diff --git a/base/ca/database/ds/create.ldif b/base/ca/database/ds/create.ldif
index 704b8d11be7..6da245266ef 100644
--- a/base/ca/database/ds/create.ldif
+++ b/base/ca/database/ds/create.ldif
@@ -150,16 +150,6 @@ objectClass: top
 objectClass: organizationalUnit
 ou: replica
 
-dn: ou=requests, ou=ranges,{rootSuffix}
-objectClass: top
-objectClass: organizationalUnit
-ou: requests
-
-dn: ou=certificateRepository, ou=ranges,{rootSuffix}
-objectClass: top
-objectClass: organizationalUnit
-ou: certificateRepository
-
 dn: ou=certificateProfiles,ou=ca,{rootSuffix}
 objectClass: top
 objectClass: organizationalUnit
diff --git a/base/kra/database/ds/create.ldif b/base/kra/database/ds/create.ldif
index 61054458e3e..a49ca0cf6b0 100644
--- a/base/kra/database/ds/create.ldif
+++ b/base/kra/database/ds/create.ldif
@@ -107,13 +107,3 @@ objectClass: top
 objectClass: organizationalUnit
 ou: replica
 
-dn: ou=requests, ou=ranges,{rootSuffix}
-objectClass: top
-objectClass: organizationalUnit
-ou: requests
-
-dn: ou=keyRepository, ou=ranges,{rootSuffix}
-objectClass: top
-objectClass: organizationalUnit
-ou: certificateRepository
-
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index f73cb60fd69..5a56110914c 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -354,12 +354,14 @@ pki_serial_number_range_end=
 pki_serial_number_range_increment=
 pki_serial_number_range_minimum=
 pki_serial_number_range_transfer=
+pki_serial_number_range_dn=
 
 pki_request_number_range_start=
 pki_request_number_range_end=
 pki_request_number_range_increment=
 pki_request_number_range_minimum=
 pki_request_number_range_transfer=
+pki_request_number_range_dn=
 
 pki_replica_number_range_start=
 pki_replica_number_range_end=
diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
index 2929ad4e4da..8c60fbcb8fa 100644
--- a/base/server/python/pki/server/deployment/__init__.py
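Review bot: The two new keys `pki_serial_number_range_dn` and `pki_request_number_range_dn` are undocumented, and their name suggests a full DN while the only consumer in this commit (`SubsystemDBInitCLI.execute`, which appends `"," + ldapConfig.getBaseDN()` to the value) treats them as an RDN relative to the base DN; the Python side (`configure_ca` in deployment/__init__.py) copies the value into `dbs.requestRangeDN`/`dbs.serialRangeDN` without checking its shape, so a value given as a full DN would yield a malformed DN at entry creation. I'd add a comment above each key, e.g. `# RDN (relative to the base DN) of the entry that will hold the serial nextRange attribute, e.g. ou=certificateRepository,ou=ranges`, and the request counterpart with `ou=requests,ou=ranges`, both taken from the LDIF entries this commit removes. The same naming point applies to the two hunks in deployment/__init__.py and to the `SubsystemDBInitCLI` hunk; it is noted only here.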
+++ b/base/server/python/pki/server/deployment/__init__.py
@@ -1207,6 +1207,10 @@ def configure_ca(self, subsystem):
         if request_transfer:
             subsystem.set_config('dbs.requestCloneTransferNumber', request_transfer)
 
+        request_dn = self.mdict.get('pki_request_number_range_dn')
+        if request_dn:
+            subsystem.set_config('dbs.requestRangeDN', request_dn)
+
         cert_id_generator = self.mdict['pki_cert_id_generator']
 
         if cert_id_generator == 'random':
@@ -1245,6 +1249,10 @@ def configure_ca(self, subsystem):
         if serial_transfer:
             subsystem.set_config('dbs.serialCloneTransferNumber', serial_transfer)
 
+        serial_dn = self.mdict.get('pki_serial_number_range_dn')
+        if serial_dn:
+            subsystem.set_config('dbs.serialRangeDN', serial_dn)
+
         replica_number_range_start = self.mdict.get('pki_replica_number_range_start')
         if replica_number_range_start:
             subsystem.set_config('dbs.beginReplicaNumber', replica_number_range_start)
diff --git a/base/server/src/main/java/com/netscape/cms/servlet/csadmin/LDAPConfigurator.java b/base/server/src/main/java/com/netscape/cms/servlet/csadmin/LDAPConfigurator.java
index 98dcba0d5cf..c392ef2268c 100644
--- a/base/server/src/main/java/com/netscape/cms/servlet/csadmin/LDAPConfigurator.java
+++ b/base/server/src/main/java/com/netscape/cms/servlet/csadmin/LDAPConfigurator.java
@@ -238,6 +238,18 @@ public LDAPEntry getEntry(String dn) throws Exception {
         }
     }
 
+    public void createEntry(String dn, String[] objectClasses) throws Exception {
+
+        logger.info("Adding " + dn);
+
+        LDAPAttributeSet attrs = new LDAPAttributeSet();
+        attrs.add(new LDAPAttribute("objectClass", objectClasses));
+
+        LDAPEntry entry = new LDAPEntry(dn, attrs);
+
+        connection.add(entry);
+    }
+
     public void validateDatabaseOwnership(String database, String baseDN) throws Exception {
 
         logger.info("Validating database " + database + " is owned by " + baseDN);
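Review bot: `createEntry` calls `connection.add(entry)` with no handling of an entry that already exists, so a second run of the db-init command that reaches this path (the range entries are created right after `createContainers` in `SubsystemDBInitCLI`) stops with an entryAlreadyExists error instead of continuing; whether `createContainers` itself tolerates existing entries is outside this diff, but if it does, this helper should behave the same way. The entry also carries only `objectClass`: the naming attribute from the RDN (`ou` for both callers) is not added explicitly, which 389 DS fills in from the RDN as far as I know but other servers may reject as a naming violation, and the callers pass only `organizationalUnit` where the LDIF entries removed in this commit also listed `top`. The method is public and has no Javadoc; I'd document that `dn` must be a full DN whose parent entry already exists and that `objectClasses` is written as given. If the command is meant to be re-runnable, the add can be guarded as below (`LDAPException` here is `netscape.ldap.LDAPException`, imported if it is not already).
```java
        LDAPEntry entry = new LDAPEntry(dn, attrs);

        try {
            connection.add(entry);
        } catch (LDAPException e) {
            // tolerate re-runs: the entry was created by an earlier invocation
            if (e.getLDAPResultCode() != LDAPException.ENTRY_ALREADY_EXISTS) {
                throw e;
            }
            logger.info("Entry " + dn + " already exists");
        }
    }
```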
diff --git a/base/server/src/main/java/com/netscape/cmscore/dbs/Repository.java b/base/server/src/main/java/com/netscape/cmscore/dbs/Repository.java
index a86a3d9fccd..4f1a01929b5 100644
--- a/base/server/src/main/java/com/netscape/cmscore/dbs/Repository.java
+++ b/base/server/src/main/java/com/netscape/cmscore/dbs/Repository.java
@@ -460,6 +460,14 @@ private void switchToNextRange() throws EBaseException {
         cs.commit(false);
     }
 
+    /**
+     * This method returns the DN of the entry that holds the nextRange attribute.
+     */
+    public String getNextRangeDN() {
+        // currently the nextRange is stored in repository's base DN
+        return mBaseDN;
+    }
+
     /**
      * Gets start of next range from database.
      * Increments the nextRange attribute and allocates
@@ -476,15 +484,17 @@ public String getNextRange() throws EBaseException {
         try {
             LDAPConnection conn = session.getConnection();
 
-            logger.info("Repository: Reading entry " + mBaseDN);
-            LDAPEntry entry = conn.read(mBaseDN);
+            String nextRangeDN = getNextRangeDN();
+            logger.info("Repository: Getting " + DBSubsystem.PROP_NEXT_RANGE + " from " + nextRangeDN);
+            LDAPEntry entry = conn.read(nextRangeDN);
 
             LDAPAttribute attr = entry.getAttribute(DBSubsystem.PROP_NEXT_RANGE);
             if (attr == null) {
-                throw new Exception("Missing attribute" + DBSubsystem.PROP_NEXT_RANGE);
+                throw new Exception("Missing " + DBSubsystem.PROP_NEXT_RANGE + " attribute");
             }
 
             String nextRange = attr.getStringValues().nextElement();
+            logger.info("Repository: Current " + DBSubsystem.PROP_NEXT_RANGE + ": " + nextRange);
 
             // parse nextRange as decimal
             BigInteger nextRangeNo = new BigInteger(nextRange);
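Review bot: `getNextRangeDN()` documents itself as returning the entry that holds `nextRange`, but it returns `mBaseDN` unconditionally and never consults the `dbs.serialRangeDN`/`dbs.requestRangeDN` settings this commit introduces (default.cfg, deployment/__init__.py), so the entries `SubsystemDBInitCLI` creates under those RDNs are not the ones `getNextRange()` reads and modifies. If that is intentional for this step, the Javadoc should say so, e.g. `Returns the DN of the entry holding the nextRange attribute. Currently this is the repository base DN; the dbs.*RangeDN settings are not yet honored here.`, so an operator who sets the new keys does not expect the range to move. `SubsystemRangeUpdateCLI.execute` encodes the same assumption separately (`dbConfig.getSerialDN() + "," + baseDN`), so the two sites will have to change together. The method is public and non-final, so the Javadoc should also say whether subclasses are expected to override it.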
@@ -493,12 +503,11 @@ public String getNextRange() throws EBaseException {
 
             // generate new nextRange in decimal
             String newNextRange = newNextRangeNo.toString();
+            logger.info("Repository: New " + DBSubsystem.PROP_NEXT_RANGE + ": " + newNextRange);
 
             // generate endRange in decimal
             String endRange = newNextRangeNo.subtract(BigInteger.ONE).toString();
 
-            logger.info("Repository: Updating " + DBSubsystem.PROP_NEXT_RANGE + " from " + nextRange + " to " + newNextRange);
-
             // To make sure attrNextRange always increments, first delete the current value and then increment.
             // Two operations in the same transaction
@@ -508,8 +517,8 @@ public String getNextRange() throws EBaseException {
                     new LDAPModification(LDAPModification.ADD, attrNextRange)
             };
 
-            logger.info("Repository: Modifying entry " + mBaseDN);
-            conn.modify(mBaseDN, mods);
+            logger.info("Repository: Updating " + DBSubsystem.PROP_NEXT_RANGE + " in " + nextRangeDN);
+            conn.modify(nextRangeDN, mods);
 
             // Add new range object
diff --git a/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBInitCLI.java b/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBInitCLI.java
index dcbef764f65..64d6f9c3cd0 100644
--- a/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBInitCLI.java
+++ b/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBInitCLI.java
@@ -7,12 +7,14 @@
 
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.Option;
+import org.apache.commons.lang3.StringUtils;
 import org.dogtagpki.cli.CLI;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import com.netscape.cms.servlet.csadmin.LDAPConfigurator;
 import com.netscape.cmscore.apps.CMS;
+import com.netscape.cmscore.apps.DatabaseConfig;
 import com.netscape.cmscore.apps.EngineConfig;
 import com.netscape.cmscore.ldapconn.LDAPConfig;
 import com.netscape.cmscore.ldapconn.LDAPConnectionConfig;
@@ -68,6 +70,8 @@ public void execute(CommandLine cmd) throws Exception {
         String database = ldapConfig.getDatabase();
         String baseDN = ldapConfig.getBaseDN();
 
+        DatabaseConfig dbConfig = cs.getDatabaseConfig();
+
         logger.info("Initializing database " + database + " for " + baseDN);
 
         PasswordStoreConfig psc = cs.getPasswordStoreConfig();
@@ -105,6 +109,21 @@ public void execute(CommandLine cmd) throws Exception {
 
         if (!cmd.hasOption("skip-containers")) {
             ldapConfigurator.createContainers(subsystem);
+
+            String requestRangeRDN = dbConfig.getRequestRangeDN();
+            if (!StringUtils.isEmpty(requestRangeRDN)) {
+                ldapConfigurator.createEntry(
+                        requestRangeRDN + "," + ldapConfig.getBaseDN(),
+                        new String[] { "organizationalUnit" });
+            }
+
+            String serialRangeRDN = dbConfig.getSerialRangeDN();
+            if (!StringUtils.isEmpty(serialRangeRDN)) {
+                ldapConfigurator.createEntry(
+                        serialRangeRDN + "," + ldapConfig.getBaseDN(),
+                        new String[] { "organizationalUnit" });
+            }
+
             ldapConfigurator.setupACL(subsystem);
         }
 
diff --git a/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemRangeUpdateCLI.java b/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemRangeUpdateCLI.java
index 90ce9ca8ab9..557766fb3eb 100644
--- a/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemRangeUpdateCLI.java
+++ b/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemRangeUpdateCLI.java
@@ -16,6 +16,7 @@
 import com.netscape.cmscore.apps.CMS;
 import com.netscape.cmscore.apps.DatabaseConfig;
 import com.netscape.cmscore.apps.EngineConfig;
+import com.netscape.cmscore.dbs.DBSubsystem;
 import com.netscape.cmscore.dbs.Repository.IDGenerator;
 import com.netscape.cmscore.ldapconn.LDAPConfig;
 import com.netscape.cmscore.ldapconn.LDAPConnectionConfig;
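Review bot: The two blocks added after `createContainers` in the `-105,6` hunk are copies of each other, and both call `ldapConfig.getBaseDN()` again although `execute` already holds that value in `baseDN` (declared earlier in the method, visible in the `-68,6` hunk); a small private helper removes the duplication and gives one place to decide the object classes, where I would include `top` alongside `organizationalUnit` to match the LDIF entries this commit removes from the CA and KRA `create.ldif`. `createEntry` adds only the named entry, so a multi-component RDN such as `ou=requests,ou=ranges` requires the intermediate `ou=ranges` entry to exist already — presumably from `createContainers`, whose contents are outside this diff — and that precondition is worth a comment at the call. `StringUtils.isBlank` would also skip a whitespace-only value, which `isEmpty` lets through into a DN. The enclosing `execute` method continues outside the hunk.
```java
            ldapConfigurator.createContainers(subsystem);

            // parent entries of these RDNs (e.g. ou=ranges) must already exist
            createRangeEntry(ldapConfigurator, dbConfig.getRequestRangeDN(), baseDN);
            createRangeEntry(ldapConfigurator, dbConfig.getSerialRangeDN(), baseDN);

            ldapConfigurator.setupACL(subsystem);
            // … unchanged: rest of execute …

    /**
     * Creates the organizationalUnit entry that will hold a nextRange attribute.
     * Does nothing when rangeRDN is blank.
     */
    private static void createRangeEntry(LDAPConfigurator ldapConfigurator, String rangeRDN, String baseDN)
            throws Exception {

        if (StringUtils.isBlank(rangeRDN)) {
            return;
        }

        ldapConfigurator.createEntry(
                rangeRDN + "," + baseDN,
                new String[] { "top", "organizationalUnit" });
    }
```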
@@ -84,19 +85,25 @@ public void execute(CommandLine cmd) throws Exception {
 
         DatabaseConfig dbConfig = cs.getDatabaseConfig();
 
+        // currently the cert nextRange is stored in cert repository's base DN
+        String serialNextRangeDN = dbConfig.getSerialDN() + "," + baseDN;
+
         updateSerialNumberRange(
                 socketFactory,
                 connInfo,
                 authInfo,
                 dbConfig,
-                baseDN);
+                serialNextRangeDN);
+
+        // currently the request nextRange is stored in request repository's base DN
+        String requestNextRangeDN = dbConfig.getRequestDN() + "," + baseDN;
 
         updateRequestNumberRange(
                 socketFactory,
                 connInfo,
                 authInfo,
                 dbConfig,
-                baseDN);
+                requestNextRangeDN);
     }
 
     public void updateSerialNumberRange(
@@ -104,7 +111,7 @@ public void updateSerialNumberRange(
             LdapConnInfo connInfo,
             LdapAuthInfo authInfo,
             DatabaseConfig dbConfig,
-            String baseDN) throws Exception {
+            String nextRangeDN) throws Exception {
 
         LdapBoundConnection conn = new LdapBoundConnection(socketFactory, connInfo, authInfo);
 
@@ -116,14 +123,12 @@ public void updateSerialNumberRange(
 
             // generate nextRange in decimal
             String nextSerialNumber = endSerialNumber.add(BigInteger.ONE).toString();
 
-            String serialDN = dbConfig.getSerialDN() + "," + baseDN;
-
             // store nextRange as decimal
-            LDAPAttribute attrSerialNextRange = new LDAPAttribute("nextRange", nextSerialNumber);
+            LDAPAttribute attrSerialNextRange = new LDAPAttribute(DBSubsystem.PROP_NEXT_RANGE, nextSerialNumber);
             LDAPModification serialmod = new LDAPModification(LDAPModification.REPLACE, attrSerialNextRange);
 
-            conn.modify(serialDN, serialmod);
+            conn.modify(nextRangeDN, serialmod);
 
         } finally {
             conn.disconnect();
@@ -135,7 +140,7 @@ public void updateRequestNumberRange(
             LdapConnInfo connInfo,
             LdapAuthInfo authInfo,
             DatabaseConfig dbConfig,
-            String baseDN) throws Exception {
+            String nextRangeDN) throws Exception {
 
         String value = dbConfig.getString(
                 RequestRepository.PROP_REQUEST_ID_GENERATOR,
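Review bot: The DNs computed in the `-84,19` hunk (`dbConfig.getSerialDN() + "," + baseDN` and the request counterpart) restate the assumption that `Repository.getNextRangeDN()` encodes in this same commit (it returns `mBaseDN`), and neither site refers to the other, so a later move of `nextRange` — which the new `dbs.serialRangeDN`/`dbs.requestRangeDN` settings appear to anticipate — would have to be made in two places. I'd point the comment at the other site, `// must agree with Repository.getNextRangeDN(): currently the cert nextRange is stored in the cert repository's base DN`, and likewise for the request comment, or expose one helper both can call. `dbConfig` is still passed to `updateSerialNumberRange` now that the DN is built by the caller; the `-104,7` and `-116,14` hunks no longer show a use of it in that method, but its body is partly outside the hunks, so check for a parameter that is now unused. The enclosing `execute` method starts before the first hunk.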
@@ -158,14 +163,12 @@ public void updateRequestNumberRange(
 
             // generate nextRange in decimal
             String nextRequestNumber = endRequestNumber.add(BigInteger.ONE).toString();
 
-            String requestDN = dbConfig.getRequestDN() + "," + baseDN;
-
             // store nextRange as decimal
-            LDAPAttribute attrRequestNextRange = new LDAPAttribute("nextRange", nextRequestNumber);
+            LDAPAttribute attrRequestNextRange = new LDAPAttribute(DBSubsystem.PROP_NEXT_RANGE, nextRequestNumber);
             LDAPModification requestmod = new LDAPModification(LDAPModification.REPLACE, attrRequestNextRange);
 
-            conn.modify(requestDN, requestmod);
+            conn.modify(nextRangeDN, requestmod);
 
         } finally {
             conn.disconnect();