Relocate SSNv2 range objects for new CA instances

pkispawn has been modified to create ou=ranges subtree for SSNv1 and optionally ou=ranges_v2 subtree for SSNv2 if it's enabled for new CA instances. The pki-server <subsystem>-db-init and <subsystem>-range-update commands have been updated to use the proper subtree to store the range objects. Hard-coded subtrees in the create.ldif have been removed. Similar changes are made to KRA as well, but since there are no tests for KRA with SSNv2 it's not officially supported yet.
dogtagpki · Oct 31, 2024 · 23144cc · 23144cc
1 parent a02aeba
commit 23144cc
Show file tree

Hide file tree

Showing 13 changed files with 287 additions and 49 deletions.
diff --git a/base/ca/database/ds/create.ldif b/base/ca/database/ds/create.ldif
@@ -150,16 +150,6 @@ objectClass: top
 objectClass: organizationalUnit
 ou: replica
 
-dn: ou=requests, ou=ranges,{rootSuffix}
-objectClass: top
-objectClass: organizationalUnit
-ou: requests
-
-dn: ou=certificateRepository, ou=ranges,{rootSuffix}
-objectClass: top
-objectClass: organizationalUnit
-ou: certificateRepository
-
 dn: ou=certificateProfiles,ou=ca,{rootSuffix}
 objectClass: top
 objectClass: organizationalUnit

diff --git a/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CADBCLI.java b/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CADBCLI.java
@@ -24,7 +24,6 @@
 import org.dogtagpki.server.cli.SubsystemDBEmptyCLI;
 import org.dogtagpki.server.cli.SubsystemDBIndexCLI;
 import org.dogtagpki.server.cli.SubsystemDBInfoCLI;
-import org.dogtagpki.server.cli.SubsystemDBInitCLI;
 import org.dogtagpki.server.cli.SubsystemDBRemoveCLI;
 import org.dogtagpki.server.cli.SubsystemDBReplicationCLI;
 import org.dogtagpki.server.cli.SubsystemDBVLVCLI;
@@ -39,7 +38,7 @@ public CADBCLI(CLI parent) {
 
         addModule(new SubsystemDBInfoCLI(this));
         addModule(new SubsystemDBCreateCLI(this));
-        addModule(new SubsystemDBInitCLI(this));
+        addModule(new CADBInitCLI(this));
         addModule(new SubsystemDBEmptyCLI(this));
         addModule(new SubsystemDBRemoveCLI(this));
         addModule(new CADBUpgradeCLI(this));

diff --git a/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CADBInitCLI.java b/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CADBInitCLI.java
@@ -0,0 +1,38 @@
+//
+// Copyright Red Hat, Inc.
+//
+// SPDX-License-Identifier: GPL-2.0-or-later
+//
+package org.dogtagpki.server.ca.cli;
+
+import org.dogtagpki.cli.CLI;
+import org.dogtagpki.server.cli.SubsystemDBInitCLI;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.netscape.cmscore.apps.DatabaseConfig;
+import com.netscape.cmscore.dbs.CertificateRepository;
+import com.netscape.cmscore.dbs.Repository.IDGenerator;
+
+/**
+ * @author Endi S. Dewata
+ */
+public class CADBInitCLI extends SubsystemDBInitCLI {
+
+    public static Logger logger = LoggerFactory.getLogger(CADBInitCLI.class);
+
+    public CADBInitCLI(CLI parent) {
+        super("init", "Initialize CA database", parent);
+    }
+
+    @Override
+    public void init(DatabaseConfig dbConfig) throws Exception {
+
+        super.init(dbConfig);
+
+        String value = dbConfig.getString(
+                CertificateRepository.PROP_CERT_ID_GENERATOR,
+                CertificateRepository.DEFAULT_CERT_ID_GENERATOR);
+        serialIDGenerator = IDGenerator.fromString(value);
+    }
+}
diff --git a/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CARangeUpdateCLI.java b/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CARangeUpdateCLI.java
@@ -28,6 +28,17 @@ public CARangeUpdateCLI(CLI parent) {
         super(parent);
     }
 
+    @Override
+    public void init(DatabaseConfig dbConfig) throws Exception {
+
+        super.init(dbConfig);
+
+        String value = dbConfig.getString(
+                CertificateRepository.PROP_CERT_ID_GENERATOR,
+                CertificateRepository.DEFAULT_CERT_ID_GENERATOR);
+        serialIDGenerator = IDGenerator.fromString(value);
+    }
+
     @Override
     public void updateSerialNumberRange(
             PKISocketFactory socketFactory,
@@ -36,12 +47,7 @@ public void updateSerialNumberRange(
             DatabaseConfig dbConfig,
             String baseDN) throws Exception {
 
-        String value = dbConfig.getString(
-                CertificateRepository.PROP_CERT_ID_GENERATOR,
-                CertificateRepository.DEFAULT_CERT_ID_GENERATOR);
-        idGenerator = IDGenerator.fromString(value);
-
-        if (idGenerator == IDGenerator.RANDOM) {
+        if (serialIDGenerator == IDGenerator.RANDOM) {
             logger.info("No need to update certificate ID range");
             return;
         }

diff --git a/base/kra/database/ds/create.ldif b/base/kra/database/ds/create.ldif
@@ -107,13 +107,3 @@ objectClass: top
 objectClass: organizationalUnit
 ou: replica
 
-dn: ou=requests, ou=ranges,{rootSuffix}
-objectClass: top
-objectClass: organizationalUnit
-ou: requests
-
-dn: ou=keyRepository, ou=ranges,{rootSuffix}
-objectClass: top
-objectClass: organizationalUnit
-ou: certificateRepository
-
diff --git a/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRACLI.java b/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRACLI.java
@@ -20,7 +20,6 @@
 
 import org.dogtagpki.cli.CLI;
 import org.dogtagpki.server.cli.SDCLI;
-import org.dogtagpki.server.cli.SubsystemDBCLI;
 import org.dogtagpki.server.cli.SubsystemGroupCLI;
 import org.dogtagpki.server.cli.SubsystemUserCLI;
 
@@ -32,7 +31,7 @@ public class KRACLI extends CLI {
     public KRACLI(CLI parent) {
         super("kra", "KRA subsystem management commands", parent);
 
-        addModule(new SubsystemDBCLI(this));
+        addModule(new KRADBCLI(this));
         addModule(new SubsystemGroupCLI(this));
         addModule(new KRARangeCLI(this));
         addModule(new KRAIdCLI(this));

diff --git a/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRADBCLI.java b/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRADBCLI.java
@@ -0,0 +1,39 @@
+//
+// Copyright Red Hat, Inc.
+//
+// SPDX-License-Identifier: GPL-2.0-or-later
+//
+package org.dogtagpki.server.kra.cli;
+
+import org.dogtagpki.cli.CLI;
+import org.dogtagpki.server.cli.SubsystemDBAccessCLI;
+import org.dogtagpki.server.cli.SubsystemDBCreateCLI;
+import org.dogtagpki.server.cli.SubsystemDBEmptyCLI;
+import org.dogtagpki.server.cli.SubsystemDBIndexCLI;
+import org.dogtagpki.server.cli.SubsystemDBInfoCLI;
+import org.dogtagpki.server.cli.SubsystemDBRemoveCLI;
+import org.dogtagpki.server.cli.SubsystemDBReplicationCLI;
+import org.dogtagpki.server.cli.SubsystemDBUpgradeCLI;
+import org.dogtagpki.server.cli.SubsystemDBVLVCLI;
+
+/**
+ * @author Endi S. Dewata
+ */
+public class KRADBCLI extends CLI {
+
+    public KRADBCLI(CLI parent) {
+        super("db", "KRA database management commands", parent);
+
+        addModule(new SubsystemDBInfoCLI(this));
+        addModule(new SubsystemDBCreateCLI(this));
+        addModule(new KRADBInitCLI(this));
+        addModule(new SubsystemDBEmptyCLI(this));
+        addModule(new SubsystemDBRemoveCLI(this));
+        addModule(new SubsystemDBUpgradeCLI(this));
+
+        addModule(new SubsystemDBAccessCLI(this));
+        addModule(new SubsystemDBIndexCLI(this));
+        addModule(new SubsystemDBReplicationCLI(this));
+        addModule(new SubsystemDBVLVCLI(this));
+    }
+}
diff --git a/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRADBInitCLI.java b/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRADBInitCLI.java
@@ -0,0 +1,38 @@
+//
+// Copyright Red Hat, Inc.
+//
+// SPDX-License-Identifier: GPL-2.0-or-later
+//
+package org.dogtagpki.server.kra.cli;
+
+import org.dogtagpki.cli.CLI;
+import org.dogtagpki.server.cli.SubsystemDBInitCLI;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.netscape.cmscore.apps.DatabaseConfig;
+import com.netscape.cmscore.dbs.KeyRepository;
+import com.netscape.cmscore.dbs.Repository.IDGenerator;
+
+/**
+ * @author Endi S. Dewata
+ */
+public class KRADBInitCLI extends SubsystemDBInitCLI {
+
+    public static Logger logger = LoggerFactory.getLogger(KRADBInitCLI.class);
+
+    public KRADBInitCLI(CLI parent) {
+        super("init", "Initialize KRA database", parent);
+    }
+
+    @Override
+    public void init(DatabaseConfig dbConfig) throws Exception {
+
+        super.init(dbConfig);
+
+        String value = dbConfig.getString(
+                KeyRepository.PROP_KEY_ID_GENERATOR,
+                KeyRepository.DEFAULT_KEY_ID_GENERATOR);
+        serialIDGenerator = IDGenerator.fromString(value);
+    }
+}
diff --git a/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRARangeUpdateCLI.java b/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRARangeUpdateCLI.java
@@ -28,6 +28,17 @@ public KRARangeUpdateCLI(CLI parent) {
         super(parent);
     }
 
+    @Override
+    public void init(DatabaseConfig dbConfig) throws Exception {
+
+        super.init(dbConfig);
+
+       String value = dbConfig.getString(
+                KeyRepository.PROP_KEY_ID_GENERATOR,
+                KeyRepository.DEFAULT_KEY_ID_GENERATOR);
+        serialIDGenerator = IDGenerator.fromString(value);
+    }
+
     @Override
     public void updateSerialNumberRange(
             PKISocketFactory socketFactory,
@@ -36,12 +47,7 @@ public void updateSerialNumberRange(
             DatabaseConfig dbConfig,
             String baseDN) throws Exception {
 
-        String value = dbConfig.getString(
-                KeyRepository.PROP_KEY_ID_GENERATOR,
-                KeyRepository.DEFAULT_KEY_ID_GENERATOR);
-        IDGenerator idGenerator = IDGenerator.fromString(value);
-
-        if (idGenerator == IDGenerator.RANDOM) {
+        if (serialIDGenerator == IDGenerator.RANDOM) {
             logger.info("No need to update key ID range");
             return;
         }

diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
@@ -1186,7 +1186,6 @@ def configure_ca(self, subsystem):
             subsystem.set_config('dbs.requestIncrement', '10000000')  # decimal
             subsystem.set_config('dbs.requestLowWaterMark', '2000000')  # decimal
             subsystem.set_config('dbs.requestCloneTransferNumber', '10000')  # decimal
-            subsystem.set_config('dbs.requestRangeDN', 'ou=requests,ou=ranges')
 
             request_number_range_start = self.mdict.get('pki_request_number_range_start')
             if request_number_range_start:
@@ -1208,6 +1207,12 @@ def configure_ca(self, subsystem):
             if request_transfer:
                 subsystem.set_config('dbs.requestCloneTransferNumber', request_transfer)
 
+            if request_id_generator == 'legacy2':
+                request_dn = 'ou=requests,ou=ranges_v2'
+            else:
+                request_dn = 'ou=requests,ou=ranges'
+            subsystem.set_config('dbs.requestRangeDN', request_dn)
+
         cert_id_generator = self.mdict['pki_cert_id_generator']
 
         subsystem.set_config('dbs.cert.id.generator', cert_id_generator)
@@ -1221,7 +1226,6 @@ def configure_ca(self, subsystem):
             subsystem.set_config('dbs.serialIncrement', '10000000')  # hex
             subsystem.set_config('dbs.serialLowWaterMark', '2000000')  # hex
             subsystem.set_config('dbs.serialCloneTransferNumber', '10000')  # hex
-            subsystem.set_config('dbs.serialRangeDN', 'ou=certificateRepository,ou=ranges')
 
             if config.str2bool(self.mdict['pki_random_serial_numbers_enable']):
                 subsystem.set_config('dbs.enableRandomSerialNumbers', 'true')
@@ -1247,6 +1251,12 @@ def configure_ca(self, subsystem):
             if serial_transfer:
                 subsystem.set_config('dbs.serialCloneTransferNumber', serial_transfer)
 
+            if cert_id_generator == 'legacy2':
+                serial_dn = 'ou=certificateRepository,ou=ranges_v2'
+            else:
+                serial_dn = 'ou=certificateRepository,ou=ranges'
+            subsystem.set_config('dbs.serialRangeDN', serial_dn)
+
         replica_number_range_start = self.mdict.get('pki_replica_number_range_start')
         if replica_number_range_start:
             subsystem.set_config('dbs.beginReplicaNumber', replica_number_range_start)
@@ -1277,7 +1287,12 @@ def configure_kra(self, subsystem):
             subsystem.set_config('dbs.requestIncrement', '10000000')  # decimal
             subsystem.set_config('dbs.requestLowWaterMark', '2000000')  # decimal
             subsystem.set_config('dbs.requestCloneTransferNumber', '10000')  # decimal
-            subsystem.set_config('dbs.requestRangeDN', 'ou=requests,ou=ranges')
+
+            if request_id_generator == 'legacy2':
+                request_dn = 'ou=requests,ou=ranges_v2'
+            else:
+                request_dn = 'ou=requests,ou=ranges'
+            subsystem.set_config('dbs.requestRangeDN', request_dn)
 
         key_id_generator = self.mdict['pki_key_id_generator']
 
@@ -1292,7 +1307,12 @@ def configure_kra(self, subsystem):
             subsystem.set_config('dbs.serialIncrement', '10000000')  # hex
             subsystem.set_config('dbs.serialLowWaterMark', '2000000')  # hex
             subsystem.set_config('dbs.serialCloneTransferNumber', '10000')  # hex
-            subsystem.set_config('dbs.serialRangeDN', 'ou=keyRepository,ou=ranges')
+
+            if key_id_generator == 'legacy2':
+                serial_dn = 'ou=keyRepository,ou=ranges_v2'
+            else:
+                serial_dn = 'ou=keyRepository,ou=ranges'
+            subsystem.set_config('dbs.serialRangeDN', serial_dn)
 
         if config.str2bool(self.mdict['pki_kra_ephemeral_requests']):
             logger.debug('Setting ephemeral requests to true')

diff --git a/base/server/src/main/java/com/netscape/cms/servlet/csadmin/LDAPConfigurator.java b/base/server/src/main/java/com/netscape/cms/servlet/csadmin/LDAPConfigurator.java
@@ -238,6 +238,18 @@ public LDAPEntry getEntry(String dn) throws Exception {
         }
     }
 
+    public void createEntry(String dn, String[] objectClasses) throws Exception {
+
+        logger.info("Adding " + dn);
+
+        LDAPAttributeSet attrs = new LDAPAttributeSet();
+        attrs.add(new LDAPAttribute("objectClass", objectClasses));
+
+        LDAPEntry entry = new LDAPEntry(dn, attrs);
+
+        connection.add(entry);
+    }
+
     public void validateDatabaseOwnership(String database, String baseDN) throws Exception {
 
         logger.info("Validating database " + database + " is owned by " + baseDN);