Skip to content

Commit

Permalink
Update test for CA cloning with replicated DS
Browse files Browse the repository at this point in the history
The test for CA cloning with replicated DS has been updated to
import the primary CA's system certs and keys into the secondary
CA's NSS database prior to running pkispawn so it's no longer
necessary to specify the PKCS #12 path and password for pkispawn.

The ConfigurationFile.verify_predefined_configuration_file_data()
and initialization.py have been modified such that the PKCS #12
path and password are no longer mandatory for cloning.
  • Loading branch information
edewata committed Dec 11, 2023
1 parent cbcf76a commit 24c2422
Show file tree
Hide file tree
Showing 3 changed files with 35 additions and 42 deletions.
51 changes: 31 additions & 20 deletions .github/workflows/ca-clone-replicated-ds-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,15 @@ jobs:
--pkcs12-password Secret.123
docker exec primary pki -n caadmin ca-user-show caadmin
- name: Export system certs and keys from primary CA
run: |
docker exec primary pki-server ca-clone-prepare \
--pkcs12-file $SHARED/ca-certs.p12 \
--pkcs12-password Secret.123
docker exec primary pki-server cert-export ca_signing \
--cert-file $SHARED/ca_signing.crt
- name: Set up secondary DS container
run: |
tests/bin/ds-container-create.sh secondaryds
Expand All @@ -80,6 +89,28 @@ jobs:
- name: Connect secondary DS container to network
run: docker network connect example secondaryds --alias secondaryds.example.com

- name: Set up secondary PKI container
run: |
tests/bin/runner-init.sh secondary
env:
HOSTNAME: secondary.example.com

- name: Connect secondary PKI container to network
run: docker network connect example secondary --alias secondary.example.com

- name: Create secondary PKI server
run: |
docker exec secondary pki-server create
docker exec secondary pki-server nss-create --no-password
- name: Import system certs and keys into secondary CA
run: |
docker exec secondary pki \
-d /etc/pki/pki-tomcat/alias \
pkcs12-import \
--pkcs12 $SHARED/ca-certs.p12 \
--password Secret.123
# https://github.com/dogtagpki/389-ds-base/wiki/Configuring-DS-Replication-with-DS-Tools
- name: Preparing DS backend
run: |
Expand Down Expand Up @@ -218,24 +249,6 @@ jobs:
diff primaryds.dn secondaryds.dn
- name: Export certs and keys from primary CA
run: |
docker exec primary pki-server ca-clone-prepare \
--pkcs12-file $SHARED/ca-certs.p12 \
--pkcs12-password Secret.123
docker exec primary pki-server cert-export ca_signing \
--cert-file $SHARED/ca_signing.crt
- name: Set up secondary PKI container
run: |
tests/bin/runner-init.sh secondary
env:
HOSTNAME: secondary.example.com

- name: Connect secondary PKI container to network
run: docker network connect example secondary --alias secondary.example.com

# https://github.com/dogtagpki/pki/wiki/Installing-CA-Clone-with-Existing-DS
- name: Install secondary CA
run: |
Expand All @@ -246,8 +259,6 @@ jobs:
-f /usr/share/pki/server/examples/installation/ca-clone.cfg \
-s CA \
-D pki_cert_chain_path=$SHARED/ca_signing.crt \
-D pki_clone_pkcs12_path=$SHARED/ca-certs.p12 \
-D pki_clone_pkcs12_password=Secret.123 \
-D pki_ds_url=ldap://secondaryds.example.com:3389 \
-D pki_ds_setup=False \
-v
Expand Down
10 changes: 0 additions & 10 deletions base/server/python/pki/server/deployment/pkihelper.py
Original file line number Diff line number Diff line change
Expand Up @@ -464,16 +464,6 @@ def verify_predefined_configuration_file_data(self):
self.confirm_data_exists("pki_https_port")
self.confirm_data_exists("pki_tomcat_server_port")

# Check clone parameters for non-HSM clone
if not config.str2bool(self.mdict['pki_hsm_enable']):

# If system certificates are already provided via
# pki_server_pkcs12, there's no need to provide
# pki_clone_pkcs12.
if not self.mdict['pki_server_pkcs12_path']:
self.confirm_data_exists("pki_clone_pkcs12_path")
self.confirm_file_exists("pki_clone_pkcs12_path")

self.confirm_data_exists("pki_clone_replication_security")

elif self.external:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -73,19 +73,11 @@ def verify_sensitive_data(self, deployer):

if configuration_file.clone:

# Verify existence of PKCS #12 Password (ONLY for non-HSM Clones)
if not config.str2bool(deployer.mdict['pki_hsm_enable']):

# If system certificates are already provided via
# pki_server_pkcs12, there's no need to provide
# pki_clone_pkcs12.
if not deployer.mdict['pki_server_pkcs12_path']:
configuration_file.confirm_data_exists('pki_clone_pkcs12_password')

# Verify absence of all PKCS #12 clone parameters for HSMs
elif (os.path.exists(deployer.mdict['pki_clone_pkcs12_path']) or
('pki_clone_pkcs12_password' in deployer.mdict and
len(deployer.mdict['pki_clone_pkcs12_password']))):
if config.str2bool(deployer.mdict['pki_hsm_enable']) and \
(os.path.exists(deployer.mdict['pki_clone_pkcs12_path']) or
('pki_clone_pkcs12_password' in deployer.mdict and
len(deployer.mdict['pki_clone_pkcs12_password']))):
logger.error(log.PKIHELPER_HSM_CLONES_MUST_SHARE_HSM_MASTER_PRIVATE_KEYS)
raise Exception(
log.PKIHELPER_HSM_CLONES_MUST_SHARE_HSM_MASTER_PRIVATE_KEYS)
Expand Down

0 comments on commit 24c2422

Please sign in to comment.