From e9861835e3a2bf3456784be2a0f8b8f6b6a69fb2 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Mon, 11 Dec 2023 09:02:04 +0700
Subject: [PATCH] Update test for CA cloning with replicated DS

The test for CA cloning with replicated DS has been updated to import the primary CA's system certs and keys into the secondary CA's NSS database prior to running pkispawn so it's no longer necessary to specify the PKCS #12 path and password for pkispawn. The ConfigurationFile.verify_predefined_configuration_file_data() and initialization.py have been modified such that the PKCS #12 path and password are no longer mandatory for cloning.
---
 .../workflows/ca-clone-replicated-ds-test.yml | 51 +++++++++++--------
 .../python/pki/server/deployment/pkihelper.py | 10 ----
 .../deployment/scriptlets/initialization.py | 16 ++----
 3 files changed, 35 insertions(+), 42 deletions(-)
diff --git a/.github/workflows/ca-clone-replicated-ds-test.yml b/.github/workflows/ca-clone-replicated-ds-test.yml
index 016c3594a2c..be7b57b40a0 100644
--- a/.github/workflows/ca-clone-replicated-ds-test.yml
+++ b/.github/workflows/ca-clone-replicated-ds-test.yml
@@ -69,6 +69,15 @@ jobs: --pkcs12-password Secret.123 docker exec primary pki -n caadmin ca-user-show caadmin + - name: Export system certs and keys from primary CA + run: | + docker exec primary pki-server ca-clone-prepare \ + --pkcs12-file $SHARED/ca-certs.p12 \ + --pkcs12-password Secret.123 + + docker exec primary pki-server cert-export ca_signing \ + --cert-file $SHARED/ca_signing.crt + - name: Set up secondary DS container run: | tests/bin/ds-container-create.sh secondaryds 
@@ -80,6 +89,28 @@ jobs: - name: Connect secondary DS container to network run: docker network connect example secondaryds --alias secondaryds.example.com + - name: Set up secondary PKI container + run: | + tests/bin/runner-init.sh secondary + env: + HOSTNAME: secondary.example.com + + - name: Connect secondary PKI container to network + run: docker network connect example secondary --alias secondary.example.com + + - name: Create secondary PKI server + run: | + docker exec secondary pki-server create + docker exec secondary pki-server nss-create --no-password + + - name: Import system certs and keys into secondary CA + run: | + docker exec secondary pki \ + -d /etc/pki/pki-tomcat/alias \ + pkcs12-import \ + --pkcs12 $SHARED/ca-certs.p12 \ + --password Secret.123 + # https://github.com/dogtagpki/389-ds-base/wiki/Configuring-DS-Replication-with-DS-Tools - name: Preparing DS backend run: |
@@ -218,24 +249,6 @@ jobs: diff primaryds.dn secondaryds.dn - - name: Export certs and keys from primary CA - run: | - docker exec primary pki-server ca-clone-prepare \ - --pkcs12-file $SHARED/ca-certs.p12 \ - --pkcs12-password Secret.123 - - docker exec primary pki-server cert-export ca_signing \ - --cert-file $SHARED/ca_signing.crt - - - name: Set up secondary PKI container - run: | - tests/bin/runner-init.sh secondary - env: - HOSTNAME: secondary.example.com - - - name: Connect secondary PKI container to network - run: docker network connect example secondary --alias secondary.example.com - # https://github.com/dogtagpki/pki/wiki/Installing-CA-Clone-with-Existing-DS - name: Install secondary CA run: |
@@ -246,8 +259,6 @@ jobs: -f /usr/share/pki/server/examples/installation/ca-clone.cfg \ -s CA \ -D pki_cert_chain_path=$SHARED/ca_signing.crt \ - -D pki_clone_pkcs12_path=$SHARED/ca-certs.p12 \ - -D pki_clone_pkcs12_password=Secret.123 \ -D pki_ds_url=ldap://secondaryds.example.com:3389 \ -D pki_ds_setup=False \ -v 
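Review bot: The new "Import system certs and keys into secondary CA" step in the `@@ -80,6 +89,28` hunk never confirms that the keys actually landed in the secondary's NSS database before pkispawn runs, so a failed or partial `pkcs12-import` would only surface later as an opaque pkispawn error; since this import is now the sole source of the clone's system certs (the `pki_clone_pkcs12_*` options are dropped in the `@@ -246,8` hunk), a listing such as `docker exec secondary certutil -L -d /etc/pki/pki-tomcat/alias` right after the import would make the precondition visible in the job log (assuming the NSS tools are present in the runner image, as they are for pkispawn itself). The database that receives the cloned CA's private keys is created with `nss-create --no-password` in the same hunk, which is presumably acceptable for a throwaway CI container, but a one-line comment on that step, `# test-only: the alias DB is created without a token password`, would stop the sequence from being copied verbatim into real clone instructions. The primary-side export these steps depend on lives in the hunk on the previous line, so the import is correctly ordered after it.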
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index 2fbf13831a4..c6ea03c56f5 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -464,16 +464,6 @@ def verify_predefined_configuration_file_data(self): self.confirm_data_exists("pki_https_port") self.confirm_data_exists("pki_tomcat_server_port") - # Check clone parameters for non-HSM clone - if not config.str2bool(self.mdict['pki_hsm_enable']): - - # If system certificates are already provided via - # pki_server_pkcs12, there's no need to provide - # pki_clone_pkcs12. - if not self.mdict['pki_server_pkcs12_path']: - self.confirm_data_exists("pki_clone_pkcs12_path") - self.confirm_file_exists("pki_clone_pkcs12_path") - self.confirm_data_exists("pki_clone_replication_security") elif self.external:
diff --git a/base/server/python/pki/server/deployment/scriptlets/initialization.py b/base/server/python/pki/server/deployment/scriptlets/initialization.py
index 107553f8b3f..a67f6e2886a 100644
--- a/base/server/python/pki/server/deployment/scriptlets/initialization.py
+++ b/base/server/python/pki/server/deployment/scriptlets/initialization.py
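Review bot: Removing the whole non-HSM block also drops `confirm_file_exists("pki_clone_pkcs12_path")` for the case where a caller still supplies `pki_clone_pkcs12_path`, so a mistyped path is no longer caught during pre-flight validation and will fail later in the clone import instead. Keeping the file check conditional on the parameter being set preserves the new optional semantics: `if self.mdict.get('pki_clone_pkcs12_path'): self.confirm_file_exists("pki_clone_pkcs12_path")`. After this change nothing in the clone branch states where the system certs are expected to come from when neither `pki_server_pkcs12_path` nor `pki_clone_pkcs12_path` is given, which is presumably the new pre-imported-NSS-database case; a comment in place of the removed block, `# PKCS #12 clone parameters are optional; the system certs may already be present in the NSS database`, would record that assumption for the next reader. verify_predefined_configuration_file_data starts and ends outside the hunk.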
@@ -73,19 +73,11 @@ def verify_sensitive_data(self, deployer): if configuration_file.clone: - # Verify existence of PKCS #12 Password (ONLY for non-HSM Clones) - if not config.str2bool(deployer.mdict['pki_hsm_enable']): - - # If system certificates are already provided via - # pki_server_pkcs12, there's no need to provide - # pki_clone_pkcs12. - if not deployer.mdict['pki_server_pkcs12_path']: - configuration_file.confirm_data_exists('pki_clone_pkcs12_password') - # Verify absence of all PKCS #12 clone parameters for HSMs - elif (os.path.exists(deployer.mdict['pki_clone_pkcs12_path']) or - ('pki_clone_pkcs12_password' in deployer.mdict and - len(deployer.mdict['pki_clone_pkcs12_password']))): + if config.str2bool(deployer.mdict['pki_hsm_enable']) and \ + (os.path.exists(deployer.mdict['pki_clone_pkcs12_path']) or + ('pki_clone_pkcs12_password' in deployer.mdict and + len(deployer.mdict['pki_clone_pkcs12_password']))): logger.error(log.PKIHELPER_HSM_CLONES_MUST_SHARE_HSM_MASTER_PRIVATE_KEYS) raise Exception( log.PKIHELPER_HSM_CLONES_MUST_SHARE_HSM_MASTER_PRIVATE_KEYS)
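Review bot: The merged HSM condition still indexes `deployer.mdict['pki_clone_pkcs12_path']` directly while the password half of the same expression guards with `'pki_clone_pkcs12_password' in deployer.mdict`; now that the path is no longer a mandatory clone parameter, a configuration without that key would raise KeyError here instead of passing the check, unless mdict is always pre-populated with a default for it. Writing `os.path.exists(deployer.mdict.get('pki_clone_pkcs12_path', ''))` keeps the two halves consistent, since `os.path.exists('')` is False. The non-HSM password check is gone entirely, so a clone that does supply `pki_clone_pkcs12_path` without `pki_clone_pkcs12_password` is no longer rejected here; if that is intended, a comment above the `if`, `# Only HSM clones are validated here; PKCS #12 clone parameters are optional`, would explain the asymmetry. As a point of style, the `and \` backslash continuation could be avoided by wrapping the whole condition in parentheses. verify_sensitive_data starts before this hunk and may continue after the `raise`.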