From b60268503c61671baf4b8ef688f1466854d8e2f2 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Tue, 22 Oct 2024 18:05:34 -0500 Subject: [PATCH] Relocate SSNv2 range objects for new CA instances pkispawn has been modified to create ou=ranges subtree for SSNv1 and optionally ou=ranges_v2 subtree for SSNv2 if it's enabled for new CA instances. The pki-server -db-init and -range-update commands have been updated to use the proper subtree to store the range objects. Hard-coded subtrees in the create.ldif have been removed. Similar changes are made to KRA as well, but since there are no tests for KRA with SSNv2 it's not officially supported yet. --- base/ca/database/ds/create.ldif | 10 -- .../org/dogtagpki/server/ca/cli/CADBCLI.java | 3 +- .../dogtagpki/server/ca/cli/CADBInitCLI.java | 38 ++++++++ .../server/ca/cli/CARangeUpdateCLI.java | 18 ++-- base/kra/database/ds/create.ldif | 10 -- .../org/dogtagpki/server/kra/cli/KRACLI.java | 3 +- .../dogtagpki/server/kra/cli/KRADBCLI.java | 39 ++++++++ .../server/kra/cli/KRADBInitCLI.java | 38 ++++++++ .../server/kra/cli/KRARangeUpdateCLI.java | 18 ++-- .../python/pki/server/deployment/__init__.py | 28 +++++- .../cms/servlet/csadmin/LDAPConfigurator.java | 12 +++ .../server/cli/SubsystemDBInitCLI.java | 91 +++++++++++++++++++ .../server/cli/SubsystemRangeUpdateCLI.java | 28 ++++-- 13 files changed, 287 insertions(+), 49 deletions(-) create mode 100644 base/ca/src/main/java/org/dogtagpki/server/ca/cli/CADBInitCLI.java create mode 100644 base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRADBCLI.java create mode 100644 base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRADBInitCLI.java diff --git a/base/ca/database/ds/create.ldif b/base/ca/database/ds/create.ldif index 704b8d11be7..6da245266ef 100644 --- a/base/ca/database/ds/create.ldif +++ b/base/ca/database/ds/create.ldif 
@@ -150,16 +150,6 @@ objectClass: top objectClass: organizationalUnit ou: replica -dn: ou=requests, ou=ranges,{rootSuffix} -objectClass: top -objectClass: organizationalUnit -ou: requests - -dn: ou=certificateRepository, ou=ranges,{rootSuffix} -objectClass: top -objectClass: organizationalUnit -ou: certificateRepository - dn: ou=certificateProfiles,ou=ca,{rootSuffix} objectClass: top objectClass: organizationalUnit diff --git a/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CADBCLI.java b/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CADBCLI.java index fd78a5fd86d..b81537f838d 100644 --- a/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CADBCLI.java +++ b/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CADBCLI.java @@ -24,7 +24,6 @@ import org.dogtagpki.server.cli.SubsystemDBEmptyCLI; import org.dogtagpki.server.cli.SubsystemDBIndexCLI; import org.dogtagpki.server.cli.SubsystemDBInfoCLI; -import org.dogtagpki.server.cli.SubsystemDBInitCLI; import org.dogtagpki.server.cli.SubsystemDBRemoveCLI; import org.dogtagpki.server.cli.SubsystemDBReplicationCLI; import org.dogtagpki.server.cli.SubsystemDBVLVCLI; @@ -39,7 +38,7 @@ public CADBCLI(CLI parent) { addModule(new SubsystemDBInfoCLI(this)); addModule(new SubsystemDBCreateCLI(this)); - addModule(new SubsystemDBInitCLI(this)); + addModule(new CADBInitCLI(this)); addModule(new SubsystemDBEmptyCLI(this)); addModule(new SubsystemDBRemoveCLI(this)); addModule(new CADBUpgradeCLI(this)); diff --git a/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CADBInitCLI.java b/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CADBInitCLI.java new file mode 100644 index 00000000000..bc2f0fc1d01 --- /dev/null +++ b/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CADBInitCLI.java 
@@ -0,0 +1,38 @@ +// +// Copyright Red Hat, Inc. +// +// SPDX-License-Identifier: GPL-2.0-or-later +// +package org.dogtagpki.server.ca.cli; + +import org.dogtagpki.cli.CLI; +import org.dogtagpki.server.cli.SubsystemDBInitCLI; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import com.netscape.cmscore.apps.DatabaseConfig; +import com.netscape.cmscore.dbs.CertificateRepository; +import com.netscape.cmscore.dbs.Repository.IDGenerator; + +/** + * @author Endi S. Dewata + */ +public class CADBInitCLI extends SubsystemDBInitCLI { + + public static Logger logger = LoggerFactory.getLogger(CADBInitCLI.class); + + public CADBInitCLI(CLI parent) { + super("init", "Initialize CA database", parent); + } + + @Override + public void init(DatabaseConfig dbConfig) throws Exception { + + super.init(dbConfig); + + String value = dbConfig.getString( + CertificateRepository.PROP_CERT_ID_GENERATOR, + CertificateRepository.DEFAULT_CERT_ID_GENERATOR); + serialIDGenerator = IDGenerator.fromString(value); + } +} diff --git a/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CARangeUpdateCLI.java b/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CARangeUpdateCLI.java index 1f10bd92fe3..23ae55354bd 100644 --- a/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CARangeUpdateCLI.java +++ b/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CARangeUpdateCLI.java @@ -28,6 +28,17 @@ public CARangeUpdateCLI(CLI parent) { super(parent); } + @Override + public void init(DatabaseConfig dbConfig) throws Exception { + + super.init(dbConfig); + + String value = dbConfig.getString( + CertificateRepository.PROP_CERT_ID_GENERATOR, + CertificateRepository.DEFAULT_CERT_ID_GENERATOR); + serialIDGenerator = IDGenerator.fromString(value); + } + @Override public void updateSerialNumberRange( PKISocketFactory socketFactory, 
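Review bot: `public static Logger logger` in the new CADBInitCLI hides the `logger` field that SubsystemDBInitCLI already declares, and nothing in the subclass uses it, so it is dead state; KRADBInitCLI further down has the same field. The four-line `init` override is also repeated verbatim in CARangeUpdateCLI in this same commit (and in the KRA pair), so the cert ID generator lookup is now spelled out in two classes per subsystem and could live in one shared place as a follow-up. At minimum drop the unused logger and add a Javadoc on the override, e.g. `/** Reads the configured cert ID generator after the base class has read the request ID generator; both fields decide which ranges subtree db-init creates. */`.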
@@ -36,12 +47,7 @@ public void updateSerialNumberRange( DatabaseConfig dbConfig, String baseDN) throws Exception { - String value = dbConfig.getString( - CertificateRepository.PROP_CERT_ID_GENERATOR, - CertificateRepository.DEFAULT_CERT_ID_GENERATOR); - idGenerator = IDGenerator.fromString(value); - - if (idGenerator == IDGenerator.RANDOM) { + if (serialIDGenerator == IDGenerator.RANDOM) { logger.info("No need to update certificate ID range"); return; } diff --git a/base/kra/database/ds/create.ldif b/base/kra/database/ds/create.ldif index 61054458e3e..a49ca0cf6b0 100644 --- a/base/kra/database/ds/create.ldif +++ b/base/kra/database/ds/create.ldif @@ -107,13 +107,3 @@ objectClass: top objectClass: organizationalUnit ou: replica -dn: ou=requests, ou=ranges,{rootSuffix} -objectClass: top -objectClass: organizationalUnit -ou: requests - -dn: ou=keyRepository, ou=ranges,{rootSuffix} -objectClass: top -objectClass: organizationalUnit -ou: certificateRepository - diff --git a/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRACLI.java b/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRACLI.java index 08c2427866b..63655b81e37 100644 --- a/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRACLI.java +++ b/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRACLI.java @@ -20,7 +20,6 @@ import org.dogtagpki.cli.CLI; import org.dogtagpki.server.cli.SDCLI; -import org.dogtagpki.server.cli.SubsystemDBCLI; import org.dogtagpki.server.cli.SubsystemGroupCLI; import org.dogtagpki.server.cli.SubsystemUserCLI; @@ -32,7 +31,7 @@ public class KRACLI extends CLI { public KRACLI(CLI parent) { super("kra", "KRA subsystem management commands", parent); - addModule(new SubsystemDBCLI(this)); + addModule(new KRADBCLI(this)); addModule(new SubsystemGroupCLI(this)); addModule(new KRARangeCLI(this)); addModule(new KRAIdCLI(this)); 
diff --git a/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRADBCLI.java b/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRADBCLI.java new file mode 100644 index 00000000000..bdca2d08567 --- /dev/null +++ b/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRADBCLI.java @@ -0,0 +1,39 @@ +// +// Copyright Red Hat, Inc. +// +// SPDX-License-Identifier: GPL-2.0-or-later +// +package org.dogtagpki.server.kra.cli; + +import org.dogtagpki.cli.CLI; +import org.dogtagpki.server.cli.SubsystemDBAccessCLI; +import org.dogtagpki.server.cli.SubsystemDBCreateCLI; +import org.dogtagpki.server.cli.SubsystemDBEmptyCLI; +import org.dogtagpki.server.cli.SubsystemDBIndexCLI; +import org.dogtagpki.server.cli.SubsystemDBInfoCLI; +import org.dogtagpki.server.cli.SubsystemDBRemoveCLI; +import org.dogtagpki.server.cli.SubsystemDBReplicationCLI; +import org.dogtagpki.server.cli.SubsystemDBUpgradeCLI; +import org.dogtagpki.server.cli.SubsystemDBVLVCLI; + +/** + * @author Endi S. Dewata + */ +public class KRADBCLI extends CLI { + + public KRADBCLI(CLI parent) { + super("db", "KRA database management commands", parent); + + addModule(new SubsystemDBInfoCLI(this)); + addModule(new SubsystemDBCreateCLI(this)); + addModule(new KRADBInitCLI(this)); + addModule(new SubsystemDBEmptyCLI(this)); + addModule(new SubsystemDBRemoveCLI(this)); + addModule(new SubsystemDBUpgradeCLI(this)); + + addModule(new SubsystemDBAccessCLI(this)); + addModule(new SubsystemDBIndexCLI(this)); + addModule(new SubsystemDBReplicationCLI(this)); + addModule(new SubsystemDBVLVCLI(this)); + } +} diff --git a/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRADBInitCLI.java b/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRADBInitCLI.java new file mode 100644 index 00000000000..aa5508401e7 --- /dev/null +++ b/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRADBInitCLI.java 
@@ -0,0 +1,38 @@ +// +// Copyright Red Hat, Inc. +// +// SPDX-License-Identifier: GPL-2.0-or-later +// +package org.dogtagpki.server.kra.cli; + +import org.dogtagpki.cli.CLI; +import org.dogtagpki.server.cli.SubsystemDBInitCLI; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import com.netscape.cmscore.apps.DatabaseConfig; +import com.netscape.cmscore.dbs.KeyRepository; +import com.netscape.cmscore.dbs.Repository.IDGenerator; + +/** + * @author Endi S. Dewata + */ +public class KRADBInitCLI extends SubsystemDBInitCLI { + + public static Logger logger = LoggerFactory.getLogger(KRADBInitCLI.class); + + public KRADBInitCLI(CLI parent) { + super("init", "Initialize KRA database", parent); + } + + @Override + public void init(DatabaseConfig dbConfig) throws Exception { + + super.init(dbConfig); + + String value = dbConfig.getString( + KeyRepository.PROP_KEY_ID_GENERATOR, + KeyRepository.DEFAULT_KEY_ID_GENERATOR); + serialIDGenerator = IDGenerator.fromString(value); + } +} diff --git a/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRARangeUpdateCLI.java b/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRARangeUpdateCLI.java index d5b7ea09dd7..d7420add681 100644 --- a/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRARangeUpdateCLI.java +++ b/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRARangeUpdateCLI.java @@ -28,6 +28,17 @@ public KRARangeUpdateCLI(CLI parent) { super(parent); } + @Override + public void init(DatabaseConfig dbConfig) throws Exception { + + super.init(dbConfig); + + String value = dbConfig.getString( + KeyRepository.PROP_KEY_ID_GENERATOR, + KeyRepository.DEFAULT_KEY_ID_GENERATOR); + serialIDGenerator = IDGenerator.fromString(value); + } + @Override public void updateSerialNumberRange( PKISocketFactory socketFactory, 
@@ -36,12 +47,7 @@ public void updateSerialNumberRange( DatabaseConfig dbConfig, String baseDN) throws Exception { - String value = dbConfig.getString( - KeyRepository.PROP_KEY_ID_GENERATOR, - KeyRepository.DEFAULT_KEY_ID_GENERATOR); - IDGenerator idGenerator = IDGenerator.fromString(value); - - if (idGenerator == IDGenerator.RANDOM) { + if (serialIDGenerator == IDGenerator.RANDOM) { logger.info("No need to update key ID range"); return; } diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py index 7ec81f72c20..ca8d9052a41 100644 --- a/base/server/python/pki/server/deployment/__init__.py +++ b/base/server/python/pki/server/deployment/__init__.py @@ -1186,7 +1186,6 @@ def configure_ca(self, subsystem): subsystem.set_config('dbs.requestIncrement', '10000000') # decimal subsystem.set_config('dbs.requestLowWaterMark', '2000000') # decimal subsystem.set_config('dbs.requestCloneTransferNumber', '10000') # decimal - subsystem.set_config('dbs.requestRangeDN', 'ou=requests,ou=ranges') request_number_range_start = self.mdict.get('pki_request_number_range_start') if request_number_range_start: @@ -1208,6 +1207,12 @@ def configure_ca(self, subsystem): if request_transfer: subsystem.set_config('dbs.requestCloneTransferNumber', request_transfer) + if request_id_generator == 'legacy2': + request_dn = 'ou=requests,ou=ranges_v2' + else: + request_dn = 'ou=requests,ou=ranges' + subsystem.set_config('dbs.requestRangeDN', request_dn) + cert_id_generator = self.mdict['pki_cert_id_generator'] subsystem.set_config('dbs.cert.id.generator', cert_id_generator) 
@@ -1221,7 +1226,6 @@ def configure_ca(self, subsystem): subsystem.set_config('dbs.serialIncrement', '10000000') # hex subsystem.set_config('dbs.serialLowWaterMark', '2000000') # hex subsystem.set_config('dbs.serialCloneTransferNumber', '10000') # hex - subsystem.set_config('dbs.serialRangeDN', 'ou=certificateRepository,ou=ranges') if config.str2bool(self.mdict['pki_random_serial_numbers_enable']): subsystem.set_config('dbs.enableRandomSerialNumbers', 'true') @@ -1247,6 +1251,12 @@ def configure_ca(self, subsystem): if serial_transfer: subsystem.set_config('dbs.serialCloneTransferNumber', serial_transfer) + if cert_id_generator == 'legacy2': + serial_dn = 'ou=certificateRepository,ou=ranges_v2' + else: + serial_dn = 'ou=certificateRepository,ou=ranges' + subsystem.set_config('dbs.serialRangeDN', serial_dn) + replica_number_range_start = self.mdict.get('pki_replica_number_range_start') if replica_number_range_start: subsystem.set_config('dbs.beginReplicaNumber', replica_number_range_start) @@ -1277,7 +1287,12 @@ def configure_kra(self, subsystem): subsystem.set_config('dbs.requestIncrement', '10000000') # decimal subsystem.set_config('dbs.requestLowWaterMark', '2000000') # decimal subsystem.set_config('dbs.requestCloneTransferNumber', '10000') # decimal - subsystem.set_config('dbs.requestRangeDN', 'ou=requests,ou=ranges') + + if request_id_generator == 'legacy2': + request_dn = 'ou=requests,ou=ranges_v2' + else: + request_dn = 'ou=requests,ou=ranges' + subsystem.set_config('dbs.requestRangeDN', request_dn) key_id_generator = self.mdict['pki_key_id_generator'] 
@@ -1292,7 +1307,12 @@ def configure_kra(self, subsystem):
 subsystem.set_config('dbs.serialIncrement', '10000000') # hex
 subsystem.set_config('dbs.serialLowWaterMark', '2000000') # hex
 subsystem.set_config('dbs.serialCloneTransferNumber', '10000') # hex
- subsystem.set_config('dbs.serialRangeDN', 'ou=keyRepository,ou=ranges')
+
+ if key_id_generator == 'legacy2':
+ serial_dn = 'ou=keyRepository,ou=ranges_v2'
+ else:
+ serial_dn = 'ou=keyRepository,ou=ranges'
+ subsystem.set_config('dbs.serialRangeDN', serial_dn)
 
 if config.str2bool(self.mdict['pki_kra_ephemeral_requests']):
 logger.debug('Setting ephemeral requests to true')
diff --git a/base/server/src/main/java/com/netscape/cms/servlet/csadmin/LDAPConfigurator.java b/base/server/src/main/java/com/netscape/cms/servlet/csadmin/LDAPConfigurator.java
index 98dcba0d5cf..c392ef2268c 100644
--- a/base/server/src/main/java/com/netscape/cms/servlet/csadmin/LDAPConfigurator.java
+++ b/base/server/src/main/java/com/netscape/cms/servlet/csadmin/LDAPConfigurator.java
@@ -238,6 +238,18 @@ public LDAPEntry getEntry(String dn) throws Exception {
 }
 }
 
+ public void createEntry(String dn, String[] objectClasses) throws Exception {
+
+ logger.info("Adding " + dn);
+
+ LDAPAttributeSet attrs = new LDAPAttributeSet();
+ attrs.add(new LDAPAttribute("objectClass", objectClasses));
+
+ LDAPEntry entry = new LDAPEntry(dn, attrs);
+
+ connection.add(entry);
+ }
+
 public void validateDatabaseOwnership(String database, String baseDN) throws Exception {
 
 logger.info("Validating database " + database + " is owned by " + baseDN);
diff --git a/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBInitCLI.java b/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBInitCLI.java
index dcbef764f65..bdfd148ed57 100644
--- a/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBInitCLI.java
+++ b/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBInitCLI.java
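Review bot: `createEntry` adds the entry with only an `objectClass` attribute, whereas the `create.ldif` entries this commit removes also carried the RDN attribute explicitly (`ou: requests`, `ou: certificateRepository`); `organizationalUnit` requires `ou`, so the add now depends on the directory server filling in the RDN value from the DN, which should be confirmed for the supported 389 DS versions or made explicit by passing the RDN attribute along with the object classes. The method is also public API on LDAPConfigurator with no Javadoc; something like `/** Adds a new entry carrying only the given object classes; fails with an LDAP error if the DN already exists. */` plus `@param`/`@throws` tags would document the contract that the new SubsystemDBInitCLI callers rely on.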
@@ -7,13 +7,16 @@
 
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.Option;
+import org.apache.commons.lang3.StringUtils;
 import org.dogtagpki.cli.CLI;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import com.netscape.cms.servlet.csadmin.LDAPConfigurator;
 import com.netscape.cmscore.apps.CMS;
+import com.netscape.cmscore.apps.DatabaseConfig;
 import com.netscape.cmscore.apps.EngineConfig;
+import com.netscape.cmscore.dbs.Repository.IDGenerator;
 import com.netscape.cmscore.ldapconn.LDAPConfig;
 import com.netscape.cmscore.ldapconn.LDAPConnectionConfig;
 import com.netscape.cmscore.ldapconn.LdapAuthInfo;
@@ -21,6 +24,7 @@
 import com.netscape.cmscore.ldapconn.LdapConnInfo;
 import com.netscape.cmscore.ldapconn.PKISocketConfig;
 import com.netscape.cmscore.ldapconn.PKISocketFactory;
+import com.netscape.cmscore.request.RequestRepository;
 import com.netscape.cmsutil.password.PasswordStore;
 import com.netscape.cmsutil.password.PasswordStoreConfig;
 
@@ -31,10 +35,17 @@ public class SubsystemDBInitCLI extends SubsystemCLI {
 
 public static Logger logger = LoggerFactory.getLogger(SubsystemDBInitCLI.class);
 
+ protected IDGenerator requestIDGenerator;
+ protected IDGenerator serialIDGenerator;
+
 public SubsystemDBInitCLI(CLI parent) {
 super("init", "Initialize " + parent.getParent().getName().toUpperCase() + " database", parent);
 }
 
+ public SubsystemDBInitCLI(String name, String description, CLI parent) {
+ super(name, description, parent);
+ }
+
 @Override
 public void createOptions() {
 
@@ -56,6 +67,78 @@ public void createOptions() {
 options.addOption(null, "help", false, "Show help message.");
 }
 
+ public void init(DatabaseConfig dbConfig) throws Exception {
+
+ String value = dbConfig.getString(
+ RequestRepository.PROP_REQUEST_ID_GENERATOR,
+ RequestRepository.DEFAULT_REQUEST_ID_GENERATOR);
+ requestIDGenerator = IDGenerator.fromString(value);
+ }
+
+ public void createRangesSubtree(
+ LDAPConfig ldapConfig,
+ LDAPConfigurator ldapConfigurator) throws Exception {
+
+ if (requestIDGenerator == IDGenerator.LEGACY_2 ||
+ serialIDGenerator == IDGenerator.LEGACY_2) {
+
+ // create ou=ranges_v2 for SSNv2
+ ldapConfigurator.createEntry(
+ "ou=ranges_v2," + ldapConfig.getBaseDN(),
+ new String[] { "organizationalUnit" });
+ return;
+ }
+
+ // ou=ranges for SSNv1 is defined in create.ldif so it will
+ // be created automatically
+ }
+
+ public void createRequestRangesSubtree(
+ LDAPConfig ldapConfig,
+ DatabaseConfig dbConfig,
+ LDAPConfigurator ldapConfigurator) throws Exception {
+
+ String requestRangeRDN = dbConfig.getRequestRangeDN();
+
+ if (StringUtils.isEmpty(requestRangeRDN)) {
+ // dbs.requestRangeDN only exists in CA and KRA
+ return;
+ }
+
+ if (requestIDGenerator == IDGenerator.RANDOM) {
+ return;
+ }
+
+ // create ou=requests,ou=ranges for SSNv1 or
+ // ou=requests,ou=ranges_v2 for SSNv2
+ ldapConfigurator.createEntry(
+ requestRangeRDN + "," + ldapConfig.getBaseDN(),
+ new String[] { "organizationalUnit" });
+ }
+
+ public void createSerialRangesSubtree(
+ LDAPConfig ldapConfig,
+ DatabaseConfig dbConfig,
+ LDAPConfigurator ldapConfigurator) throws Exception {
+
+ String serialRangeRDN = dbConfig.getSerialRangeDN();
+
+ if (StringUtils.isEmpty(serialRangeRDN)) {
+ // dbs.serialRangeDN only exists in CA and KRA
+ return;
+ }
+
+ if (serialIDGenerator == IDGenerator.RANDOM) {
+ return;
+ }
+
+ // create ou=certificateRepository,ou=ranges for SSNv1 or
+ // ou=certificateRepository,ou=ranges_v2 for SSNv2
+ ldapConfigurator.createEntry(
+ serialRangeRDN + "," + ldapConfig.getBaseDN(),
+ new String[] { "organizationalUnit" });
+ }
+
 @Override
 public void execute(CommandLine cmd) throws Exception {
 
@@ -90,6 +173,9 @@ public void execute(CommandLine cmd) throws Exception {
 LdapBoundConnection conn = new LdapBoundConnection(socketFactory, connInfo, authInfo);
 LDAPConfigurator ldapConfigurator = new LDAPConfigurator(conn, ldapConfig);
 
+ DatabaseConfig dbConfig = cs.getDatabaseConfig();
+ init(dbConfig);
+
 try {
 if (!cmd.hasOption("skip-config")) {
 ldapConfigurator.configureServer();
@@ -105,6 +191,11 @@ public void execute(CommandLine cmd) throws Exception {
 
 if (!cmd.hasOption("skip-containers")) {
 ldapConfigurator.createContainers(subsystem);
+
+ createRangesSubtree(ldapConfig, ldapConfigurator);
+ createRequestRangesSubtree(ldapConfig, dbConfig, ldapConfigurator);
+ createSerialRangesSubtree(ldapConfig, dbConfig, ldapConfigurator);
+
 ldapConfigurator.setupACL(subsystem);
 }
 
diff --git a/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemRangeUpdateCLI.java b/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemRangeUpdateCLI.java
index 3578dabeeed..0a3f5c05e2e 100644
--- a/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemRangeUpdateCLI.java
+++ b/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemRangeUpdateCLI.java
@@ -38,7 +38,8 @@ public class SubsystemRangeUpdateCLI extends SubsystemCLI {
 
 public static final Logger logger = LoggerFactory.getLogger(SubsystemRangeUpdateCLI.class);
 
- protected IDGenerator idGenerator;
+ protected IDGenerator requestIDGenerator;
+ protected IDGenerator serialIDGenerator;
 
 public SubsystemRangeUpdateCLI(CLI parent) {
 super("update", "Update " + parent.getParent().getName().toUpperCase() + " ranges", parent);
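Review bot: `createRangesSubtree`, `createRequestRangesSubtree` and `createSerialRangesSubtree` call `createEntry` unconditionally, so a second `db-init` run against an instance that already holds `ou=ranges_v2` or its children (or a clone whose replica already carries them) throws at the first entry-already-exists error; probing with `ldapConfigurator.getEntry(dn)` from the same class before each add, or tolerating that LDAP result code inside `createEntry`, would make the command rerunnable like the rest of the container setup. The comment `// ou=ranges for SSNv1 is defined in create.ldif` is a claim these hunks cannot confirm, since this commit removes the child entries from `create.ldif` and the parent entry is outside the diff, and the early `return` after creating `ou=ranges_v2` reads as if the v1 subtree were skipped in the mixed case where only one generator is LEGACY_2; dropping the `return` and placing the comment above the `if` says what actually happens. The base `init` only assigns `requestIDGenerator`, so a Javadoc such as `/** Loads the request ID generator from the dbs config; subclasses owning a serial repository must override this and also set serialIDGenerator, which stays null here. */` would make the subclass contract explicit.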
@@ -56,6 +57,14 @@ public void createOptions() {
 options.addOption(option);
 }
 
+ public void init(DatabaseConfig dbConfig) throws Exception {
+
+ String value = dbConfig.getString(
+ RequestRepository.PROP_REQUEST_ID_GENERATOR,
+ RequestRepository.DEFAULT_REQUEST_ID_GENERATOR);
+ requestIDGenerator = IDGenerator.fromString(value);
+ }
+
 @Override
 public void execute(CommandLine cmd) throws Exception {
 
@@ -85,6 +94,7 @@ public void execute(CommandLine cmd) throws Exception {
 socketFactory.init(socketConfig);
 
 DatabaseConfig dbConfig = cs.getDatabaseConfig();
+ init(dbConfig);
 
 updateSerialNumberRange(
 socketFactory,
@@ -108,11 +118,16 @@ public void updateSerialNumberRange(
 DatabaseConfig dbConfig,
 String baseDN) throws Exception {
 
+ if (serialIDGenerator == IDGenerator.RANDOM) {
+ logger.info("No need to update serial number range");
+ return;
+ }
+
 LdapBoundConnection conn = new LdapBoundConnection(socketFactory, connInfo, authInfo);
 
 try {
 BigInteger endSerialNumber;
- if (idGenerator == IDGenerator.LEGACY_2) {
+ if (serialIDGenerator == IDGenerator.LEGACY_2) {
 endSerialNumber = dbConfig.getBigInteger(DatabaseConfig.MAX_SERIAL_NUMBER);
 } else {
 // parse the end of current cert range as decimal
@@ -142,12 +157,7 @@ public void updateRequestNumberRange(
 DatabaseConfig dbConfig,
 String baseDN) throws Exception {
 
- String value = dbConfig.getString(
- RequestRepository.PROP_REQUEST_ID_GENERATOR,
- RequestRepository.DEFAULT_REQUEST_ID_GENERATOR);
- idGenerator = IDGenerator.fromString(value);
-
- if (idGenerator == IDGenerator.RANDOM) {
+ if (requestIDGenerator == IDGenerator.RANDOM) {
 logger.info("No need to update request ID range");
 return;
 }
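Review bot: The new guard at the top of `updateSerialNumberRange` and the `LEGACY_2` test below it read `serialIDGenerator`, but the `init` added in this file only assigns `requestIDGenerator`; for any subsystem that does not override `init` the field stays null, both branches are skipped and the range end is always parsed as decimal. That appears to match the pre-change behaviour, where the old `idGenerator` was presumably still unset when the serial range was updated because only `updateRequestNumberRange` assigned it, but it is now an implicit subclass contract that CARangeUpdateCLI and KRARangeUpdateCLI satisfy only because their overrides call `super.init` first. Add a Javadoc on `init` such as `/** Reads the request ID generator from the dbs config; subclasses with a serial repository must override this, call super, and set serialIDGenerator. */`, and consider logging the selected generators so a null here is visible in the range-update output.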
@@ -158,7 +168,7 @@ public void updateRequestNumberRange(
 logger.info("Updating request ID range");
 
 BigInteger endRequestNumber;
- if (idGenerator == IDGenerator.LEGACY_2) {
+ if (requestIDGenerator == IDGenerator.LEGACY_2) {
 endRequestNumber = dbConfig.getBigInteger(DatabaseConfig.MAX_REQUEST_NUMBER);
 } else {
 // parse the end of current range as decimal