Add est to pkispawn
This initial commit adds EST configuration for deployment in an instance with an existing CA.

Currently, several steps that may be required are still skipped, such as
creating initial users, reporting the status, etc.

The final installation is compliant with the page:
https://github.com/dogtagpki/pki/blob/master/docs/installation/est/Installing_EST.md
fmarco76 committed Sep 6, 2024
1 parent 7f86116 commit dfb98e1
Showing 23 changed files with 290 additions and 20 deletions.
2 changes: 1 addition & 1 deletion base/ca/database/ds/acl.ldif
Expand Up @@ -6,7 +6,7 @@ resourceACLS: certServer.general.configuration:read,modify,delete:allow (read) g
resourceACLS: certServer.policy.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents and auditors are allowed to read policy configuration but only administrators allowed to modify
resourceACLS: certServer.acl.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents and auditors are allowed to read ACL configuration but only administrators allowed to modify
resourceACLS: certServer.log.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents";allow (modify) group="Administrators":Administrators, Agents, and auditors are allowed to read the log configuration but only administrators are allowed to modify
resourceACLS: certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml
resourceACLS: certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" || group="Enterprise EST Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml
resourceACLS: certServer.log.configuration.fileName:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" ;deny (modify) user=anybody:Nobody is allowed to modify a fileName parameter
#resourceACLS: certServer.log.configuration.signedAudit.expirationTime:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents";deny (modify) user=anybody:Nobody is allowed to modify an expirationTime parameter.
resourceACLS: certServer.log.content.signedAudit:read:allow (read) group="Auditors":Only auditor is allowed to read the signed audit log
6 changes: 6 additions & 0 deletions base/ca/database/ds/create.ldif
Expand Up @@ -93,6 +93,12 @@ objectClass: groupOfUniqueNames
cn: Enterprise TPS Administrators
description: People who are the administrators for the security domain for TPS

dn: cn=Enterprise EST Administrators,ou=groups,{rootSuffix}
objectClass: top
objectClass: groupOfUniqueNames
cn: Enterprise EST Administrators
description: People who are the administrators for the security domain for EST

dn: ou=requests,{rootSuffix}
objectClass: top
objectClass: organizationalUnit
Expand Up @@ -3,7 +3,7 @@ visible=false
enable=true
enableBy=admin
auth.instance_id=TokenAuth
authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" || group="Enterprise EST Administrators"
name=Audit Signing Certificate Enrollment
input.list=i1,i2
input.i1.class_id=certReqInputImpl
Expand Up @@ -3,7 +3,7 @@ visible=false
enable=true
enableBy=admin
auth.instance_id=TokenAuth
authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" || group="Enterprise EST Administrators"
name=Security Domain DRM storage Certificate Enrollment
input.list=i1,i2
input.i1.class_id=certReqInputImpl
2 changes: 1 addition & 1 deletion base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg
Expand Up @@ -3,7 +3,7 @@ visible=false
enable=true
enableBy=admin
auth.instance_id=TokenAuth
authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" || group="Enterprise EST Administrators"
name=Security Domain OCSP Manager Signing Certificate Enrollment
input.list=i1,i2
input.i1.class_id=certReqInputImpl
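Review bot: `Enterprise EST Administrators` is now allowed to enroll through the OCSP signing profile, and the same group is added to the transport and DRM storage profiles elsewhere in this commit, while the EST subsystem's own CS.cfg only ever requests `caInternalAuthServerCert`, `caInternalAuthSubsystemCert` and `caInternalAuthAuditSigningCert`. This mirrors the existing pattern where every enterprise admin group appears on every security-domain profile, but it grants EST admins the ability to obtain OCSP signing and KRA transport/storage certificates they never need; consider limiting the new group to the three profiles EST uses, or state in the commit message why the broader grant is intended.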
2 changes: 1 addition & 1 deletion base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
Expand Up @@ -3,7 +3,7 @@ visible=false
enable=true
enableBy=admin
auth.instance_id=TokenAuth
authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" || group="Enterprise EST Administrators"
name=Security Domain Server Certificate Enrollment
input.list=i1,i2
input.i1.class_id=certReqInputImpl
2 changes: 1 addition & 1 deletion base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg
Expand Up @@ -3,7 +3,7 @@ visible=false
enable=true
enableBy=admin
auth.instance_id=TokenAuth
authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" || group="Enterprise EST Administrators"
name=Security Domain Subsystem Certificate Enrollment
input.list=i1,i2
input.i1.class_id=certReqInputImpl
2 changes: 1 addition & 1 deletion base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg
Expand Up @@ -3,7 +3,7 @@ visible=false
enable=true
enableBy=admin
auth.instance_id=TokenAuth
authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" || group="Enterprise EST Administrators"
name=Security Domain Data Recovery Manager Transport Certificate Enrollment
input.list=i1,i2
input.i1.class_id=certReqInputImpl
2 changes: 2 additions & 0 deletions base/est/CMakeLists.txt
@@ -1,5 +1,7 @@
project(est NONE)

add_subdirectory(shared/conf)

javac(pki-est-classes
SOURCES
src/main/java/*.java
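--- a/base/est/shared/conf/CMakeLists.txt
+++ b/base/est/shared/conf/CMakeLists.txt
@@ -0,0 +1,8 @@
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/CS.cfg ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg @ONLY)
+
+install(
+FILES
+${CMAKE_CURRENT_BINARY_DIR}/CS.cfg
+DESTINATION
+${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf
+)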
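--- a/base/est/shared/conf/CS.cfg
+++ b/base/est/shared/conf/CS.cfg
@@ -0,0 +1,14 @@
+_000=##
+_001=## Enrollment over Secure Transport (EST) Configuration File
+_002=##
+est.cert.list=sslserver,subsystem,audit_signing
+est.cert.sslserver.certusage=SSLServer
+est.cert.subsystem.certusage=SSLClient
+est.cert.audit_signing.certusage=ObjectSigner
+preop.cert.list=sslserver,subsystem,audit_signing
+preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert
+preop.cert.sslserver.profile=caInternalAuthServerCert
+preop.cert.subsystem.profile=caInternalAuthSubsystemCert
+preop.cert.admin.profile=adminCert.profile
+preop.module.token=Internal Key Storage Token
+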
23 changes: 23 additions & 0 deletions base/est/webapps/est/index.jsp
@@ -0,0 +1,23 @@
<!-- --- BEGIN COPYRIGHT BLOCK ---
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Copyright (C) 2007 Red Hat, Inc.
All rights reserved.
--- END COPYRIGHT BLOCK --- -->
<html>
<head>
</head>
<body>
</body>
</html>
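Review bot: The new file carries `Copyright (C) 2007 Red Hat, Inc.` although it is created in this 2024 commit; the year should be the creation year. The page is an empty HTML skeleton with no title or body content, so a one-line comment stating why it exists (presumably so the EST webapp has a document root for Tomcat to serve — confirm) would save the next reader a search.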
30 changes: 30 additions & 0 deletions base/server/etc/default.cfg
Expand Up @@ -589,3 +589,33 @@ pki_import_shared_secret=False
pki_share_db=True
pki_share_dbuser_dn=uid=pkidbuser,ou=people,%(pki_ds_base_dn)s
pki_source_phone_home_xml=/usr/share/pki/%(pki_subsystem_type)s/conf/phoneHome.xml


###############################################################################
## EST Configuration: ##
## ##
## Values in this section are common to PKI EST subsystems, and contain ##
## required information which MAY be overridden by users as necessary. ##
###############################################################################
[EST]
pki_realm_config=True
pki_import_admin_cert=True
pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
pki_admin_name=%(pki_admin_uid)s
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
pki_admin_uid=estadmin
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s EST
pki_audit_signing_subject_dn=cn=EST Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
pki_ds_base_dn=o=%(pki_instance_name)s-EST
pki_ds_database=%(pki_instance_name)s-EST
pki_ds_hostname=%(pki_hostname)s
pki_subsystem_name=EST %(pki_hostname)s %(pki_https_port)s
pki_ca_uri=https://%(pki_hostname)s:%(pki_https_port)s
pki_share_db=True
pki_share_dbuser_dn=uid=pkidbuser,ou=people,%(pki_ds_base_dn)s
pki_est_ca_profile=estServiceCert
pki_est_ca_user=
pki_est_ca_password=
pki_est_ca_certificate=%(pki_subsystem_nickname)s
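Review bot: `pki_ca_uri` defaults to the EST instance's own `pki_hostname`/`pki_https_port`, yet the commit targets deployment against an existing CA, so a CA on another host or port silently gets the wrong URL unless the operator overrides it; a comment such as `# URL of the issuing CA; override when the CA is not co-located in this instance` above that line would make the requirement visible. `pki_est_ca_user`/`pki_est_ca_password` are blank by default and `pki_est_ca_certificate` points at the subsystem cert, which suggests certificate authentication to the CA is the default; that only works once the subsystem cert is registered as a CA user allowed to use the `estServiceCert` profile, a step the commit description says is still skipped, so document that prerequisite next to these keys. `pki_est_ca_password` is a secret and should be handled like the other password keys in this file (masked in logs, not echoed); I cannot tell from here whether pkispawn derives that masking from the key name, so it is worth checking.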

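--- a/base/server/examples/installation/est.cfg
+++ b/base/server/examples/installation/est.cfg
@@ -0,0 +1,26 @@
+[DEFAULT]
+pki_server_database_password=Secret.123
+
+[EST]
+pki_admin_email[email protected]
+pki_admin_name=estadmin
+pki_admin_nickname=estadmin
+pki_admin_password=Secret.123
+pki_admin_uid=estadmin
+
+pki_admin_setup=False
+pki_realm_config=True
+
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=est,dc=pki,dc=example,dc=com
+pki_ds_database=est
+pki_ds_password=Secret.123
+
+pki_security_domain_name=EXAMPLE
+pki_security_domain_user=caadmin
+pki_security_domain_password=Secret.123
+
+pki_audit_signing_nickname=est_audit_signing
+pki_sslserver_nickname=sslserver
+pki_subsystem_nickname=subsystem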
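Review bot: The example never sets `pki_ca_uri`, `pki_est_ca_user`/`pki_est_ca_password` or `pki_est_ca_profile`, so with the defaults from default.cfg it enrolls against `https://<this-host>:<this-port>` using the subsystem certificate, which only matches the "existing CA" scenario when the CA lives in the same instance. Add a commented `#pki_ca_uri=https://ca.example.com:8443` line and a comment naming the CA-side user/profile setup the subsystem certificate needs, so the example is usable as-is against a separate CA. The `pki_admin_email` value also appears mangled in the rendered page; confirm the committed file holds a real address.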
2 changes: 1 addition & 1 deletion base/server/python/pki/server/__init__.py
Expand Up @@ -55,7 +55,7 @@
ETC_SYSTEMD_DIR = '/etc/systemd'
LIB_SYSTEMD_DIR = '/lib/systemd'

SUBSYSTEM_TYPES = ['ca', 'kra', 'ocsp', 'tks', 'tps']
SUBSYSTEM_TYPES = ['ca', 'kra', 'ocsp', 'tks', 'tps', 'est']

DEFAULT_DIR_MODE = 0o0770
DEFAULT_FILE_MODE = 0o0660
47 changes: 45 additions & 2 deletions base/server/python/pki/server/deployment/__init__.py
Expand Up @@ -3615,7 +3615,7 @@ def setup_system_certs(self, nssdb, subsystem):
# For external/standalone KRA/OCSP/TKS/TPS case, all system certs will be provided.
# No system certs will be generated including the SSL server cert.

if subsystem.type in ['KRA', 'OCSP', 'TKS', 'TPS'] and external:
if subsystem.type in ['KRA', 'OCSP', 'TKS', 'TPS', 'EST'] and external:
continue

request = self.create_cert_setup_request(subsystem, tag, system_cert)
Expand Down Expand Up @@ -4071,7 +4071,8 @@ def setup_admin_user(self, subsystem, cert_data):
'Enterprise RA Administrators',
'Enterprise TKS Administrators',
'Enterprise OCSP Administrators',
'Enterprise TPS Administrators'
'Enterprise TPS Administrators',
'Enterprise EST Administrators'
])

elif subsystem.type == 'KRA':
Expand Down Expand Up @@ -4968,6 +4969,45 @@ def finalize_tps(self, subsystem):
logger.info('Setting up shared secret')
self.setup_shared_secret(subsystem)

def finalize_est(self, subsystem):
if config.str2bool(self.mdict['pki_realm_config']):
logger.info('Configuring EST Realm')
realm_config = {
'class': 'com.netscape.cms.realm.PKILDAPRealm',
'url': self.mdict['pki_ds_url'],
'authType': 'BasicAuth',
'bindDN': self.mdict['pki_ds_bind_dn'],
'bindPassword': self.mdict['pki_ds_password'],
'usersDN': 'ou=people,{}'.format(self.mdict['pki_ds_base_dn']),
'groupsDN': 'ou=groups,{}'.format(self.mdict['pki_ds_base_dn'])
}
subsystem.add_realm(realm_config)
backend_config = {
'class': 'org.dogtagpki.est.DogtagRABackend',
'url': self.mdict['pki_ca_uri'],
'profile': self.mdict['pki_est_ca_profile'],
'username': self.mdict['pki_est_ca_user'],
'password': self.mdict['pki_est_ca_password'],
'passwordFile': self.mdict['pki_est_ca_password'],
'nickname': self.mdict['pki_est_ca_certificate']
}
subsystem.add_backend(backend_config)
est_auth_exec = '''#!/usr/bin/python3
import json, sys
ALLOWED_ROLE = 'estclient'
obj = json.loads(sys.stdin.read())
if not ALLOWED_ROLE in obj['authzData']['principal']['roles']:
print(f'Principal does not have required role {ALLOWED_ROLE!r}')
sys.exit(1)'''
with open('/usr/local/libexec/estauthz', 'w', ) as auth_exec:
auth_exec.write(est_auth_exec)
os.chmod("/usr/local/libexec/estauthz", 0o755)
authorizer_config = {
'class': 'org.dogtagpki.est.ExternalProcessRequestAuthorizer',
'executable': '/usr/local/libexec/estauthz'
}
subsystem.add_authorizer(authorizer_config)

def finalize_subsystem(self, subsystem):

if subsystem.type == 'CA':
Expand All @@ -4985,6 +5025,9 @@ def finalize_subsystem(self, subsystem):
if subsystem.type == 'TPS':
self.finalize_tps(subsystem)

if subsystem.type == 'EST':
self.finalize_est(subsystem)

# save EC type for sslserver cert (if present)
ec_type = subsystem.config.get('preop.cert.sslserver.ec.type', 'ECDHE')
subsystem.set_config('jss.ssl.sslserver.ectype', ec_type)
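Review bot: In `finalize_est` the backend config sets `'passwordFile': self.mdict['pki_est_ca_password']`, so the same deployment value is handed to the backend both as the password and as the path of a password file, and whichever key the backend reads, one of the two is wrong; either drop the `passwordFile` entry or back it with its own deployment parameter so a file path can be supplied instead of a plaintext password. The authorizer script is written to the fixed path `/usr/local/libexec/estauthz` with `open(..., 'w')` and silently replaces whatever is already there — an operator's customised authorizer, or the script belonging to another EST instance on the same host — so it should go under the instance's own configuration directory, or the write should be skipped (and logged) when the file exists. The hard-coded `ALLOWED_ROLE = 'estclient'` inside that string literal is the entire policy the generated authorizer enforces, which deserves a module-level constant and a mention in the installation docs rather than being buried in the script text. The rendered page loses indentation, so I cannot tell whether the backend and authorizer setup is nested under `if config.str2bool(self.mdict['pki_realm_config'])`; if it is, an EST install with `pki_realm_config=False` ends up with no backend configured at all.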
6 changes: 3 additions & 3 deletions base/server/python/pki/server/deployment/pkiconfig.py
Expand Up @@ -36,13 +36,13 @@
PKI_DEPLOYMENT_DEFAULT_UID = 17
PKI_DEPLOYMENT_DEFAULT_USER = "pkiuser"

PKI_SUBSYSTEMS = ["CA", "KRA", "OCSP", "TKS", "TPS"]
PKI_SUBSYSTEMS = ["CA", "KRA", "OCSP", "TKS", "TPS", "EST"]
PKI_BASE_RESERVED_NAMES = ["alias", "bin", "ca", "common", "conf", "kra",
"lib", "logs", "ocsp", "temp", "tks", "tps",
"webapps", "work"]
"est", "webapps", "work"]
PKI_CONFIGURATION_RESERVED_NAMES = ["CA", "java", "nssdb", "rpm-gpg",
"rsyslog", "tls"]
PKI_TOMCAT_REGISTRY_RESERVED_NAMES = ["ca", "kra", "ocsp", "tks", "tps"]
PKI_TOMCAT_REGISTRY_RESERVED_NAMES = ["ca", "kra", "ocsp", "tks", "tps", "est"]

PKI_DEPLOYMENT_INTERRUPT_BANNER = "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+"\
"-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-"
2 changes: 1 addition & 1 deletion base/server/python/pki/server/deployment/pkiparser.py
Expand Up @@ -297,7 +297,7 @@ def __init__(self, description, epilog, deployer=None):
nargs=1, choices=config.PKI_SUBSYSTEMS,
metavar='<subsystem>',
help='where <subsystem> is '
'CA, KRA, OCSP, TKS, or TPS')
'CA, KRA, OCSP, TKS, TPS or EST')
self.optional.add_argument(
'-h', '--help',
dest='help', action='help',
Expand Up @@ -84,7 +84,8 @@ def spawn(self, deployer):
if clone:
deployer.request_ranges(subsystem)

deployer.setup_database(subsystem, master_config)
if subsystem.type != 'EST' or config.str2bool(deployer.mdict['pki_realm_config']):
deployer.setup_database(subsystem, master_config)

if not clone and subsystem.type == 'CA':
subsystem.import_profiles(
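Review bot: The new guard on `setup_database` encodes a rule that is not obvious from the condition itself — EST needs a directory database only when it hosts its own LDAP realm — and a reader of this hunk has to reconstruct that from `finalize_est`; add `# EST only needs a DS database when pki_realm_config is set (the realm lives in it)` above the `if`. `spawn` begins before the hunk, so I cannot see whether an earlier step already assumes the database exists for EST.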
@@ -1,3 +1,4 @@

# Authors:
# Matthew Harmsen <[email protected]>
#
15 changes: 12 additions & 3 deletions base/server/python/pki/server/pkispawn.py
Expand Up @@ -190,8 +190,8 @@ def main(argv):
parser.indent = 0

deployer.subsystem_type = parser.read_text(
'Subsystem (CA/KRA/OCSP/TKS/TPS)',
options=['CA', 'KRA', 'OCSP', 'TKS', 'TPS'],
'Subsystem (CA/KRA/OCSP/TKS/TPS/EST)',
options=['CA', 'KRA', 'OCSP', 'TKS', 'TPS', 'EST'],
default='CA', case_sensitive=False).upper()
print()
else:
Expand Down Expand Up @@ -668,6 +668,9 @@ def main(argv):
elif deployer.subsystem_type == 'TPS':
print_tps_step_one_information(parser.mdict, deployer.instance)

elif deployer.subsystem_type == 'EST':
print_est_step_one_information(parser.mdict, deployer.instance)

else:
print_final_install_information(parser.mdict, deployer.instance)

Expand All @@ -681,7 +684,7 @@ def validate_user_deployment_cfg(user_deployment_cfg):
line = line.strip()
if not line.startswith('['):
continue
if line not in ['[DEFAULT]', '[Tomcat]', '[CA]', '[KRA]', '[OCSP]', '[TKS]', '[TPS]']:
if line not in ['[DEFAULT]', '[Tomcat]', '[CA]', '[KRA]', '[OCSP]', '[TKS]', '[TPS]', '[EST]']:
raise Exception('Invalid deployment configuration section: %s' % line)


Expand Down Expand Up @@ -906,6 +909,12 @@ def print_tps_step_one_information(mdict, instance):
print(log.PKI_RUN_INSTALLATION_STEP_TWO)
print(log.PKI_SPAWN_INFORMATION_FOOTER)

def print_tps_step_one_information(mdict, instance):

print(log.PKI_SPAWN_INFORMATION_HEADER)
print("TO BE COMPLETED")
print(log.PKI_RUN_INSTALLATION_STEP_TWO)
print(log.PKI_SPAWN_INFORMATION_FOOTER)

def print_skip_configuration_information(mdict, instance):

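Review bot: The new function at the end of the hunk is named `print_tps_step_one_information`, the same as the existing TPS function immediately above it, while the dispatch added earlier in the hunk calls `print_est_step_one_information`. Because the second `def` rebinds the name at import time, a TPS step-one install now prints "TO BE COMPLETED" instead of the TPS instructions, and an EST install raises `NameError` when it reaches the new `elif`. Rename it to `def print_est_step_one_information(mdict, instance):`, and replace the placeholder text with the CA-side steps (user and profile setup) that the commit message says are still missing, so the operator is told what step two actually requires. `main` starts before the hunk.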