Update test for CA cloning with replicated DS

The test for CA cloning with replicated DS has been updated to
import the primary CA's system certs and keys into the secondary
CA's NSS database prior to running pkispawn so it's no longer
necessary to specify the PKCS #12 path and password for pkispawn.

The ConfigurationFile.verify_predefined_configuration_file_data()
and initialization.py have been modified such that the PKCS #12
path and password are no longer mandatory for cloning.

.github/workflows/ca-clone-replicated-ds-test.yml

@@ -69,6 +69,15 @@ jobs:
               --pkcs12-password Secret.123
           docker exec primary pki -n caadmin ca-user-show caadmin
 
+      - name: Export system certs and keys from primary CA
+        run: |
+          docker exec primary pki-server ca-clone-prepare \
+              --pkcs12-file $SHARED/ca-certs.p12 \
+              --pkcs12-password Secret.123
+
+          docker exec primary pki-server cert-export ca_signing \
+              --cert-file $SHARED/ca_signing.crt
+
       - name: Set up secondary DS container
         run: |
           tests/bin/ds-container-create.sh secondaryds
@@ -80,6 +89,28 @@ jobs:
       - name: Connect secondary DS container to network
         run: docker network connect example secondaryds --alias secondaryds.example.com
 
+      - name: Set up secondary PKI container
+        run: |
+          tests/bin/runner-init.sh secondary
+        env:
+          HOSTNAME: secondary.example.com
+
+      - name: Connect secondary PKI container to network
+        run: docker network connect example secondary --alias secondary.example.com
+
+      - name: Create secondary PKI server
+        run: |
+          docker exec secondary pki-server create
+          docker exec secondary pki-server nss-create --no-password
+
+      - name: Import system certs and keys into secondary CA
+        run: |
+          docker exec secondary pki \
+              -d /etc/pki/pki-tomcat/alias \
+              pkcs12-import \
+              --pkcs12 $SHARED/ca-certs.p12 \
+              --password Secret.123
+
       # https://github.com/dogtagpki/389-ds-base/wiki/Configuring-DS-Replication-with-DS-Tools
       - name: Preparing DS backend
         run: |
@@ -218,24 +249,6 @@ jobs:
 
           diff primaryds.dn secondaryds.dn
 
-      - name: Export certs and keys from primary CA
-        run: |
-          docker exec primary pki-server ca-clone-prepare \
-              --pkcs12-file $SHARED/ca-certs.p12 \
-              --pkcs12-password Secret.123
-
-          docker exec primary pki-server cert-export ca_signing \
-              --cert-file $SHARED/ca_signing.crt
-
-      - name: Set up secondary PKI container
-        run: |
-          tests/bin/runner-init.sh secondary
-        env:
-          HOSTNAME: secondary.example.com
-
-      - name: Connect secondary PKI container to network
-        run: docker network connect example secondary --alias secondary.example.com
-
       # https://github.com/dogtagpki/pki/wiki/Installing-CA-Clone-with-Existing-DS
       - name: Install secondary CA
         run: |
@@ -246,8 +259,6 @@ jobs:
               -f /usr/share/pki/server/examples/installation/ca-clone.cfg \
               -s CA \
               -D pki_cert_chain_path=$SHARED/ca_signing.crt \
-              -D pki_clone_pkcs12_path=$SHARED/ca-certs.p12 \
-              -D pki_clone_pkcs12_password=Secret.123 \
               -D pki_ds_url=ldap://secondaryds.example.com:3389 \
               -D pki_ds_setup=False \
               -v

base/server/python/pki/server/deployment/pkihelper.py

@@ -464,16 +464,6 @@ def verify_predefined_configuration_file_data(self):
             self.confirm_data_exists("pki_https_port")
             self.confirm_data_exists("pki_tomcat_server_port")
 
-            # Check clone parameters for non-HSM clone
-            if not config.str2bool(self.mdict['pki_hsm_enable']):
-
-                # If system certificates are already provided via
-                # pki_server_pkcs12, there's no need to provide
-                # pki_clone_pkcs12.
-                if not self.mdict['pki_server_pkcs12_path']:
-                    self.confirm_data_exists("pki_clone_pkcs12_path")
-                    self.confirm_file_exists("pki_clone_pkcs12_path")
-
             self.confirm_data_exists("pki_clone_replication_security")
 
         elif self.external:

base/server/python/pki/server/deployment/scriptlets/initialization.py

@@ -73,19 +73,11 @@ def verify_sensitive_data(self, deployer):
 
         if configuration_file.clone:
 
-            # Verify existence of PKCS #12 Password (ONLY for non-HSM Clones)
-            if not config.str2bool(deployer.mdict['pki_hsm_enable']):
-
-                # If system certificates are already provided via
-                # pki_server_pkcs12, there's no need to provide
-                # pki_clone_pkcs12.
-                if not deployer.mdict['pki_server_pkcs12_path']:
-                    configuration_file.confirm_data_exists('pki_clone_pkcs12_password')
-
             # Verify absence of all PKCS #12 clone parameters for HSMs
-            elif (os.path.exists(deployer.mdict['pki_clone_pkcs12_path']) or
-                    ('pki_clone_pkcs12_password' in deployer.mdict and
-                     len(deployer.mdict['pki_clone_pkcs12_password']))):
+            if config.str2bool(deployer.mdict['pki_hsm_enable']) and \
+                    (os.path.exists(deployer.mdict['pki_clone_pkcs12_path']) or
+                     ('pki_clone_pkcs12_password' in deployer.mdict and
+                      len(deployer.mdict['pki_clone_pkcs12_password']))):
                 logger.error(log.PKIHELPER_HSM_CLONES_MUST_SHARE_HSM_MASTER_PRIVATE_KEYS)
                 raise Exception(
                     log.PKIHELPER_HSM_CLONES_MUST_SHARE_HSM_MASTER_PRIVATE_KEYS)