Add installation params for range DNs

The pki_<object>_number_range_dn params have been added to
provide a way to customize the subtrees used to store the
range objects for certs and requests in CA.

The SubsystemDBInitCLI has been modified to initialize the
database based on the range DN configuration. The hard-coded
subtrees in the create.ldif have been removed.

The Repository.getNextRangeDN() has been added to return the
DN of the entry holding the nextRange attribute. The methods
in SubsystemRangeUpdateCLI have also been modified to take
the DN of the entry holding the nextRange attribute. These
changes will make it easier to change the location of the
nextRange attribute in the future.

base/ca/database/ds/create.ldif

@@ -150,16 +150,6 @@ objectClass: top
 objectClass: organizationalUnit
 ou: replica
 
-dn: ou=requests, ou=ranges,{rootSuffix}
-objectClass: top
-objectClass: organizationalUnit
-ou: requests
-
-dn: ou=certificateRepository, ou=ranges,{rootSuffix}
-objectClass: top
-objectClass: organizationalUnit
-ou: certificateRepository
-
 dn: ou=certificateProfiles,ou=ca,{rootSuffix}
 objectClass: top
 objectClass: organizationalUnit

base/kra/database/ds/create.ldif

@@ -107,13 +107,3 @@ objectClass: top
 objectClass: organizationalUnit
 ou: replica
 
-dn: ou=requests, ou=ranges,{rootSuffix}
-objectClass: top
-objectClass: organizationalUnit
-ou: requests
-
-dn: ou=keyRepository, ou=ranges,{rootSuffix}
-objectClass: top
-objectClass: organizationalUnit
-ou: certificateRepository
-

base/server/etc/default.cfg

@@ -354,12 +354,14 @@ pki_serial_number_range_end=
 pki_serial_number_range_increment=
 pki_serial_number_range_minimum=
 pki_serial_number_range_transfer=
+pki_serial_number_range_dn=
 
 pki_request_number_range_start=
 pki_request_number_range_end=
 pki_request_number_range_increment=
 pki_request_number_range_minimum=
 pki_request_number_range_transfer=
+pki_request_number_range_dn=
 
 pki_replica_number_range_start=
 pki_replica_number_range_end=

base/server/python/pki/server/deployment/__init__.py

@@ -1207,6 +1207,10 @@ def configure_ca(self, subsystem):
             if request_transfer:
                 subsystem.set_config('dbs.requestCloneTransferNumber', request_transfer)
 
+            request_dn = self.mdict.get('pki_request_number_range_dn')
+            if request_dn:
+                subsystem.set_config('dbs.requestRangeDN', request_dn)
+
         cert_id_generator = self.mdict['pki_cert_id_generator']
 
         if cert_id_generator == 'random':
@@ -1245,6 +1249,10 @@ def configure_ca(self, subsystem):
             if serial_transfer:
                 subsystem.set_config('dbs.serialCloneTransferNumber', serial_transfer)
 
+            serial_dn = self.mdict.get('pki_serial_number_range_dn')
+            if serial_dn:
+                subsystem.set_config('dbs.serialRangeDN', serial_dn)
+
         replica_number_range_start = self.mdict.get('pki_replica_number_range_start')
         if replica_number_range_start:
             subsystem.set_config('dbs.beginReplicaNumber', replica_number_range_start)

base/server/src/main/java/com/netscape/cms/servlet/csadmin/LDAPConfigurator.java

@@ -238,6 +238,18 @@ public LDAPEntry getEntry(String dn) throws Exception {
         }
     }
 
+    public void createEntry(String dn, String[] objectClasses) throws Exception {
+
+        logger.info("Adding " + dn);
+
+        LDAPAttributeSet attrs = new LDAPAttributeSet();
+        attrs.add(new LDAPAttribute("objectClass", objectClasses));
+
+        LDAPEntry entry = new LDAPEntry(dn, attrs);
+
+        connection.add(entry);
+    }
+
     public void validateDatabaseOwnership(String database, String baseDN) throws Exception {
 
         logger.info("Validating database " + database + " is owned by " + baseDN);

base/server/src/main/java/com/netscape/cmscore/dbs/Repository.java

@@ -460,6 +460,14 @@ private void switchToNextRange() throws EBaseException {
         cs.commit(false);
     }
 
+    /**
+     * This method returns the DN of the entry that holds the nextRange attribute.
+     */
+    public String getNextRangeDN() {
+        // currently the nextRange is stored in repository's base DN
+        return mBaseDN;
+    }
+
     /**
      * Gets start of next range from database.
      * Increments the nextRange attribute and allocates
@@ -476,15 +484,17 @@ public String getNextRange() throws EBaseException {
         try {
             LDAPConnection conn = session.getConnection();
 
-            logger.info("Repository: Reading entry " + mBaseDN);
-            LDAPEntry entry = conn.read(mBaseDN);
+            String nextRangeDN = getNextRangeDN();
+            logger.info("Repository: Getting " + DBSubsystem.PROP_NEXT_RANGE + " from " + nextRangeDN);
+            LDAPEntry entry = conn.read(nextRangeDN);
 
             LDAPAttribute attr = entry.getAttribute(DBSubsystem.PROP_NEXT_RANGE);
             if (attr == null) {
-                throw new Exception("Missing attribute" + DBSubsystem.PROP_NEXT_RANGE);
+                throw new Exception("Missing " + DBSubsystem.PROP_NEXT_RANGE + " attribute");
             }
 
             String nextRange = attr.getStringValues().nextElement();
+            logger.info("Repository: Current " + DBSubsystem.PROP_NEXT_RANGE + ": " + nextRange);
 
             // parse nextRange as decimal
             BigInteger nextRangeNo = new BigInteger(nextRange);
@@ -493,12 +503,11 @@ public String getNextRange() throws EBaseException {
 
             // generate new nextRange in decimal
             String newNextRange = newNextRangeNo.toString();
+            logger.info("Repository: New " + DBSubsystem.PROP_NEXT_RANGE + ": " + newNextRange);
 
             // generate endRange in decimal
             String endRange = newNextRangeNo.subtract(BigInteger.ONE).toString();
 
-            logger.info("Repository: Updating " + DBSubsystem.PROP_NEXT_RANGE + " from " + nextRange + " to " + newNextRange);
-
             // To make sure attrNextRange always increments, first delete the current value and then increment.
             // Two operations in the same transaction
 
@@ -508,8 +517,8 @@ public String getNextRange() throws EBaseException {
                     new LDAPModification(LDAPModification.ADD, attrNextRange)
             };
 
-            logger.info("Repository: Modifying entry " + mBaseDN);
-            conn.modify(mBaseDN, mods);
+            logger.info("Repository: Updating " + DBSubsystem.PROP_NEXT_RANGE + " in " + nextRangeDN);
+            conn.modify(nextRangeDN, mods);
 
             // Add new range object
 

base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBInitCLI.java

@@ -7,12 +7,14 @@
 
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.Option;
+import org.apache.commons.lang3.StringUtils;
 import org.dogtagpki.cli.CLI;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import com.netscape.cms.servlet.csadmin.LDAPConfigurator;
 import com.netscape.cmscore.apps.CMS;
+import com.netscape.cmscore.apps.DatabaseConfig;
 import com.netscape.cmscore.apps.EngineConfig;
 import com.netscape.cmscore.ldapconn.LDAPConfig;
 import com.netscape.cmscore.ldapconn.LDAPConnectionConfig;
@@ -68,6 +70,8 @@ public void execute(CommandLine cmd) throws Exception {
         String database = ldapConfig.getDatabase();
         String baseDN = ldapConfig.getBaseDN();
 
+        DatabaseConfig dbConfig = cs.getDatabaseConfig();
+
         logger.info("Initializing database " + database + " for " + baseDN);
 
         PasswordStoreConfig psc = cs.getPasswordStoreConfig();
@@ -105,6 +109,21 @@ public void execute(CommandLine cmd) throws Exception {
 
             if (!cmd.hasOption("skip-containers")) {
                 ldapConfigurator.createContainers(subsystem);
+
+                String requestRangeRDN = dbConfig.getRequestRangeDN();
+                if (!StringUtils.isEmpty(requestRangeRDN)) {
+                    ldapConfigurator.createEntry(
+                            requestRangeRDN + "," + ldapConfig.getBaseDN(),
+                            new String[] { "organizationalUnit" });
+                }
+
+                String serialRangeRDN = dbConfig.getSerialRangeDN();
+                if (!StringUtils.isEmpty(serialRangeRDN)) {
+                    ldapConfigurator.createEntry(
+                            serialRangeRDN + "," + ldapConfig.getBaseDN(),
+                            new String[] { "organizationalUnit" });
+                }
+
                 ldapConfigurator.setupACL(subsystem);
             }
 

base/server/src/main/java/org/dogtagpki/server/cli/SubsystemRangeUpdateCLI.java

@@ -16,6 +16,7 @@
 import com.netscape.cmscore.apps.CMS;
 import com.netscape.cmscore.apps.DatabaseConfig;
 import com.netscape.cmscore.apps.EngineConfig;
+import com.netscape.cmscore.dbs.DBSubsystem;
 import com.netscape.cmscore.dbs.Repository.IDGenerator;
 import com.netscape.cmscore.ldapconn.LDAPConfig;
 import com.netscape.cmscore.ldapconn.LDAPConnectionConfig;
@@ -84,27 +85,33 @@ public void execute(CommandLine cmd) throws Exception {
 
         DatabaseConfig dbConfig = cs.getDatabaseConfig();
 
+        // currently the cert nextRange is stored in cert repository's base DN
+        String serialNextRangeDN = dbConfig.getSerialDN() + "," + baseDN;
+
         updateSerialNumberRange(
                 socketFactory,
                 connInfo,
                 authInfo,
                 dbConfig,
-                baseDN);
+                serialNextRangeDN);
+
+        // currently the request nextRange is stored in request repository's base DN
+        String requestNextRangeDN = dbConfig.getRequestDN() + "," + baseDN;
 
         updateRequestNumberRange(
                 socketFactory,
                 connInfo,
                 authInfo,
                 dbConfig,
-                baseDN);
+                requestNextRangeDN);
     }
 
     public void updateSerialNumberRange(
             PKISocketFactory socketFactory,
             LdapConnInfo connInfo,
             LdapAuthInfo authInfo,
             DatabaseConfig dbConfig,
-            String baseDN) throws Exception {
+            String nextRangeDN) throws Exception {
 
         LdapBoundConnection conn = new LdapBoundConnection(socketFactory, connInfo, authInfo);
 
@@ -116,14 +123,12 @@ public void updateSerialNumberRange(
             // generate nextRange in decimal
             String nextSerialNumber = endSerialNumber.add(BigInteger.ONE).toString();
 
-            String serialDN = dbConfig.getSerialDN() + "," + baseDN;
-
             // store nextRange as decimal
-            LDAPAttribute attrSerialNextRange = new LDAPAttribute("nextRange", nextSerialNumber);
+            LDAPAttribute attrSerialNextRange = new LDAPAttribute(DBSubsystem.PROP_NEXT_RANGE, nextSerialNumber);
 
             LDAPModification serialmod = new LDAPModification(LDAPModification.REPLACE, attrSerialNextRange);
 
-            conn.modify(serialDN, serialmod);
+            conn.modify(nextRangeDN, serialmod);
 
         } finally {
             conn.disconnect();
@@ -135,7 +140,7 @@ public void updateRequestNumberRange(
             LdapConnInfo connInfo,
             LdapAuthInfo authInfo,
             DatabaseConfig dbConfig,
-            String baseDN) throws Exception {
+            String nextRangeDN) throws Exception {
 
         String value = dbConfig.getString(
                 RequestRepository.PROP_REQUEST_ID_GENERATOR,
@@ -158,14 +163,12 @@ public void updateRequestNumberRange(
             // generate nextRange in decimal
             String nextRequestNumber = endRequestNumber.add(BigInteger.ONE).toString();
 
-            String requestDN = dbConfig.getRequestDN() + "," + baseDN;
-
             // store nextRange as decimal
-            LDAPAttribute attrRequestNextRange = new LDAPAttribute("nextRange", nextRequestNumber);
+            LDAPAttribute attrRequestNextRange = new LDAPAttribute(DBSubsystem.PROP_NEXT_RANGE, nextRequestNumber);
 
             LDAPModification requestmod = new LDAPModification(LDAPModification.REPLACE, attrRequestNextRange);
 
-            conn.modify(requestDN, requestmod);
+            conn.modify(nextRangeDN, requestmod);
 
         } finally {
             conn.disconnect();