[Pki-devel] [PATCH] Fixes for pki-silent in RHCS 8.1 ECC Errata
Matthew Harmsen
mharmsen at redhat.com
Thu May 23 00:07:11 UTC 2013
Please review the attached patch which addresses the following two
'pki-silent' issues in RHCS 8.1:
* Bugzilla Bug #951891
<https://bugzilla.redhat.com/show_bug.cgi?id=951891> - 'silent_ra_to_ip_port.template'
fails to configure an RA successfully
* Bugzilla Bug #952392
<https://bugzilla.redhat.com/show_bug.cgi?id=952392> - Allow RA and
TPS URLs to be specified by pkisilent and utilized by the RA and TPS
servers
This patch has been tested extensively on an IP Port Separated x86_64
machine running RHEL 5.9.
Testing utilized the following deployment scenario:
* CA (security domain)
o Subordinate CA (no security domain)
+ KRA
+ TKS
+ RA
+ TPS
The KRA, RA, and TPS were each tested twice: once with the subsystems'
certificates signed by the CA and once with them signed by the Subordinate CA;
this testing led to the filing of "TRAC Ticket #620 - Ability of a non-security
domain CA to store an "Administration" cert in the NSS client security
database".
Index: base/silent/src/tks/ConfigureTKS.java
===================================================================
--- base/silent/src/tks/ConfigureTKS.java (revision 2598)
+++ base/silent/src/tks/ConfigureTKS.java (working copy)
@@ -152,6 +152,9 @@
public static String subsystem_name = null;
public static String tks_audit_signing_cert_subject_name = null;
+ // Name Panel - CertSubjectPanel()
+ public static String ca_domain_url = null;
+
public ConfigureTKS ()
{
// do nothing :)
@@ -470,7 +473,17 @@
ArrayList cert_list = null;
ArrayList dn_list = null;
- String domain_url = "https://" + ca_hostname + ":" + ca_ssl_port ;
+ String domain_url = null;
+ if ( ( ca_domain_url != null ) &&
+ ( !ca_domain_url.equals( "" ) ) &&
+ ( !ca_domain_url.equals( "empty" ) ) ) {
+ domain_url = ca_domain_url;
+ } else {
+ // Use the CA EE hostname and the CA EE port
+ domain_url = "https://" + ca_hostname + ":" + ca_ssl_port;
+ }
+ System.out.println("CertSubjectPanel() domain_url='" +
+ domain_url + "'.");
String query_string = "p=9" + "&op=next" + "&xml=true" +
"&subsystem=" +
@@ -990,6 +1003,9 @@
// subsystemName
StringHolder x_subsystem_name = new StringHolder();
+ // Name Panel - CertSubjectPanel()
+ StringHolder x_ca_domain_url = new StringHolder();
+
// parse the args
ArgParser parser = new ArgParser("ConfigureTKS");
@@ -1104,6 +1120,10 @@
"-subsystem_name %s #CA subsystem name",
x_subsystem_name);
+ parser.addOption (
+ "-ca_domain_url %s #URL to CA used to Issue Certificates for TKS Instance Creation",
+ x_ca_domain_url);
+
parser.addOption(
"-tks_audit_signing_cert_subject_name %s #TKS audit signing cert subject name",
x_tks_audit_signing_cert_subject_name);
@@ -1189,6 +1209,8 @@
subsystem_name = x_subsystem_name.value ;
tks_audit_signing_cert_subject_name = x_tks_audit_signing_cert_subject_name.value;
+ ca_domain_url = x_ca_domain_url.value;
+
boolean st = ca.ConfigureTKSInstance();
if (!st) {
Index: base/silent/src/drm/ConfigureDRM.java
===================================================================
--- base/silent/src/drm/ConfigureDRM.java (revision 2598)
+++ base/silent/src/drm/ConfigureDRM.java (working copy)
@@ -179,6 +179,9 @@
public static String subsystem_name = null;
+ // Name Panel - CertSubjectPanel()
+ public static String ca_domain_url = null;
+
// cloning
public static boolean clone = false;
public static String clone_uri = null;
@@ -576,7 +579,17 @@
ArrayList dn_list = null;
String query_string = null;
- String domain_url = "https://" + ca_hostname + ":" + ca_ssl_port ;
+ String domain_url = null;
+ if ( ( ca_domain_url != null ) &&
+ ( !ca_domain_url.equals( "" ) ) &&
+ ( !ca_domain_url.equals( "empty" ) ) ) {
+ domain_url = ca_domain_url;
+ } else {
+ // Use the CA EE hostname and the CA EE port
+ domain_url = "https://" + ca_hostname + ":" + ca_ssl_port;
+ }
+ System.out.println("CertSubjectPanel() domain_url='" +
+ domain_url + "'.");
if (!clone) {
query_string = "p=9" + "&op=next" + "&xml=true" +
@@ -1143,6 +1156,9 @@
// subsystemName
StringHolder x_subsystem_name = new StringHolder();
+ // Name Panel - CertSubjectPanel()
+ StringHolder x_ca_domain_url = new StringHolder();
+
//clone parameters
StringHolder x_clone = new StringHolder();
StringHolder x_clone_uri = new StringHolder();
@@ -1281,6 +1297,10 @@
"-subsystem_name %s #CA subsystem name",
x_subsystem_name);
+ parser.addOption (
+ "-ca_domain_url %s #URL to CA used to Issue Certificates for DRM Instance Creation",
+ x_ca_domain_url);
+
parser.addOption(
"-drm_audit_signing_cert_subject_name %s #DRM audit signing cert subject name",
x_drm_audit_signing_cert_subject_name);
@@ -1387,6 +1407,8 @@
subsystem_name = x_subsystem_name.value;
+ ca_domain_url = x_ca_domain_url.value;
+
if ((x_clone.value != null) && (x_clone.value.equalsIgnoreCase("true"))) {
clone = true;
} else {
Index: base/silent/src/ra/ConfigureRA.java
===================================================================
--- base/silent/src/ra/ConfigureRA.java (revision 2598)
+++ base/silent/src/ra/ConfigureRA.java (working copy)
@@ -125,6 +125,12 @@
// Admin Certificate Request Panel
public static String requestor_name = null;
+ // CA Info Panel - SubsystemPanel()
+ public static String ca_issuance_url = null;
+
+ // Name Panel - CertSubjectPanel()
+ public static String ca_domain_url = null;
+
public ConfigureRA ()
{
// do nothing :)
@@ -298,13 +304,23 @@
px.prettyprintxml();
sleep_time();
- // 'ca_url' is not used, but refers to
- // the CA EE hostname and the CA EE port
- String ca_url = "https://" + ca_hostname + ":" + ca_ssl_port ;
+ String ca_url = null;
+ if ( ( ca_issuance_url != null ) &&
+ ( !ca_issuance_url.equals( "" ) ) &&
+ ( !ca_issuance_url.equals( "empty" ) ) ) {
+ ca_url = ca_issuance_url;
+ } else {
+ // Use the CA EE hostname and the CA EE port
+ ca_url = "https://" + ca_hostname + ":" + ca_ssl_port;
+ }
+ System.out.println("SubsystemPanel() ca_url='" +
+ ca_url + "'.");
+
// CA choice panel
query_string = "p=4" +
- "&urls=0" +
+ "&urls=" +
+ URLEncoder.encode(ca_url) +
"&op=next" +
"&xml=true" ;
@@ -442,9 +458,17 @@
ArrayList cert_list = null;
ArrayList dn_list = null;
- // 'ca_url' is not used, but refers to
- // the CA EE hostname and the CA EE port
- String ca_url = "https://" + ca_hostname + ":" + ca_ssl_port ;
+ String ca_url = null;
+ if ( ( ca_domain_url != null ) &&
+ ( !ca_domain_url.equals( "" ) ) &&
+ ( !ca_domain_url.equals( "empty" ) ) ) {
+ ca_url = ca_domain_url;
+ } else {
+ // Use the CA EE hostname and the CA EE port
+ ca_url = "https://" + ca_hostname + ":" + ca_ssl_port;
+ }
+ System.out.println("CertSubjectPanel() ca_url='" +
+ ca_url + "'.");
String query_string = "p=9" +
"&sslserver=" +
@@ -455,7 +479,8 @@
URLEncoder.encode(ra_subsystem_cert_subject_name) +
"&subsystem_nick=" +
URLEncoder.encode(ra_subsystem_cert_nickname) +
- "&urls=0" +
+ "&urls=" +
+ URLEncoder.encode(ca_url) +
"&op=next" +
"&xml=true" ;
@@ -830,7 +855,13 @@
// subsystemName
StringHolder x_subsystem_name = new StringHolder();
+ // CA Info Panel - SubsystemPanel()
+ StringHolder x_ca_issuance_url = new StringHolder();
+ // Name Panel - CertSubjectPanel()
+ StringHolder x_ca_domain_url = new StringHolder();
+
+
// parse the args
ArgParser parser = new ArgParser("ConfigureRA");
@@ -915,6 +946,14 @@
"-subsystem_name %s #RA subsystem name",
x_subsystem_name);
+ parser.addOption (
+ "-ca_issuance_url %s #URL to CA used to Issue Certificates",
+ x_ca_issuance_url);
+
+ parser.addOption (
+ "-ca_domain_url %s #URL to CA used to Issue Certificates for RA Instance Creation",
+ x_ca_domain_url);
+
// and then match the arguments
String [] unmatched = null;
unmatched = parser.matchAllArgs (args,0,parser.EXIT_ON_UNMATCHED);
@@ -973,8 +1012,12 @@
subsystem_name = x_subsystem_name.value ;
+ ca_issuance_url = x_ca_issuance_url.value;
+ ca_domain_url = x_ca_domain_url.value;
+
+
boolean st = ca.ConfigureRAInstance();
if (!st)
Index: base/silent/src/ca/ConfigureCA.java
===================================================================
--- base/silent/src/ca/ConfigureCA.java (revision 2598)
+++ base/silent/src/ca/ConfigureCA.java (working copy)
@@ -177,6 +177,9 @@
public static String subsystem_name = null;
+ // Name Panel - CertSubjectPanel()
+ public static String ca_domain_url = null;
+
public static String external_ca= null;
public static String ext_ca_cert_file = null;
public static String ext_ca_cert_chain_file = null;
@@ -643,6 +646,17 @@
ArrayList dn_list = null;
String query_string = null;
+ String domain_url = null;
+ if ( ( ca_domain_url != null ) &&
+ ( !ca_domain_url.equals( "" ) ) &&
+ ( !ca_domain_url.equals( "empty" ) ) ) {
+ domain_url = "&urls=" + URLEncoder.encode(ca_domain_url);
+ } else {
+ domain_url = "&urls=0" + "";
+ }
+ System.out.println("CertSubjectPanel() domain_url='" +
+ domain_url + "'.");
+
// use subject names provided as input
if (!clone) {
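Review bot: In this file `domain_url` holds the finished `&urls=...` query fragment, whereas in every other subsystem the same variable name holds the bare URL, so the `System.out.println("CertSubjectPanel() domain_url='...")` line prints `&urls=0` here and `https://host:port` elsewhere, which is confusing when reading logs across subsystems. Because the CA's fallback is the literal index 0 rather than a host:port URL, the honest fix is a different name, e.g. `String urls_param = null;` with the log line reading `"CertSubjectPanel() urls_param='" + urls_param + "'."`, and the same rename on the two `+ domain_url;` lines in the next hunk. The `+ ""` on the else branch is a leftover from the removed lines and can be dropped. The enclosing method starts and ends outside the hunk.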
@@ -652,12 +666,12 @@
+ URLEncoder.encode(ca_ocsp_cert_subject_name) + "&signing="
+ URLEncoder.encode(ca_sign_cert_subject_name) + "&sslserver="
+ URLEncoder.encode(ca_server_cert_subject_name) + "&audit_signing="
- + URLEncoder.encode(ca_audit_signing_cert_subject_name) + "&urls=0"
- + "";
+ + URLEncoder.encode(ca_audit_signing_cert_subject_name)
+ + domain_url;
} else {
query_string = "p=11" + "&op=next" + "&xml=true" + "&sslserver="
- + URLEncoder.encode(ca_server_cert_subject_name) + "&urls=0"
- + "";
+ + URLEncoder.encode(ca_server_cert_subject_name)
+ + domain_url;
}
hr = hc.sslConnect(cs_hostname, cs_port, wizard_uri, query_string);
@@ -1517,6 +1531,9 @@
// subsystemName
StringHolder x_subsystem_name = new StringHolder();
+ // Name Panel - CertSubjectPanel()
+ StringHolder x_ca_domain_url = new StringHolder();
+
// external CA cert
StringHolder x_external_ca = new StringHolder();
StringHolder x_ext_ca_cert_file = new StringHolder();
@@ -1633,6 +1650,10 @@
parser.addOption("-subsystem_name %s #CA subsystem name",
x_subsystem_name);
+
+ parser.addOption (
+ "-ca_domain_url %s #URL to CA used to Issue Certificates for CA Instance Creation",
+ x_ca_domain_url);
parser.addOption("-external %s #Subordinate to external CA [true,false] (optional, default false)",
x_external_ca);
@@ -1741,6 +1762,8 @@
ca_audit_signing_cert_subject_name = x_ca_audit_signing_cert_subject_name.value;
subsystem_name = x_subsystem_name.value;
+
+ ca_domain_url = x_ca_domain_url.value;
external_ca = set_default(x_external_ca.value, "false");
ext_ca_cert_file = x_ext_ca_cert_file.value;
Index: base/silent/src/ocsp/ConfigureOCSP.java
===================================================================
--- base/silent/src/ocsp/ConfigureOCSP.java (revision 2598)
+++ base/silent/src/ocsp/ConfigureOCSP.java (working copy)
@@ -165,6 +165,10 @@
public static String ocsp_audit_signing_cert_subject_name = null;
public static String subsystem_name = null;
+
+ // Name Panel - CertSubjectPanel()
+ public static String ca_domain_url = null;
+
public ConfigureOCSP ()
{
// do nothing :)
@@ -494,7 +498,17 @@
ArrayList cert_list = null;
ArrayList dn_list = null;
- String domain_url = "https://" + ca_hostname + ":" + ca_ssl_port ;
+ String domain_url = null;
+ if ( ( ca_domain_url != null ) &&
+ ( !ca_domain_url.equals( "" ) ) &&
+ ( !ca_domain_url.equals( "empty" ) ) ) {
+ domain_url = ca_domain_url;
+ } else {
+ // Use the CA EE hostname and the CA EE port
+ domain_url = "https://" + ca_hostname + ":" + ca_ssl_port;
+ }
+ System.out.println("CertSubjectPanel() domain_url='" +
+ domain_url + "'.");
String query_string = "p=9" + "&op=next" + "&xml=true" +
"&subsystem=" +
@@ -1028,6 +1042,9 @@
// subsystemName
StringHolder x_subsystem_name = new StringHolder();
+ // Name Panel - CertSubjectPanel()
+ StringHolder x_ca_domain_url = new StringHolder();
+
// parse the args
ArgParser parser = new ArgParser("ConfigureOCSP");
@@ -1152,6 +1169,10 @@
"-subsystem_name %s #OCSP subsystem name",
x_subsystem_name);
+ parser.addOption (
+ "-ca_domain_url %s #URL to CA used to Issue Certificates for OCSP Instance Creation",
+ x_ca_domain_url);
+
parser.addOption(
"-ocsp_audit_signing_cert_subject_name %s #OCSP audit signing cert subject name",
x_ocsp_audit_signing_cert_subject_name);
@@ -1247,6 +1268,7 @@
subsystem_name = x_subsystem_name.value ;
+ ca_domain_url = x_ca_domain_url.value;
boolean st = ca.ConfigureOCSPInstance();
Index: base/silent/src/tps/ConfigureTPS.java
===================================================================
--- base/silent/src/tps/ConfigureTPS.java (revision 2598)
+++ base/silent/src/tps/ConfigureTPS.java (working copy)
@@ -79,11 +79,15 @@
public static String ca_ssl_port = null;
public static String ca_admin_port = null;
- public static String drm_hostname = null;
- public static String drm_ssl_port = null;
+ public static String drm_agent_hostname = null;
+ public static String drm_agent_port = null;
+ public static String drm_admin_hostname = null;
+ public static String drm_admin_port = null;
- public static String tks_hostname = null;
- public static String tks_ssl_port = null;
+ public static String tks_agent_hostname = null;
+ public static String tks_agent_port = null;
+ public static String tks_admin_hostname = null;
+ public static String tks_admin_port = null;
public static String client_certdb_dir = null;
public static String client_token_name = null;
@@ -171,6 +175,18 @@
// Admin Certificate Request Panel
public static String requestor_name = null;
+ // CA Info Panel - SubsystemPanel()
+ public static String ca_issuance_url = null;
+
+ // TKS Info Panel - SubsystemPanel()
+ public static String tks_key_management_url = null;
+
+ // DRM Info Panel - SubsystemPanel()
+ public static String drm_server_side_keygen_url = null;
+
+ // Name Panel - CertSubjectPanel()
+ public static String ca_domain_url = null;
+
public ConfigureTPS ()
{
// do nothing :)
@@ -344,13 +360,23 @@
px.prettyprintxml();
sleep_time();
- // 'ca_url' is not used, but refers to
- // the CA EE hostname and the CA EE port
- String ca_url = "https://" + ca_hostname + ":" + ca_ssl_port ;
// CA choice panel
+ String ca_url = null;
+ if ( ( ca_issuance_url != null ) &&
+ ( !ca_issuance_url.equals( "" ) ) &&
+ ( !ca_issuance_url.equals( "empty" ) ) ) {
+ ca_url = ca_issuance_url;
+ } else {
+ // Use the CA EE hostname and the CA EE port
+ ca_url = "https://" + ca_hostname + ":" + ca_ssl_port;
+ }
+ System.out.println("SubsystemPanel() ca_url='" +
+ ca_url + "'.");
+
query_string = "p=6" +
- "&urls=0" +
+ "&urls=" +
+ URLEncoder.encode(ca_url) +
"&op=next" +
"&xml=true" ;
@@ -361,13 +387,27 @@
px.prettyprintxml();
sleep_time();
+
// TKS choice panel
- //
- // 'tks_url' is not used, but refers to
- // the TKS Agent hostname and the TKS Agent port
- String tks_url = "https://" + tks_hostname + ":" + tks_ssl_port ;
+ String tks_url = null;
+ if ( ( tks_key_management_url != null ) &&
+ ( !tks_key_management_url.equals( "" ) ) &&
+ ( !tks_key_management_url.equals( "empty" ) ) ) {
+ tks_url = tks_key_management_url;
+ } else {
+ // Use the TKS Agent hostname and the TKS Agent port
+ tks_url = "https://" + tks_agent_hostname + ":" + tks_agent_port;
+ }
+ System.out.println("SubsystemPanel() tks_url='" +
+ tks_url + "'.");
+
query_string = "p=7" +
- "&urls=0" +
+ "&urls=" +
+ URLEncoder.encode(tks_url) +
+ "&adminhost=" +
+ URLEncoder.encode(tks_admin_hostname) +
+ "&adminport=" +
+ tks_admin_port +
"&op=next" +
"&xml=true" ;
@@ -377,21 +417,34 @@
px.parse(bais);
px.prettyprintxml();
+ sleep_time();
+
// DRM / server side keygen panel
-
- sleep_time();
if(ss_keygen.equalsIgnoreCase("true"))
{
ss_keygen = "keygen";
}
- // 'drm_url' is not used, but refers to
- // the DRM Agent hostname and the DRM Agent port
- String drm_url = "https://" + drm_hostname + ":" + drm_ssl_port ;
+ String drm_url = null;
+ if ( ( drm_server_side_keygen_url != null ) &&
+ ( !drm_server_side_keygen_url.equals( "" ) ) &&
+ ( !drm_server_side_keygen_url.equals( "empty" ) ) ) {
+ drm_url = drm_server_side_keygen_url;
+ } else {
+ // Use the DRM Agent hostname and the DRM Agent port
+ drm_url = "https://" + drm_agent_hostname + ":" + drm_agent_port;
+ }
+ System.out.println("SubsystemPanel() drm_url='" +
+ drm_url + "'.");
query_string = "p=8" +
"&choice=" + ss_keygen +
- "&urls=0" +
+ "&urls=" +
+ URLEncoder.encode(drm_url) +
+ "&adminhost=" +
+ URLEncoder.encode(drm_admin_hostname) +
+ "&adminport=" +
+ drm_admin_port +
"&op=next" +
"&xml=true" ;
@@ -578,9 +631,17 @@
ArrayList dn_list = null;
ArrayList friendly_list = null;
- // 'ca_url' is not used, but refers to
- // the CA EE hostname and the CA EE port
- String ca_url = "https://" + ca_hostname + ":" + ca_ssl_port ;
+ String ca_url = null;
+ if ( ( ca_domain_url != null ) &&
+ ( !ca_domain_url.equals( "" ) ) &&
+ ( !ca_domain_url.equals( "empty" ) ) ) {
+ ca_url = ca_domain_url;
+ } else {
+ // Use the CA EE hostname and the CA EE port
+ ca_url = "https://" + ca_hostname + ":" + ca_ssl_port;
+ }
+ System.out.println("CertSubjectPanel() ca_url='" +
+ ca_url + "'.");
String query_string = "p=12" +
"&sslserver=" +
@@ -595,7 +656,8 @@
URLEncoder.encode(tps_audit_signing_cert_subject_name) +
"&audit_signing_nick=" +
URLEncoder.encode(tps_audit_signing_cert_nickname) +
- "&urls=0" +
+ "&urls=" +
+ URLEncoder.encode(ca_url) +
"&op=next" +
"&xml=true" ;
@@ -959,11 +1021,15 @@
StringHolder x_ca_ssl_port = new StringHolder();
StringHolder x_ca_admin_port = new StringHolder();
- StringHolder x_drm_hostname = new StringHolder();
- StringHolder x_drm_ssl_port = new StringHolder();
+ StringHolder x_drm_agent_hostname = new StringHolder();
+ StringHolder x_drm_agent_port = new StringHolder();
+ StringHolder x_drm_admin_hostname = new StringHolder();
+ StringHolder x_drm_admin_port = new StringHolder();
- StringHolder x_tks_hostname = new StringHolder();
- StringHolder x_tks_ssl_port = new StringHolder();
+ StringHolder x_tks_agent_hostname = new StringHolder();
+ StringHolder x_tks_agent_port = new StringHolder();
+ StringHolder x_tks_admin_hostname = new StringHolder();
+ StringHolder x_tks_admin_port = new StringHolder();
StringHolder x_client_certdb_dir = new StringHolder();
StringHolder x_client_token_name = new StringHolder();
@@ -1023,7 +1089,19 @@
// subsystemName
StringHolder x_subsystem_name = new StringHolder();
+ // CA Info Panel - SubsystemPanel()
+ StringHolder x_ca_issuance_url = new StringHolder();
+ // TKS Info Panel - SubsystemPanel()
+ StringHolder x_tks_key_management_url = new StringHolder();
+
+ // DRM Info Panel - SubsystemPanel()
+ StringHolder x_drm_server_side_keygen_url = new StringHolder();
+
+ // Name Panel - CertSubjectPanel()
+ StringHolder x_ca_domain_url = new StringHolder();
+
+
// parse the args
ArgParser parser = new ArgParser("ConfigureTPS");
@@ -1058,17 +1136,25 @@
parser.addOption ("-ca_admin_port %s #CA SSL Admin port",
x_ca_admin_port);
- parser.addOption ("-drm_hostname %s #DRM Hostname",
- x_drm_hostname);
- parser.addOption ("-drm_ssl_port %s #DRM SSL port",
- x_drm_ssl_port);
+ parser.addOption ("-drm_agent_hostname %s #DRM Agent Hostname",
+ x_drm_agent_hostname);
+ parser.addOption ("-drm_agent_port %s #DRM Agent SSL port",
+ x_drm_agent_port);
parser.addOption ("-ss_keygen %s #Enable Server Side Keygen [true,false]",
x_ss_keygen);
+ parser.addOption ("-drm_admin_hostname %s #DRM Admin Hostname",
+ x_drm_admin_hostname);
+ parser.addOption ("-drm_admin_port %s #DRM SSL Admin port",
+ x_drm_admin_port);
- parser.addOption ("-tks_hostname %s #TKS Hostname",
- x_tks_hostname);
- parser.addOption ("-tks_ssl_port %s #TKS SSL port",
- x_tks_ssl_port);
+ parser.addOption ("-tks_agent_hostname %s #TKS Agent Hostname",
+ x_tks_agent_hostname);
+ parser.addOption ("-tks_agent_port %s #TKS Agent SSL port",
+ x_tks_agent_port);
+ parser.addOption ("-tks_admin_hostname %s #TKS Admin Hostname",
+ x_tks_admin_hostname);
+ parser.addOption ("-tks_admin_port %s #TKS SSL Admin port",
+ x_tks_admin_port);
parser.addOption ("-client_certdb_dir %s #Client CertDB dir",
x_client_certdb_dir);
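Review bot: Dropping the `-drm_hostname`, `-drm_ssl_port`, `-tks_hostname` and `-tks_ssl_port` options is a breaking change for existing silent scripts: `parser.matchAllArgs(args, 0, parser.EXIT_ON_UNMATCHED)` (visible in a later hunk of this file) exits on any unrecognised option, so a script written against the previous release now stops with no pointer to the new names. Keeping the old names registered as deprecated aliases that populate the new agent holders, e.g. `parser.addOption("-drm_hostname %s #DEPRECATED, use -drm_agent_hostname", x_drm_agent_hostname);`, or at least calling the rename out in the template and changelog, would soften that. The DRM agent and admin options are also split around `-ss_keygen`, which makes the group harder to scan; keeping the four DRM options together would help.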
@@ -1158,7 +1244,23 @@
"-subsystem_name %s #CA subsystem name",
x_subsystem_name);
+ parser.addOption (
+ "-ca_issuance_url %s #URL to CA used to Issue Certificates",
+ x_ca_issuance_url);
+ parser.addOption (
+ "-tks_key_management_url %s #URL to TKS used for Key Management",
+ x_tks_key_management_url);
+
+ parser.addOption (
+ "-drm_server_side_keygen_url %s #URL to DRM used for Server-Side Keygen",
+ x_drm_server_side_keygen_url);
+
+ parser.addOption (
+ "-ca_domain_url %s #URL to CA used to Issue Certificates for TPS Instance Creation",
+ x_ca_domain_url);
+
+
// and then match the arguments
String [] unmatched = null;
unmatched = parser.matchAllArgs (args,0,parser.EXIT_ON_UNMATCHED);
@@ -1189,11 +1291,15 @@
ca_ssl_port = x_ca_ssl_port.value;
ca_admin_port = x_ca_admin_port.value;
- tks_hostname = x_tks_hostname.value;
- tks_ssl_port = x_tks_ssl_port.value;
+ tks_agent_hostname = x_tks_agent_hostname.value;
+ tks_agent_port = x_tks_agent_port.value;
+ tks_admin_hostname = x_tks_admin_hostname.value;
+ tks_admin_port = x_tks_admin_port.value;
- drm_hostname = x_drm_hostname.value;
- drm_ssl_port = x_drm_ssl_port.value;
+ drm_agent_hostname = x_drm_agent_hostname.value;
+ drm_agent_port = x_drm_agent_port.value;
+ drm_admin_hostname = x_drm_admin_hostname.value;
+ drm_admin_port = x_drm_admin_port.value;
client_certdb_dir = x_client_certdb_dir.value;
client_token_name = x_client_token_name.value;
@@ -1252,8 +1358,16 @@
subsystem_name = x_subsystem_name.value ;
+ ca_issuance_url = x_ca_issuance_url.value;
+ tks_key_management_url = x_tks_key_management_url.value;
+ drm_server_side_keygen_url = x_drm_server_side_keygen_url.value;
+
+ ca_domain_url = x_ca_domain_url.value;
+
+
+
boolean st = ca.ConfigureTPSInstance();
if (!st)
Index: base/silent/src/subca/ConfigureSubCA.java
===================================================================
--- base/silent/src/subca/ConfigureSubCA.java (revision 2598)
+++ base/silent/src/subca/ConfigureSubCA.java (working copy)
@@ -172,6 +172,9 @@
public static String subsystem_name = null;
+ // Name Panel - CertSubjectPanel()
+ public static String ca_domain_url = null;
+
// names
public static String subca_sign_cert_subject_name = null;
public static String subca_subsystem_cert_subject_name = null;
@@ -534,7 +537,17 @@
ArrayList cert_list = null;
ArrayList dn_list = null;
- String domain_url = "https://" + ca_hostname + ":" + ca_ssl_port ;
+ String domain_url = null;
+ if ( ( ca_domain_url != null ) &&
+ ( !ca_domain_url.equals( "" ) ) &&
+ ( !ca_domain_url.equals( "empty" ) ) ) {
+ domain_url = ca_domain_url;
+ } else {
+ // Use the CA EE hostname and the CA EE port
+ domain_url = "https://" + ca_hostname + ":" + ca_ssl_port;
+ }
+ System.out.println("CertSubjectPanel() domain_url='" +
+ domain_url + "'.");
String query_string = "p=11" + "&op=next" + "&xml=true" +
@@ -548,8 +561,8 @@
URLEncoder.encode(subca_subsystem_cert_subject_name) +
"&audit_signing=" +
URLEncoder.encode(subca_audit_signing_cert_subject_name) +
- "&urls=0" +
- "";
+ "&urls=" +
+ URLEncoder.encode(domain_url);
hr = hc.sslConnect(cs_hostname,cs_port,wizard_uri,query_string);
@@ -1078,6 +1091,9 @@
// subsystem name
StringHolder x_subsystem_name = new StringHolder();
+ // Name Panel - CertSubjectPanel()
+ StringHolder x_ca_domain_url = new StringHolder();
+
// subject names
StringHolder x_subca_sign_cert_subject_name = new StringHolder();
StringHolder x_subca_subsystem_cert_subject_name = new StringHolder();
@@ -1203,6 +1219,10 @@
x_subsystem_name);
parser.addOption (
+ "-ca_domain_url %s #URL to CA used to Issue Certificates for SubCA Instance Creation",
+ x_ca_domain_url);
+
+ parser.addOption (
"-subca_sign_cert_subject_name %s #subCA cert subject name",
x_subca_sign_cert_subject_name);
parser.addOption (
@@ -1305,6 +1325,8 @@
save_p12 = x_save_p12.value;
backup_pwd = x_backup_pwd.value;
subsystem_name = x_subsystem_name.value;
+
+ ca_domain_url = x_ca_domain_url.value;
subca_sign_cert_subject_name = x_subca_sign_cert_subject_name.value ;
subca_subsystem_cert_subject_name =
Index: base/silent/templates/silent_subca_ip_port.template
===================================================================
--- base/silent/templates/silent_subca_ip_port.template (revision 0)
+++ base/silent/templates/silent_subca_ip_port.template (revision 0)
@@ -0,0 +1,612 @@
+#!/bin/bash
+## BEGIN COPYRIGHT BLOCK
+## (C) 2009 Red Hat, Inc.
+## All rights reserved.
+## END COPYRIGHT BLOCK
+
+
+## Always switch into this base directory
+## prior to script execution so that all
+## of its output is written to this directory
+
+cd `dirname $0`
+
+
+## Disallow script to be run as the name of this template
+pki_silent_script=`basename $0`
+if [ "${pki_silent_script}" = "silent_subca_ip_port.template" ] ; then
+ printf "\n"
+ printf "Usage: (1) Install AND configure a directory server instance.\n\n"
+ printf " (2) Install AND configure a Root CA subsystem instance\n"
+ printf " that is its own security domain.\n\n"
+ printf " (3) Use 'pkicreate' to install a second CA subsystem\n"
+ printf " instance (this will become a Subordinate CA).\n"
+ printf " [Do NOT configure this CA subsystem instance!]\n\n"
+ printf " (4) Install the 'pki-silent' package.\n\n"
+ printf " (5) Copy '$0' to a new script name\n"
+ printf " without the '.template' extension.\n"
+ printf " (e .g. - 'configure_subca_ip_port_instance')\n\n"
+ printf " (6) Fill in all MANDATORY user-defined variables\n"
+ printf " in the new script.\n\n"
+ printf " (7) Change any OPTIONAL user-defined variables\n"
+ printf " in the new script as desired.\n\n"
+ printf " (8) Become the 'root' user, and execute the new script to\n"
+ printf " configure a Subordinate CA subsystem instance.\n\n"
+exit 255
+fi
+
+
+##
+## This script MUST be run as root!
+##
+
+ROOTUID=0
+
+OS=`uname`
+if [ "${OS}" = "Linux" ] ; then
+ MY_EUID=`/usr/bin/id -u`
+ MY_UID=`/usr/bin/id -ur`
+ USERNAME=`/usr/bin/id -un`
+else
+ printf "ERROR: Unsupported operating system '${OS}'!\n"
+ exit 255
+fi
+
+if [ "${MY_UID}" != "${ROOTUID}" ] &&
+ [ "${MY_EUID}" != "${ROOTUID}" ] ; then
+ printf "ERROR: The '$0' script must be run as root!\n"
+ exit 255
+fi
+
+
+
+##############################################################################
+##############################################################################
+## ##
+## P K I S I L E N T - V A R I A B L E D E C L A R A T I O N ##
+## ##
+##############################################################################
+##############################################################################
+
+##############################################################################
+## U S E R - D E F I N E D V A R I A B L E S ( M A N D A T O R Y ) ##
+##############################################################################
+
+##
+## IMPORTANT: 'Escape' ALL spaces in EACH variable specified below!
+##
+## For Example:
+##
+## pki_security_domain_name="My\ Security\ Domain"
+##
+
+## PKI CA Subsystem Hosts (FQDN)
+pki_ca_ee_host=
+pki_ca_admin_host=
+
+## PKI Subordinate CA Subsystem Hosts (FQDN)
+pki_subca_agent_host=
+pki_subca_ee_host=
+pki_subca_eeca_host=
+pki_subca_admin_host=
+
+##
+## NOTE: Default PKI CA Instance Ports
+##
+## 9180 - non-secure port (not role specific)
+## 9701 - non-secure Tomcat port
+## 9443 - secure Agent port
+## 9444 - secure EE port
+## 9445 - secure Admin port
+## 9446 - secure EE Client Auth port (not necessarily labeled)
+##
+##
+## For Example:
+##
+## semanage port -l | grep pki
+##
+## pki_ca_port_t tcp 9180, 9701, 9443, 9444, 9445
+## pki_subca_port_t tcp 19180, 19701, 19443, 19444, 19445
+##
+
+## PKI CA ports (Security Domain)
+pki_ca_nonssl_port=
+pki_ca_agent_port=
+pki_ca_ee_port=
+pki_ca_admin_port=
+
+## PKI Alternate Subordinate CA ports (not a Security Domain)
+##
+## NOTE: Replace the CA EE Security Domain Host and Port to optionally use
+## a Different Existing Subordinate CA to Issue Certificates for
+## this Subordinate CA Instance Creation
+##
+pki_alternate_subca_ee_host=${pki_ca_ee_host}
+pki_alternate_subca_ee_port=${pki_ca_ee_port}
+
+## PKI Subordinate CA ports (not a Security Domain)
+pki_subca_admin_port=
+
+## PKI Silent Security Database Variables
+## (e. g. - PKI Silent "browser" database)
+pki_silent_security_database_repository="/tmp"
+pki_silent_security_token_password=
+pki_silent_security_token_name=internal
+
+## PKI Security Domain Variables
+## (e. g. - Security Domain Login Panel)
+pki_security_domain_name=
+pki_security_domain_host="${pki_ca_admin_host}"
+pki_security_domain_admin_name=admin
+pki_security_domain_admin_password=
+
+## PKI Internal LDAP Database Variables
+## (e. g. - Database Panel)
+##
+## If the LDAP server is located locally, specify:
+##
+## pki_ldap_host=localhost
+##
+## However, if the LDAP server is located remotely, specify the FQDN:
+##
+## pki_ldap_host="ds_host.example.com" (for example)
+##
+pki_ldap_host=
+pki_ldap_port=389
+pki_bind_dn="cn=Directory\ Manager"
+pki_bind_password=
+##
+## For first time configurations, the default case is to set:
+##
+## pki_remove_data=false
+##
+## For testing, however, it is often convenient to simply OVERWRITE any
+## existing data in the LDAP database. If this is desirable, set:
+##
+## pki_remove_data=true
+##
+pki_remove_data=
+
+## PKI Instance-Specific Token Variables
+## (e. g. - Module Panel)
+pki_subca_token_name=internal
+pki_subca_token_password=
+
+## PKI Instance-Specific Backup Variables
+## (e. g. - Backup Key and Certificates Panel)
+pki_subca_backup_password=
+
+## PKI Email Variables
+##
+## For example, to specify 'pkitest at example.com':
+##
+## pki_email_name=pkitest
+## pki_email_company=example
+## pki_email_domain=com
+##
+pki_email_name=
+pki_email_company=
+pki_email_domain=
+
+## PKI Silent Admin Variables
+## (e. g. - Import Admin Certificate into PKI Silent "browser" database)
+pki_silent_admin_user=admin
+pki_silent_admin_password=
+pki_silent_admin_email="${pki_email_name}\@${pki_email_company}\.${pki_email_domain}"
+
+## PKI Subsystem Names
+pki_subca_subsystem_name="Certificate\ Authority"
+
+## PKI Subsystem Instance Names
+pki_subca_instance_name="pki-subca"
+
+## PKI Silent Log Files
+pki_silent_subca_log=/tmp/subca.log
+
+## URL to CA used to Issue Certificates for Subordinate CA Instance Creation
+##
+## * each 'hostname:port' must be a CA EE Hostname and CA EE Port
+## * referenced CA does not need to be a Security Domain
+## * referenced CA must reside within the same security domain
+## as this Subordinate CA instance
+##
+## NOTE: To pass in a value of an empty string, specify the value "empty"
+## instead of "" since ArgParser() throws away empty strings.
+##
+## This special "empty" string value may be specified for any of
+## the following variables:
+##
+## * pki_subca_instance_ca_domain_url="empty"
+##
+pki_subca_instance_ca_domain_url="https://${pki_alternate_subca_ee_host}:${pki_alternate_subca_ee_port}"
+
+
+
+##############################################################################
+## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ##
+##############################################################################
+
+##
+## NOTE: For comparison's sake, if the default instances were manually
+## configured using a Firefox browser, the content of the corresponding
+## Firefox browser's security libraries would be something similar
+## to this:
+##
+## Certificate Nickname Trust Attributes
+## SSL,S/MIME,JAR/XPI
+##
+## Certificate Authority 2 - ${pki_security_domain_name} ,,
+## CA Administrator of Instance ${pki_subca_instance_name}'s
+## ${pki_security_domain_name} ID u,u,u
+## ${pki_subca_admin_host} P,,
+## Certificate Authority - ${pki_security_domain_name} CT,C,C
+##
+## where:
+##
+## Nickname: "Certificate Authority 2 - "
+## + "${pki_security_domain_name}"
+## Subject Name: "cn=Certificate Authority 2,"
+## + "o=${pki_security_domain_name}"
+##
+## Nickname: "CA Administrator of Instance "
+## + "${pki_subca_instance_name}'s "
+## + "${pki_security_domain_name} ID"
+## Subject Name: "cn=CA Administrator of Instance "
+## + "${pki_subca_instance_name},"
+## + "uid=admin,"
+## + "e=${pki_silent_admin_email},"
+## + "o=${pki_security_domain_name}"
+##
+## Nickname: "${pki_subca_admin_host}"
+## Subject Name: "cn=${pki_subca_admin_host},"
+## + "o=${pki_security_domain_name}"
+##
+## Nickname: "Certificate Authority - "
+## + "${pki_security_domain_name}"
+## Subject Name: "cn=Certificate Authority,"
+## + "o=${pki_security_domain_name}"
+##
+
+
+## Miscellaneous CA Variables
+##
+## REMINDER: 'Escape' ALL spaces in EACH variable specified below!
+##
+## NOTE: For comparison's sake, if the default instances were manually
+## configured using a Firefox browser, the content of the corresponding
+## "/var/lib/${pki_subca_instance_name}/alias/" security libraries
+## would be something similar to this:
+##
+## Certificate Nickname Trust Attributes
+## SSL,S/MIME,JAR/XPI
+##
+## caSigningCert cert-${pki_subca_instance_name} CTu,Cu,Cu
+## Server-Cert cert-${pki_subca_instance_name} u,u,u
+## Certificate Authority - ${pki_security_domain_name} CT,c,
+## ocspSigningCert cert-${pki_subca_instance_name} u,u,u
+## auditSigningCert cert-${pki_subca_instance_name} u,u,u
+## subsystemCert cert-${pki_subca_instance_name} u,u,u
+##
+## where:
+##
+## Nickname: "caSigningCert cert-${pki_subca_instance_name}"
+## Subject Name: "cn=Certificate Authority 2,"
+## + "o=${pki_security_domain_name}"
+##
+## Nickname: "Server-Cert cert-${pki_subca_instance_name}"
+## Subject Name: "cn=${pki_subca_admin_host},"
+## + "o=${pki_security_domain_name}"
+##
+## Nickname: "Certificate Authority - "
+## + "${pki_security_domain_name}"
+## Subject Name: "cn=Certificate Authority,"
+## + "o=${pki_security_domain_name}"
+##
+## Nickname: "ocspSigningCert cert-${pki_subca_instance_name}"
+## Subject Name: "cn=OCSP Signing Certificate 2,"
+## + "o=${pki_security_domain_name}"
+##
+## Nickname: "auditSigningCert cert-${pki_subca_instance_name}"
+## Subject Name: "cn=CA Audit Signing Certificate 2,"
+## + "o=${pki_security_domain_name}"
+##
+## Nickname: "subsystemCert cert-${pki_subca_instance_name}"
+## Subject Name: "cn=CA Subsystem Certificate 2,"
+## + "o=${pki_security_domain_name}"
+##
+## NOTE: The parameters for the signing algorithms have the following meaning:
+## subca_signing_algorithm - signature algorithm used by
+## the CA and OCSP signing certs
+## to sign objects.
+## subca_signing_signingalgorithm - optionally specify the
+## algorithm used by the CA
+## signing cert to sign objects
+## subca_ocsp_signing_signingalgorithm - optionally specify the
+## algorithm used by the CA ocsp
+## signing cert to sign objects
+##
+
+subca_agent_name="CA\ Administrator\ of\ Instance\ ${pki_subca_instance_name}\'s\ ${pki_security_domain_name}\ ID"
+subca_agent_key_size=2048
+subca_agent_key_type=rsa
+subca_agent_cert_subject="cn=CA\ Administrator\ of\ Instance\ ${pki_subca_instance_name},uid=admin,e=${pki_silent_admin_email},o=${pki_security_domain_name}"
+subca_base_dn="dc=${pki_subca_admin_host}-${pki_subca_instance_name}"
+subca_db_name="${pki_subca_admin_host}-${pki_subca_instance_name}"
+subca_key_size=2048
+subca_key_type=rsa
+subca_signing_algorithm=SHA256withRSA
+subca_signing_signingalgorithm=SHA256withRSA
+subca_ocsp_signing_signingalgorithm=SHA256withRSA
+subca_save_p12=false
+subca_sign_cert_subject_name="cn=Certificate\ Authority\ 2,o=${pki_security_domain_name}"
+subca_subsystem_cert_subject_name="cn=CA\ Subsystem\ Certificate\ 2,o=${pki_security_domain_name}"
+subca_ocsp_cert_subject_name="cn=OCSP\ Signing\ Certificate\ 2,o=${pki_security_domain_name}"
+subca_server_cert_subject_name="cn=${pki_subca_ee_host},o=${pki_security_domain_name}"
+subca_audit_signing_cert_subject_name="cn=CA\ Audit\ Signing\ Certificate\ 2,o=${pki_security_domain_name}"
+
+
+
+##############################################################################
+##############################################################################
+## ##
+## P K I S I L E N T - S U B S Y S T E M C O N F I G U R A T I O N ##
+## ##
+##############################################################################
+##############################################################################
+
+##############################################################################
+## P K I S I L E N T I N I T I A L I Z A T I O N ##
+##############################################################################
+
+## (1) Make certain that user has defined all MANDATORY user-defined variables!
+usage_errors=0
+usage_error_preamble="ERROR: User MUST define a value for"
+
+if [ "${pki_ca_ee_host}" = "" ] ; then
+ printf "${usage_error_preamble} 'pki_ca_ee_host'!\n"
+ usage_errors=`expr ${usage_errors} + 1`
+fi
+if [ "${pki_ca_admin_host}" = "" ] ; then
+ printf "${usage_error_preamble} 'pki_ca_admin_host'!\n"
+ usage_errors=`expr ${usage_errors} + 1`
+fi
+if [ "${pki_subca_agent_host}" = "" ] ; then
+ printf "${usage_error_preamble} 'pki_subca_agent_host'!\n"
+ usage_errors=`expr ${usage_errors} + 1`
+fi
+if [ "${pki_subca_ee_host}" = "" ] ; then
+ printf "${usage_error_preamble} 'pki_subca_ee_host'!\n"
+ usage_errors=`expr ${usage_errors} + 1`
+fi
+if [ "${pki_subca_eeca_host}" = "" ] ; then
+ printf "${usage_error_preamble} 'pki_subca_eeca_host'!\n"
+ usage_errors=`expr ${usage_errors} + 1`
+fi
+if [ "${pki_subca_admin_host}" = "" ] ; then
+ printf "${usage_error_preamble} 'pki_subca_admin_host'!\n"
+ usage_errors=`expr ${usage_errors} + 1`
+fi
+if [ "${pki_ca_nonssl_port}" = "" ] ; then
+ printf "${usage_error_preamble} 'pki_ca_nonssl_port'!\n"
+ usage_errors=`expr ${usage_errors} + 1`
+fi
+if [ "${pki_ca_agent_port}" = "" ] ; then
+ printf "${usage_error_preamble} 'pki_ca_agent_port'!\n"
+ usage_errors=`expr ${usage_errors} + 1`
+fi
+if [ "${pki_ca_ee_port}" = "" ] ; then
+ printf "${usage_error_preamble} 'pki_ca_ee_port'!\n"
+ usage_errors=`expr ${usage_errors} + 1`
+fi
+if [ "${pki_ca_admin_port}" = "" ] ; then
+ printf "${usage_error_preamble} 'pki_ca_admin_port'!\n"
+ usage_errors=`expr ${usage_errors} + 1`
+fi
+if [ "${pki_subca_admin_port}" = "" ] ; then
+ printf "${usage_error_preamble} 'pki_subca_admin_port'!\n"
+ usage_errors=`expr ${usage_errors} + 1`
+fi
+if [ "${pki_silent_security_token_password}" = "" ] ; then
+ printf "${usage_error_preamble} 'pki_silent_security_token_password'!\n"
+ usage_errors=`expr ${usage_errors} + 1`
+fi
+if [ "${pki_security_domain_name}" = "" ] ; then
+ printf "${usage_error_preamble} 'pki_security_domain_name'!\n"
+ usage_errors=`expr ${usage_errors} + 1`
+fi
+if [ "${pki_security_domain_admin_password}" = "" ] ; then
+ printf "${usage_error_preamble} 'pki_security_domain_admin_password'!\n"
+ usage_errors=`expr ${usage_errors} + 1`
+fi
+if [ "${pki_ldap_host}" = "" ] ; then
+ printf "${usage_error_preamble} 'pki_ldap_host'!\n"
+ usage_errors=`expr ${usage_errors} + 1`
+fi
+if [ "${pki_bind_password}" = "" ] ; then
+ printf "${usage_error_preamble} 'pki_bind_password'!\n"
+ usage_errors=`expr ${usage_errors} + 1`
+fi
+if [ "${pki_remove_data}" = "" ] ; then
+ printf "${usage_error_preamble} 'pki_remove_data'!\n"
+ usage_errors=`expr ${usage_errors} + 1`
+fi
+if [ "${pki_subca_token_password}" = "" ] ; then
+ printf "${usage_error_preamble} 'pki_subca_token_password'!\n"
+ usage_errors=`expr ${usage_errors} + 1`
+fi
+if [ "${pki_subca_backup_password}" = "" ] ; then
+ printf "${usage_error_preamble} 'pki_subca_backup_password'!\n"
+ usage_errors=`expr ${usage_errors} + 1`
+fi
+if [ "${pki_email_name}" = "" ] ; then
+ printf "${usage_error_preamble} 'pki_email_name'!\n"
+ usage_errors=`expr ${usage_errors} + 1`
+fi
+if [ "${pki_email_company}" = "" ] ; then
+ printf "${usage_error_preamble} 'pki_email_company'!\n"
+ usage_errors=`expr ${usage_errors} + 1`
+fi
+if [ "${pki_email_domain}" = "" ] ; then
+ printf "${usage_error_preamble} 'pki_email_domain'!\n"
+ usage_errors=`expr ${usage_errors} + 1`
+fi
+if [ "${pki_silent_admin_password}" = "" ] ; then
+ printf "${usage_error_preamble} 'pki_silent_admin_password'!\n"
+ usage_errors=`expr ${usage_errors} + 1`
+fi
+
+
+## (2) Make certain that a PKI instance of the specified name EXISTS,
+## but has NOT been previously CONFIGURED!
+existence_errors=0
+existence_error_preamble="ERROR: No PKI Instance named"
+configuration_errors=0
+configuration_error_preamble="ERROR: A PKI Instance named"
+configuration_error_postamble="EXISTS,\n but has PREVIOUSLY been CONFIGURED!"
+
+if [ ! -f "/var/lib/${pki_subca_instance_name}/conf/CS.cfg" ] ; then
+ printf "${existence_error_preamble} '${pki_subca_instance_name}' EXISTS!\n"
+ existence_errors=`expr ${existence_errors} + 1`
+else
+ subca_configuration_check=`grep -c preop /var/lib/${pki_subca_instance_name}/conf/CS.cfg`
+ if [ ${subca_configuration_check} -eq 0 ] ; then
+ printf "${configuration_error_preamble} '${pki_subca_instance_name}' "
+ printf "${configuration_error_postamble}\n"
+ configuration_errors=`expr ${configuration_errors} + 1`
+ fi
+fi
+
+
+if [ ${usage_errors} -ne 0 ] ||
+ [ ${existence_errors} -ne 0 ] ||
+ [ ${configuration_errors} -ne 0 ] ; then
+ printf "\n"
+ printf "Please correct ALL errors listed above and re-run\n"
+ printf "the '$0' script!\n\n"
+ exit 255
+fi
+
+
+## (3) Make certain that 'pkisilent' exists and is executable on this system.
+if [ ! -x "/usr/bin/pkisilent" ] ; then
+ printf "\n"
+ printf "ERROR: Please install the 'pki-silent' package and re-run\n"
+ printf "the '$0' script!\n\n"
+ exit 255
+fi
+
+
+## (4) Check for old PKI Silent Security Databases, but DO NOT remove them!
+## Instead, just inform the user.
+if [ -f "${pki_silent_security_database_repository}/cert8.db" ] ||
+ [ -f "${pki_silent_security_database_repository}/key3.db" ] ||
+ [ -f "${pki_silent_security_database_repository}/secmod.db" ] ; then
+ printf "\n"
+ printf "WARNING: The existing security databases\n"
+ printf " (i. e. - 'cert8.db', 'key3.db', and/or 'secmod.db')\n"
+ printf " required by '${pki_silent_script}' at the\n"
+ printf " specified location '${pki_silent_security_database_repository}'\n"
+ printf " will be used.\n\n"
+fi
+
+
+## (5) Remove any old PKI Silent log file named '${pki_silent_subca_log}'
+printf "Removing old PKI Silent log files:\n"
+if [ -f ${pki_silent_subca_log} ] ; then
+ printf " Removing old '${pki_silent_subca_log}' . . . "
+ rm ${pki_silent_subca_log}
+ printf "done.\n"
+fi
+printf "Done.\n\n"
+
+
+
+##############################################################################
+## C A L C U L A T E P K I I N S T A N C E P I N S ##
+##############################################################################
+
+## PKI Subsystem Instance PINS
+subca_preop_pin=`cat /var/lib/${pki_subca_instance_name}/conf/CS.cfg \
+ | grep preop.pin | grep -v grep | awk -F= '{print $2}'`
+
+
+
+##############################################################################
+## C E R T I F I C A T E A U T H O R I T Y ##
+##############################################################################
+##
+## For example, upon completion,
+## execute '/sbin/service ${pki_subca_instance_name} status':
+##
+## ${pki_subca_instance_name} (pid 7843) is running ...
+##
+## Unsecure Port = http://${pki_subca_ee_host}:19180/ca/ee/ca
+## Secure Agent Port = https://${pki_subca_agent_host}:19443/ca/agent/ca
+## Secure EE Port = https://${pki_subca_ee_host}:19444/ca/ee/ca
+## Secure Admin Port = https://${pki_subca_admin_host}:19445/ca/services
+## PKI Console Port = pkiconsole https://${pki_subca_admin_host}:19445/ca
+## Tomcat Port = 19701 (for shutdown)
+##
+##
+## Security Domain URL:
+## ==================================================================
+## https://${pki_ca_admin_host}:9445
+## ==================================================================
+##
+
+## Configure Subordinate CA
+printf "'${pki_silent_script}': Configuring '${pki_subca_instance_name}' . . .\n"
+pkisilent ConfigureSubCA \
+ -cs_hostname "${pki_subca_admin_host}" \
+ -cs_port ${pki_subca_admin_port} \
+ -sd_hostname "${pki_security_domain_host}" \
+ -sd_ssl_port ${pki_ca_ee_port} \
+ -sd_agent_port ${pki_ca_agent_port} \
+ -sd_admin_port ${pki_ca_admin_port} \
+ -sd_admin_name "${pki_security_domain_admin_name}" \
+ -sd_admin_password ${pki_security_domain_admin_password} \
+ -ca_hostname ${pki_ca_ee_host} \
+ -ca_port ${pki_ca_nonssl_port} \
+ -ca_ssl_port ${pki_ca_ee_port} \
+ -client_certdb_dir ${pki_silent_security_database_repository} \
+ -client_certdb_pwd ${pki_silent_security_token_password} \
+ -client_token_name ${pki_silent_security_token_name} \
+ -preop_pin ${subca_preop_pin} \
+ -domain_name "${pki_security_domain_name}" \
+ -admin_user ${pki_silent_admin_user} \
+ -admin_password ${pki_silent_admin_password} \
+ -admin_email "${pki_silent_admin_email}" \
+ -agent_name ${subca_agent_name} \
+ -ldap_host ${pki_ldap_host} \
+ -ldap_port ${pki_ldap_port} \
+ -bind_dn "${pki_bind_dn}" \
+ -bind_password ${pki_bind_password} \
+ -base_dn "${subca_base_dn}" \
+ -db_name "${subca_db_name}" \
+ -remove_data "${pki_remove_data}" \
+ -key_size ${subca_key_size} \
+ -key_type ${subca_key_type} \
+ -signing_algorithm ${subca_signing_algorithm} \
+ -signing_signingalgorithm ${subca_signing_signingalgorithm} \
+ -ocsp_signing_signingalgorithm ${subca_ocsp_signing_signingalgorithm} \
+ -token_name ${pki_subca_token_name} \
+ -token_pwd ${pki_subca_token_password} \
+ -agent_key_size ${subca_agent_key_size} \
+ -agent_key_type ${subca_agent_key_type} \
+ -agent_cert_subject "${subca_agent_cert_subject}" \
+ -subsystem_name "${pki_subca_subsystem_name}" \
+ -ca_domain_url "${pki_subca_instance_ca_domain_url}" \
+ -save_p12 ${subca_save_p12} \
+ -backup_pwd ${pki_subca_backup_password} \
+ -subca_sign_cert_subject_name "${subca_sign_cert_subject_name}" \
+ -subca_subsystem_cert_subject_name "${subca_subsystem_cert_subject_name}" \
+ -subca_ocsp_cert_subject_name "${subca_ocsp_cert_subject_name}" \
+ -subca_server_cert_subject_name "${subca_server_cert_subject_name}" \
+ -subca_audit_signing_cert_subject_name \
+ "${subca_audit_signing_cert_subject_name}" \
+ | tee ${pki_silent_subca_log}
+
+## Restart Subordinate CA
+/sbin/service ${pki_subca_instance_name} restart
+
+exit 0
Property changes on: base/silent/templates/silent_subca_ip_port.template
___________________________________________________________________
Added: svn:executable
+ *
Index: base/silent/templates/silentEC_ca.template
===================================================================
--- base/silent/templates/silentEC_ca.template (revision 2598)
+++ base/silent/templates/silentEC_ca.template (working copy)
@@ -174,8 +174,8 @@
##
## *180 - non-secure port (not role specific)
## *701 - non-secure Tomcat port
-## *443 - secure EE port
-## *444 - secure Agent port
+## *443 - secure Agent port
+## *444 - secure EE port
## *445 - secure Admin port
##
##
@@ -186,7 +186,7 @@
## pki_ca_port_t tcp 9180, 9701, 9443, 9444, 9445
##
-## CA ports
+## CA ports (Security Domain)
ca_nonssl_port=9180
ca_agent_port=9443
ca_ee_port=9444
@@ -306,6 +306,20 @@
ca_ocsp_cert_subject_name="cn=OCSP\ Signing\ Certificate,ou=${ca_instance_name},o=${pki_security_domain_name}"
ca_server_cert_subject_name="cn=${pki_host},ou=${ca_instance_name},o=${pki_security_domain_name}"
ca_audit_signing_cert_subject_name="cn=CA\ Audit\ Signing\ Certificate,ou=${ca_instance_name},o=${pki_security_domain_name}"
+## URL to CA used to Issue Certificates for CA Instance Creation
+##
+## IMPORTANT: The CA referenced by this URL must reside within the
+## same security domain as this CA instance.
+##
+## NOTE: To pass in a value of an empty string, specify the value "empty"
+## instead of "" since ArgParser() throws away empty strings.
+##
+## This special "empty" string value may be specified for any of
+## the following variables:
+##
+## * ca_instance_ca_domain_url="empty"
+##
+ca_instance_ca_domain_url="empty"
## Optional CA Variables for creating a clone CA
##
@@ -590,6 +604,7 @@
-save_p12 ${ca_save_p12} \
-backup_pwd ${ca_backup_password} \
-subsystem_name ${ca_subsystem_name} \
+ -ca_domain_url "${ca_instance_ca_domain_url}" \
-token_name ${ca_token_name} \
-token_pwd ${ca_token_password} \
-ca_sign_cert_subject_name "${ca_sign_cert_subject_name}" \
Index: base/silent/templates/silent_tks_ip_port.template
===================================================================
--- base/silent/templates/silent_tks_ip_port.template (revision 2598)
+++ base/silent/templates/silent_tks_ip_port.template (working copy)
@@ -94,8 +94,8 @@
##
## 9180 - non-secure port (not role specific)
## 9701 - non-secure Tomcat port
-## 9443 - secure EE port
-## 9444 - secure Agent port
+## 9443 - secure Agent port
+## 9444 - secure EE port
## 9445 - secure Admin port
## 9446 - secure EE Client Auth port (not necessarily labeled)
##
@@ -103,8 +103,8 @@
##
## 13180 - non-secure port (not role specific)
## 13701 - non-secure Tomcat port
-## 13443 - secure EE port
-## 13444 - secure Agent port
+## 13443 - secure Agent port
+## 13444 - secure EE port
## 13445 - secure Admin port
##
## For Example:
@@ -115,12 +115,20 @@
## pki_tks_port_t tcp 13180, 13701, 13443, 13444, 13445
##
-## PKI CA ports
+## PKI CA ports (Security Domain)
pki_ca_nonssl_port=
+pki_ca_agent_port=
pki_ca_ee_port=
-pki_ca_agent_port=
pki_ca_admin_port=
+## PKI Subordinate CA ports (not a Security Domain)
+##
+## NOTE: Replace the CA EE Security Domain Host and Port to optionally use
+## a Subordinate CA to Issue Certificates for TKS Instance Creation
+##
+pki_subca_ee_host=${pki_ca_ee_host}
+pki_subca_ee_port=${pki_ca_ee_port}
+
## PKI TKS ports
pki_tks_admin_port=
@@ -199,8 +207,63 @@
## PKI Silent Log Files
pki_silent_tks_log=/tmp/tks.log
+## URL to CA used to Issue Certificates for TKS Instance Creation
+##
+## * each 'hostname:port' must be a CA EE Hostname and CA EE Port
+## * referenced CA does not need to be a Security Domain (see CAVEAT)
+## * referenced CA must reside within the same security domain
+## as this TKS instance
+##
+## CAVEAT: If the chosen CA is a security domain:
+##
+## * all TKS subsystem certificates (including the
+## 'Subsystem' certificates) will be stored on this CA
+## * the TKS subsystem client 'Administration'
+## certificate will automatically be imported into
+## the NSS client security databases associated with
+## the 'pkisilent' invocation of this TKS subsystem
+## * the 'pkisilent' client security databases may be
+## used inside a firefox browser with no further
+## changes
+##
+## If the chosen CA is NOT a security domain:
+##
+## * all TKS subsystem certificates EXCEPT the TKS
+## 'Subsystem' certificate will be stored on this CA;
+## the TKS 'Subsystem' certificate will be stored on
+## the CA that is the security domain for this TKS
+## subsystem
+## * the TKS subsystem client 'Administration'
+## certificate will NOT automatically be imported into
+## the NSS client security databases associated with
+## the 'pkisilent' invocation of this TKS subsystem;
+## import will fail with something similar to the
+## following message:
+##
+## ERROR: exception importing cert: Security
+## library failed to decode certificate
+## package: (-8183) security library:
+## improperly formatted DER-encoded
+## message.
+##
+## * in order to utilize the 'pkisilent' client
+## security databases inside a firefox browser,
+## one will need to manually import the TKS
+## 'Administration' certificate for the TKS subsystem
+## stored in this non-security domain CA
+##
+## NOTE: To pass in a value of an empty string, specify the value "empty"
+## instead of "" since ArgParser() throws away empty strings.
+##
+## This special "empty" string value may be specified for any of
+## the following variables:
+##
+## * pki_tks_instance_ca_domain_url="empty"
+##
+pki_tks_instance_ca_domain_url="https://${pki_subca_ee_host}:${pki_subca_ee_port}"
+
##############################################################################
## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ##
##############################################################################
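Review bot: `pki_tks_instance_ca_domain_url="https://${pki_subca_ee_host}:${pki_subca_ee_port}"` is built from two variables whose defaults are copies of `pki_ca_ee_host`/`pki_ca_ee_port`, so an operator who overrides one and leaves the other blank ends up with `https://host:` or `https://:port`, which is still passed to ConfigureTKS. The long CAVEAT describes the failure mode for a non-security-domain CA but not this one, and because the mandatory-variable checks are outside this hunk I cannot tell whether `pki_subca_ee_host`/`pki_subca_ee_port` are covered; they should be, or the assembled URL should be validated against `empty|https://*:[0-9]*` before the pkisilent call. A one-line comment on the assignment would also help operators: `## NOTE: both pki_subca_ee_host and pki_subca_ee_port must be set; an empty component yields an invalid URL`.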
@@ -536,6 +599,7 @@
-agent_key_type ${tks_agent_key_type} \
-agent_cert_subject "${tks_agent_cert_subject}" \
-subsystem_name ${pki_tks_subsystem_name} \
+ -ca_domain_url "${pki_tks_instance_ca_domain_url}" \
-save_p12 ${tks_save_p12} \
-backup_pwd ${pki_tks_backup_password} \
-tks_subsystem_cert_subject_name "${tks_subsystem_cert_subject_name}" \
Index: base/silent/templates/subca_silent.template
===================================================================
--- base/silent/templates/subca_silent.template (revision 2598)
+++ base/silent/templates/subca_silent.template (working copy)
@@ -149,8 +149,8 @@
##
## *180 - non-secure port (not role specific)
## *701 - non-secure Tomcat port
-## *443 - secure EE port
-## *444 - secure Agent port
+## *443 - secure Agent port
+## *444 - secure EE port
## *445 - secure Admin port
##
##
@@ -162,20 +162,37 @@
## pki_ca1_port_t tcp 9580, 9801, 9543, 9544, 9545
##
-## CA ports
+## CA ports (Security Domain)
ca_nonssl_port=9180
ca_agent_port=9443
ca_ee_port=9444
ca_admin_port=9445
-## Subordinate CA ports
+## Subordinate CA ports (not a Security Domain)
subca_nonssl_port=9580
subca_agent_port=9543
subca_ee_port=9544
subca_admin_port=9545
+## URL to CA used to Issue Certificates for Subordinate CA Instance Creation
+##
+## * each 'hostname:port' must be a CA EE Hostname and CA EE Port
+## * referenced CA does not need to be a Security Domain
+## * referenced CA must reside within the same security domain
+## as this Subordinate CA instance
+##
+## NOTE: To pass in a value of an empty string, specify the value "empty"
+## instead of "" since ArgParser() throws away empty strings.
+##
+## This special "empty" string value may be specified for any of
+## the following variables:
+##
+## * subca_instance_ca_domain_url="empty"
+##
+subca_instance_ca_domain_url="https://${pki_security_domain_host}:${ca_ee_port}"
+
##############################################################################
## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ##
##############################################################################
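Review bot: `subca_instance_ca_domain_url="https://${pki_security_domain_host}:${ca_ee_port}"` hard-wires the issuing CA to the security-domain host, whereas every other template in this patch introduces a dedicated `pki_subca_ee_host`/`pki_subca_ee_port` pair with a "Replace ... to optionally use a Subordinate CA" note, so this is the one template where the documented "does not need to be a Security Domain" option cannot be exercised by editing a single variable. For consistency, route the default through an override pair: `subca_issuing_ca_ee_host=${pki_security_domain_host}`, `subca_issuing_ca_ee_port=${ca_ee_port}` and `subca_instance_ca_domain_url="https://${subca_issuing_ca_ee_host}:${subca_issuing_ca_ee_port}"`. I am assuming `pki_security_domain_host` is defined earlier in this template; it is not visible in the hunk, and an undefined name would silently produce `https://:9444`.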
@@ -499,6 +516,7 @@
-save_p12 ${subca_save_p12} \
-backup_pwd ${subca_backup_password} \
-subsystem_name "${ca_subsystem_name}" \
+ -ca_domain_url "${subca_instance_ca_domain_url}" \
-subca_sign_cert_subject_name "${subca_sign_cert_subject_name}" \
-subca_subsystem_cert_subject_name "${subca_subsystem_cert_subject_name}" \
-subca_ocsp_cert_subject_name "${subca_ocsp_cert_subject_name}" \
Index: base/silent/templates/silent_ra_to_ip_port.template
===================================================================
--- base/silent/templates/silent_ra_to_ip_port.template (revision 2598)
+++ base/silent/templates/silent_ra_to_ip_port.template (working copy)
@@ -92,8 +92,8 @@
##
## 9180 - non-secure port (not role specific)
## 9701 - non-secure Tomcat port
-## 9443 - secure EE port
-## 9444 - secure Agent port
+## 9443 - secure Agent port
+## 9444 - secure EE port
## 9445 - secure Admin port
## 9446 - secure EE Client Auth port (not necessarily labeled)
##
@@ -111,12 +111,27 @@
## pki_ra_port_t tcp 12890, 12888, 12889
##
-## PKI CA ports
+## PKI CA ports (Security Domain)
pki_ca_nonssl_port=
+pki_ca_agent_port=
pki_ca_ee_port=
-pki_ca_agent_port=
pki_ca_admin_port=
+## PKI Subordinate CA ports (not a Security Domain)
+##
+## NOTE: Replace the CA EE Security Domain Host and Port to optionally use
+## a Subordinate CA to Issue Certificates for Requests Submitted via
+## this RA
+##
+pki_alternate_subca_ee_host=${pki_ca_ee_host}
+pki_alternate_subca_ee_port=${pki_ca_ee_port}
+##
+## NOTE: Replace the CA EE Security Domain Host and Port to optionally use
+## a Subordinate CA to Issue Certificates for RA Instance Creation
+##
+pki_subca_ee_host=${pki_ca_ee_host}
+pki_subca_ee_port=${pki_ca_ee_port}
+
## PKI RA ports
pki_ra_clientauth_port=
pki_ra_nonclientauth_port=
@@ -168,8 +183,73 @@
## PKI Silent Log Files
pki_silent_ra_log=/tmp/ra.log
+## URL to CA used to Issue Certificates for Requests Submitted via RA
+##
+## * each 'hostname:port' must be a CA EE Hostname and CA EE Port
+## * referenced CA does not need to be a Security Domain
+## * referenced CA must reside within the same security domain
+## as the associated RA instance
+##
+## NOTE: To pass in a value of an empty string, specify the value "empty"
+## instead of "" since ArgParser() throws away empty strings.
+##
+## This special "empty" string value may be specified for any of
+## the following variables:
+##
+## * pki_ra_chosen_ca_issuance_url="empty"
+## * pki_ra_instance_ca_domain_url="empty"
+##
+pki_ra_chosen_ca_issuance_url="https://${pki_alternate_subca_ee_host}:${pki_alternate_subca_ee_port}"
+## URL to CA used to Issue Certificates for RA Instance Creation
+##
+## * each 'hostname:port' must be a CA EE Hostname and CA EE Port
+## * referenced CA does not need to be a Security Domain (see CAVEAT)
+## * referenced CA must reside within the same security domain
+## as this RA instance
+##
+## CAVEAT: If the chosen CA is a security domain:
+##
+## * all RA subsystem certificates (including the
+## 'Subsystem' certificates) will be stored on this CA
+## * the RA subsystem client 'Administration'
+## certificate will automatically be imported into
+## the NSS client security databases associated with
+## the 'pkisilent' invocation of this RA subsystem
+## * the 'pkisilent' client security databases may be
+## used inside a firefox browser with no further
+## changes
+##
+## If the chosen CA is NOT a security domain:
+##
+## * all RA subsystem certificates EXCEPT the RA
+## 'Subsystem' certificate will be stored on this CA;
+## the RA 'Subsystem' certificate will be stored on
+## the CA that is the security domain for this RA
+## subsystem
+## * the RA subsystem client 'Administration'
+## certificate will NOT automatically be imported into
+## the NSS client security databases associated with
+## the 'pkisilent' invocation of this RA subsystem;
+## import will fail with something similar to the
+## following message:
+##
+## ERROR: exception importing cert: Security
+## library failed to decode certificate
+## package: (-8183) security library:
+## improperly formatted DER-encoded
+## message.
+##
+## * in order to utilize the 'pkisilent' client
+## security databases inside a firefox browser,
+## one will need to manually import the RA
+## 'Administration' certificate for the RA subsystem
+## stored in this non-security domain CA
+##
+pki_ra_instance_ca_domain_url="https://${pki_subca_ee_host}:${pki_subca_ee_port}"
+
+
##############################################################################
## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ##
##############################################################################
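Review bot: `pki_ra_chosen_ca_issuance_url` selects the CA that signs every certificate enrolled through this RA, while `pki_ra_instance_ca_domain_url` only selects the CA that issues the RA's own subsystem certificates, yet both are accepted without validation and are easy to confuse because each defaults to `https://${pki_ca_ee_host}:${pki_ca_ee_port}` through a differently named alias pair (`pki_alternate_subca_ee_*` versus `pki_subca_ee_*`). A wrong host in the issuance URL redirects all end-entity enrollment to an unintended CA, which is a trust decision rather than a connectivity setting, so each value should be required to be the `empty` sentinel or an `https://host:port` URL before ConfigureRA is invoked. The "empty" NOTE also precedes only the first variable although it lists both; a short `## may also be set to "empty" (see NOTE above)` beside `pki_ra_instance_ca_domain_url` would keep that block self-explanatory. Whether the RA verifies the issuing CA's TLS certificate against the security domain is not visible here and should be confirmed separately.
```shell
pki_ra_instance_ca_domain_url="https://${pki_subca_ee_host}:${pki_subca_ee_port}"
# Both URLs are trust decisions: reject anything that is neither the "empty"
# sentinel nor an https://host:port URL before contacting any CA.
for ra_ca_url in "${pki_ra_chosen_ca_issuance_url}" "${pki_ra_instance_ca_domain_url}" ; do
    case "${ra_ca_url}" in
        empty|https://*:[0-9]*) ;;
        *)
            printf "ERROR: RA CA URL '%s' must be \"empty\" or https://host:port!\n" "${ra_ca_url}"
            exit 255 ;;
    esac
done
```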
@@ -440,6 +520,7 @@
-ca_port ${ra_chosen_ca_nonssl_port} \
-ca_ssl_port ${ra_chosen_ca_ssl_port} \
-ca_admin_port ${ra_chosen_ca_admin_port} \
+ -ca_issuance_url "${pki_ra_chosen_ca_issuance_url}" \
-client_certdb_dir ${pki_silent_security_database_repository} \
-client_certdb_pwd ${pki_silent_security_token_password} \
-preop_pin ${ra_preop_pin} \
@@ -456,6 +537,7 @@
-agent_key_type ${ra_agent_key_type} \
-agent_cert_subject "${ra_agent_cert_subject}" \
-subsystem_name ${pki_ra_subsystem_name} \
+ -ca_domain_url "${pki_ra_instance_ca_domain_url}" \
-ra_server_cert_nickname "${ra_server_cert_nickname}" \
-ra_server_cert_subject_name "${ra_server_cert_subject_name}" \
-ra_subsystem_cert_nickname "${ra_subsystem_cert_nickname}" \
Index: base/silent/templates/silent_ocsp_ip_port.template
===================================================================
--- base/silent/templates/silent_ocsp_ip_port.template (revision 2598)
+++ base/silent/templates/silent_ocsp_ip_port.template (working copy)
@@ -94,8 +94,8 @@
##
## 9180 - non-secure port (not role specific)
## 9701 - non-secure Tomcat port
-## 9443 - secure EE port
-## 9444 - secure Agent port
+## 9443 - secure Agent port
+## 9444 - secure EE port
## 9445 - secure Admin port
## 9446 - secure EE Client Auth port (not necessarily labeled)
##
@@ -103,8 +103,8 @@
##
## 11180 - non-secure port (not role specific)
## 11701 - non-secure Tomcat port
-## 11443 - secure EE port
-## 11444 - secure Agent port
+## 11443 - secure Agent port
+## 11444 - secure EE port
## 11445 - secure Admin port
##
## For Example:
@@ -115,12 +115,20 @@
## pki_ocsp_port_t tcp 11180, 11701, 11443, 11444, 11445
##
-## PKI CA ports
+## PKI CA ports (Security Domain)
pki_ca_nonssl_port=
+pki_ca_agent_port=
pki_ca_ee_port=
-pki_ca_agent_port=
pki_ca_admin_port=
+## PKI Subordinate CA ports (not a Security Domain)
+##
+## NOTE: Replace the CA EE Security Domain Host and Port to optionally use
+## a Subordinate CA to Issue Certificates for OCSP Instance Creation
+##
+pki_subca_ee_host=${pki_ca_ee_host}
+pki_subca_ee_port=${pki_ca_ee_port}
+
## PKI OCSP ports
pki_ocsp_admin_port=
@@ -200,8 +208,63 @@
## PKI Silent Log Files
pki_silent_ocsp_log=/tmp/ocsp.log
+## URL to CA used to Issue Certificates for OCSP Instance Creation
+##
+## * each 'hostname:port' must be a CA EE Hostname and CA EE Port
+## * referenced CA does not need to be a Security Domain (see CAVEAT)
+## * referenced CA must reside within the same security domain
+## as this OCSP instance
+##
+## CAVEAT: If the chosen CA is a security domain:
+##
+## * all OCSP subsystem certificates (including the
+## 'Subsystem' certificates) will be stored on this CA
+## * the OCSP subsystem client 'Administration'
+## certificate will automatically be imported into
+## the NSS client security databases associated with
+## the 'pkisilent' invocation of this OCSP subsystem
+## * the 'pkisilent' client security databases may be
+## used inside a firefox browser with no further
+## changes
+##
+## If the chosen CA is NOT a security domain:
+##
+## * all OCSP subsystem certificates EXCEPT the OCSP
+## 'Subsystem' certificate will be stored on this CA;
+## the OCSP 'Subsystem' certificate will be stored on
+## the CA that is the security domain for this OCSP
+## subsystem
+## * the OCSP subsystem client 'Administration'
+## certificate will NOT automatically be imported into
+## the NSS client security databases associated with
+## the 'pkisilent' invocation of this OCSP subsystem;
+## import will fail with something similar to the
+## following message:
+##
+## ERROR: exception importing cert: Security
+## library failed to decode certificate
+## package: (-8183) security library:
+## improperly formatted DER-encoded
+## message.
+##
+## * in order to utilize the 'pkisilent' client
+## security databases inside a firefox browser,
+## one will need to manually import the OCSP
+## 'Administration' certificate for the OCSP subsystem
+## stored in this non-security domain CA
+##
+## NOTE: To pass in a value of an empty string, specify the value "empty"
+## instead of "" since ArgParser() throws away empty strings.
+##
+## This special "empty" string value may be specified for any of
+## the following variables:
+##
+## * pki_ocsp_instance_ca_domain_url="empty"
+##
+pki_ocsp_instance_ca_domain_url="https://${pki_subca_ee_host}:${pki_subca_ee_port}"
+
##############################################################################
## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ##
##############################################################################
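Review bot: The "empty" sentinel documented for `pki_ocsp_instance_ca_domain_url` relies on the Java side recognising that exact literal, so the template should reject any other non-URL value instead of forwarding it; a single guard such as `case "${pki_ocsp_instance_ca_domain_url}" in empty|https://*:[0-9]*) ;; *) printf "ERROR: invalid pki_ocsp_instance_ca_domain_url!\n"; exit 255 ;; esac` before ConfigureOCSP would do. The CAVEAT also quotes the `-8183` DER-decode error as the expected outcome for a non-security-domain CA; since that text reflects observed behaviour rather than a documented contract, marking it as such, e.g. `## (observed during pkisilent testing; exact message may vary by release)`, prevents operators from treating a different import error as the benign, expected one.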
@@ -532,6 +595,7 @@
-agent_key_type ${ocsp_agent_key_type} \
-agent_cert_subject "${ocsp_agent_cert_subject}" \
-subsystem_name ${pki_ocsp_subsystem_name} \
+ -ca_domain_url "${pki_ocsp_instance_ca_domain_url}" \
-save_p12 ${ocsp_save_p12} \
-backup_pwd ${pki_ocsp_backup_password} \
-ocsp_sign_cert_subject_name "${ocsp_sign_cert_subject_name}" \
Index: base/silent/templates/silent_tps_to_ip_port.template
===================================================================
--- base/silent/templates/silent_tps_to_ip_port.template (revision 2598)
+++ base/silent/templates/silent_tps_to_ip_port.template (working copy)
@@ -90,9 +90,11 @@
## PKI KRA Subsystem Hosts (FQDN)
pki_kra_agent_host=
+pki_kra_admin_host=
## PKI TKS Subsystem Hosts (FQDN)
pki_tks_agent_host=
+pki_tks_admin_host=
## PKI TPS Subsystem Host (computed by default)
pki_host=`hostname`
@@ -102,8 +104,8 @@
##
## 9180 - non-secure port (not role specific)
## 9701 - non-secure Tomcat port
-## 9443 - secure EE port
-## 9444 - secure Agent port
+## 9443 - secure Agent port
+## 9444 - secure EE port
## 9445 - secure Admin port
## 9446 - secure EE Client Auth port (not necessarily labeled)
##
@@ -111,16 +113,16 @@
##
## 10180 - non-secure port (not role specific)
## 10701 - non-secure Tomcat port
-## 10443 - secure EE port
-## 10444 - secure Agent port
+## 10443 - secure Agent port
+## 10444 - secure EE port
## 10445 - secure Admin port
##
## NOTE: Default PKI TKS Instance Ports
##
## 13180 - non-secure port (not role specific)
## 13701 - non-secure Tomcat port
-## 13443 - secure EE port
-## 13444 - secure Agent port
+## 13443 - secure Agent port
+## 13444 - secure EE port
## 13445 - secure Admin port
##
## NOTE: Default PKI TPS Instance Ports
@@ -140,17 +142,34 @@
## pki_tps_port_t tcp 7890, 7888, 7889
##
-## CA ports
+## PKI CA ports (Security Domain)
pki_ca_nonssl_port=
+pki_ca_agent_port=
pki_ca_ee_port=
-pki_ca_agent_port=
pki_ca_admin_port=
+## PKI Subordinate CA ports (not a Security Domain)
+##
+## NOTE: Replace the CA EE Security Domain Host and Port to optionally use
+## a Subordinate CA to Issue Certificates for Requests Submitted via
+## this TPS
+##
+pki_alternate_subca_ee_host=${pki_ca_ee_host}
+pki_alternate_subca_ee_port=${pki_ca_ee_port}
+##
+## NOTE: Replace the CA EE Security Domain Host and Port to optionally use
+## a Subordinate CA to Issue Certificates for TPS Instance Creation
+##
+pki_subca_ee_host=${pki_ca_ee_host}
+pki_subca_ee_port=${pki_ca_ee_port}
+
## DRM ports
pki_kra_agent_port=
+pki_kra_admin_port=
## TKS ports
pki_tks_agent_port=
+pki_tks_admin_port=
## TPS ports
pki_tps_clientauth_port=
@@ -202,6 +221,28 @@
pki_email_company=
pki_email_domain=
+##
+## TPS Variables
+##
+## IMPORTANT: The 'tps_ldap_auth_base_dn' should contain individual
+## comma separated 'dc=<component>' values for each
+## portion of the value returned by 'dnsdomainname' on
+## the machine which hosts the LDAP server.
+##
+## For example, if 'dnsdomain' returns 'foo.example.com',
+## then:
+##
+## tps_ldap_auth_base_dn="dc=foo,dc=example,dc=com"
+##
+## Using this example, the following command may be
+## executed to test for a valid base DN:
+##
+## /usr/bin/ldapsearch -x -h ${pki_ldap_host}
+## -p ${pki_ldap_port} -b 'dc=foo,dc=example,dc=com'
+## -s base 'objectclass=*'
+##
+tps_ldap_auth_base_dn="dc=${pki_email_company},dc=${pki_email_domain}"
+
## PKI Silent Admin Variables
## (e. g. - Import Admin Certificate into PKI Silent "browser" database)
pki_silent_admin_user=admin
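Review bot: The default `tps_ldap_auth_base_dn="dc=${pki_email_company},dc=${pki_email_domain}"` can only ever yield two `dc=` components, yet the IMPORTANT paragraph above it says the value must mirror every label of `dnsdomainname` and the worked example has three (`dc=foo,dc=example,dc=com`); the comment should state that the default only fits a two-label domain and must be edited for anything longer. The example also names the command 'dnsdomain' while the paragraph above calls it 'dnsdomainname'; one spelling should be used. The same block is added to silentEC_tps.template later in this patch, where it additionally opens with a single `#` instead of the `##` used everywhere else in these templates.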
@@ -217,8 +258,91 @@
## PKI Silent Log Files
pki_silent_tps_log=/tmp/tps.log
+## URL to CA used to Issue Certificates for Requests Submitted via TPS
+##
+## * each 'hostname:port' must be a CA EE Hostname and CA EE Port
+## * referenced CA does not need to be a Security Domain
+## * referenced CA must reside within the same security domain
+## as the associated TPS instance
+##
+## NOTE: To pass in a value of an empty string, specify the value "empty"
+## instead of "" since ArgParser() throws away empty strings.
+##
+## This special "empty" string value may be specified for any of
+## the following variables:
+##
+## * pki_tps_chosen_ca_issuance_url="empty"
+## * pki_tps_chosen_tks_key_management_url="empty"
+## * pki_tps_chosen_drm_server_side_keygen_url="empty"
+## * pki_tps_instance_ca_domain_url="empty"
+##
+pki_tps_chosen_ca_issuance_url="https://${pki_alternate_subca_ee_host}:${pki_alternate_subca_ee_port}"
+## URL to TKS used for Key Management for TPS
+##
+## * each 'hostname:port' must be a TKS Agent Hostname and TKS Agent Port
+## * referenced TKS must reside within the same security domain
+## as the associated TPS instance
+##
+pki_tps_chosen_tks_key_management_url="https://${pki_tks_agent_host}:${pki_tks_agent_port}"
+## URL to optional DRM used for Server-Side Keygen for TPS (tps_ss_keygen=true)
+##
+## * each 'hostname:port' must be a DRM Agent Hostname and DRM Agent Port
+## * referenced DRM must reside within the same security domain
+## as the associated TPS instance
+##
+pki_tps_chosen_drm_server_side_keygen_url="https://${pki_kra_agent_host}:${pki_kra_agent_port}"
+
+## URL to CA used to Issue Certificates for TPS Instance Creation
+##
+## * each 'hostname:port' must be a CA EE Hostname and CA EE Port
+## * referenced CA does not need to be a Security Domain (see CAVEAT)
+## * referenced CA must reside within the same security domain
+## as this TPS instance
+##
+## CAVEAT: If the chosen CA is a security domain:
+##
+## * all TPS subsystem certificates (including the
+## 'Subsystem' certificates) will be stored on this CA
+## * the TPS subsystem client 'Administration'
+## certificate will automatically be imported into
+## the NSS client security databases associated with
+## the 'pkisilent' invocation of this TPS subsystem
+## * the 'pkisilent' client security databases may be
+## used inside a firefox browser with no further
+## changes
+##
+## If the chosen CA is NOT a security domain:
+##
+## * all TPS subsystem certificates EXCEPT the TPS
+## 'Subsystem' certificate will be stored on this CA;
+## the TPS 'Subsystem' certificate will be stored on
+## the CA that is the security domain for this TPS
+## subsystem
+## * the TPS subsystem client 'Administration'
+## certificate will NOT automatically be imported into
+## the NSS client security databases associated with
+## the 'pkisilent' invocation of this TPS subsystem;
+## import will fail with something similar to the
+## following message:
+##
+## ERROR: exception importing cert: Security
+## library failed to decode certificate
+## package: (-8183) security library:
+## improperly formatted DER-encoded
+## message.
+##
+## * in order to utilize the 'pkisilent' client
+## security databases inside a firefox browser,
+## one will need to manually import the TPS
+## 'Administration' certificate for the TPS subsystem
+## stored in this non-security domain CA
+##
+pki_tps_instance_ca_domain_url="https://${pki_subca_ee_host}:${pki_subca_ee_port}"
+
+
+
##############################################################################
## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ##
##############################################################################
@@ -295,17 +419,20 @@
tps_chosen_ca_nonssl_port=${pki_ca_nonssl_port}
tps_chosen_ca_ssl_port=${pki_ca_ee_port}
tps_chosen_ca_admin_port=${pki_ca_admin_port}
-tps_chosen_tks_hostname=${pki_tks_agent_host}
-tps_chosen_tks_ssl_port=${pki_tks_agent_port}
-tps_chosen_drm_hostname=${pki_kra_agent_host}
-tps_chosen_drm_ssl_port=${pki_kra_agent_port}
+tps_chosen_tks_agent_hostname=${pki_tks_agent_host}
+tps_chosen_tks_agent_port=${pki_tks_agent_port}
+tps_chosen_tks_admin_hostname=${pki_tks_admin_host}
+tps_chosen_tks_admin_port=${pki_tks_admin_port}
+tps_chosen_drm_agent_hostname=${pki_kra_agent_host}
+tps_chosen_drm_agent_port=${pki_kra_agent_port}
+tps_chosen_drm_admin_hostname=${pki_kra_admin_host}
+tps_chosen_drm_admin_port=${pki_kra_admin_port}
tps_agent_name="TPS\ Administrator\'s\ ${pki_security_domain_name}\ ID"
tps_agent_key_size=2048
tps_agent_key_type=rsa
tps_agent_cert_subject="cn=TPS\ Administrator,uid=admin,e=${pki_silent_admin_email},o=${pki_security_domain_name}"
tps_ldap_auth_host="${pki_ldap_host}"
tps_ldap_auth_port=${pki_ldap_port}
-tps_ldap_auth_base_dn="dc=${pki_email_company},dc=${pki_email_domain}"
tps_base_dn="dc=${pki_host}-${pki_tps_instance_name}"
tps_db_name="${pki_host}-${pki_tps_instance_name}"
tps_key_size=2048
@@ -348,10 +475,18 @@
printf "${usage_error_preamble} 'pki_kra_agent_host'!\n"
usage_errors=`expr ${usage_errors} + 1`
fi
+if [ "${pki_kra_admin_host}" = "" ] ; then
+ printf "${usage_error_preamble} 'pki_kra_admin_host'!\n"
+ usage_errors=`expr ${usage_errors} + 1`
+fi
if [ "${pki_tks_agent_host}" = "" ] ; then
printf "${usage_error_preamble} 'pki_tks_agent_host'!\n"
usage_errors=`expr ${usage_errors} + 1`
fi
+if [ "${pki_tks_admin_host}" = "" ] ; then
+ printf "${usage_error_preamble} 'pki_tks_admin_host'!\n"
+ usage_errors=`expr ${usage_errors} + 1`
+fi
if [ "${pki_ca_nonssl_port}" = "" ] ; then
printf "${usage_error_preamble} 'pki_ca_nonssl_port'!\n"
usage_errors=`expr ${usage_errors} + 1`
@@ -372,10 +507,18 @@
printf "${usage_error_preamble} 'pki_kra_agent_port'!\n"
usage_errors=`expr ${usage_errors} + 1`
fi
+if [ "${pki_kra_admin_port}" = "" ] ; then
+ printf "${usage_error_preamble} 'pki_kra_admin_port'!\n"
+ usage_errors=`expr ${usage_errors} + 1`
+fi
if [ "${pki_tks_agent_port}" = "" ] ; then
printf "${usage_error_preamble} 'pki_tks_agent_port'!\n"
usage_errors=`expr ${usage_errors} + 1`
fi
+if [ "${pki_tks_admin_port}" = "" ] ; then
+ printf "${usage_error_preamble} 'pki_tks_admin_port'!\n"
+ usage_errors=`expr ${usage_errors} + 1`
+fi
if [ "${pki_tps_clientauth_port}" = "" ] ; then
printf "${usage_error_preamble} 'pki_tps_clientauth_port'!\n"
usage_errors=`expr ${usage_errors} + 1`
@@ -542,11 +685,18 @@
-ca_port ${tps_chosen_ca_nonssl_port} \
-ca_ssl_port ${tps_chosen_ca_ssl_port} \
-ca_admin_port ${tps_chosen_ca_admin_port} \
- -drm_hostname ${tps_chosen_drm_hostname} \
- -drm_ssl_port ${tps_chosen_drm_ssl_port} \
+ -ca_issuance_url "${pki_tps_chosen_ca_issuance_url}" \
+ -drm_agent_hostname ${tps_chosen_drm_agent_hostname} \
+ -drm_agent_port ${tps_chosen_drm_agent_port} \
+ -drm_admin_hostname ${tps_chosen_drm_admin_hostname} \
+ -drm_admin_port ${tps_chosen_drm_admin_port} \
+ -drm_server_side_keygen_url "${pki_tps_chosen_drm_server_side_keygen_url}" \
-ss_keygen ${tps_ss_keygen} \
- -tks_hostname ${tps_chosen_tks_hostname} \
- -tks_ssl_port ${tps_chosen_tks_ssl_port} \
+ -tks_agent_hostname ${tps_chosen_tks_agent_hostname} \
+ -tks_agent_port ${tps_chosen_tks_agent_port} \
+ -tks_admin_hostname ${tps_chosen_tks_admin_hostname} \
+ -tks_admin_port ${tps_chosen_tks_admin_port} \
+ -tks_key_management_url "${pki_tps_chosen_tks_key_management_url}" \
-client_certdb_dir ${pki_silent_security_database_repository} \
-client_certdb_pwd ${pki_silent_security_token_password} \
-client_token_name ${pki_silent_security_token_name} \
@@ -570,6 +720,7 @@
-agent_key_type ${tps_agent_key_type} \
-agent_cert_subject "${tps_agent_cert_subject}" \
-subsystem_name ${pki_tps_subsystem_name} \
+ -ca_domain_url "${pki_tps_instance_ca_domain_url}" \
-ldap_auth_host ${tps_ldap_auth_host} \
-ldap_auth_port ${tps_ldap_auth_port} \
-ldap_auth_base_dn ${tps_ldap_auth_base_dn} \
Index: base/silent/templates/silentEC_subca.template
===================================================================
--- base/silent/templates/silentEC_subca.template (revision 2598)
+++ base/silent/templates/silentEC_subca.template (working copy)
@@ -177,8 +177,8 @@
##
## *180 - non-secure port (not role specific)
## *701 - non-secure Tomcat port
-## *443 - secure EE port
-## *444 - secure Agent port
+## *443 - secure Agent port
+## *444 - secure EE port
## *445 - secure Admin port
##
##
@@ -190,18 +190,34 @@
## pki_ca1_port_t tcp 9580, 9801, 9543, 9544, 9545
##
-## CA ports
+## CA ports (Security Domain)
ca_nonssl_port=9180
ca_agent_port=9443
ca_ee_port=9444
ca_admin_port=9445
-## Subordinate CA ports
+## Subordinate CA ports (not a Security Domain)
subca_nonssl_port=9580
subca_agent_port=9543
subca_ee_port=9544
subca_admin_port=9545
+## URL to CA used to Issue Certificates for Subordinate CA Instance Creation
+##
+## * each 'hostname:port' must be a CA EE Hostname and CA EE Port
+## * referenced CA does not need to be a Security Domain
+## * referenced CA must reside within the same security domain
+## as this Subordinate CA instance
+##
+## NOTE: To pass in a value of an empty string, specify the value "empty"
+## instead of "" since ArgParser() throws away empty strings.
+##
+## This special "empty" string value may be specified for any of
+## the following variables:
+##
+## * subca_instance_ca_domain_url="empty"
+##
+subca_instance_ca_domain_url="https://${pki_security_domain_host}:${ca_ee_port}"
##############################################################################
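Review bot: The comment block for `subca_instance_ca_domain_url` states that the referenced CA "does not need to be a Security Domain" but omits the CAVEAT paragraph that the KRA, TKS, OCSP and TPS templates in this patch attach to the same statement (the 'Subsystem' certificate landing on the security-domain CA, the 'Administration' certificate import failing). If a subordinate CA whose certificates are issued by a non-security-domain CA behaves the same way, the caveat should be repeated here; if it does not, a one-line `## NOTE:` saying so would stop readers from assuming the omission is accidental.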
@@ -559,6 +575,7 @@
-save_p12 ${subca_save_p12} \
-backup_pwd ${subca_backup_password} \
-subsystem_name "${subca_subsystem_name}" \
+ -ca_domain_url "${subca_instance_ca_domain_url}" \
-subca_sign_cert_subject_name "${subca_sign_cert_subject_name}" \
-subca_subsystem_cert_subject_name "${subca_subsystem_cert_subject_name}" \
-subca_ocsp_cert_subject_name "${subca_ocsp_cert_subject_name}" \
Index: base/silent/templates/silent_kra_ip_port.template
===================================================================
--- base/silent/templates/silent_kra_ip_port.template (revision 2598)
+++ base/silent/templates/silent_kra_ip_port.template (working copy)
@@ -94,8 +94,8 @@
##
## 9180 - non-secure port (not role specific)
## 9701 - non-secure Tomcat port
-## 9443 - secure EE port
-## 9444 - secure Agent port
+## 9443 - secure Agent port
+## 9444 - secure EE port
## 9445 - secure Admin port
## 9446 - secure EE Client Auth port (not necessarily labeled)
##
@@ -103,8 +103,8 @@
##
## 10180 - non-secure port (not role specific)
## 10701 - non-secure Tomcat port
-## 10443 - secure EE port
-## 10444 - secure Agent port
+## 10443 - secure Agent port
+## 10444 - secure EE port
## 10445 - secure Admin port
##
## For Example:
@@ -115,12 +115,20 @@
## pki_kra_port_t tcp 10180, 10701, 10443, 10444, 10445
##
-## PKI CA ports
+## PKI CA ports (Security Domain)
pki_ca_nonssl_port=
+pki_ca_agent_port=
pki_ca_ee_port=
-pki_ca_agent_port=
pki_ca_admin_port=
+## PKI Subordinate CA ports (not a Security Domain)
+##
+## NOTE: Replace the CA EE Security Domain Host and Port to optionally use
+## a Subordinate CA to Issue Certificates for KRA Instance Creation
+##
+pki_subca_ee_host=${pki_ca_ee_host}
+pki_subca_ee_port=${pki_ca_ee_port}
+
## PKI DRM ports
pki_kra_admin_port=
@@ -200,8 +208,63 @@
## PKI Silent Log Files
pki_silent_kra_log=/tmp/kra.log
+## URL to CA used to Issue Certificates for KRA Instance Creation
+##
+## * each 'hostname:port' must be a CA EE Hostname and CA EE Port
+## * referenced CA does not need to be a Security Domain (see CAVEAT)
+## * referenced CA must reside within the same security domain
+## as this KRA instance
+##
+## CAVEAT: If the chosen CA is a security domain:
+##
+## * all KRA subsystem certificates (including the
+## 'Subsystem' certificates) will be stored on this CA
+## * the KRA subsystem client 'Administration'
+## certificate will automatically be imported into
+## the NSS client security databases associated with
+## the 'pkisilent' invocation of this KRA subsystem
+## * the 'pkisilent' client security databases may be
+## used inside a firefox browser with no further
+## changes
+##
+## If the chosen CA is NOT a security domain:
+##
+## * all KRA subsystem certificates EXCEPT the KRA
+## 'Subsystem' certificate will be stored on this CA;
+## the KRA 'Subsystem' certificate will be stored on
+## the CA that is the security domain for this KRA
+## subsystem
+## * the KRA subsystem client 'Administration'
+## certificate will NOT automatically be imported into
+## the NSS client security databases associated with
+## the 'pkisilent' invocation of this KRA subsystem;
+## import will fail with something similar to the
+## following message:
+##
+## ERROR: exception importing cert: Security
+## library failed to decode certificate
+## package: (-8183) security library:
+## improperly formatted DER-encoded
+## message.
+##
+## * in order to utilize the 'pkisilent' client
+## security databases inside a firefox browser,
+## one will need to manually import the KRA
+## 'Administration' certificate for the KRA subsystem
+## stored in this non-security domain CA
+##
+## NOTE: To pass in a value of an empty string, specify the value "empty"
+## instead of "" since ArgParser() throws away empty strings.
+##
+## This special "empty" string value may be specified for any of
+## the following variables:
+##
+## * pki_kra_instance_ca_domain_url="empty"
+##
+pki_kra_instance_ca_domain_url="https://${pki_subca_ee_host}:${pki_subca_ee_port}"
+
##############################################################################
## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ##
##############################################################################
@@ -542,6 +605,7 @@
-agent_key_type ${kra_agent_key_type} \
-agent_cert_subject "${kra_agent_cert_subject}" \
-subsystem_name ${pki_kra_subsystem_name} \
+ -ca_domain_url "${pki_kra_instance_ca_domain_url}" \
-save_p12 ${kra_save_p12} \
-backup_pwd ${pki_kra_backup_password} \
-drm_transport_cert_subject_name "${kra_transport_cert_subject_name}" \
Index: base/silent/templates/silentEC_tks.template
===================================================================
--- base/silent/templates/silentEC_tks.template (revision 2598)
+++ base/silent/templates/silentEC_tks.template (working copy)
@@ -174,8 +174,8 @@
##
## *180 - non-secure port (not role specific)
## *701 - non-secure Tomcat port
-## *443 - secure EE port
-## *444 - secure Agent port
+## *443 - secure Agent port
+## *444 - secure EE port
## *445 - secure Admin port
##
##
@@ -186,7 +186,7 @@
## pki_tks_port_t tcp 13180, 13701, 13443, 13444, 13445
##
-## CA ports
+## CA ports (Security Domain)
ca_nonssl_port=9180
ca_agent_port=9443
ca_ee_port=9444
@@ -198,6 +198,62 @@
tks_ee_port=14454
tks_admin_port=14455
+## URL to CA used to Issue Certificates for TKS Instance Creation
+##
+## * each 'hostname:port' must be a CA EE Hostname and CA EE Port
+## * referenced CA does not need to be a Security Domain (see CAVEAT)
+## * referenced CA must reside within the same security domain
+## as this TKS instance
+##
+## CAVEAT: If the chosen CA is a security domain:
+##
+## * all TKS subsystem certificates (including the
+## 'Subsystem' certificates) will be stored on this CA
+## * the TKS subsystem client 'Administration'
+## certificate will automatically be imported into
+## the NSS client security databases associated with
+## the 'pkisilent' invocation of this TKS subsystem
+## * the 'pkisilent' client security databases may be
+## used inside a firefox browser with no further
+## changes
+##
+## If the chosen CA is NOT a security domain:
+##
+## * all TKS subsystem certificates EXCEPT the TKS
+## 'Subsystem' certificate will be stored on this CA;
+## the TKS 'Subsystem' certificate will be stored on
+## the CA that is the security domain for this TKS
+## subsystem
+## * the TKS subsystem client 'Administration'
+## certificate will NOT automatically be imported into
+## the NSS client security databases associated with
+## the 'pkisilent' invocation of this TKS subsystem;
+## import will fail with something similar to the
+## following message:
+##
+## ERROR: exception importing cert: Security
+## library failed to decode certificate
+## package: (-8183) security library:
+## improperly formatted DER-encoded
+## message.
+##
+## * in order to utilize the 'pkisilent' client
+## security databases inside a firefox browser,
+## one will need to manually import the TKS
+## 'Administration' certificate for the TKS subsystem
+## stored in this non-security domain CA
+##
+## NOTE: To pass in a value of an empty string, specify the value "empty"
+## instead of "" since ArgParser() throws away empty strings.
+##
+## This special "empty" string value may be specified for any of
+## the following variables:
+##
+## * tks_instance_ca_domain_url="empty"
+##
+tks_instance_ca_domain_url="https://${pki_security_domain_host}:${ca_ee_port}"
+
+
##############################################################################
## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ##
##############################################################################
@@ -497,6 +553,7 @@
-agent_key_type ${tks_agent_key_type} \
-agent_cert_subject "${tks_agent_cert_subject}" \
-subsystem_name ${tks_subsystem_name} \
+ -ca_domain_url "${tks_instance_ca_domain_url}" \
-tks_subsystem_cert_subject_name "${tks_subsystem_cert_subject_name}" \
-tks_server_cert_subject_name "${tks_server_cert_subject_name}" \
-tks_audit_signing_cert_subject_name \
Index: base/silent/templates/silentEC_ocsp.template
===================================================================
--- base/silent/templates/silentEC_ocsp.template (revision 2598)
+++ base/silent/templates/silentEC_ocsp.template (working copy)
@@ -174,8 +174,8 @@
##
## *180 - non-secure port (not role specific)
## *701 - non-secure Tomcat port
-## *443 - secure EE port
-## *444 - secure Agent port
+## *443 - secure Agent port
+## *444 - secure EE port
## *445 - secure Admin port
##
##
@@ -186,7 +186,7 @@
## pki_ocsp_port_t tcp 11180, 11701, 11443, 11444, 11445
##
-## CA ports
+## CA ports (Security Domain)
ca_nonssl_port=31180
ca_agent_port=31443
ca_ee_port=31444
@@ -198,7 +198,62 @@
ocsp_ee_port=12444
ocsp_admin_port=12445
+## URL to CA used to Issue Certificates for OCSP Instance Creation
+##
+## * each 'hostname:port' must be a CA EE Hostname and CA EE Port
+## * referenced CA does not need to be a Security Domain (see CAVEAT)
+## * referenced CA must reside within the same security domain
+## as this OCSP instance
+##
+## CAVEAT: If the chosen CA is a security domain:
+##
+## * all OCSP subsystem certificates (including the
+## 'Subsystem' certificates) will be stored on this CA
+## * the OCSP subsystem client 'Administration'
+## certificate will automatically be imported into
+## the NSS client security databases associated with
+## the 'pkisilent' invocation of this OCSP subsystem
+## * the 'pkisilent' client security databases may be
+## used inside a firefox browser with no further
+## changes
+##
+## If the chosen CA is NOT a security domain:
+##
+## * all OCSP subsystem certificates EXCEPT the OCSP
+## 'Subsystem' certificate will be stored on this CA;
+## the OCSP 'Subsystem' certificate will be stored on
+## the CA that is the security domain for this OCSP
+## subsystem
+## * the OCSP subsystem client 'Administration'
+## certificate will NOT automatically be imported into
+## the NSS client security databases associated with
+## the 'pkisilent' invocation of this OCSP subsystem;
+## import will fail with something similar to the
+## following message:
+##
+## ERROR: exception importing cert: Security
+## library failed to decode certificate
+## package: (-8183) security library:
+## improperly formatted DER-encoded
+## message.
+##
+## * in order to utilize the 'pkisilent' client
+## security databases inside a firefox browser,
+## one will need to manually import the OCSP
+## 'Administration' certificate for the OCSP subsystem
+## stored in this non-security domain CA
+##
+## NOTE: To pass in a value of an empty string, specify the value "empty"
+## instead of "" since ArgParser() throws away empty strings.
+##
+## This special "empty" string value may be specified for any of
+## the following variables:
+##
+## * ocsp_instance_ca_domain_url="empty"
+##
+ocsp_instance_ca_domain_url="https://${pki_security_domain_host}:${ca_ee_port}"
+
##############################################################################
## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ##
##############################################################################
@@ -503,6 +558,7 @@
-agent_key_type ${ocsp_agent_key_type} \
-agent_cert_subject "${ocsp_agent_cert_subject}" \
-subsystem_name ${ocsp_subsystem_name} \
+ -ca_domain_url "${ocsp_instance_ca_domain_url}" \
-ocsp_sign_cert_subject_name "${ocsp_sign_cert_subject_name}" \
-ocsp_subsystem_cert_subject_name "${ocsp_subsystem_cert_subject_name}" \
-ocsp_server_cert_subject_name "${ocsp_server_cert_subject_name}" \
Index: base/silent/templates/silentEC_tps.template
===================================================================
--- base/silent/templates/silentEC_tps.template (revision 2598)
+++ base/silent/templates/silentEC_tps.template (working copy)
@@ -145,6 +145,28 @@
pki_email_company=
pki_email_domain=
+#
+## TPS Variables
+##
+## IMPORTANT: The 'tps_ldap_auth_base_dn' should contain individual
+## comma separated 'dc=<component>' values for each
+## portion of the value returned by 'dnsdomainname' on
+## the machine which hosts the LDAP server.
+##
+## For example, if 'dnsdomain' returns 'foo.example.com',
+## then:
+##
+## tps_ldap_auth_base_dn="dc=foo,dc=example,dc=com"
+##
+## Using this example, the following command may be
+## executed to test for a valid base DN:
+##
+## /usr/bin/ldapsearch -x -h ${pki_ldap_host}
+## -p ${pki_ldap_port} -b 'dc=foo,dc=example,dc=com'
+## -s base 'objectclass=*'
+##
+tps_ldap_auth_base_dn="dc=${pki_email_company},dc=${pki_email_domain}"
+
## PKI Silent Admin Variables
## (e. g. - Import Admin Certificate into PKI Silent "browser" database)
pki_silent_admin_user=admin
@@ -187,7 +209,7 @@
## pki_tps_port_t tcp 7890, 7888, 7889
##
-## CA ports
+## CA ports (Security Domain)
ca_nonssl_port=31180
ca_agent_port=31443
ca_ee_port=31444
@@ -210,8 +232,91 @@
tps_clientauth_port=9089
tps_nonclientauth_port=9090
+## URL to CA used to Issue Certificates for Requests Submitted via TPS
+##
+## * each 'hostname:port' must be a CA EE Hostname and CA EE Port
+## * referenced CA does not need to be a Security Domain
+## * referenced CA must reside within the same security domain
+## as the associated TPS instance
+##
+## NOTE: To pass in a value of an empty string, specify the value "empty"
+## instead of "" since ArgParser() throws away empty strings.
+##
+## This special "empty" string value may be specified for any of
+## the following variables:
+##
+## * tps_chosen_ca_issuance_url="empty"
+## * tps_chosen_tks_key_management_url="empty"
+## * tps_chosen_drm_server_side_keygen_url="empty"
+## * tps_instance_ca_domain_url="empty"
+##
+tps_chosen_ca_issuance_url="https://${pki_security_domain_host}:${ca_ee_port}"
+## URL to TKS used for Key Management for TPS
+##
+## * each 'hostname:port' must be a TKS Agent Hostname and TKS Agent Port
+## * referenced TKS must reside within the same security domain
+## as the associated TPS instance
+##
+tps_chosen_tks_key_management_url="https://${pki_security_domain_host}:${tks_agent_port}"
+## URL to optional DRM used for Server-Side Keygen for TPS (tps_ss_keygen=true)
+##
+## * each 'hostname:port' must be a DRM Agent Hostname and DRM Agent Port
+## * referenced DRM must reside within the same security domain
+## as the associated TPS instance
+##
+tps_chosen_drm_server_side_keygen_url="https://${pki_security_domain_host}:${kra_agent_port}"
+
+## URL to CA used to Issue Certificates for TPS Instance Creation
+##
+## * each 'hostname:port' must be a CA EE Hostname and CA EE Port
+## * referenced CA does not need to be a Security Domain (see CAVEAT)
+## * referenced CA must reside within the same security domain
+## as this TPS instance
+##
+## CAVEAT: If the chosen CA is a security domain:
+##
+## * all TPS subsystem certificates (including the
+## 'Subsystem' certificates) will be stored on this CA
+## * the TPS subsystem client 'Administration'
+## certificate will automatically be imported into
+## the NSS client security databases associated with
+## the 'pkisilent' invocation of this TPS subsystem
+## * the 'pkisilent' client security databases may be
+## used inside a firefox browser with no further
+## changes
+##
+## If the chosen CA is NOT a security domain:
+##
+## * all TPS subsystem certificates EXCEPT the TPS
+## 'Subsystem' certificate will be stored on this CA;
+## the TPS 'Subsystem' certificate will be stored on
+## the CA that is the security domain for this TPS
+## subsystem
+## * the TPS subsystem client 'Administration'
+## certificate will NOT automatically be imported into
+## the NSS client security databases associated with
+## the 'pkisilent' invocation of this TPS subsystem;
+## import will fail with something similar to the
+## following message:
+##
+## ERROR: exception importing cert: Security
+## library failed to decode certificate
+## package: (-8183) security library:
+## improperly formatted DER-encoded
+## message.
+##
+## * in order to utilize the 'pkisilent' client
+## security databases inside a firefox browser,
+## one will need to manually import the TPS
+## 'Administration' certificate for the TPS subsystem
+## stored in this non-security domain CA
+##
+tps_instance_ca_domain_url="https://${pki_security_domain_host}:${ca_ee_port}"
+
+
+
##############################################################################
## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ##
##############################################################################
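Review bot: `tps_chosen_tks_key_management_url` and `tps_chosen_drm_server_side_keygen_url` default to `https://${pki_security_domain_host}:...`, whereas the matching hostname arguments set in the next hunk use `${pki_host}` (`tps_chosen_tks_agent_hostname=${pki_host}`, `tps_chosen_drm_agent_hostname=${pki_host}`); if the two variables ever differ, the TPS is handed a TKS/DRM URL and a TKS/DRM hostname that point at different machines. Deriving both from the same variable, e.g. `tps_chosen_tks_key_management_url="https://${pki_host}:${tks_agent_port}"` and `tps_chosen_drm_server_side_keygen_url="https://${pki_host}:${kra_agent_port}"`, keeps the single-host EC template self-consistent. The CA URLs presumably use `pki_security_domain_host` deliberately; the TKS/DRM ones should follow whichever variable their hostname arguments use.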
@@ -292,17 +397,20 @@
tps_chosen_ca_nonssl_port=${ca_nonssl_port}
tps_chosen_ca_ssl_port=${ca_ee_port}
tps_chosen_ca_admin_port=${ca_admin_port}
-tps_chosen_tks_hostname=${pki_host}
-tps_chosen_tks_ssl_port=${tks_ee_port}
-tps_chosen_drm_hostname=${pki_host}
-tps_chosen_drm_ssl_port=${kra_ee_port}
+tps_chosen_tks_agent_hostname=${pki_host}
+tps_chosen_tks_agent_port=${tks_agent_port}
+tps_chosen_tks_admin_hostname=${pki_host}
+tps_chosen_tks_admin_port=${tks_admin_port}
+tps_chosen_drm_agent_hostname=${pki_host}
+tps_chosen_drm_agent_port=${kra_agent_port}
+tps_chosen_drm_admin_hostname=${pki_host}
+tps_chosen_drm_admin_port=${kra_admin_port}
tps_agent_name="TPS\ Administrator\'s\ ${pki_security_domain_name}\ ID"
tps_agent_key_size=nistp256
tps_agent_key_type=ecc
tps_agent_cert_subject="cn=TPS\ Administrator,uid=admin,e=${pki_silent_admin_email},o=${pki_security_domain_name}"
tps_ldap_auth_host=localhost
tps_ldap_auth_port=389
-tps_ldap_auth_base_dn="dc=${pki_email_company},dc=${pki_email_domain}"
tps_base_dn="dc=${pki_host}-${tps_instance_name}"
tps_db_name="${pki_host}-${tps_instance_name}"
tps_key_size=256
@@ -481,11 +589,18 @@
-ca_port ${tps_chosen_ca_nonssl_port} \
-ca_ssl_port ${tps_chosen_ca_ssl_port} \
-ca_admin_port ${tps_chosen_ca_admin_port} \
- -drm_hostname ${tps_chosen_drm_hostname} \
- -drm_ssl_port ${tps_chosen_drm_ssl_port} \
+ -ca_issuance_url "${tps_chosen_ca_issuance_url}" \
+ -drm_agent_hostname ${tps_chosen_drm_agent_hostname} \
+ -drm_agent_port ${tps_chosen_drm_agent_port} \
+ -drm_admin_hostname ${tps_chosen_drm_admin_hostname} \
+ -drm_admin_port ${tps_chosen_drm_admin_port} \
+ -drm_server_side_keygen_url "${tps_chosen_drm_server_side_keygen_url}" \
-ss_keygen ${tps_ss_keygen} \
- -tks_hostname ${tps_chosen_tks_hostname} \
- -tks_ssl_port ${tps_chosen_tks_ssl_port} \
+ -tks_agent_hostname ${tps_chosen_tks_agent_hostname} \
+ -tks_agent_port ${tps_chosen_tks_agent_port} \
+ -tks_admin_hostname ${tps_chosen_tks_admin_hostname} \
+ -tks_admin_port ${tps_chosen_tks_admin_port} \
+ -tks_key_management_url "${tps_chosen_tks_key_management_url}" \
-client_certdb_dir ${pki_silent_security_database_repository} \
-client_certdb_pwd ${pki_silent_security_token_password} \
-client_token_name ${pki_silent_security_token_name} \
@@ -509,6 +624,7 @@
-agent_key_type ${tps_agent_key_type} \
-agent_cert_subject "${tps_agent_cert_subject}" \
-subsystem_name ${tps_subsystem_name} \
+ -ca_domain_url "${tps_instance_ca_domain_url}" \
-subsystem_key_type ${tps_key_type} \
-subsystem_key_size ${tps_key_curvename} \
-audit_signing_key_size 2048 \
Index: base/silent/templates/silent_ca_ip_port.template
===================================================================
--- base/silent/templates/silent_ca_ip_port.template (revision 2598)
+++ base/silent/templates/silent_ca_ip_port.template (working copy)
@@ -89,8 +89,8 @@
##
## 9180 - non-secure port (not role specific)
## 9701 - non-secure Tomcat port
-## 9443 - secure EE port
-## 9444 - secure Agent port
+## 9443 - secure Agent port
+## 9444 - secure EE port
## 9445 - secure Admin port
## 9446 - secure EE Client Auth port (not necessarily labeled)
##
@@ -102,7 +102,7 @@
## pki_ca_port_t tcp 9180, 9701, 9443, 9444, 9445
##
-## PKI CA ports
+## PKI CA ports (Security Domain)
pki_ca_admin_port=
## PKI Silent Security Database Variables
@@ -297,6 +297,20 @@
ca_ocsp_cert_subject_name="cn=OCSP\ Signing\ Certificate,o=${pki_security_domain_name}"
ca_server_cert_subject_name="cn=${pki_ca_ee_host},o=${pki_security_domain_name}"
ca_audit_signing_cert_subject_name="cn=CA\ Audit\ Signing\ Certificate,o=${pki_security_domain_name}"
+## URL to CA used to Issue Certificates for CA Instance Creation
+##
+## IMPORTANT: The CA referenced by this URL must reside within the
+## same security domain as this CA instance.
+##
+## NOTE: To pass in a value of an empty string, specify the value "empty"
+## instead of "" since ArgParser() throws away empty strings.
+##
+## This special "empty" string value may be specified for any of
+## the following variables:
+##
+## * ca_instance_ca_domain_url="empty"
+##
+ca_instance_ca_domain_url="empty"
@@ -518,6 +532,7 @@
-save_p12 ${ca_save_p12} \
-backup_pwd ${pki_ca_backup_password} \
-subsystem_name ${pki_ca_subsystem_name} \
+ -ca_domain_url "${ca_instance_ca_domain_url}" \
-token_name ${pki_ca_token_name} \
-token_pwd ${pki_ca_token_password} \
-ca_sign_cert_subject_name "${ca_sign_cert_subject_name}" \
Index: base/silent/templates/pki_silent.template
===================================================================
--- base/silent/templates/pki_silent.template (revision 2598)
+++ base/silent/templates/pki_silent.template (working copy)
@@ -137,6 +137,28 @@
pki_email_company=
pki_email_domain=
+##
+## TPS Variables
+##
+## IMPORTANT: The 'tps_ldap_auth_base_dn' should contain individual
+## comma separated 'dc=<component>' values for each
+## portion of the value returned by 'dnsdomainname' on
+## the machine which hosts the LDAP server.
+##
+## For example, if 'dnsdomain' returns 'foo.example.com',
+## then:
+##
+## tps_ldap_auth_base_dn="dc=foo,dc=example,dc=com"
+##
+## Using this example, the following command may be
+## executed to test for a valid base DN:
+##
+## /usr/bin/ldapsearch -x -h ${pki_ldap_host}
+## -p ${pki_ldap_port} -b 'dc=foo,dc=example,dc=com'
+## -s base 'objectclass=*'
+##
+tps_ldap_auth_base_dn="dc=${pki_email_company},dc=${pki_email_domain}"
+
## PKI Silent Admin Variables
## (e. g. - Import Admin Certificate into PKI Silent "browser" database)
pki_silent_admin_user=admin
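Review bot: The default on the added line `tps_ldap_auth_base_dn="dc=${pki_email_company},dc=${pki_email_domain}"` contradicts the comment placed above it: the comment requires one `dc=` component per label returned by `dnsdomainname`, but the default always yields exactly two, so a host whose DNS domain has three or more labels (the comment's own `foo.example.com` example) gets a base DN that does not exist and the suggested ldapsearch check fails. Either derive the default from the actual domain or leave it unset and state that it must be filled in before the TPS is configured. The comment is also inconsistent with itself, naming the command `dnsdomainname` on one line and `dnsdomain` in the example; the example should use the same command as the instruction.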
@@ -175,8 +197,8 @@
##
## *180 - non-secure port (not role specific)
## *701 - non-secure Tomcat port
-## *443 - secure EE port
-## *444 - secure Agent port
+## *443 - secure Agent port
+## *444 - secure EE port
## *445 - secure Admin port
##
## RA, TPS:
@@ -198,7 +220,7 @@
## pki_tps_port_t tcp 7890, 7888, 7889
##
-## CA ports
+## CA ports (Security Domain)
ca_nonssl_port=9180
ca_agent_port=9443
ca_ee_port=9444
@@ -232,8 +254,107 @@
tps_clientauth_port=7889
tps_nonclientauth_port=7890
+## URL to CA used to Issue Certificates for PKI Instance Creation
+##
+## * each 'hostname:port' must be a CA EE Hostname and CA EE Port
+## * referenced CA does not need to be a Security Domain (see CAVEAT)
+## * referenced CA must reside within the same security domain
+## as the associated PKI instance
+##
+## CAVEAT: If the chosen CA is a security domain:
+##
+## * all PKI subsystem certificates (including the
+## 'Subsystem' certificates) will be stored on this CA
+## * all PKI subsystem client 'Administration'
+## certificates will automatically be imported into
+## the NSS client security databases associated with
+## the 'pkisilent' invocation of each PKI subsystem
+## * the 'pkisilent' client security databases may be
+## used inside a firefox browser with no further
+## changes
+##
+## If the chosen CA is NOT a security domain:
+##
+## * all PKI subsystem certificates EXCEPT the
+## 'Subsystem' certificate will be stored on this CA;
+## the 'Subsystem' certificate will be stored on the
+## CA that is the security domain for this PKI
+## subsystem
+## * no non-CA PKI subsystem client 'Administration'
+## certificates will automatically be imported into
+## the NSS client security databases associated with
+## the 'pkisilent' invocation of each PKI subsystem;
+## import will fail with something similar to the
+## following message:
+##
+## ERROR: exception importing cert: Security
+## library failed to decode certificate
+## package: (-8183) security library:
+## improperly formatted DER-encoded
+## message.
+##
+## * in order to utilize the 'pkisilent' client
+## security databases inside a firefox browser, one
+## will need to manually import all 'Administration'
+## certificates for each of the non-CA PKI subsystems
+## stored in this non-security domain CA
+##
+## NOTE: To pass in a value of an empty string, specify the value "empty"
+## instead of "" since ArgParser() throws away empty strings.
+##
+## This special "empty" string value may be specified for any of
+## the following variables:
+##
+## * ca_instance_ca_domain_url="empty"
+## * kra_instance_ca_domain_url="empty"
+## * ocsp_instance_ca_domain_url="empty"
+## * tks_instance_ca_domain_url="empty"
+## * ra_chosen_ca_issuance_url="empty"
+## * ra_instance_ca_domain_url="empty"
+## * tps_chosen_ca_issuance_url="empty"
+## * tps_chosen_tks_key_management_url="empty"
+## * tps_chosen_drm_server_side_keygen_url="empty"
+## * tps_instance_ca_domain_url="empty"
+##
+kra_instance_ca_domain_url="https://${pki_security_domain_host}:${ca_ee_port}"
+ocsp_instance_ca_domain_url="https://${pki_security_domain_host}:${ca_ee_port}"
+ra_instance_ca_domain_url="https://${pki_security_domain_host}:${ca_ee_port}"
+
+tks_instance_ca_domain_url="https://${pki_security_domain_host}:${ca_ee_port}"
+
+tps_instance_ca_domain_url="https://${pki_security_domain_host}:${ca_ee_port}"
+
+## URL to CA used to Issue Certificates for Requests Submitted via PKI instance
+##
+## * each 'hostname:port' must be a CA EE Hostname and CA EE Port
+## * referenced CA does not need to be a Security Domain
+## * referenced CA must reside within the same security domain
+## as the associated PKI instance
+##
+ra_chosen_ca_issuance_url="https://${pki_security_domain_host}:${ca_ee_port}"
+
+tps_chosen_ca_issuance_url="https://${pki_security_domain_host}:${ca_ee_port}"
+
+## URL to TKS used for Key Management for TPS
+##
+## * each 'hostname:port' must be a TKS Agent Hostname and TKS Agent Port
+## * referenced TKS must reside within the same security domain
+## as the associated TPS instance
+##
+tps_chosen_tks_key_management_url="https://${pki_security_domain_host}:${tks_agent_port}"
+
+## URL to optional DRM used for Server-Side Keygen for TPS (tps_ss_keygen=true)
+##
+## * each 'hostname:port' must be a DRM Agent Hostname and DRM Agent Port
+## * referenced DRM must reside within the same security domain
+## as the associated TPS instance
+##
+tps_chosen_drm_server_side_keygen_url="https://${pki_security_domain_host}:${kra_agent_port}"
+
+
+
##############################################################################
## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ##
##############################################################################
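Review bot: The `"empty"` sentinel introduced in the NOTE block is a contract this template cannot enforce: every consumer of `-ca_domain_url`, `-ca_issuance_url`, `-tks_key_management_url` and `-drm_server_side_keygen_url` has to translate the literal string `empty` back into an absent value, and nothing in this hunk or in the invocations further down shows that translation, so a consumer that does not special-case it receives the bare string `empty` where it expects a URL. The comment should say which side performs that conversion, e.g. `## ("empty" is mapped back to an absent URL by the pkisilent consumer of each flag; it is not a valid value for any other tool)`, or the sentinel could be avoided by omitting the flag. Separately, `tps_chosen_drm_server_side_keygen_url` is described as an optional DRM tied to `tps_ss_keygen=true`, yet it defaults to a live URL, so a TPS configured with `tps_ss_keygen=false` is still handed a DRM endpoint; `"empty"` looks like the safer default for that variable.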
@@ -394,6 +515,10 @@
ca_ocsp_cert_subject_name="cn=OCSP\ Signing\ Certificate,o=${pki_security_domain_name}"
ca_server_cert_subject_name="cn=${pki_host},o=${pki_security_domain_name}"
ca_audit_signing_cert_subject_name="cn=CA\ Audit\ Signing\ Certificate,o=${pki_security_domain_name}"
+## URL to CA used to Issue Certificates for CA Instance Creation
+ca_instance_ca_domain_url="empty"
+## URL to External CA used to Issue Certificates for CA Instance Creation
+external_ca_domain_url="External CA"
## Optional CA Variables for creating a clone CA
##
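Review bot: `external_ca_domain_url="External CA"` is documented as a URL but holds a display label, and it is passed through the same `-ca_domain_url` flag in the (commented-out) external-CA invocations below that otherwise receive `https://host:port` values, so the consumer must recognise this exact string to behave differently. The comment should make that explicit, e.g. `## Sentinel, not a URL: the literal "External CA" selects the external-CA path; do not replace it with a hostname`. If the consumer matches on the string (inferred, the consumer is not in this patch), a typo here would silently turn the instance into an ordinary CA, which is worth stating next to the value.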
@@ -766,17 +891,20 @@
tps_chosen_ca_nonssl_port=${ca_nonssl_port}
tps_chosen_ca_ssl_port=${ca_ee_port}
tps_chosen_ca_admin_port=${ca_admin_port}
-tps_chosen_tks_hostname=${pki_host}
-tps_chosen_tks_ssl_port=${tks_ee_port}
-tps_chosen_drm_hostname=${pki_host}
-tps_chosen_drm_ssl_port=${kra_ee_port}
+tps_chosen_tks_agent_hostname=${pki_host}
+tps_chosen_tks_agent_port=${tks_agent_port}
+tps_chosen_tks_admin_hostname=${pki_host}
+tps_chosen_tks_admin_port=${tks_admin_port}
+tps_chosen_drm_agent_hostname=${pki_host}
+tps_chosen_drm_agent_port=${kra_agent_port}
+tps_chosen_drm_admin_hostname=${pki_host}
+tps_chosen_drm_admin_port=${kra_admin_port}
tps_agent_name="TPS\ Administrator\'s\ ${pki_security_domain_name}\ ID"
tps_agent_key_size=2048
tps_agent_key_type=rsa
tps_agent_cert_subject="cn=TPS\ Administrator,uid=admin,e=${pki_silent_admin_email},o=${pki_security_domain_name}"
tps_ldap_auth_host=localhost
tps_ldap_auth_port=389
-tps_ldap_auth_base_dn="dc=${pki_email_company},dc=${pki_email_domain}"
tps_base_dn="dc=${pki_host}-${tps_instance_name}"
tps_db_name="${pki_host}-${tps_instance_name}"
tps_key_size=2048
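Review bot: The new defaults `tps_chosen_drm_agent_hostname=${pki_host}` and `tps_chosen_tks_agent_hostname=${pki_host}` name a different host than the URL defaults added earlier in this file, `tps_chosen_drm_server_side_keygen_url="https://${pki_security_domain_host}:${kra_agent_port}"` and `tps_chosen_tks_key_management_url="https://${pki_security_domain_host}:${tks_agent_port}"`, although each pair describes the same DRM or TKS. On a deployment where the security-domain CA does not run on the host that runs the KRA and TKS, the hostname flags and the URL flags point the TPS at two different machines. Deriving the URLs from the hostname/port variables, e.g. `tps_chosen_drm_server_side_keygen_url="https://${tps_chosen_drm_agent_hostname}:${tps_chosen_drm_agent_port}"`, keeps them consistent; since the URL variables are currently assigned before the hostname variables, the assignments would have to be reordered for that to expand correctly.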
@@ -1105,6 +1233,7 @@
-save_p12 ${ca_save_p12} \
-backup_pwd ${ca_backup_password} \
-subsystem_name ${ca_subsystem_name} \
+ -ca_domain_url "${ca_instance_ca_domain_url}" \
-token_name ${ca_token_name} \
-token_pwd ${ca_token_password} \
-ca_sign_cert_subject_name "${ca_sign_cert_subject_name}" \
@@ -1173,6 +1302,7 @@
# -save_p12 ${ca_save_p12} \
# -backup_pwd ${ca_backup_password} \
# -subsystem_name ${ca_subsystem_name} \
+# -ca_domain_url "${ca_instance_ca_domain_url}" \
# -token_name ${ca_token_name} \
# -token_pwd ${ca_token_password} \
# -ca_sign_cert_subject_name "${ca_sign_cert_subject_name}" \
@@ -1239,6 +1369,7 @@
# -save_p12 ${ca_save_p12} \
# -backup_pwd ${ca_backup_password} \
# -subsystem_name ${ca_subsystem_name} \
+# -ca_domain_url "${external_ca_domain_url}" \
# -token_name ${ca_token_name} \
# -token_pwd ${ca_token_password} \
# -ca_sign_cert_subject_name "${ca_sign_cert_subject_name}" \
@@ -1311,6 +1442,7 @@
# -save_p12 ${ca_save_p12} \
# -backup_pwd ${ca_backup_password} \
# -subsystem_name ${ca_subsystem_name} \
+# -ca_domain_url "${external_ca_domain_url}" \
# -token_name ${ca_token_name} \
# -token_pwd ${ca_token_password} \
# -ca_sign_cert_subject_name "${ca_sign_cert_subject_name}" \
@@ -1381,6 +1513,7 @@
-agent_key_type ${kra_agent_key_type} \
-agent_cert_subject "${kra_agent_cert_subject}" \
-subsystem_name ${kra_subsystem_name} \
+ -ca_domain_url "${kra_instance_ca_domain_url}" \
-save_p12 ${kra_save_p12} \
-backup_pwd ${kra_backup_password} \
-drm_transport_cert_subject_name "${kra_transport_cert_subject_name}" \
@@ -1451,6 +1584,7 @@
# -agent_key_type ${kra_agent_key_type} \
# -agent_cert_subject "${kra_agent_cert_subject}" \
# -subsystem_name ${kra_subsystem_name} \
+# -ca_domain_url "${kra_instance_ca_domain_url}" \
# -save_p12 ${kra_save_p12} \
# -backup_pwd ${kra_backup_password} \
# -drm_transport_cert_subject_name "${kra_transport_cert_subject_name}" \
@@ -1524,6 +1658,7 @@
-agent_key_type ${ocsp_agent_key_type} \
-agent_cert_subject "${ocsp_agent_cert_subject}" \
-subsystem_name ${ocsp_subsystem_name} \
+ -ca_domain_url "${ocsp_instance_ca_domain_url}" \
-save_p12 ${ocsp_save_p12} \
-backup_pwd ${ocsp_backup_password} \
-ocsp_sign_cert_subject_name "${ocsp_sign_cert_subject_name}" \
@@ -1592,6 +1727,7 @@
-agent_key_type ${tks_agent_key_type} \
-agent_cert_subject "${tks_agent_cert_subject}" \
-subsystem_name ${tks_subsystem_name} \
+ -ca_domain_url "${tks_instance_ca_domain_url}" \
-save_p12 ${tks_save_p12} \
-backup_pwd ${tks_backup_password} \
-tks_subsystem_cert_subject_name "${tks_subsystem_cert_subject_name}" \
@@ -1636,6 +1772,7 @@
-ca_port ${ra_chosen_ca_nonssl_port} \
-ca_ssl_port ${ra_chosen_ca_ssl_port} \
-ca_admin_port ${ra_chosen_ca_admin_port} \
+ -ca_issuance_url ${ra_chosen_ca_issuance_url} \
-client_certdb_dir ${pki_silent_security_database_repository} \
-client_certdb_pwd ${pki_silent_security_token_password} \
-client_token_name ${pki_silent_security_token_name} \
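Review bot: `-ca_issuance_url ${ra_chosen_ca_issuance_url} \` is added unquoted, whereas every `-ca_domain_url "${...}"` in this file and the equivalent `-ca_issuance_url "${tps_chosen_ca_issuance_url}"` in the ECC TPS template earlier in this patch are quoted; the TPS invocation below (`-ca_issuance_url`, `-drm_server_side_keygen_url`, `-tks_key_management_url`) has the same unquoted form. Unquoted, a value containing a space is split into several arguments, and an empty variable drops the argument entirely so that `-ca_issuance_url` is immediately followed by `-client_certdb_dir`, which the argument parser may then take as the URL. Quote them consistently: `-ca_issuance_url "${ra_chosen_ca_issuance_url}" \`.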
@@ -1653,6 +1790,7 @@
-agent_key_type ${ra_agent_key_type} \
-agent_cert_subject "${ra_agent_cert_subject}" \
-subsystem_name ${ra_subsystem_name} \
+ -ca_domain_url "${ra_instance_ca_domain_url}" \
-ra_server_cert_nickname "${ra_server_cert_nickname}" \
-ra_server_cert_subject_name "${ra_server_cert_subject_name}" \
-ra_subsystem_cert_nickname "${ra_subsystem_cert_nickname}" \
@@ -1704,11 +1842,18 @@
-ca_port ${tps_chosen_ca_nonssl_port} \
-ca_ssl_port ${tps_chosen_ca_ssl_port} \
-ca_admin_port ${tps_chosen_ca_admin_port} \
- -drm_hostname ${tps_chosen_drm_hostname} \
- -drm_ssl_port ${tps_chosen_drm_ssl_port} \
+ -ca_issuance_url ${tps_chosen_ca_issuance_url} \
+ -drm_agent_hostname ${tps_chosen_drm_agent_hostname} \
+ -drm_agent_port ${tps_chosen_drm_agent_port} \
+ -drm_admin_hostname ${tps_chosen_drm_admin_hostname} \
+ -drm_admin_port ${tps_chosen_drm_admin_port} \
+ -drm_server_side_keygen_url ${tps_chosen_drm_server_side_keygen_url} \
-ss_keygen ${tps_ss_keygen} \
- -tks_hostname ${tps_chosen_tks_hostname} \
- -tks_ssl_port ${tps_chosen_tks_ssl_port} \
+ -tks_agent_hostname ${tps_chosen_tks_agent_hostname} \
+ -tks_agent_port ${tps_chosen_tks_agent_port} \
+ -tks_admin_hostname ${tps_chosen_tks_admin_hostname} \
+ -tks_admin_port ${tps_chosen_tks_admin_port} \
+ -tks_key_management_url ${tps_chosen_tks_key_management_url} \
-client_certdb_dir ${pki_silent_security_database_repository} \
-client_certdb_pwd ${pki_silent_security_token_password} \
-client_token_name ${pki_silent_security_token_name} \
@@ -1734,6 +1879,7 @@
-save_p12 ${tps_save_p12} \
-backup_pwd ${tps_backup_password} \
-subsystem_name ${tps_subsystem_name} \
+ -ca_domain_url "${tps_instance_ca_domain_url}" \
-ldap_auth_host ${tps_ldap_auth_host} \
-ldap_auth_port ${tps_ldap_auth_port} \
-ldap_auth_base_dn ${tps_ldap_auth_base_dn} \
Index: base/silent/templates/silentEC_kra.template
===================================================================
--- base/silent/templates/silentEC_kra.template (revision 2598)
+++ base/silent/templates/silentEC_kra.template (working copy)
@@ -174,8 +174,8 @@
##
## *180 - non-secure port (not role specific)
## *701 - non-secure Tomcat port
-## *443 - secure EE port
-## *444 - secure Agent port
+## *443 - secure Agent port
+## *444 - secure EE port
## *445 - secure Admin port
##
##
@@ -186,7 +186,7 @@
## pki_kra_port_t tcp 10180, 10701, 10443, 10444, 10445
##
-## CA ports
+## CA ports (Security Domain)
ca_nonssl_port=9180
ca_agent_port=9443
ca_ee_port=9444
@@ -198,7 +198,62 @@
kra_ee_port=10444
kra_admin_port=10445
+## URL to CA used to Issue Certificates for KRA Instance Creation
+##
+## * each 'hostname:port' must be a CA EE Hostname and CA EE Port
+## * referenced CA does not need to be a Security Domain (see CAVEAT)
+## * referenced CA must reside within the same security domain
+## as this KRA instance
+##
+## CAVEAT: If the chosen CA is a security domain:
+##
+## * all KRA subsystem certificates (including the
+## 'Subsystem' certificates) will be stored on this CA
+## * the KRA subsystem client 'Administration'
+## certificate will automatically be imported into
+## the NSS client security databases associated with
+## the 'pkisilent' invocation of this KRA subsystem
+## * the 'pkisilent' client security databases may be
+## used inside a firefox browser with no further
+## changes
+##
+## If the chosen CA is NOT a security domain:
+##
+## * all KRA subsystem certificates EXCEPT the KRA
+## 'Subsystem' certificate will be stored on this CA;
+## the KRA 'Subsystem' certificate will be stored on
+## the CA that is the security domain for this KRA
+## subsystem
+## * the KRA subsystem client 'Administration'
+## certificate will NOT automatically be imported into
+## the NSS client security databases associated with
+## the 'pkisilent' invocation of this KRA subsystem;
+## import will fail with something similar to the
+## following message:
+##
+## ERROR: exception importing cert: Security
+## library failed to decode certificate
+## package: (-8183) security library:
+## improperly formatted DER-encoded
+## message.
+##
+## * in order to utilize the 'pkisilent' client
+## security databases inside a firefox browser,
+## one will need to manually import the KRA
+## 'Administration' certificate for the KRA subsystem
+## stored in this non-security domain CA
+##
+## NOTE: To pass in a value of an empty string, specify the value "empty"
+## instead of "" since ArgParser() throws away empty strings.
+##
+## This special "empty" string value may be specified for any of
+## the following variables:
+##
+## * kra_instance_ca_domain_url="empty"
+##
+kra_instance_ca_domain_url="https://${pki_security_domain_host}:${ca_ee_port}"
+
##############################################################################
## U S E R - D E F I N E D V A R I A B L E S ( O P T I O N A L ) ##
##############################################################################
@@ -550,6 +605,7 @@
-agent_key_type ${kra_agent_key_type} \
-agent_cert_subject "${kra_agent_cert_subject}" \
-subsystem_name ${kra_subsystem_name} \
+ -ca_domain_url "${kra_instance_ca_domain_url}" \
-drm_transport_cert_subject_name "${kra_transport_cert_subject_name}" \
-drm_subsystem_cert_subject_name "${kra_subsystem_cert_subject_name}" \
-drm_storage_cert_subject_name "${kra_storage_cert_subject_name}" \
Index: base/ra/lib/perl/PKI/RA/CAInfoPanel.pm
===================================================================
--- base/ra/lib/perl/PKI/RA/CAInfoPanel.pm (revision 2598)
+++ base/ra/lib/perl/PKI/RA/CAInfoPanel.pm (working copy)
@@ -250,8 +250,8 @@
sub get_domain_xml
{
- my $ca_ee_host = $1;
- my $https_ee_port = $2;
+ my $ca_ee_host = $_[0];
+ my $https_ee_port = $_[1];
# get the domain xml
# e. g. - https://water.sfbay.redhat.com:9445/ca/admin/ca/getDomainXML
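Review bot: `my $ca_ee_host = $_[0];` / `my $https_ee_port = $_[1];` fixes the genuine bug of reading the regex captures `$1`/`$2` instead of the sub's arguments, but positional `$_[n]` reads are still easy to get out of step; the idiomatic `my ($ca_ee_host, $https_ee_port) = @_;` states the arity in one place and is how this fix is normally written. The same pattern recurs in the three-argument subs later in this file (get_secure_admin_port_from_domain_xml, get_secure_agent_port_from_domain_xml, get_admin_host_from_domain_xml, get_agent_host_from_domain_xml) and in the identical hunks of base/tps/lib/perl/PKI/TPS/CAInfoPanel.pm. The body of get_domain_xml continues outside the hunk.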
@@ -273,9 +273,9 @@
sub get_secure_admin_port_from_domain_xml
{
- my $content = $1;
- my $ca_ee_host = $2;
- my $https_ee_port = $3;
+ my $content = $_[0];
+ my $ca_ee_host = $_[1];
+ my $https_ee_port = $_[2];
# Retrieve the secure admin port corresponding
# to the selected EE host and secure ee port.
@@ -287,7 +287,7 @@
foreach my $c (@{$xml->{'CAList'}[0]->{'CA'}}) {
if( ( $ca_ee_host eq $c->{'Host'}[0] ) &&
( $https_ee_port eq $c->{'SecurePort'}[0] ) ) {
- $https_admin_port = https_$c->{'SecureAdminPort'}[0];
+ $https_admin_port = $c->{'SecureAdminPort'}[0];
last;
}
}
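Review bot: `$https_admin_port = $c->{'SecureAdminPort'}[0];` now copies the value straight out of the parsed domain XML (dropping the stray `https_` prefix is clearly right), but nothing in this hunk checks that the element actually holds a port number before it is returned and, presumably, embedded by the caller in a URL or command line. A guard such as `$https_admin_port = "" unless $https_admin_port =~ /^\d{1,5}$/;` would keep a malformed or empty `SecureAdminPort` from propagating, assuming the caller already treats an empty result as "not found"; the same applies to `SecureAgentPort`, `AdminHost` and `AgentHost` in the following hunks of this file and of the TPS CAInfoPanel.pm. The enclosing sub starts outside the hunk.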
@@ -297,9 +297,9 @@
sub get_secure_agent_port_from_domain_xml
{
- my $content = $1;
- my $ca_ee_host = $2;
- my $https_ee_port = $3;
+ my $content = $_[0];
+ my $ca_ee_host = $_[1];
+ my $https_ee_port = $_[2];
# Retrieve the secure agent port corresponding
# to the selected EE host and secure ee port.
@@ -311,7 +311,7 @@
foreach my $c (@{$xml->{'CAList'}[0]->{'CA'}}) {
if( ( $ca_ee_host eq $c->{'Host'}[0] ) &&
( $https_ee_port eq $c->{'SecurePort'}[0] ) ) {
- $https_agent_port = https_$c->{'SecureAgentPort'}[0];
+ $https_agent_port = $c->{'SecureAgentPort'}[0];
last;
}
}
@@ -321,9 +321,9 @@
sub get_admin_host_from_domain_xml
{
- my $content = $1;
- my $ca_ee_host = $2;
- my $https_ee_port = $3;
+ my $content = $_[0];
+ my $ca_ee_host = $_[1];
+ my $https_ee_port = $_[2];
# Retrieve the admin host corresponding
# to the selected EE host and secure ee port.
@@ -337,10 +337,10 @@
( $https_ee_port eq $c->{'SecurePort'}[0] ) ) {
if( $c->{'AdminHost'}[0] ne "" ) {
# IP Port Separation Schema
- $ca_admin_host = https_$c->{'AdminHost'}[0];
+ $ca_admin_host = $c->{'AdminHost'}[0];
} else {
# Port Separation Schema
- $ca_admin_host = https_$c->{'Host'}[0];
+ $ca_admin_host = $c->{'Host'}[0];
}
last;
}
@@ -352,9 +352,9 @@
sub get_agent_host_from_domain_xml
{
- my $content = $1;
- my $ca_ee_host = $2;
- my $https_ee_port = $3;
+ my $content = $_[0];
+ my $ca_ee_host = $_[1];
+ my $https_ee_port = $_[2];
# Retrieve the agent host corresponding
# to the selected EE host and secure ee port.
@@ -368,10 +368,10 @@
( $https_ee_port eq $c->{'SecurePort'}[0] ) ) {
if( $c->{'AgentHost'}[0] ne "" ) {
# IP Port Separation Schema
- $ca_agent_host = https_$c->{'AgentHost'}[0];
+ $ca_agent_host = $c->{'AgentHost'}[0];
} else {
# Port Separation Schema
- $ca_agent_host = https_$c->{'Host'}[0];
+ $ca_agent_host = $c->{'Host'}[0];
}
last;
}
Index: base/ra/lib/perl/PKI/RA/NamePanel.pm
===================================================================
--- base/ra/lib/perl/PKI/RA/NamePanel.pm (revision 2598)
+++ base/ra/lib/perl/PKI/RA/NamePanel.pm (working copy)
@@ -293,16 +293,26 @@
"auth_hostname=" . $sdom_url->host . "&" .
"auth_port=" . $sdom_url->port;
+ # NOTE: Must save the original values of '$ca_ee_host' and
+ # '$https_ee_port' because if 'subsystem' is not
+ # the last value specifed in 'CS.cfg::preop.cert.list',
+ # it was discovered that the following code was
+ # resetting these values for every value that follows.
+ my $sslget_ca_ee_host = "";
+ my $sslget_https_ee_port = "";
if ($certtag eq "subsystem") {
- $ca_ee_host = $sdom_url->host;
- $https_ee_port = $sdom_url->port;
+ $sslget_ca_ee_host = $sdom_url->host;
+ $sslget_https_ee_port = $sdom_url->port;
+ } else {
+ $sslget_ca_ee_host = $ca_ee_host;
+ $sslget_https_ee_port = $https_ee_port;
}
if ($changed eq "true") {
-$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_ee_host:$https_ee_port";
-$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_ee_host:$https_ee_port";
+$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $sslget_ca_ee_host:$sslget_https_ee_port";
+$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $sslget_ca_ee_host:$sslget_https_ee_port";
} else {
-$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_ee_host:$https_ee_port";
-$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_ee_host:$https_ee_port";
+$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $sslget_ca_ee_host:$sslget_https_ee_port";
+$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $sslget_ca_ee_host:$sslget_https_ee_port";
}
&PKI::RA::Wizard::debug_log("debug_req = " . $debug_req);
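Review bot: The rewritten `$req` lines still place the token or database password on the `sslget` command line (`-p \"$token_pwd\"`, `-p \"$db_password\"`), where it is typically readable by other local users through the process list for as long as the call runs; the redacted `$debug_req` copy shows the author already treats the value as sensitive for the log but not for the command itself. Since these lines are being touched, passing the password via a file or stdin if sslget supports it, or at least noting the exposure in a comment, would be appropriate. The new `$sslget_*` locals are the right fix for the clobbered `$ca_ee_host`; the explanatory comment has a typo, `specifed` → `specified`. The identical hunk in base/tps/lib/perl/PKI/TPS/NamePanel.pm has the same two points; how `$req` is executed is outside the hunk.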
Index: base/tps/lib/perl/PKI/TPS/CAInfoPanel.pm
===================================================================
--- base/tps/lib/perl/PKI/TPS/CAInfoPanel.pm (revision 2598)
+++ base/tps/lib/perl/PKI/TPS/CAInfoPanel.pm (working copy)
@@ -249,8 +249,8 @@
sub get_domain_xml
{
- my $ca_ee_host = $1;
- my $https_ee_port = $2;
+ my $ca_ee_host = $_[0];
+ my $https_ee_port = $_[1];
# get the domain xml
# e. g. - https://water.sfbay.redhat.com:9445/ca/admin/ca/getDomainXML
@@ -272,9 +272,9 @@
sub get_secure_admin_port_from_domain_xml
{
- my $content = $1;
- my $ca_ee_host = $2;
- my $https_ee_port = $3;
+ my $content = $_[0];
+ my $ca_ee_host = $_[1];
+ my $https_ee_port = $_[2];
# Retrieve the secure admin port corresponding
# to the selected EE host and secure ee port.
@@ -286,7 +286,7 @@
foreach my $c (@{$xml->{'CAList'}[0]->{'CA'}}) {
if( ( $ca_ee_host eq $c->{'Host'}[0] ) &&
( $https_ee_port eq $c->{'SecurePort'}[0] ) ) {
- $https_admin_port = https_$c->{'SecureAdminPort'}[0];
+ $https_admin_port = $c->{'SecureAdminPort'}[0];
last;
}
}
@@ -296,9 +296,9 @@
sub get_secure_agent_port_from_domain_xml
{
- my $content = $1;
- my $ca_ee_host = $2;
- my $https_ee_port = $3;
+ my $content = $_[0];
+ my $ca_ee_host = $_[1];
+ my $https_ee_port = $_[2];
# Retrieve the secure agent port corresponding
# to the selected EE host and secure ee port.
@@ -310,7 +310,7 @@
foreach my $c (@{$xml->{'CAList'}[0]->{'CA'}}) {
if( ( $ca_ee_host eq $c->{'Host'}[0] ) &&
( $https_ee_port eq $c->{'SecurePort'}[0] ) ) {
- $https_agent_port = https_$c->{'SecureAgentPort'}[0];
+ $https_agent_port = $c->{'SecureAgentPort'}[0];
last;
}
}
@@ -320,9 +320,9 @@
sub get_admin_host_from_domain_xml
{
- my $content = $1;
- my $ca_ee_host = $2;
- my $https_ee_port = $3;
+ my $content = $_[0];
+ my $ca_ee_host = $_[1];
+ my $https_ee_port = $_[2];
# Retrieve the admin host corresponding
# to the selected EE host and secure ee port.
@@ -336,10 +336,10 @@
( $https_ee_port eq $c->{'SecurePort'}[0] ) ) {
if( $c->{'AdminHost'}[0] ne "" ) {
# IP Port Separation Schema
- $ca_admin_host = https_$c->{'AdminHost'}[0];
+ $ca_admin_host = $c->{'AdminHost'}[0];
} else {
# Port Separation Schema
- $ca_admin_host = https_$c->{'Host'}[0];
+ $ca_admin_host = $c->{'Host'}[0];
}
last;
}
@@ -350,9 +350,9 @@
sub get_agent_host_from_domain_xml
{
- my $content = $1;
- my $ca_ee_host = $2;
- my $https_ee_port = $3;
+ my $content = $_[0];
+ my $ca_ee_host = $_[1];
+ my $https_ee_port = $_[2];
# Retrieve the agent host corresponding
# to the selected EE host and secure ee port.
@@ -366,10 +366,10 @@
( $https_ee_port eq $c->{'SecurePort'}[0] ) ) {
if( $c->{'AgentHost'}[0] ne "" ) {
# IP Port Separation Schema
- $ca_agent_host = https_$c->{'AgentHost'}[0];
+ $ca_agent_host = $c->{'AgentHost'}[0];
} else {
# Port Separation Schema
- $ca_agent_host = https_$c->{'Host'}[0];
+ $ca_agent_host = $c->{'Host'}[0];
}
last;
}
Index: base/tps/lib/perl/PKI/TPS/NamePanel.pm
===================================================================
--- base/tps/lib/perl/PKI/TPS/NamePanel.pm (revision 2598)
+++ base/tps/lib/perl/PKI/TPS/NamePanel.pm (working copy)
@@ -301,18 +301,28 @@
"auth_hostname=" . $sdom_url->host . "&" .
"auth_port=" . $sdom_url->port;
+ # NOTE: Must save the original values of '$ca_ee_host' and
+ # '$https_ee_port' because if 'subsystem' is not
+ # the last value specifed in 'CS.cfg::preop.cert.list',
+ # it was discovered that the following code was
+ # resetting these values for every value that follows.
+ my $sslget_ca_ee_host = "";
+ my $sslget_https_ee_port = "";
if ($certtag eq "subsystem") {
- $ca_ee_host = $sdom_url->host;
- $https_ee_port = $sdom_url->port;
+ $sslget_ca_ee_host = $sdom_url->host;
+ $sslget_https_ee_port = $sdom_url->port;
+ } else {
+ $sslget_ca_ee_host = $ca_ee_host;
+ $sslget_https_ee_port = $https_ee_port;
}
if ($changed eq "true") {
# nickname changed is true, using token passwd for calling sslget
-$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_ee_host:$https_ee_port";
-$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_ee_host:$https_ee_port";
+$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $sslget_ca_ee_host:$sslget_https_ee_port";
+$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $sslget_ca_ee_host:$sslget_https_ee_port";
} else {
# nickname changed is false, using internal passwd for calling sslget
-$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_ee_host:$https_ee_port";
-$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_ee_host:$https_ee_port";
+$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $sslget_ca_ee_host:$sslget_https_ee_port";
+$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $sslget_ca_ee_host:$sslget_https_ee_port";
}
&PKI::TPS::Wizard::debug_log("debug_req = " . $debug_req);