key_type} \ -agent_cert_subject "${ra_agent_cert_subject}" \ -subsystem_name ${ra_subsystem_name} \ + -ca_domain_url "${ra_instance_ca_domain_url}" \ -ra_server_cert_nickname "${ra_server_cert_nickname}" \ -ra_server_cert_subject_name "${ra_server_cert_subject_name}" \ -ra_subsystem_cert_nickname "${ra_subsystem_cert_nickname}" \ @@ -1704,11 +1842,18 @@ -ca_port ${tps_chosen_ca_nonssl_port} \ -ca_ssl_port ${tps_chosen_ca_ssl_port} \ -ca_admin_port ${tps_chosen_ca_admin_port} \ - -drm_hostname ${tps_chosen_drm_hostname} \ - -drm_ssl_port ${tps_chosen_drm_ssl_port} \ + -ca_issuance_url ${tps_chosen_ca_issuance_url} \ + -drm_agent_hostname ${tps_chosen_drm_agent_hostname} \ + -drm_agent_port ${tps_chosen_drm_agent_port} \ + -drm_admin_hostname ${tps_chosen_drm_admin_hostname} \ + -drm_admin_port ${tps_chosen_drm_admin_port} \ + -drm_server_side_keygen_url ${tps_chosen_drm_server_side_keygen_url} \ -ss_keygen ${tps_ss_keygen} \ - -tks_hostname ${tps_chosen_tks_hostname} \ - -tks_ssl_port ${tps_chosen_tks_ssl_port} \ + -tks_agent_hostname ${tps_chosen_tks_agent_hostname} \ + -tks_agent_port ${tps_chosen_tks_agent_port} \ + -tks_admin_hostname ${tps_chosen_tks_admin_hostname} \ + -tks_admin_port ${tps_chosen_tks_admin_port} \ + -tks_key_management_url ${tps_chosen_tks_key_management_url} \ -client_certdb_dir ${pki_silent_security_database_repository} \ -client_certdb_pwd ${pki_silent_security_token_password} \ -client_token_name ${pki_silent_security_token_name} \ 
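Review bot: `-ca_issuance_url ${ra_chosen_ca_issuance_url}` is passed unquoted while `-ca_domain_url "${ra_instance_ca_domain_url}"` in the next hunk is quoted, and the TPS hunk on this line repeats the unquoted form for `-ca_issuance_url`, `-drm_server_side_keygen_url` and `-tks_key_management_url`. An unquoted expansion undergoes word splitting, so an empty value disappears and the following option name becomes the URL argument, and a value containing whitespace is split into several arguments; the template's own `empty` sentinel exists precisely because empty values are fragile here. I would quote all of them, e.g. `-ca_issuance_url "${ra_chosen_ca_issuance_url}" \`, so the URL options are handled uniformly with `-ca_domain_url`.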
@@ -1734,6 +1879,7 @@ -save_p12 ${tps_save_p12} \ -backup_pwd ${tps_backup_password} \ -subsystem_name ${tps_subsystem_name} \ + -ca_domain_url "${tps_instance_ca_domain_url}" \ -ldap_auth_host ${tps_ldap_auth_host} \ -ldap_auth_port ${tps_ldap_auth_port} \ -ldap_auth_base_dn ${tps_ldap_auth_base_dn} \ Index: base/silent/templates/silentEC_kra.template =================================================================== --- base/silent/templates/silentEC_kra.template (revision 2598) +++ base/silent/templates/silentEC_kra.template (working copy) @@ -174,8 +174,8 @@ ## ## *180 - non-secure port (not role specific) ## *701 - non-secure Tomcat port -## *443 - secure EE port -## *444 - secure Agent port +## *443 - secure Agent port +## *444 - secure EE port ## *445 - secure Admin port ## ## @@ -186,7 +186,7 @@ ## pki_kra_port_t tcp 10180, 10701, 10443, 10444, 10445 ## -## CA ports +## CA ports (Security Domain) ca_nonssl_port=9180 ca_agent_port=9443 ca_ee_port=9444 
@@ -198,7 +198,62 @@ kra_ee_port=10444 kra_admin_port=10445 +## URL to CA used to Issue Certificates for KRA Instance Creation +## +## * each 'hostname:port' must be a CA EE Hostname and CA EE Port +## * referenced CA does not need to be a Security Domain (see CAVEAT) +## * referenced CA must reside within the same security domain +## as this KRA instance +## +## CAVEAT: If the chosen CA is a security domain: +## +## * all KRA subsystem certificates (including the +## 'Subsystem' certificates) will be stored on this CA +## * the KRA subsystem client 'Administration' +## certificate will automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of this KRA subsystem +## * the 'pkisilent' client security databases may be +## used inside a firefox browser with no further +## changes +## +## If the chosen CA is NOT a security domain: +## +## * all KRA subsystem certificates EXCEPT the KRA +## 'Subsystem' certificate will be stored on this CA; +## the KRA 'Subsystem' certificate will be stored on +## the CA that is the security domain for this KRA +## subsystem +## * the KRA subsystem client 'Administration' +## certificate will NOT automatically be imported into +## the NSS client security databases associated with +## the 'pkisilent' invocation of this KRA subsystem; +## import will fail with something similar to the +## following message: +## +## ERROR: exception importing cert: Security +## library failed to decode certificate +## package: (-8183) security library: +## improperly formatted DER-encoded +## message. +## +## * in order to utilize the 'pkisilent' client +## security databases inside a firefox browser, +## one will need to manually import the KRA +## 'Administration' certificate for the KRA subsystem +## stored in this non-security domain CA +## +## NOTE: To pass in a value of an empty string, specify the value "empty" +## instead of "" since ArgParser() throws away empty strings. 
+## +## This special "empty" string value may be specified for any of +## the following variables: +## +## * kra_instance_ca_domain_url="empty" +## +kra_instance_ca_domain_url="https://${pki_security_domain_host}:${ca_ee_port}" + ############################################################################## ## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ## ############################################################################## @@ -550,6 +605,7 @@ -agent_key_type ${kra_agent_key_type} \ -agent_cert_subject "${kra_agent_cert_subject}" \ -subsystem_name ${kra_subsystem_name} \ + -ca_domain_url "${kra_instance_ca_domain_url}" \ -drm_transport_cert_subject_name "${kra_transport_cert_subject_name}" \ -drm_subsystem_cert_subject_name "${kra_subsystem_cert_subject_name}" \ -drm_storage_cert_subject_name "${kra_storage_cert_subject_name}" \ Index: base/ra/lib/perl/PKI/RA/CAInfoPanel.pm =================================================================== --- base/ra/lib/perl/PKI/RA/CAInfoPanel.pm (revision 2598) +++ base/ra/lib/perl/PKI/RA/CAInfoPanel.pm (working copy) @@ -250,8 +250,8 @@ sub get_domain_xml { - my $ca_ee_host = $1; - my $https_ee_port = $2; + my $ca_ee_host = $_[0]; + my $https_ee_port = $_[1]; # get the domain xml # e. g. - https://water.sfbay.redhat.com:9445/ca/admin/ca/getDomainXML @@ -273,9 +273,9 @@ sub get_secure_admin_port_from_domain_xml { - my $content = $1; - my $ca_ee_host = $2; - my $https_ee_port = $3; + my $content = $_[0]; + my $ca_ee_host = $_[1]; + my $https_ee_port = $_[2]; # Retrieve the secure admin port corresponding # to the selected EE host and secure ee port. @@ -287,7 +287,7 @@ foreach my $c (@{$xml->{'CAList'}[0]->{'CA'}}) { if( ( $ca_ee_host eq $c->{'Host'}[0] ) && ( $https_ee_port eq $c->{'SecurePort'}[0] ) ) { - $https_admin_port = https_$c->{'SecureAdminPort'}[0]; + $https_admin_port = $c->{'SecureAdminPort'}[0]; last; } } 
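Review bot: `my $ca_ee_host = $_[0]; my $https_ee_port = $_[1];` fixes the real bug (the old `$1`/`$2` read stale regex captures rather than the arguments), but positional `$_[n]` reads are unidiomatic and easy to get out of step when a parameter is added; the conventional form is a single list unpack, `my ($ca_ee_host, $https_ee_port) = @_;` in `get_domain_xml` and `my ($content, $ca_ee_host, $https_ee_port) = @_;` in the three-argument subs. The same pattern repeats in the `get_secure_agent_port_from_domain_xml`, `get_admin_host_from_domain_xml` and `get_agent_host_from_domain_xml` hunks on the following lines and in the TPS `CAInfoPanel.pm` hunks. Each sub's body runs past its hunk, so I cannot see what the port and host variables are initialised to when no `CAList` entry matches the selected host and port; a comment stating the fallback would help, e.g. `# NOTE: left unchanged if no CA entry matches; confirm the caller handles that`.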
@@ -297,9 +297,9 @@ sub get_secure_agent_port_from_domain_xml { - my $content = $1; - my $ca_ee_host = $2; - my $https_ee_port = $3; + my $content = $_[0]; + my $ca_ee_host = $_[1]; + my $https_ee_port = $_[2]; # Retrieve the secure agent port corresponding # to the selected EE host and secure ee port. @@ -311,7 +311,7 @@ foreach my $c (@{$xml->{'CAList'}[0]->{'CA'}}) { if( ( $ca_ee_host eq $c->{'Host'}[0] ) && ( $https_ee_port eq $c->{'SecurePort'}[0] ) ) { - $https_agent_port = https_$c->{'SecureAgentPort'}[0]; + $https_agent_port = $c->{'SecureAgentPort'}[0]; last; } } @@ -321,9 +321,9 @@ sub get_admin_host_from_domain_xml { - my $content = $1; - my $ca_ee_host = $2; - my $https_ee_port = $3; + my $content = $_[0]; + my $ca_ee_host = $_[1]; + my $https_ee_port = $_[2]; # Retrieve the admin host corresponding # to the selected EE host and secure ee port. @@ -337,10 +337,10 @@ ( $https_ee_port eq $c->{'SecurePort'}[0] ) ) { if( $c->{'AdminHost'}[0] ne "" ) { # IP Port Separation Schema - $ca_admin_host = https_$c->{'AdminHost'}[0]; + $ca_admin_host = $c->{'AdminHost'}[0]; } else { # Port Separation Schema - $ca_admin_host = https_$c->{'Host'}[0]; + $ca_admin_host = $c->{'Host'}[0]; } last; } @@ -352,9 +352,9 @@ sub get_agent_host_from_domain_xml { - my $content = $1; - my $ca_ee_host = $2; - my $https_ee_port = $3; + my $content = $_[0]; + my $ca_ee_host = $_[1]; + my $https_ee_port = $_[2]; # Retrieve the agent host corresponding # to the selected EE host and secure ee port. 
@@ -368,10 +368,10 @@ ( $https_ee_port eq $c->{'SecurePort'}[0] ) ) { if( $c->{'AgentHost'}[0] ne "" ) { # IP Port Separation Schema - $ca_agent_host = https_$c->{'AgentHost'}[0]; + $ca_agent_host = $c->{'AgentHost'}[0]; } else { # Port Separation Schema - $ca_agent_host = https_$c->{'Host'}[0]; + $ca_agent_host = $c->{'Host'}[0]; } last; } Index: base/ra/lib/perl/PKI/RA/NamePanel.pm =================================================================== --- base/ra/lib/perl/PKI/RA/NamePanel.pm (revision 2598) +++ base/ra/lib/perl/PKI/RA/NamePanel.pm (working copy) 
@@ -293,16 +293,26 @@ "auth_hostname=" . $sdom_url->host . "&" . "auth_port=" . $sdom_url->port; + # NOTE: Must save the original values of '$ca_ee_host' and + # '$https_ee_port' because if 'subsystem' is not + # the last value specifed in 'CS.cfg::preop.cert.list', + # it was discovered that the following code was + # resetting these values for every value that follows. + my $sslget_ca_ee_host = ""; + my $sslget_https_ee_port = ""; if ($certtag eq "subsystem") { - $ca_ee_host = $sdom_url->host; - $https_ee_port = $sdom_url->port; + $sslget_ca_ee_host = $sdom_url->host; + $sslget_https_ee_port = $sdom_url->port; + } else { + $sslget_ca_ee_host = $ca_ee_host; + $sslget_https_ee_port = $https_ee_port; } if ($changed eq "true") { -$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_ee_host:$https_ee_port"; -$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_ee_host:$https_ee_port"; +$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $sslget_ca_ee_host:$sslget_https_ee_port"; +$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $sslget_ca_ee_host:$sslget_https_ee_port"; } else { -$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_ee_host:$https_ee_port"; -$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_ee_host:$https_ee_port"; +$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $sslget_ca_ee_host:$sslget_https_ee_port"; +$debug_req = 
"/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $sslget_ca_ee_host:$sslget_https_ee_port"; } &PKI::RA::Wizard::debug_log("debug_req = " . $debug_req); Index: base/tps/lib/perl/PKI/TPS/CAInfoPanel.pm =================================================================== --- base/tps/lib/perl/PKI/TPS/CAInfoPanel.pm (revision 2598) +++ base/tps/lib/perl/PKI/TPS/CAInfoPanel.pm (working copy) @@ -249,8 +249,8 @@ sub get_domain_xml { - my $ca_ee_host = $1; - my $https_ee_port = $2; + my $ca_ee_host = $_[0]; + my $https_ee_port = $_[1]; # get the domain xml # e. g. - https://water.sfbay.redhat.com:9445/ca/admin/ca/getDomainXML @@ -272,9 +272,9 @@ sub get_secure_admin_port_from_domain_xml { - my $content = $1; - my $ca_ee_host = $2; - my $https_ee_port = $3; + my $content = $_[0]; + my $ca_ee_host = $_[1]; + my $https_ee_port = $_[2]; # Retrieve the secure admin port corresponding # to the selected EE host and secure ee port. @@ -286,7 +286,7 @@ foreach my $c (@{$xml->{'CAList'}[0]->{'CA'}}) { if( ( $ca_ee_host eq $c->{'Host'}[0] ) && ( $https_ee_port eq $c->{'SecurePort'}[0] ) ) { - $https_admin_port = https_$c->{'SecureAdminPort'}[0]; + $https_admin_port = $c->{'SecureAdminPort'}[0]; last; } } @@ -296,9 +296,9 @@ sub get_secure_agent_port_from_domain_xml { - my $content = $1; - my $ca_ee_host = $2; - my $https_ee_port = $3; + my $content = $_[0]; + my $ca_ee_host = $_[1]; + my $https_ee_port = $_[2]; # Retrieve the secure agent port corresponding # to the selected EE host and secure ee port. @@ -310,7 +310,7 @@ foreach my $c (@{$xml->{'CAList'}[0]->{'CA'}}) { if( ( $ca_ee_host eq $c->{'Host'}[0] ) && ( $https_ee_port eq $c->{'SecurePort'}[0] ) ) { - $https_agent_port = https_$c->{'SecureAgentPort'}[0]; + $https_agent_port = $c->{'SecureAgentPort'}[0]; last; } } 
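Review bot: The rewritten `$req` lines still assemble the `sslget` command as a single string with `$params`, `$token_pwd`/`$db_password`, `$sslnickname` and now `$sslget_ca_ee_host:$sslget_https_ee_port` interpolated into a shell command line; how `$req` is executed is outside the hunk, but if it goes through a shell, any of those values containing a quote, `$` or `;` alters the command instead of being passed as an argument. The host and port come from `$sdom_url` or the panel's `$ca_ee_host`, so a list-form invocation (`system`/`open` with an argument list, or at least `quotemeta` on each interpolated value) would keep them as data. Keeping `$debug_req` with `(sensitive)` in place of the password is right and should survive any rewrite. The TPS `NamePanel.pm` hunk on the last lines of this chunk has the identical structure. Minor: the new comment reads `specifed`; `specified`.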
@@ -320,9 +320,9 @@ sub get_admin_host_from_domain_xml { - my $content = $1; - my $ca_ee_host = $2; - my $https_ee_port = $3; + my $content = $_[0]; + my $ca_ee_host = $_[1]; + my $https_ee_port = $_[2]; # Retrieve the admin host corresponding # to the selected EE host and secure ee port. @@ -336,10 +336,10 @@ ( $https_ee_port eq $c->{'SecurePort'}[0] ) ) { if( $c->{'AdminHost'}[0] ne "" ) { # IP Port Separation Schema - $ca_admin_host = https_$c->{'AdminHost'}[0]; + $ca_admin_host = $c->{'AdminHost'}[0]; } else { # Port Separation Schema - $ca_admin_host = https_$c->{'Host'}[0]; + $ca_admin_host = $c->{'Host'}[0]; } last; } @@ -350,9 +350,9 @@ sub get_agent_host_from_domain_xml { - my $content = $1; - my $ca_ee_host = $2; - my $https_ee_port = $3; + my $content = $_[0]; + my $ca_ee_host = $_[1]; + my $https_ee_port = $_[2]; # Retrieve the agent host corresponding # to the selected EE host and secure ee port. @@ -366,10 +366,10 @@ ( $https_ee_port eq $c->{'SecurePort'}[0] ) ) { if( $c->{'AgentHost'}[0] ne "" ) { # IP Port Separation Schema - $ca_agent_host = https_$c->{'AgentHost'}[0]; + $ca_agent_host = $c->{'AgentHost'}[0]; } else { # Port Separation Schema - $ca_agent_host = https_$c->{'Host'}[0]; + $ca_agent_host = $c->{'Host'}[0]; } last; } Index: base/tps/lib/perl/PKI/TPS/NamePanel.pm =================================================================== --- base/tps/lib/perl/PKI/TPS/NamePanel.pm (revision 2598) +++ base/tps/lib/perl/PKI/TPS/NamePanel.pm (working copy) 
@@ -301,18 +301,28 @@ "auth_hostname=" . $sdom_url->host . "&" . "auth_port=" . $sdom_url->port; + # NOTE: Must save the original values of '$ca_ee_host' and + # '$https_ee_port' because if 'subsystem' is not + # the last value specifed in 'CS.cfg::preop.cert.list', + # it was discovered that the following code was + # resetting these values for every value that follows. + my $sslget_ca_ee_host = ""; + my $sslget_https_ee_port = ""; if ($certtag eq "subsystem") { - $ca_ee_host = $sdom_url->host; - $https_ee_port = $sdom_url->port; + $sslget_ca_ee_host = $sdom_url->host; + $sslget_https_ee_port = $sdom_url->port; + } else { + $sslget_ca_ee_host = $ca_ee_host; + $sslget_https_ee_port = $https_ee_port; } if ($changed eq "true") { # nickname changed is true, using token passwd for calling sslget -$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_ee_host:$https_ee_port"; -$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_ee_host:$https_ee_port"; +$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $sslget_ca_ee_host:$sslget_https_ee_port"; +$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $sslget_ca_ee_host:$sslget_https_ee_port"; } else { # nickname changed is false, using internal passwd for calling sslget -$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_ee_host:$https_ee_port"; -$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_ee_host:$https_ee_port"; +$req = "/usr/bin/sslget -e \"$params\" -d 
\"$instanceDir/alias\" -p \"$db_password\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $sslget_ca_ee_host:$sslget_https_ee_port"; +$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $sslget_ca_ee_host:$sslget_https_ee_port"; } &PKI::TPS::Wizard::debug_log("debug_req = " . $debug_req);