Compare commits
No commits in common. "stream-pki-core-10.6-rhel-8.9.0" and "c8-stream-10.6" have entirely different histories.
stream-pki
...
c8-stream-
3
.gitignore
vendored
3
.gitignore
vendored
@ -1,2 +1 @@
|
||||
SOURCES/pki-10.14.3.tar.gz
|
||||
/pki-10.14.3.tar.gz
|
||||
SOURCES/pki-10.15.1.tar.gz
|
||||
|
1
.pki-core.metadata
Normal file
1
.pki-core.metadata
Normal file
@ -0,0 +1 @@
|
||||
cd9d17a0853ba94513f9622c675ea610bb209b48 SOURCES/pki-10.15.1.tar.gz
|
@ -1,332 +0,0 @@
|
||||
From 7d62105c676fc79e0c32766c41cd034655a524ff Mon Sep 17 00:00:00 2001
|
||||
From: "Endi S. Dewata" <edewata@redhat.com>
|
||||
Date: Tue, 25 Jan 2022 16:29:53 -0600
|
||||
Subject: [PATCH] Fix pki-healthcheck for clones
|
||||
|
||||
Previously the ClonesConnectivyAndDataCheck.check_kra_clones()
|
||||
was trying to check KRA clone status by retrieving a key using
|
||||
the subsystem cert. This operation did not work since the user
|
||||
associated with the cert did not have access to the keys. The
|
||||
code has been changed to get the status from GetStatus service
|
||||
instead. The original code might be moved into IPA later so it
|
||||
could run with IPA's RA agent credentials which would allow
|
||||
access to the keys.
|
||||
|
||||
Previously the ClonesPlugin.contact_subsystem_using_sslget()
|
||||
used sslget to call GetStatus service and returned the entire
|
||||
output which was then incorrectly processed in XML format. The
|
||||
method has been renamed to get_status() and changed to use
|
||||
PKIConnection and process the response in either JSON or XML
|
||||
format, then only return the subsystem status. All callers
|
||||
have been updated accordingly.
|
||||
|
||||
The ClonesPlugin.contact_subsystem_using_pki() is no longer
|
||||
used so it has been removed.
|
||||
---
|
||||
.../clones/connectivity_and_data.py | 130 ++++++++----------
|
||||
.../pki/server/healthcheck/clones/plugin.py | 75 ++++------
|
||||
base/server/python/pki/server/__init__.py | 8 +-
|
||||
3 files changed, 91 insertions(+), 122 deletions(-)
|
||||
|
||||
diff --git a/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py b/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py
|
||||
index ca5d6dae48..d9bb480f7f 100644
|
||||
--- a/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py
|
||||
+++ b/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py
|
||||
@@ -46,93 +46,83 @@ class ClonesConnectivyAndDataCheck(ClonesPlugin):
|
||||
|
||||
def check_kra_clones(self):
|
||||
for host in self.clone_kras:
|
||||
- cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort
|
||||
- # Reach out and get some keys or requests , to serve as a data and connectivity check
|
||||
+
|
||||
+ url = 'https://' + host.Hostname + ':' + host.SecurePort
|
||||
+
|
||||
try:
|
||||
- client_nick = self.security_domain.config.get('ca.connector.KRA.nickName')
|
||||
-
|
||||
- output = self.contact_subsystem_using_pki(
|
||||
- host.SecurePort, host.Hostname, client_nick,
|
||||
- self.passwd, self.db_dir, 'kra-key-show', ['0x01'])
|
||||
-
|
||||
- # check to see if we either got a key or a key not found exception
|
||||
- # of which either will imply a successful connection
|
||||
- if output is not None:
|
||||
- key_found = output.find('Key ID:')
|
||||
- key_not_found = output.find('KeyNotFoundException:')
|
||||
- if key_found >= 0:
|
||||
- logger.info('Key material found from kra clone.')
|
||||
-
|
||||
- if key_not_found >= 0:
|
||||
- logger.info('key not found, possibly empty kra')
|
||||
-
|
||||
- if key_not_found == -1 and key_found == -1:
|
||||
- logger.info('Failure to get key material from kra')
|
||||
- raise BaseException('KRA clone problem detected ' + cur_clone_msg)
|
||||
- else:
|
||||
- raise BaseException('No data obtained from KRA clone.' + cur_clone_msg)
|
||||
+ status = self.get_status(
|
||||
+ host.Hostname,
|
||||
+ host.SecurePort,
|
||||
+ '/kra/admin/kra/getStatus')
|
||||
|
||||
- except BaseException as e:
|
||||
- logger.error("Internal error testing KRA clone. %s", e)
|
||||
- raise BaseException('Internal error testing KRA clone.' + cur_clone_msg)
|
||||
+ logger.info('KRA at %s is %s', url, status)
|
||||
|
||||
- return
|
||||
+ if status != 'running':
|
||||
+ raise Exception('KRA at %s is %s' % (url, status))
|
||||
+
|
||||
+ except Exception as e:
|
||||
+ logger.error('Unable to reach KRA at %s: %s', url, e)
|
||||
+ raise Exception('Unable to reach KRA at %s: %s' % (url, e))
|
||||
|
||||
def check_ocsp_clones(self):
|
||||
for host in self.clone_ocsps:
|
||||
- cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort
|
||||
- # Reach out to the ocsp clones
|
||||
+
|
||||
+ url = 'https://' + host.Hostname + ':' + host.SecurePort
|
||||
+
|
||||
try:
|
||||
- output = self.contact_subsystem_using_sslget(
|
||||
- host.SecurePort, host.Hostname, None,
|
||||
- self.passwd, self.db_dir, None, '/ocsp/admin/ocsp/getStatus')
|
||||
-
|
||||
- good_status = output.find('<State>1</State>')
|
||||
- if good_status == -1:
|
||||
- raise BaseException('OCSP clone problem detected.' + cur_clone_msg)
|
||||
- logger.info('good_status %s ', good_status)
|
||||
- except BaseException as e:
|
||||
- logger.error("Internal error testing OCSP clone. %s", e)
|
||||
- raise BaseException('Internal error testing OCSP clone.' + cur_clone_msg)
|
||||
+ status = self.get_status(
|
||||
+ host.Hostname,
|
||||
+ host.SecurePort,
|
||||
+ '/ocsp/admin/ocsp/getStatus')
|
||||
|
||||
- return
|
||||
+ logger.info('OCSP at %s is %s', url, status)
|
||||
+
|
||||
+ if status != 'running':
|
||||
+ raise Exception('OCSP at %s is %s' % (url, status))
|
||||
+
|
||||
+ except Exception as e:
|
||||
+ logger.error('Unable to reach OCSP at %s: %s', url, e)
|
||||
+ raise Exception('Unable to reach OCSP at %s: %s' % (url, e))
|
||||
|
||||
def check_tks_clones(self):
|
||||
for host in self.clone_tkss:
|
||||
- cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort
|
||||
- # Reach out to the tks clones
|
||||
+
|
||||
+ url = 'https://' + host.Hostname + ':' + host.SecurePort
|
||||
+
|
||||
try:
|
||||
- output = self.contact_subsystem_using_sslget(
|
||||
- host.SecurePort, host.Hostname, None,
|
||||
- self.passwd, self.db_dir, None, '/tks/admin/tks/getStatus')
|
||||
-
|
||||
- good_status = output.find('<State>1</State>')
|
||||
- if good_status == -1:
|
||||
- raise BaseException('TKS clone problem detected.' + cur_clone_msg)
|
||||
- logger.info('good_status %s ', good_status)
|
||||
- except BaseException as e:
|
||||
- logger.error("Internal error testing TKS clone. %s", e)
|
||||
- raise BaseException('Internal error testing TKS clone.' + cur_clone_msg)
|
||||
+ status = self.get_status(
|
||||
+ host.Hostname,
|
||||
+ host.SecurePort,
|
||||
+ '/tks/admin/tks/getStatus')
|
||||
|
||||
- return
|
||||
+ logger.info('TKS at %s is %s', url, status)
|
||||
+
|
||||
+ if status != 'running':
|
||||
+ raise Exception('TKS at %s is %s' % (url, status))
|
||||
+
|
||||
+ except Exception as e:
|
||||
+ logger.error('Unable to reach TKS at %s: %s', url, e)
|
||||
+ raise Exception('Unable to reach TKS at %s: %s' % (url, e))
|
||||
|
||||
def check_tps_clones(self):
|
||||
for host in self.clone_tpss:
|
||||
- cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort
|
||||
- # Reach out to the tps clones
|
||||
+
|
||||
+ url = 'https://' + host.Hostname + ':' + host.SecurePort
|
||||
+
|
||||
try:
|
||||
- output = self.contact_subsystem_using_sslget(
|
||||
- host.SecurePort, host.Hostname, None,
|
||||
- self.passwd, self.db_dir, None, '/tps/admin/tps/getStatus')
|
||||
-
|
||||
- good_status = output.find('<State>1</State>')
|
||||
- if good_status == -1:
|
||||
- raise BaseException('TPS clone problem detected.' + cur_clone_msg)
|
||||
- logger.info('good_status %s ', good_status)
|
||||
- except BaseException as e:
|
||||
- logger.error("Internal error testing TPS clone. %s", e)
|
||||
- raise BaseException('Internal error testing TPS clone.' + cur_clone_msg)
|
||||
- return
|
||||
+ status = self.get_status(
|
||||
+ host.Hostname,
|
||||
+ host.SecurePort,
|
||||
+ '/tps/admin/tps/getStatus')
|
||||
+
|
||||
+ logger.info('TPS at %s is %s', url, status)
|
||||
+
|
||||
+ if status != 'running':
|
||||
+ raise Exception('TPS at %s is %s' % (url, status))
|
||||
+
|
||||
+ except Exception as e:
|
||||
+ logger.error('Unable to reach TPS at %s: %s', url, e)
|
||||
+ raise Exception('Unable to reach TPS at %s: %s' % (url, e))
|
||||
|
||||
@duration
|
||||
def check(self):
|
||||
diff --git a/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py b/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py
|
||||
index 2472f35b5b..824c36a1a9 100644
|
||||
--- a/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py
|
||||
+++ b/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py
|
||||
@@ -6,6 +6,10 @@
|
||||
# SPDX-License-Identifier: GPL-2.0-or-later
|
||||
#
|
||||
|
||||
+import json
|
||||
+import logging
|
||||
+import xml.etree.ElementTree as ET
|
||||
+
|
||||
from ipahealthcheck.core.plugin import Plugin, Registry
|
||||
from pki.server.instance import PKIInstance
|
||||
from pki.client import PKIConnection
|
||||
@@ -13,9 +17,6 @@ from pki.system import SecurityDomainClient
|
||||
|
||||
from pki.server.healthcheck.core.main import merge_dogtag_config
|
||||
|
||||
-import logging
|
||||
-import subprocess
|
||||
-
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
# Temporary workaround to skip VERBOSE data. Fix already pushed to upstream
|
||||
@@ -46,60 +47,36 @@ class ClonesPlugin(Plugin):
|
||||
|
||||
self.instance = PKIInstance(self.config.instance_name)
|
||||
|
||||
- def contact_subsystem_using_pki(
|
||||
- self, subport, subhost, subsystemnick,
|
||||
- token_pwd, db_path, cmd, exts=None):
|
||||
- command = ["/usr/bin/pki",
|
||||
- "-p", str(subport),
|
||||
- "-h", subhost,
|
||||
- "-n", subsystemnick,
|
||||
- "-P", "https",
|
||||
- "-d", db_path,
|
||||
- "-c", token_pwd,
|
||||
- cmd]
|
||||
-
|
||||
- if exts is not None:
|
||||
- command.extend(exts)
|
||||
-
|
||||
- output = None
|
||||
- try:
|
||||
- output = subprocess.check_output(command, stderr=subprocess.STDOUT)
|
||||
- except subprocess.CalledProcessError as e:
|
||||
- output = e.output.decode('utf-8')
|
||||
- return output
|
||||
+ def get_status(self, host, port, path):
|
||||
|
||||
- output = output.decode('utf-8')
|
||||
+ self.instance.export_ca_cert()
|
||||
|
||||
- return output
|
||||
+ connection = PKIConnection(
|
||||
+ protocol='https',
|
||||
+ hostname=host,
|
||||
+ port=port,
|
||||
+ cert_paths=self.instance.ca_cert)
|
||||
|
||||
- def contact_subsystem_using_sslget(
|
||||
- self, port, host, subsystemnick,
|
||||
- token_pwd, db_path, params, url):
|
||||
+ response = connection.get(path)
|
||||
|
||||
- command = ["/usr/bin/sslget"]
|
||||
+ content_type = response.headers['Content-Type']
|
||||
+ content = response.text
|
||||
+ logger.info('Content:\n%s', content)
|
||||
|
||||
- if subsystemnick is not None:
|
||||
- command.extend(["-n", subsystemnick])
|
||||
+ # https://github.com/dogtagpki/pki/wiki/GetStatus-Service
|
||||
+ if content_type == 'application/json':
|
||||
+ json_response = json.loads(content)
|
||||
+ status = json_response['Response']['Status']
|
||||
|
||||
- command.extend(["-p", token_pwd, "-d", db_path])
|
||||
-
|
||||
- if params is not None:
|
||||
- command.extend(["-e", params])
|
||||
-
|
||||
- command.extend([
|
||||
- "-r", url, host + ":" + port])
|
||||
-
|
||||
- logger.info(' command : %s ', command)
|
||||
- output = None
|
||||
- try:
|
||||
- output = subprocess.check_output(command, stderr=subprocess.STDOUT)
|
||||
- except subprocess.CalledProcessError as e:
|
||||
- output = e.output.decode('utf-8')
|
||||
- return output
|
||||
+ elif content_type == 'application/xml':
|
||||
+ root = ET.fromstring(content)
|
||||
+ status = root.findtext('Status')
|
||||
|
||||
- output = output.decode('utf-8')
|
||||
+ else:
|
||||
+ raise Exception('Unsupported content-type: %s' % content_type)
|
||||
|
||||
- return output
|
||||
+ logger.info('Status: %s', status)
|
||||
+ return status
|
||||
|
||||
def get_security_domain_data(self, host, port):
|
||||
domain_data = None
|
||||
diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
|
||||
index 4fbb74684b..0515bbb197 100644
|
||||
--- a/base/server/python/pki/server/__init__.py
|
||||
+++ b/base/server/python/pki/server/__init__.py
|
||||
@@ -241,6 +241,10 @@ class PKIServer(object):
|
||||
def jss_conf(self):
|
||||
return os.path.join(self.conf_dir, 'jss.conf')
|
||||
|
||||
+ @property
|
||||
+ def ca_cert(self):
|
||||
+ return os.path.join(self.nssdb_dir, 'ca.crt')
|
||||
+
|
||||
def is_valid(self):
|
||||
return self.exists()
|
||||
|
||||
@@ -259,8 +263,6 @@ class PKIServer(object):
|
||||
|
||||
def export_ca_cert(self):
|
||||
|
||||
- ca_path = os.path.join(self.nssdb_dir, 'ca.crt')
|
||||
-
|
||||
token = pki.nssdb.INTERNAL_TOKEN_NAME
|
||||
nickname = self.get_sslserver_cert_nickname()
|
||||
|
||||
@@ -272,7 +274,7 @@ class PKIServer(object):
|
||||
nssdb = self.open_nssdb(token=token)
|
||||
|
||||
try:
|
||||
- nssdb.extract_ca_cert(ca_path, nickname)
|
||||
+ nssdb.extract_ca_cert(self.ca_cert, nickname)
|
||||
finally:
|
||||
nssdb.close()
|
||||
|
||||
--
|
||||
2.33.1
|
||||
|
@ -12,10 +12,10 @@ License: GPLv2 and LGPLv2
|
||||
|
||||
# For development (i.e. unsupported) releases, use x.y.z-0.n.<phase>.
|
||||
# For official (i.e. supported) releases, use x.y.z-r where r >=1.
|
||||
%global release_number 2
|
||||
Version: 10.14.3
|
||||
%global release_number 1
|
||||
Version: 10.15.1
|
||||
Release: %{?release_number}%{?_timestamp}%{?_commit_id}%{?dist}
|
||||
#global _phase
|
||||
#global _phase -alpha1
|
||||
|
||||
# To create a tarball from a version tag:
|
||||
# $ git archive \
|
||||
@ -34,7 +34,6 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver
|
||||
|
||||
# md2man isn't available on i686. Additionally, we aren't generally multi-lib
|
||||
# compatible (https://fedoraproject.org/wiki/Packaging:Java)
|
||||
# md2man has now also been dropped in RHEL 8 so exlcude from RHEL 8+
|
||||
%if ! 0%{?rhel} || 0%{?rhel} >= 8
|
||||
ExcludeArch: i686
|
||||
%endif
|
||||
@ -175,7 +174,7 @@ BuildRequires: zip
|
||||
BuildRequires: %{java_devel}
|
||||
BuildRequires: javapackages-tools
|
||||
BuildRequires: redhat-rpm-config
|
||||
BuildRequires: ldapjdk >= 4.23.0, ldapjdk < 5.0.0
|
||||
BuildRequires: ldapjdk >= 4.24.0, ldapjdk < 5.0.0
|
||||
BuildRequires: apache-commons-cli
|
||||
BuildRequires: apache-commons-codec
|
||||
BuildRequires: apache-commons-io
|
||||
@ -214,8 +213,8 @@ BuildRequires: tomcat
|
||||
|
||||
BuildRequires: junit
|
||||
BuildRequires: jpackage-utils >= 0:1.7.5-10
|
||||
BuildRequires: jss >= 4.9.0, jss < 5.0.0
|
||||
BuildRequires: tomcatjss >= 7.7.0, tomcatjss < 8.0.0
|
||||
BuildRequires: jss >= 4.11.0, jss < 5.0.0
|
||||
BuildRequires: tomcatjss >= 7.8.0, tomcatjss < 8.0.0
|
||||
|
||||
BuildRequires: systemd-units
|
||||
|
||||
@ -334,7 +333,7 @@ Provides: pki-symkey = %{version}-%{release}
|
||||
|
||||
Requires: %{java_headless}
|
||||
Requires: jpackage-utils >= 0:1.7.5-10
|
||||
Requires: jss >= 4.9.0, jss < 5.0.0
|
||||
Requires: jss >= 4.11.0, jss < 5.0.0
|
||||
Requires: nss >= 3.38.0
|
||||
|
||||
# Ensure we end up with a useful installation
|
||||
@ -422,8 +421,8 @@ Requires: glassfish-jaxb-api
|
||||
Requires: slf4j
|
||||
Requires: slf4j-jdk14
|
||||
Requires: jpackage-utils >= 0:1.7.5-10
|
||||
Requires: jss >= 4.9.0, jss < 5.0.0
|
||||
Requires: ldapjdk >= 4.23.0, ldapjdk < 5.0.0
|
||||
Requires: jss >= 4.11.0, jss < 5.0.0
|
||||
Requires: ldapjdk >= 4.24.0, ldapjdk < 5.0.0
|
||||
Requires: %{product_id}-base = %{version}-%{release}
|
||||
|
||||
%if 0%{?rhel} && 0%{?rhel} <= 8
|
||||
@ -511,7 +510,7 @@ Requires(post): systemd-units
|
||||
Requires(preun): systemd-units
|
||||
Requires(postun): systemd-units
|
||||
Requires(pre): shadow-utils
|
||||
Requires: tomcatjss >= 7.7.0, tomcatjss < 8.0.0
|
||||
Requires: tomcatjss >= 7.8.0, tomcatjss < 8.0.0
|
||||
|
||||
# pki-healthcheck depends on the following library
|
||||
%if 0%{?rhel}
|
||||
@ -776,9 +775,9 @@ BuildArch: noarch
|
||||
Obsoletes: pki-console < %{version}-%{release}
|
||||
Provides: pki-console = %{version}-%{release}
|
||||
|
||||
BuildRequires: idm-console-framework >= 1.2.0, idm-console-framework < 2.0.0
|
||||
BuildRequires: idm-console-framework >= 1.4.0, idm-console-framework < 2.0.0
|
||||
|
||||
Requires: idm-console-framework >= 1.2.0, idm-console-framework < 2.0.0
|
||||
Requires: idm-console-framework >= 1.4.0, idm-console-framework < 2.0.0
|
||||
Requires: %{product_id}-base-java = %{version}-%{release}
|
||||
Requires: %{product_id}-console-theme = %{version}-%{release}
|
||||
|
||||
@ -1395,8 +1394,18 @@ fi
|
||||
|
||||
################################################################################
|
||||
%changelog
|
||||
* Thu Mar 21 2024 Red Hat PKI Team <rhcs-maint@redhat.com> 10.14.3-2
|
||||
- RHEL-30063: Replace pki-servlet-engine with tomcat
|
||||
* Fri Jun 14 2024 Red Hat PKI Team <rhcs-maint@redhat.com> 10.15.1-1
|
||||
- Rebase to PKI 10.15.1
|
||||
- Fix CVE 2023-4727
|
||||
|
||||
* Thu Feb 08 2024 Red Hat PKI Team <rhcs-maint@redhat.com> 10.15.0-1
|
||||
- Rebase to PKI 10.15.0
|
||||
|
||||
* Tue Jan 16 2024 Red Hat PKI Team <rhcs-maint@redhat.com> 10.15.0-0.1
|
||||
- Rebase to PKI 10.15.0-alpha1
|
||||
|
||||
* Mon Jan 15 2024 Red Hat PKI Team <rhcs-maint@redhat.com> 10.14.3-2
|
||||
- Replace pki-servlet-engine with tomcat
|
||||
|
||||
* Fri Feb 03 2023 Red Hat PKI Team <rhcs-maint@redhat.com> 10.14.3-1
|
||||
- Rebase to PKI 10.14.3
|
@ -1,9 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
REPO=$1
|
||||
|
||||
if [ "$REPO" == "" ]; then
|
||||
REPO="pki-10.6"
|
||||
fi
|
||||
|
||||
fedpkg copr-build --nowait $REPO
|
@ -1,8 +0,0 @@
|
||||
# recipients: rhcs-team
|
||||
--- !Policy
|
||||
product_versions:
|
||||
- rhel-9
|
||||
decision_context: osci_compose_gate
|
||||
rules:
|
||||
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
|
||||
- !PassingTestCaseRule {test_case_name: idm-ci.brew-build.tier1.functional}
|
@ -1,4 +0,0 @@
|
||||
addFilter('W: spelling-error')
|
||||
addFilter('W: dangling-symlink')
|
||||
addFilter('W: no-manual-page-for-binary')
|
||||
addFilter('W: log-files-without-logrotate')
|
@ -1,6 +0,0 @@
|
||||
---
|
||||
specname:
|
||||
match: suffix
|
||||
runpath:
|
||||
allowed_paths:
|
||||
- /usr/lib64/tps
|
1
sources
1
sources
@ -1 +0,0 @@
|
||||
SHA512 (pki-10.14.3.tar.gz) = ffdd8240bcbfc1c3cd28fecc4eb092767d8afab2df7a9354264081f9c5449f12eb06726045758515b1a27f32af622dca557cc8d370d6c5f5eaaf8d8117b94773
|
@ -1,7 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
SOURCE=$1
|
||||
TARGET=`basename $1`
|
||||
|
||||
cp $SOURCE $TARGET
|
||||
sha512sum --tag $TARGET > sources
|
@ -1,25 +0,0 @@
|
||||
[DEFAULT]
|
||||
pki_server_database_password=Secret.123
|
||||
|
||||
[CA]
|
||||
pki_admin_email=caadmin@example.com
|
||||
pki_admin_name=caadmin
|
||||
pki_admin_nickname=caadmin
|
||||
pki_admin_password=Secret.123
|
||||
pki_admin_uid=caadmin
|
||||
|
||||
pki_client_database_password=Secret.123
|
||||
pki_client_database_purge=False
|
||||
pki_client_pkcs12_password=Secret.123
|
||||
|
||||
pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
|
||||
pki_ds_database=ca
|
||||
pki_ds_password=Secret.123
|
||||
|
||||
pki_security_domain_name=EXAMPLE
|
||||
|
||||
pki_ca_signing_nickname=ca_signing
|
||||
pki_ocsp_signing_nickname=ca_ocsp_signing
|
||||
pki_audit_signing_nickname=ca_audit_signing
|
||||
pki_sslserver_nickname=sslserver
|
||||
pki_subsystem_nickname=subsystem
|
@ -1,24 +0,0 @@
|
||||
#!/bin/bash -ex
|
||||
|
||||
# This command needs to be executed as it pulls the machine name
|
||||
# dynamically.
|
||||
dscreate create-template /tmp/test_dir/ds.inf
|
||||
|
||||
sed -i \
|
||||
-e "s/;instance_name = .*/instance_name = localhost/g" \
|
||||
-e "s/;root_password = .*/root_password = Secret.123/g" \
|
||||
-e "s/;suffix = .*/suffix = dc=example,dc=com/g" \
|
||||
-e "s/;self_sign_cert = .*/self_sign_cert = False/g" \
|
||||
/tmp/test_dir/ds.inf
|
||||
|
||||
dscreate from-file /tmp/test_dir/ds.inf
|
||||
|
||||
ldapadd -h $HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 << EOF
|
||||
dn: dc=example,dc=com
|
||||
objectClass: domain
|
||||
dc: example
|
||||
|
||||
dn: dc=pki,dc=example,dc=com
|
||||
objectClass: domain
|
||||
dc: pki
|
||||
EOF
|
@ -1,27 +0,0 @@
|
||||
[DEFAULT]
|
||||
pki_server_database_password=Secret.123
|
||||
|
||||
[KRA]
|
||||
pki_admin_email=kraadmin@example.com
|
||||
pki_admin_name=kraadmin
|
||||
pki_admin_nickname=kraadmin
|
||||
pki_admin_password=Secret.123
|
||||
pki_admin_uid=kraadmin
|
||||
|
||||
pki_client_database_password=Secret.123
|
||||
pki_client_database_purge=False
|
||||
pki_client_pkcs12_password=Secret.123
|
||||
|
||||
pki_ds_base_dn=dc=kra,dc=pki,dc=example,dc=com
|
||||
pki_ds_database=kra
|
||||
pki_ds_password=Secret.123
|
||||
|
||||
pki_security_domain_name=EXAMPLE
|
||||
pki_security_domain_user=caadmin
|
||||
pki_security_domain_password=Secret.123
|
||||
|
||||
pki_storage_nickname=kra_storage
|
||||
pki_transport_nickname=kra_transport
|
||||
pki_audit_signing_nickname=kra_audit_signing
|
||||
pki_sslserver_nickname=sslserver
|
||||
pki_subsystem_nickname=subsystem
|
@ -1,21 +0,0 @@
|
||||
---
|
||||
|
||||
- name: Install required packages
|
||||
dnf:
|
||||
name: >
|
||||
389-ds-base, pki-ca, pki-kra
|
||||
|
||||
- name: Creates directory
|
||||
file: path=/tmp/test_files state=directory
|
||||
|
||||
- name: Copying templates to /tmp folder
|
||||
copy : src=. dest=/tmp/test_dir
|
||||
|
||||
- name: Setup DS Service
|
||||
shell: sh /tmp/test_dir/ds-create.sh
|
||||
|
||||
- name: Install CA subsystem
|
||||
shell: pkispawn -f /tmp/test_dir/ca.cfg -s CA -v
|
||||
|
||||
- name: Install KRA subsystem
|
||||
shell: pkispawn -f /tmp/test_dir/kra.cfg -s KRA -v
|
@ -1,29 +0,0 @@
|
||||
- hosts: localhost
|
||||
remote_user: root
|
||||
tags:
|
||||
- classic
|
||||
roles:
|
||||
- role: Test_Setup
|
||||
- role: standard-test-basic
|
||||
tests:
|
||||
- verify_spawn_ca:
|
||||
dir: .
|
||||
run: "curl http://localhost:8080/ca/admin/ca/getStatus | grep '\"Status\" : \"running\"'"
|
||||
- verify_spawn_kra:
|
||||
dir: .
|
||||
run: "curl http://localhost:8080/kra/admin/kra/getStatus | grep '\"Status\" : \"running\"'"
|
||||
- destroy_kra:
|
||||
dir: .
|
||||
run: "pkidestroy -i pki-tomcat -s KRA && sleep 5"
|
||||
- verify_destroy_kra:
|
||||
dir: .
|
||||
run: "curl http://localhost:8080/kra/admin/kra/getStatus | grep 'HTTP Status 404'"
|
||||
- destroy_ca:
|
||||
dir: .
|
||||
run: "pkidestroy -i pki-tomcat -s CA"
|
||||
- verify_destroy_ca:
|
||||
dir: .
|
||||
run: "curl http://localhost:8080/ca/admin/ca/getStatus &> testfile.log || true && grep 'Connection refused' testfile.log"
|
||||
required_packages:
|
||||
- pki-ca
|
||||
- pki-kra
|
Loading…
Reference in New Issue
Block a user