From a2db6f68eec7a15af1030efa9ebff174c4a35188 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Tue, 22 Oct 2024 18:05:34 -0500
Subject: [PATCH] Add installation params for range DNs

The pki__number_range_dn params have been added to provide a way to customize the subtrees used to store the range objects for certs and requests in CA. The SubsystemDBInitCLI has been modified to initialize the database based on the range DN configuration. The hard-coded subtrees in the create.ldif have been removed. The Repository.getNextRangeDN() has been added to return the DN of the entry holding the nextRange attribute. The methods in SubsystemRangeUpdateCLI have also been modified to take the DN of the entry holding the nextRange attribute. These changes will make it easier to change the location of the nextRange attribute in the future.
---
 base/ca/database/ds/create.ldif | 10 -------
 base/kra/database/ds/create.ldif | 10 -------
 base/server/etc/default.cfg | 2 ++
 .../python/pki/server/deployment/__init__.py | 8 ++++++
 .../cms/servlet/csadmin/LDAPConfigurator.java | 12 +++++++++
 .../com/netscape/cmscore/dbs/Repository.java | 23 +++++++++++-----
 .../server/cli/SubsystemDBInitCLI.java | 19 +++++++++++++
 .../server/cli/SubsystemRangeUpdateCLI.java | 27 ++++++++++---------
 8 files changed, 72 insertions(+), 39 deletions(-)

diff --git a/base/ca/database/ds/create.ldif b/base/ca/database/ds/create.ldif
index 704b8d11be7..6da245266ef 100644
--- a/base/ca/database/ds/create.ldif
+++ b/base/ca/database/ds/create.ldif
@@ -150,16 +150,6 @@ objectClass: top
 objectClass: organizationalUnit
 ou: replica
 
-dn: ou=requests, ou=ranges,{rootSuffix}
-objectClass: top
-objectClass: organizationalUnit
-ou: requests
-
-dn: ou=certificateRepository, ou=ranges,{rootSuffix}
-objectClass: top
-objectClass: organizationalUnit
-ou: certificateRepository
-
 dn: ou=certificateProfiles,ou=ca,{rootSuffix}
 objectClass: top
 objectClass: organizationalUnit
diff --git a/base/kra/database/ds/create.ldif b/base/kra/database/ds/create.ldif index 61054458e3e..a49ca0cf6b0 100644 --- a/base/kra/database/ds/create.ldif +++ b/base/kra/database/ds/create.ldif @@ -107,13 +107,3 @@ objectClass: top objectClass: organizationalUnit ou: replica -dn: ou=requests, ou=ranges,{rootSuffix} -objectClass: top -objectClass: organizationalUnit -ou: requests - -dn: ou=keyRepository, ou=ranges,{rootSuffix} -objectClass: top -objectClass: organizationalUnit -ou: certificateRepository - diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg index f73cb60fd69..5a56110914c 100644 --- a/base/server/etc/default.cfg +++ b/base/server/etc/default.cfg @@ -354,12 +354,14 @@ pki_serial_number_range_end= pki_serial_number_range_increment= pki_serial_number_range_minimum= pki_serial_number_range_transfer= +pki_serial_number_range_dn= pki_request_number_range_start= pki_request_number_range_end= pki_request_number_range_increment= pki_request_number_range_minimum= pki_request_number_range_transfer= +pki_request_number_range_dn= pki_replica_number_range_start= pki_replica_number_range_end= diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py index 2929ad4e4da..8c60fbcb8fa 100644 --- a/base/server/python/pki/server/deployment/__init__.py +++ b/base/server/python/pki/server/deployment/__init__.py @@ -1207,6 +1207,10 @@ def configure_ca(self, subsystem): if request_transfer: subsystem.set_config('dbs.requestCloneTransferNumber', request_transfer) + request_dn = self.mdict.get('pki_request_number_range_dn') + if request_dn: + subsystem.set_config('dbs.requestRangeDN', request_dn) + cert_id_generator = self.mdict['pki_cert_id_generator'] if cert_id_generator == 'random': 
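Review bot: `dbs.requestRangeDN` receives the raw `pki_request_number_range_dn` value with no statement of the form it must take, and the hunk at 1245 does the same for `dbs.serialRangeDN`. SubsystemDBInitCLI in this commit builds the entry as `requestRangeRDN + "," + ldapConfig.getBaseDN()`, so the value is an RDN relative to the base DN despite the `_dn` suffix; a full DN supplied here would produce an entry DN with the suffix twice and fail at database initialization. A one-line comment next to each assignment, e.g. `# RDN of the request range subtree, relative to the base DN`, or a comment on the two new keys in default.cfg, would make that visible to operators. configure_ca starts and ends outside the hunk.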
@@ -1245,6 +1249,10 @@ def configure_ca(self, subsystem): if serial_transfer: subsystem.set_config('dbs.serialCloneTransferNumber', serial_transfer) + serial_dn = self.mdict.get('pki_serial_number_range_dn') + if serial_dn: + subsystem.set_config('dbs.serialRangeDN', serial_dn) + replica_number_range_start = self.mdict.get('pki_replica_number_range_start') if replica_number_range_start: subsystem.set_config('dbs.beginReplicaNumber', replica_number_range_start) diff --git a/base/server/src/main/java/com/netscape/cms/servlet/csadmin/LDAPConfigurator.java b/base/server/src/main/java/com/netscape/cms/servlet/csadmin/LDAPConfigurator.java index 98dcba0d5cf..c392ef2268c 100644 --- a/base/server/src/main/java/com/netscape/cms/servlet/csadmin/LDAPConfigurator.java +++ b/base/server/src/main/java/com/netscape/cms/servlet/csadmin/LDAPConfigurator.java @@ -238,6 +238,18 @@ public LDAPEntry getEntry(String dn) throws Exception { } } + public void createEntry(String dn, String[] objectClasses) throws Exception { + + logger.info("Adding " + dn); + + LDAPAttributeSet attrs = new LDAPAttributeSet(); + attrs.add(new LDAPAttribute("objectClass", objectClasses)); + + LDAPEntry entry = new LDAPEntry(dn, attrs); + + connection.add(entry); + } + public void validateDatabaseOwnership(String database, String baseDN) throws Exception { logger.info("Validating database " + database + " is owned by " + baseDN); diff --git a/base/server/src/main/java/com/netscape/cmscore/dbs/Repository.java b/base/server/src/main/java/com/netscape/cmscore/dbs/Repository.java index a86a3d9fccd..4f1a01929b5 100644 --- a/base/server/src/main/java/com/netscape/cmscore/dbs/Repository.java +++ b/base/server/src/main/java/com/netscape/cmscore/dbs/Repository.java 
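Review bot: `createEntry` calls `connection.add` unconditionally, so running database initialization a second time against the same directory fails with an `LDAPException` carrying ENTRY_ALREADY_EXISTS instead of being a no-op; the existing create helpers of this class are outside the hunk, so I cannot tell whether they tolerate that case, but the new callers in SubsystemDBInitCLI run right after `createContainers`, which presumably does. If re-runs are meant to be idempotent, the add should treat that result code as already done, as sketched below. The entry carries only `objectClass`; 389 DS fills in the RDN attribute automatically, but that is server behaviour rather than something this method guarantees, so a Javadoc along the lines of `@param dn absolute DN of the entry; its parent must already exist`, plus a note that the RDN attribute is not set explicitly, would help callers.
```java
        LDAPEntry entry = new LDAPEntry(dn, attrs);

        try {
            connection.add(entry);
        } catch (LDAPException e) {
            // a repeated database init must not fail on containers that already exist
            if (e.getLDAPResultCode() != LDAPException.ENTRY_ALREADY_EXISTS) {
                throw e;
            }
            logger.info("Entry " + dn + " already exists");
        }
```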
@@ -460,6 +460,14 @@ private void switchToNextRange() throws EBaseException { cs.commit(false); } + /** + * This method returns the DN of the entry that holds the nextRange attribute. + */ + public String getNextRangeDN() { + // currently the nextRange is stored in repository's base DN + return mBaseDN; + } + /** * Gets start of next range from database. * Increments the nextRange attribute and allocates @@ -476,15 +484,17 @@ public String getNextRange() throws EBaseException { try { LDAPConnection conn = session.getConnection(); - logger.info("Repository: Reading entry " + mBaseDN); - LDAPEntry entry = conn.read(mBaseDN); + String nextRangeDN = getNextRangeDN(); + logger.info("Repository: Getting " + DBSubsystem.PROP_NEXT_RANGE + " from " + nextRangeDN); + LDAPEntry entry = conn.read(nextRangeDN); LDAPAttribute attr = entry.getAttribute(DBSubsystem.PROP_NEXT_RANGE); if (attr == null) { - throw new Exception("Missing attribute" + DBSubsystem.PROP_NEXT_RANGE); + throw new Exception("Missing " + DBSubsystem.PROP_NEXT_RANGE + " attribute"); } String nextRange = attr.getStringValues().nextElement(); + logger.info("Repository: Current " + DBSubsystem.PROP_NEXT_RANGE + ": " + nextRange); // parse nextRange as decimal BigInteger nextRangeNo = new BigInteger(nextRange); @@ -493,12 +503,11 @@ public String getNextRange() throws EBaseException { // generate new nextRange in decimal String newNextRange = newNextRangeNo.toString(); + logger.info("Repository: New " + DBSubsystem.PROP_NEXT_RANGE + ": " + newNextRange); // generate endRange in decimal String endRange = newNextRangeNo.subtract(BigInteger.ONE).toString(); - logger.info("Repository: Updating " + DBSubsystem.PROP_NEXT_RANGE + " from " + nextRange + " to " + newNextRange); - // To make sure attrNextRange always increments, first delete the current value and then increment. // Two operations in the same transaction 
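Review bot: `getNextRangeDN()` still returns `mBaseDN` and does not consult the `dbs.serialRangeDN`/`dbs.requestRangeDN` settings this commit introduces, while SubsystemRangeUpdateCLI (hunk at 85) re-derives the same location as `dbConfig.getSerialDN() + "," + baseDN` under its own "currently ... stored in ... base DN" comment. That is two places encoding one fact, which is exactly what the commit message says it wants to avoid; if the CLI cannot instantiate a Repository, a static helper that both call would keep them in step. The Javadoc on `getNextRangeDN` should also say that the returned entry must exist and carry `nextRange`, since `getNextRange` in the 484 hunk throws when the attribute is missing, and whether subclasses are expected to override it. Minor: that failure is raised as a bare `Exception` although the method declares `EBaseException`, presumably wrapped by a catch outside the hunk; `getNextRange` continues past the end of the 503 hunk.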
@@ -508,8 +517,8 @@ public String getNextRange() throws EBaseException { new LDAPModification(LDAPModification.ADD, attrNextRange) }; - logger.info("Repository: Modifying entry " + mBaseDN); - conn.modify(mBaseDN, mods); + logger.info("Repository: Updating " + DBSubsystem.PROP_NEXT_RANGE + " in " + nextRangeDN); + conn.modify(nextRangeDN, mods); // Add new range object diff --git a/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBInitCLI.java b/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBInitCLI.java index dcbef764f65..64d6f9c3cd0 100644 --- a/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBInitCLI.java +++ b/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBInitCLI.java @@ -7,12 +7,14 @@ import org.apache.commons.cli.CommandLine; import org.apache.commons.cli.Option; +import org.apache.commons.lang3.StringUtils; import org.dogtagpki.cli.CLI; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import com.netscape.cms.servlet.csadmin.LDAPConfigurator; import com.netscape.cmscore.apps.CMS; +import com.netscape.cmscore.apps.DatabaseConfig; import com.netscape.cmscore.apps.EngineConfig; import com.netscape.cmscore.ldapconn.LDAPConfig; import com.netscape.cmscore.ldapconn.LDAPConnectionConfig; @@ -68,6 +70,8 @@ public void execute(CommandLine cmd) throws Exception { String database = ldapConfig.getDatabase(); String baseDN = ldapConfig.getBaseDN(); + DatabaseConfig dbConfig = cs.getDatabaseConfig(); + logger.info("Initializing database " + database + " for " + baseDN); PasswordStoreConfig psc = cs.getPasswordStoreConfig(); 
@@ -105,6 +109,21 @@ public void execute(CommandLine cmd) throws Exception { if (!cmd.hasOption("skip-containers")) { ldapConfigurator.createContainers(subsystem); + + String requestRangeRDN = dbConfig.getRequestRangeDN(); + if (!StringUtils.isEmpty(requestRangeRDN)) { + ldapConfigurator.createEntry( + requestRangeRDN + "," + ldapConfig.getBaseDN(), + new String[] { "organizationalUnit" }); + } + + String serialRangeRDN = dbConfig.getSerialRangeDN(); + if (!StringUtils.isEmpty(serialRangeRDN)) { + ldapConfigurator.createEntry( + serialRangeRDN + "," + ldapConfig.getBaseDN(), + new String[] { "organizationalUnit" }); + } + ldapConfigurator.setupACL(subsystem); } diff --git a/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemRangeUpdateCLI.java b/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemRangeUpdateCLI.java index 90ce9ca8ab9..557766fb3eb 100644 --- a/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemRangeUpdateCLI.java +++ b/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemRangeUpdateCLI.java @@ -16,6 +16,7 @@ import com.netscape.cmscore.apps.CMS; import com.netscape.cmscore.apps.DatabaseConfig; import com.netscape.cmscore.apps.EngineConfig; +import com.netscape.cmscore.dbs.DBSubsystem; import com.netscape.cmscore.dbs.Repository.IDGenerator; import com.netscape.cmscore.ldapconn.LDAPConfig; import com.netscape.cmscore.ldapconn.LDAPConnectionConfig; 
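Review bot: The two range-subtree blocks are the same code with a different getter, and both call `ldapConfig.getBaseDN()` although `baseDN` was already captured in the hunk at 70 (`String baseDN = ldapConfig.getBaseDN();`); a small helper, below, removes the duplication and makes the RDN-relative-to-base-DN contract explicit. `getRequestRangeDN()` is consumed as an RDN (it is prepended to the base DN with a comma), so a value holding a full DN yields an unusable entry DN; the helper's Javadoc states that, and `StringUtils.isBlank` additionally treats whitespace-only values as unset, which `isEmpty` does not. Both create.ldif files no longer carry the range containers, but only configure_ca in this diff populates `dbs.requestRangeDN`/`dbs.serialRangeDN`; unless the KRA templates set them somewhere not visible here, a KRA install now ends up without `ou=requests`/`ou=keyRepository` under `ou=ranges`, which is worth confirming. execute continues outside the hunk.
```java
            ldapConfigurator.createContainers(subsystem);

            createRangeContainer(ldapConfigurator, dbConfig.getRequestRangeDN(), baseDN);
            createRangeContainer(ldapConfigurator, dbConfig.getSerialRangeDN(), baseDN);

            ldapConfigurator.setupACL(subsystem);
            // … unchanged: rest of execute …

    /**
     * Creates the organizationalUnit entry for a range subtree.
     *
     * @param rangeRDN RDN of the subtree, relative to baseDN; nothing is created when blank
     * @param baseDN base DN of the subsystem database
     */
    private static void createRangeContainer(
            LDAPConfigurator ldapConfigurator,
            String rangeRDN,
            String baseDN) throws Exception {

        if (StringUtils.isBlank(rangeRDN)) {
            return;
        }

        ldapConfigurator.createEntry(
                rangeRDN + "," + baseDN,
                new String[] { "organizationalUnit" });
    }
```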
@@ -84,19 +85,25 @@ public void execute(CommandLine cmd) throws Exception { DatabaseConfig dbConfig = cs.getDatabaseConfig(); + // currently the cert nextRange is stored in cert repository's base DN + String serialNextRangeDN = dbConfig.getSerialDN() + "," + baseDN; + updateSerialNumberRange( socketFactory, connInfo, authInfo, dbConfig, - baseDN); + serialNextRangeDN); + + // currently the request nextRange is stored in request repository's base DN + String requestNextRangeDN = dbConfig.getRequestDN() + "," + baseDN; updateRequestNumberRange( socketFactory, connInfo, authInfo, dbConfig, - baseDN); + requestNextRangeDN); } public void updateSerialNumberRange( @@ -104,7 +111,7 @@ public void updateSerialNumberRange( LdapConnInfo connInfo, LdapAuthInfo authInfo, DatabaseConfig dbConfig, - String baseDN) throws Exception { + String nextRangeDN) throws Exception { LdapBoundConnection conn = new LdapBoundConnection(socketFactory, connInfo, authInfo); @@ -116,14 +123,12 @@ public void updateSerialNumberRange( // generate nextRange in decimal String nextSerialNumber = endSerialNumber.add(BigInteger.ONE).toString(); - String serialDN = dbConfig.getSerialDN() + "," + baseDN; - // store nextRange as decimal - LDAPAttribute attrSerialNextRange = new LDAPAttribute("nextRange", nextSerialNumber); + LDAPAttribute attrSerialNextRange = new LDAPAttribute(DBSubsystem.PROP_NEXT_RANGE, nextSerialNumber); LDAPModification serialmod = new LDAPModification(LDAPModification.REPLACE, attrSerialNextRange); - conn.modify(serialDN, serialmod); + conn.modify(nextRangeDN, serialmod); } finally { conn.disconnect(); @@ -135,7 +140,7 @@ public void updateRequestNumberRange( LdapConnInfo connInfo, LdapAuthInfo authInfo, DatabaseConfig dbConfig, - String baseDN) throws Exception { + String nextRangeDN) throws Exception { String value = dbConfig.getString( RequestRepository.PROP_REQUEST_ID_GENERATOR, 
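Review bot: Renaming the last parameter of the public `updateSerialNumberRange` and `updateRequestNumberRange` from `baseDN` to `nextRangeDN` changes its meaning without changing its type, so any other caller that still passes the base DN compiles and then runs the `LDAPModification.REPLACE` of `nextRange` against the base entry; no such caller is visible here, but a Javadoc `@param nextRangeDN DN of the entry holding the nextRange attribute` on both methods (hunks at 111 and 140) would at least document the contract. The composition `dbConfig.getSerialDN() + "," + baseDN` in the 85 hunk duplicates what `Repository.getNextRangeDN()` is meant to centralize, and the comments on both sides say "currently", which is the kind of drift the commit message wants to avoid. After the 123 hunk drops `serialDN`, it is not visible whether `dbConfig` is still referenced inside `updateSerialNumberRange` (lines 112–122 are outside the hunk); if it is not, the parameter is now unused. The 163 hunk in `updateRequestNumberRange` has the same shape as the 123 hunk.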
@@ -158,14 +163,12 @@ public void updateRequestNumberRange( // generate nextRange in decimal String nextRequestNumber = endRequestNumber.add(BigInteger.ONE).toString(); - String requestDN = dbConfig.getRequestDN() + "," + baseDN; - // store nextRange as decimal - LDAPAttribute attrRequestNextRange = new LDAPAttribute("nextRange", nextRequestNumber); + LDAPAttribute attrRequestNextRange = new LDAPAttribute(DBSubsystem.PROP_NEXT_RANGE, nextRequestNumber); LDAPModification requestmod = new LDAPModification(LDAPModification.REPLACE, attrRequestNextRange); - conn.modify(requestDN, requestmod); + conn.modify(nextRangeDN, requestmod); } finally { conn.disconnect();