Clean up default security domain params

The default security domain params in CS.cfg have been moved into PKIDeployer.setup_security_domain_manager() such that they will be added only if security domain setup is enabled in pkispawn.
dogtagpki · Dec 5, 2023 · 370fb9b · 370fb9b
1 parent f793f0a
commit 370fb9b
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 20 deletions.
diff --git a/.github/workflows/kra-standalone-test.yml b/.github/workflows/kra-standalone-test.yml
@@ -60,15 +60,9 @@ jobs:
 
       - name: Check CA security domain
         run: |
-          # security domain should be disabled (i.e. no securitydomain.select=new)
-          cat > expected << EOF
-          securitydomain.checkIP=false
-          securitydomain.checkinterval=300000
-          securitydomain.flushinterval=86400000
-          securitydomain.source=ldap
-          EOF
+          # security domain should be disabled
           docker exec ca pki-server ca-config-find | grep ^securitydomain. | sort | tee actual
-          diff expected actual
+          diff /dev/null actual
 
           docker exec ca pki-server cert-export ca_signing --cert-file ${SHARED}/ca_signing.crt
           docker exec ca pki client-cert-import ca_signing --ca-cert ${SHARED}/ca_signing.crt

diff --git a/.github/workflows/ocsp-standalone-test.yml b/.github/workflows/ocsp-standalone-test.yml
@@ -61,15 +61,9 @@ jobs:
 
       - name: Check CA security domain
         run: |
-          # security domain should be disabled (i.e. no securitydomain.select=new)
-          cat > expected << EOF
-          securitydomain.checkIP=false
-          securitydomain.checkinterval=300000
-          securitydomain.flushinterval=86400000
-          securitydomain.source=ldap
-          EOF
+          # security domain should be disabled
           docker exec ca pki-server ca-config-find | grep ^securitydomain. | sort | tee actual
-          diff expected actual
+          diff /dev/null actual
 
           docker exec ca pki-server cert-export ca_signing --cert-file ${SHARED}/ca_signing.crt
           docker exec ca pki client-cert-import ca_signing --ca-cert ${SHARED}/ca_signing.crt

diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
@@ -13,10 +13,6 @@ authType=pwd
 admin.interface.uri=ca/admin/console/config/wizard
 ee.interface.uri=ca/ee/ca
 agent.interface.uri=ca/agent/ca
-securitydomain.checkIP=false
-securitydomain.flushinterval=86400000
-securitydomain.source=ldap
-securitydomain.checkinterval=300000
 machineName=[pki_hostname]
 instanceId=[pki_instance_name]
 pidDir=/var/run/pki/tomcat

diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
@@ -2624,6 +2624,8 @@ def setup_security_domain_manager(self, subsystem):
 
             subsystem.create_security_domain(name=sd_name)
 
+            domain_manager = True
+
             logger.info('Adding security domain manager')
             subsystem.add_security_domain_subsystem(
                 self.mdict['pki_subsystem_name'],
@@ -2633,6 +2635,13 @@ def setup_security_domain_manager(self, subsystem):
                 secure_port=proxySecurePort,
                 domain_manager=True)
 
+        if domain_manager:
+            logger.info('Adding security domain sessions')
+            subsystem.config['securitydomain.checkIP'] = 'false'
+            subsystem.config['securitydomain.checkinterval'] = '300000'
+            subsystem.config['securitydomain.flushinterval'] = '86400000'
+            subsystem.config['securitydomain.source'] = 'ldap'
+
     def pki_connect(self):
 
         ca_cert = os.path.join(self.instance.nssdb_dir, "ca.crt")