private String remove_from_ldap(String dn) {
CMS.debug("UpdateDomainXML: delete_from_ldap: starting dn: " + dn);
String status = SUCCESS;
ILdapConnFactory connFactory = null;
LDAPConnection conn = null;
IConfigStore cs = CMS.getConfigStore();
try {
IConfigStore ldapConfig = cs.getSubStore("internaldb");
connFactory = CMS.getLdapBoundConnFactory("UpdateDomainXML");
connFactory.init(ldapConfig);
conn = connFactory.getConn();
conn.delete(dn);
} catch (LDAPException e) {
int resultCode = e.getLDAPResultCode();
if (resultCode != LDAPException.NO_SUCH_OBJECT) {
status = FAILED;
CMS.debug("Failed to delete entry" + e.toString());
}
} catch (Exception e) {
CMS.debug("Failed to delete entry" + e.toString());
} finally {
try {
if ((conn != null) && (connFactory != null)) {
CMS.debug("Releasing ldap connection");
connFactory.returnConn(conn);
}
} catch (Exception e) {
CMS.debug("Error releasing the ldap connection" + e.toString());
}
}
return status;
}
public boolean isPanelDone() {
IConfigStore cs = CMS.getConfigStore();
try {
String s = cs.getString("preop.cainfo.select", "");
if (s != null && !s.isEmpty()) {
return true;
}
} catch (EBaseException e) {
}
return false;
}
public void update(HttpServletRequest request, HttpServletResponse response, Context context)
throws IOException {
IConfigStore config = CMS.getConfigStore();
String subsystemNick;
try {
subsystemNick = config.getString("preop.cert.subsystem.nickname");
} catch (EBaseException e1) {
e1.printStackTrace();
throw new IOException("Failed to get subsystem certificate nickname");
}
String url = HttpInput.getString(request, "urls");
URI caUri = null;
String parsedURI = url.substring(url.lastIndexOf("http"));
try {
caUri = new URI(parsedURI);
} catch (URISyntaxException e) {
throw new IOException("Invalid URI " + parsedURI);
}
// TODO: get installer from session
TPSInstaller installer = new TPSInstaller();
installer.configureCAConnector(caUri, subsystemNick);
String host = caUri.getHost();
int port = caUri.getPort();
// Note -
// list contains EE port. If admin port is different, it needs to
// be obtained from security domain and used to get the cert chain
/* int admin_port = ConfigurationUtils.getPortFromSecurityDomain(domainXML,
host, port, "CA", "SecurePort", "SecureAdminPort");
*/
try {
ConfigurationUtils.importCertChain(host, port, "/ca/admin/ca/getCertChain", "ca");
} catch (CertificateException
| SAXException
| ParserConfigurationException
| NotInitializedException
| TokenException
| EBaseException e) {
e.printStackTrace();
throw new IOException("Failed to import certificate chain from CA");
}
context.put("updateStatus", "success");
}
private String add_to_ldap(LDAPEntry entry, String dn) {
CMS.debug("UpdateDomainXML: add_to_ldap: starting");
String status = SUCCESS;
ILdapConnFactory connFactory = null;
LDAPConnection conn = null;
IConfigStore cs = CMS.getConfigStore();
try {
IConfigStore ldapConfig = cs.getSubStore("internaldb");
connFactory = CMS.getLdapBoundConnFactory("UpdateDomainXML");
connFactory.init(ldapConfig);
conn = connFactory.getConn();
conn.add(entry);
} catch (LDAPException e) {
if (e.getLDAPResultCode() == LDAPException.ENTRY_ALREADY_EXISTS) {
CMS.debug("UpdateDomainXML: Entry already exists");
try {
conn.delete(dn);
conn.add(entry);
} catch (LDAPException ee) {
CMS.debug("UpdateDomainXML: Error when replacing existing entry " + ee.toString());
status = FAILED;
}
} else {
CMS.debug("UpdateDomainXML: Failed to update ldap domain info. Exception: " + e.toString());
status = FAILED;
}
} catch (Exception e) {
CMS.debug("Failed to add entry" + e.toString());
} finally {
try {
if ((conn != null) && (connFactory != null)) {
CMS.debug("Releasing ldap connection");
connFactory.returnConn(conn);
}
} catch (Exception e) {
CMS.debug("Error releasing the ldap connection" + e.toString());
}
}
return status;
}
public void display(HttpServletRequest request, HttpServletResponse response, Context context) {
String errorString = "";
context.put("title", "CA Information");
context.put("panel", "admin/console/config/cainfopanel.vm");
IConfigStore config = CMS.getConfigStore();
if (isPanelDone()) {
// TODO - put the selected URL in selection box.
// String s = config.getString("preop.cainfo.select");
}
// get CA URLs
Vector<String> v;
try {
v = null;
v = ConfigurationUtils.getUrlListFromSecurityDomain(config, "CA", "SecurePort");
if (v == null) {
errorString =
"No CA found. CA, TKS and optionally DRM "
+ " must be installed prior to TPS installation";
context.put("errorString", errorString);
context.put("preop.cainfo.errorString", errorString);
return;
}
config.putString("preop.ca.list", StringUtils.join(v, ","));
config.commit(false);
} catch (EBaseException | IOException | SAXException | ParserConfigurationException e) {
e.printStackTrace();
errorString = "Failed to get CA information from security domain. " + e;
context.put("errorString", errorString);
context.put("preop.cainfo.errorString", errorString);
return;
}
context.put("urls", v);
context.put("urls_size", v.size());
context.put("errorString", "");
context.put("preop.cainfo.errorString", "");
}
/**
* Process the HTTP request.
*
* <ul>
* <li>http.param op 'downloadBIN' - return the binary certificate chain
* <li>http.param op 'displayIND' - display pretty-print of certificate chain components
* </ul>
*
* @param cmsReq the object holding the request and response information
*/
protected void process(CMSRequest cmsReq) throws EBaseException {
CMS.debug("UpdateDomainXML: processing...");
String status = SUCCESS;
String status2 = SUCCESS;
HttpServletRequest httpReq = cmsReq.getHttpReq();
HttpServletResponse httpResp = cmsReq.getHttpResp();
CMS.debug("UpdateDomainXML process: authentication starts");
IAuthToken authToken = null;
try {
authToken = authenticate(cmsReq);
} catch (Exception e) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_BAD_SERV_OUT_STREAM", "", e.toString()));
outputError(httpResp, AUTH_FAILURE, "Error: Not authenticated", null);
return;
}
if (authToken == null) {
CMS.debug("UpdateDomainXML process: authToken is null");
outputError(httpResp, AUTH_FAILURE, "Error: not authenticated", null);
return;
}
CMS.debug("UpdateDomainXML process: authentication done");
AuthzToken authzToken = null;
try {
authzToken = authorize(mAclMethod, authToken, mAuthzResourceName, "modify");
} catch (EAuthzAccessDenied e) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString()));
outputError(httpResp, "Error: Not authorized");
return;
} catch (Exception e) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString()));
outputError(httpResp, "Error: Encountered problem during authorization.");
return;
}
if (authzToken == null) {
CMS.debug("UpdateDomainXML process: authorization error");
outputError(httpResp, "Error: Not authorized");
return;
}
String list = httpReq.getParameter("list");
String type = httpReq.getParameter("type");
String host = httpReq.getParameter("host");
String name = httpReq.getParameter("name");
String sport = httpReq.getParameter("sport");
String agentsport = httpReq.getParameter("agentsport");
String adminsport = httpReq.getParameter("adminsport");
String eecaport = httpReq.getParameter("eeclientauthsport");
String httpport = httpReq.getParameter("httpport");
String domainmgr = httpReq.getParameter("dm");
String clone = httpReq.getParameter("clone");
String operation = httpReq.getParameter("operation");
// ensure required parameters are present
// especially important for DS syntax checking
String missing = "";
if ((host == null) || host.equals("")) {
missing += " host ";
}
if ((name == null) || name.equals("")) {
missing += " name ";
}
if ((sport == null) || sport.equals("")) {
missing += " sport ";
}
if ((type == null) || type.equals("")) {
missing += " type ";
}
if ((clone == null) || clone.equals("")) {
clone = "false";
}
if (!missing.equals("")) {
CMS.debug(
"UpdateDomainXML process: required parameters:" + missing + "not provided in request");
outputError(httpResp, "Error: required parameters: " + missing + "not provided in request");
return;
}
String auditMessage = null;
String auditSubjectID = auditSubjectID();
String auditParams =
"host;;"
+ host
+ "+name;;"
+ name
+ "+sport;;"
+ sport
+ "+clone;;"
+ clone
+ "+type;;"
+ type;
if (operation != null) {
auditParams += "+operation;;" + operation;
} else {
auditParams += "+operation;;add";
}
String basedn = null;
String secstore = null;
IConfigStore cs = CMS.getConfigStore();
try {
basedn = cs.getString("internaldb.basedn");
secstore = cs.getString("securitydomain.store");
} catch (Exception e) {
CMS.debug(
"Unable to determine security domain name or basedn. Please run the domaininfo migration script");
}
if ((basedn != null) && (secstore != null) && (secstore.equals("ldap"))) {
// update in ldap
LDAPEntry entry = null;
String listName = type + "List";
String cn = host + ":";
if ((adminsport != null) && (adminsport != "")) {
cn += adminsport;
} else {
cn += sport;
}
String dn = "cn=" + cn + ",cn=" + listName + ",ou=Security Domain," + basedn;
CMS.debug("UpdateDomainXML: updating LDAP entry: " + dn);
LDAPAttributeSet attrs = null;
attrs = new LDAPAttributeSet();
attrs.add(new LDAPAttribute("objectclass", "top"));
attrs.add(new LDAPAttribute("objectclass", "pkiSubsystem"));
attrs.add(new LDAPAttribute("cn", cn));
attrs.add(new LDAPAttribute("Host", host));
attrs.add(new LDAPAttribute("SecurePort", sport));
if ((agentsport != null) && (!agentsport.equals(""))) {
attrs.add(new LDAPAttribute("SecureAgentPort", agentsport));
}
if ((adminsport != null) && (!adminsport.equals(""))) {
attrs.add(new LDAPAttribute("SecureAdminPort", adminsport));
}
if ((httpport != null) && (!httpport.equals(""))) {
attrs.add(new LDAPAttribute("UnSecurePort", httpport));
}
if ((eecaport != null) && (!eecaport.equals(""))) {
attrs.add(new LDAPAttribute("SecureEEClientAuthPort", eecaport));
}
if ((domainmgr != null) && (!domainmgr.equals(""))) {
attrs.add(new LDAPAttribute("DomainManager", domainmgr.toUpperCase()));
}
attrs.add(new LDAPAttribute("clone", clone.toUpperCase()));
attrs.add(new LDAPAttribute("SubsystemName", name));
entry = new LDAPEntry(dn, attrs);
if ((operation != null) && (operation.equals("remove"))) {
status = remove_from_ldap(dn);
String adminUserDN;
if ((agentsport != null) && (!agentsport.equals(""))) {
adminUserDN = "uid=" + type + "-" + host + "-" + agentsport + ",ou=People," + basedn;
} else {
adminUserDN = "uid=" + type + "-" + host + "-" + sport + ",ou=People," + basedn;
}
String userAuditParams =
"Scope;;users+Operation;;OP_DELETE+source;;UpdateDomainXML"
+ "+resource;;"
+ adminUserDN;
if (status.equals(SUCCESS)) {
// remove the user for this subsystem's admin
status2 = remove_from_ldap(adminUserDN);
if (status2.equals(SUCCESS)) {
auditMessage =
CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
auditSubjectID,
ILogger.SUCCESS,
userAuditParams);
audit(auditMessage);
// remove this user from the subsystem group
userAuditParams =
"Scope;;groups+Operation;;OP_DELETE_USER"
+ "+source;;UpdateDomainXML"
+ "+resource;;Subsystem Group+user;;"
+ adminUserDN;
dn = "cn=Subsystem Group, ou=groups," + basedn;
LDAPModification mod =
new LDAPModification(
LDAPModification.DELETE, new LDAPAttribute("uniqueMember", adminUserDN));
status2 = modify_ldap(dn, mod);
if (status2.equals(SUCCESS)) {
auditMessage =
CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
auditSubjectID,
ILogger.SUCCESS,
userAuditParams);
} else {
auditMessage =
CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
auditSubjectID,
ILogger.FAILURE,
userAuditParams);
}
audit(auditMessage);
} else { // error deleting user
auditMessage =
CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
auditSubjectID,
ILogger.FAILURE,
userAuditParams);
audit(auditMessage);
}
}
} else {
status = add_to_ldap(entry, dn);
}
} else {
// update the domain.xml file
String path = CMS.getConfigStore().getString("instanceRoot", "") + "/conf/domain.xml";
CMS.debug("UpdateDomainXML: got path=" + path);
try {
// using domain.xml file
CMS.debug("UpdateDomainXML: Inserting new domain info");
XMLObject parser = new XMLObject(new FileInputStream(path));
Node n = parser.getContainer(list);
int count = 0;
if ((operation != null) && (operation.equals("remove"))) {
// delete node
Document doc = parser.getDocument();
NodeList nodeList = doc.getElementsByTagName(type);
int len = nodeList.getLength();
for (int i = 0; i < len; i++) {
Node nn = nodeList.item(i);
Vector<String> v_name = parser.getValuesFromContainer(nn, "SubsystemName");
Vector<String> v_host = parser.getValuesFromContainer(nn, "Host");
Vector<String> v_adminport = parser.getValuesFromContainer(nn, "SecureAdminPort");
if ((v_name.elementAt(0).equals(name))
&& (v_host.elementAt(0).equals(host))
&& (v_adminport.elementAt(0).equals(adminsport))) {
Node parent = nn.getParentNode();
parent.removeChild(nn);
count--;
break;
}
}
} else {
// add node
Node parent = parser.createContainer(n, type);
parser.addItemToContainer(parent, "SubsystemName", name);
parser.addItemToContainer(parent, "Host", host);
parser.addItemToContainer(parent, "SecurePort", sport);
parser.addItemToContainer(parent, "SecureAgentPort", agentsport);
parser.addItemToContainer(parent, "SecureAdminPort", adminsport);
parser.addItemToContainer(parent, "SecureEEClientAuthPort", eecaport);
parser.addItemToContainer(parent, "UnSecurePort", httpport);
parser.addItemToContainer(parent, "DomainManager", domainmgr.toUpperCase());
parser.addItemToContainer(parent, "Clone", clone.toUpperCase());
count++;
}
// update count
String countS = "";
NodeList nlist = n.getChildNodes();
Node countnode = null;
for (int i = 0; i < nlist.getLength(); i++) {
Element nn = (Element) nlist.item(i);
String tagname = nn.getTagName();
if (tagname.equals("SubsystemCount")) {
countnode = nn;
NodeList nlist1 = nn.getChildNodes();
Node nn1 = nlist1.item(0);
countS = nn1.getNodeValue();
break;
}
}
CMS.debug("UpdateDomainXML process: SubsystemCount=" + countS);
try {
count += Integer.parseInt(countS);
} catch (Exception ee) {
}
n.removeChild(countnode);
parser.addItemToContainer(n, "SubsystemCount", "" + count);
// recreate domain.xml
CMS.debug("UpdateDomainXML: Recreating domain.xml");
byte[] b = parser.toByteArray();
FileOutputStream fos = new FileOutputStream(path);
fos.write(b);
fos.close();
} catch (Exception e) {
CMS.debug("Failed to update domain.xml file" + e.toString());
status = FAILED;
}
}
if (status.equals(SUCCESS)) {
auditMessage =
CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE,
auditSubjectID,
ILogger.SUCCESS,
auditParams);
} else {
// what if already exists or already deleted
auditMessage =
CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE,
auditSubjectID,
ILogger.FAILURE,
auditParams);
}
audit(auditMessage);
if (status.equals(SUCCESS) && status2.equals(SUCCESS)) {
status = SUCCESS;
} else {
status = FAILED;
}
try {
// send success status back to the requestor
CMS.debug("UpdateDomainXML: Sending response");
XMLObject xmlObj = new XMLObject();
Node root = xmlObj.createRoot("XMLResponse");
xmlObj.addItemToContainer(root, "Status", status);
byte[] cb = xmlObj.toByteArray();
outputResult(httpResp, "application/xml", cb);
} catch (Exception e) {
CMS.debug("UpdateDomainXML: Failed to send the XML output" + e.toString());
}
}
public void cleanUp() throws IOException {
IConfigStore cs = CMS.getConfigStore();
cs.putString("preop.cainfo.select", "");
}
public CAApplication() {
// account
classes.add(AccountService.class);
// installer
classes.add(CAInstallerService.class);
// sub-ca management
classes.add(AuthorityService.class);
// certs and requests
classes.add(CertService.class);
classes.add(CertRequestService.class);
// profile management
classes.add(ProfileService.class);
// selftests
classes.add(SelfTestService.class);
// user and group management
classes.add(GroupService.class);
classes.add(UserService.class);
// system certs
classes.add(SystemCertService.class);
// kra connector
classes.add(KRAConnectorService.class);
// features
classes.add(FeatureService.class);
// security domain
IConfigStore cs = CMS.getConfigStore();
// check server state
int state;
try {
state = cs.getInteger("cs.state");
} catch (EBaseException e) {
CMS.debug(e);
throw new RuntimeException(e);
}
// if server is configured, check security domain selection
if (state == 1) {
String select;
try {
select = cs.getString("securitydomain.select");
} catch (EBaseException e) {
CMS.debug(e);
throw new RuntimeException(e);
}
// if it's a new security domain, register the service
if ("new".equals(select)) {
classes.add(SecurityDomainService.class);
}
}
// exception mapper
classes.add(PKIExceptionMapper.class);
// interceptors
singletons.add(new SessionContextInterceptor());
singletons.add(new AuthMethodInterceptor());
singletons.add(new ACLInterceptor());
singletons.add(new MessageFormatInterceptor());
}
