Compare commits

...

No commits in common. 'c8-stream-10.6' and 'stream-pki-core-10.6-rhel-8.10.0' have entirely different histories.

@ -0,0 +1,3 @@
# pki-core
The pki-core package

@ -0,0 +1,8 @@
--- !Policy
product_versions:
- rhel-8
decision_context: osci_compose_gate_modules
subject_type: redhat-module
rules:
- !PassingTestCaseRule {test_case_name: baseos-ci.redhat-module.tier0.functional}
- !PassingTestCaseRule {test_case_name: idm-ci.redhat-module.tier1.functional}

@ -24,19 +24,24 @@ data:
tracker: https://github.com/dogtagpki/pki/issues
components:
rpms:
resteasy:
rationale: RESTEasy packages
ref: stream-pki-core-10.6-rhel-8.10.0
buildorder: 30
jss:
rationale: JSS packages
ref: stream-pki-10.6-rhel-8.8.0
ref: stream-pki-core-10.6-rhel-8.10.0
buildorder: 50
tomcatjss:
rationale: TomcatJSS packages
ref: stream-pki-core-10.6-rhel-8.10.0
buildorder: 51
ldapjdk:
rationale: LDAP JDK packages
ref: stream-pki-10.6-rhel-8.8.0
buildorder: 1
ref: stream-pki-core-10.6-rhel-8.10.0
buildorder: 52
pki-core:
rationale: PKI Core packages
ref: stream-pki-10.6-rhel-8.8.0
buildorder: 2
tomcatjss:
rationale: TomcatJSS packages
ref: stream-pki-10.6-rhel-8.8.0
buildorder: 1
ref: stream-pki-core-10.6-rhel-8.10.0
buildorder: 53
...

@ -0,0 +1,56 @@
#common to all subsystems
MASTER_HOSTNAME = 'pki1.example.com'
CLONE_HOSTNAME = 'pki2.example.com'
CLIENT_PKCS12_PASSWORD = 'SECret.123'
CLIENT_DIR_PASSWORD = 'SECret.123'
BACKUP_PASSWORD = 'SECret.123'
CLIENT_DATABASE_PASSWORD = 'SECret.123'
NSSDB = '/opt/pki/certdb'
#CA Instance
CA_HTTPS_PORT = '20443'
CA_HTTP_PORT = '20080'
CA_AJP_PORT = '20009'
CA_TOMCAT_PORT = '20005'
CA_CLIENT_DIR = '/opt/topology-CA'
CA_INSTANCE_NAME = 'topology-CA'
SECURITY_DOMAIN_PASSWORD = 'SECret.123'
CA_PASSWORD = 'SECret.123'
CA_SECURITY_DOMAIN_NAME = 'topology_Foobarmaster.org'
CA_ADMIN_USERNAME = 'caadmin'
CA_ADMIN_NICK = 'PKI CA Administrator for Example.Org'
#KRA Instance
KRA_INSTANCE_NAME = 'topology-KRA'
KRA_HTTPS_PORT = 21443
KRA_HTTP_PORT = 21080
KRA_AJP_PORT = 21009
KRA_TOMCAT_PORT = 21005
KRA_PASSWORD = 'SECret.123'
KRA_CLIENT_DIR = '/opt/topology-KRA'
KRA_ADMIN_NICK = 'PKI KRA Administrator for Example.Org'
#OCSP Instance
OCSP_INSTANCE_NAME = 'topology-OCSP'
OCSP_HTTPS_PORT = 22443
OCSP_HTTP_PORT = 22080
OCSP_AJP_PORT = 22009
OCSP_TOMCAT_PORT = 22005
OCSP_PASSWORD = 'SECret.123'
OCSP_CLIENT_DIR = '/opt/topology-OCSP'
OCSP_ADMIN_NICK = 'PKI OCSP Administrator for Example.Org'
#TKS Instance
TKS_INSTANCE_NAME = 'topology-TKS'
TKS_HTTPS_PORT = 23443
TKS_HTTP_PORT = 23080
TKS_AJP_PORT = 23009
TKS_TOMCAT_PORT = 23005
TKS_PASSWORD = 'SECret.123'
TKS_CLIENT_DIR = '/opt/topology-TKS'
#TPS instance
TPS_INSTANCE_NAME = 'topology-TPS'
TPS_HTTPS_PORT = '25443'
TPS_HTTP_PORT = '25080'
TPS_AJP_PORT = '25009'
TPS_TOMCAT_PORT = '25005'
TPS_PASSWORD = 'SECret.123'
TPS_CLIENT_DIR = '/opt/topology-TPS'
TPS_ADMIN_NICK = 'PKI TPS Administrator for Example.Org'

@ -0,0 +1,79 @@
#!/bin/sh
#Generate Noise using Openssl
echo "Defining variables "
tks_password="/tmp/tkspassword.txt"
tps_password="/tmp/tpspassword.txt"
tks_alias="/var/lib/pki/$1-TKS/alias"
tps_alias="/var/lib/pki/$1-TPS/alias"
tks_noise="/tmp/tks_noise"
tks_shared_secret="sharedSecret"
tks_conf="/var/lib/pki/$1-TKS/tks/conf/CS.cfg"
tps_conf="/var/lib/pki/$1-TPS/tps/conf/CS.cfg"
tps_input_file="/tmp/tps-input.txt"
tks_secret_output="/tmp/secret"
tks_input_file="/tmp/tks-input.txt"
tks_input="proceed\r\n"
tks_secret_output="/tmp/sharedSecret.out"
tps_key_import_status="/tmp/sharedSecretImport.out"
echo "proceed\r\n" > $tks_input_file
echo "Generate Noise using OpenSSL"
openssl rand -hex 2048 | perl -p -e 's/\n//' > $tks_noise
cat /var/lib/pki/$1-TKS/conf/password.conf | sed 's/^internal=//' > $tks_password
cat /var/lib/pki/$1-TPS/conf/password.conf | sed 's/^internal=//' > $tps_password
echo "Stopping TKS & TPS instance"
systemctl stop pki-tomcatd@$1-TKS.service
systemctl stop pki-tomcatd@$1-TPS.service
echo "Generating shared secret"
/usr/bin/tkstool -D -d $tks_alias -n "TPS-`hostname`-25443 sharedSecret" -f $tks_password
/usr/bin/tkstool -T -d $tks_alias -n $tks_shared_secret -f $tks_password -z $tks_noise > $tks_secret_output < $tks_input_file
/usr/bin/tkstool -L -d $tks_alias -n $tks_shared_secret -f $tks_password > /tmp/sharedSecretList1.out
grep "$tks_shared_secret" /tmp/sharedSecretList1.out
first_session_tmp1=$(cat $tks_secret_output | grep -A1 "first\ssession\skey\sshare:")
first_session_tmp2=$(echo $first_session_tmp1 | sed 's/^first session key share://')
first_session_key=$(echo ${first_session_tmp2%% })
first_session_KCV_tmp1=$(cat $tks_secret_output | grep "first\ssession\skey\sshare\sKCV:")
first_session_KCV_tmp2=$(echo $first_session_KCV_tmp1 | sed 's/^first session key share KCV://')
first_session_KCV_key=$(echo ${first_session_KCV_tmp2%% })
second_session_tmp1=$(cat $tks_secret_output | grep -A1 "second\ssession\skey\sshare:")
second_session_tmp2=$(echo $second_session_tmp1 | sed 's/^second session key share://')
second_session_key=$(echo ${second_session_tmp2%% })
second_session_KCV_tmp1=$(cat $tks_secret_output | grep "second\ssession\skey\sshare\sKCV:")
second_session_KCV_tmp2=$(echo $second_session_KCV_tmp1 | sed 's/^second session key share KCV://')
second_session_KCV_key=$(echo ${second_session_KCV_tmp2%% })
third_session_tmp1=$(cat $tks_secret_output | grep -A1 "third\ssession\skey\sshare:")
third_session_tmp2=$(echo $third_session_tmp1 | sed 's/^third session key share://')
third_session_key=$(echo ${third_session_tmp2%% })
third_session_KCV_tmp1=$(cat $tks_secret_output | grep "third\ssession\skey\sshare\sKCV:")
third_session_KCV_tmp2=$(echo $third_session_KCV_tmp1 | sed 's/^third session key share KCV://')
third_session_KCV_key=$(echo ${third_session_KCV_tmp2%% })
sed -i -e "/tps.0.nickname=/s/=.*/=$tks_shared_secret/g" $tks_conf
sed -i -e "/tks.tksSharedSymKeyName=/s/=.*/=$tks_shared_secret/g" $tks_conf
echo "Restart $1-TKS instance"
systemctl restart pki-tomcatd@$1-TKS.service
echo "proceed\r\n" > $tps_input_file
echo "$first_session_key\r\n" >> $tps_input_file
echo "\r\n" >> $tps_input_file
echo "$first_session_KCV_key\r\n" >> $tps_input_file
echo "proceed\r\n" >> $tps_input_file
echo "proceed\r\n" >> $tps_input_file
echo "$second_session_key\r\n" >> $tps_input_file
echo "\r\n" >> $tps_input_file
echo "$second_session_KCV_key\r\n" >> $tps_input_file
echo "proceed\r\n" >> $tps_input_file
echo "proceed\r\n" >> $tps_input_file
echo "$third_session_key\r\n" >> $tps_input_file
echo "\r\n" >> $tps_input_file
echo "$third_session_KCV_key\r\n" >> $tps_input_file
echo "proceed\r\n" >> $tps_input_file
/usr/bin/tkstool -I -d $tps_alias -n $tks_shared_secret -f $tps_password < $tps_input_file > $tps_key_import_status
/usr/bin/tkstool -L -d $tps_alias -n $tks_shared_secret -f $tps_password > /tmp/sharedSecretList2.out
grep "$tks_shared_secret" /tmp/sharedSecretList2.out
sed -i -e "/tps.connector.tks1.tksSharedSymKeyName=/s/=.*/=$tks_shared_secret/g" $tps_conf
sed -i -e "/conn.tks1.tksSharedSymKeyName=/s/=.*/=$tks_shared_secret/g" $tps_conf
echo "Restart $1-TPS instance"
systemctl restart pki-tomcatd@$1-TPS.service

@ -0,0 +1,56 @@
#common to all subsystems
MASTER_HOSTNAME = 'pki1.example.com'
CLONE_HOSTNAME = 'pki2.example.com'
CLIENT_PKCS12_PASSWORD = 'SECret.123'
CLIENT_DIR_PASSWORD = 'SECret.123'
BACKUP_PASSWORD = 'SECret.123'
CLIENT_DATABASE_PASSWORD = 'SECret.123'
NSSDB = '/opt/pki/certdb'
#CA Instance
CA_HTTPS_PORT = '20443'
CA_HTTP_PORT = '20080'
CA_AJP_PORT = '20009'
CA_TOMCAT_PORT = '20005'
CA_CLIENT_DIR = '/opt/topology-CA'
CA_INSTANCE_NAME = 'topology-CA'
SECURITY_DOMAIN_PASSWORD = 'SECret.123'
CA_PASSWORD = 'SECret.123'
CA_SECURITY_DOMAIN_NAME = 'topology_Foobarmaster.org'
CA_ADMIN_USERNAME = 'caadmin'
CA_ADMIN_NICK = 'PKI CA Administrator for Example.Org'
#KRA Instance
KRA_INSTANCE_NAME = 'topology-KRA'
KRA_HTTPS_PORT = 21443
KRA_HTTP_PORT = 21080
KRA_AJP_PORT = 21009
KRA_TOMCAT_PORT = 21005
KRA_PASSWORD = 'SECret.123'
KRA_CLIENT_DIR = '/opt/topology-KRA'
KRA_ADMIN_NICK = 'PKI KRA Administrator for Example.Org'
#OCSP Instance
OCSP_INSTANCE_NAME = 'topology-OCSP'
OCSP_HTTPS_PORT = 22443
OCSP_HTTP_PORT = 22080
OCSP_AJP_PORT = 22009
OCSP_TOMCAT_PORT = 22005
OCSP_PASSWORD = 'SECret.123'
OCSP_CLIENT_DIR = '/opt/topology-OCSP'
OCSP_ADMIN_NICK = 'PKI OCSP Administrator for Example.Org'
#TKS Instance
TKS_INSTANCE_NAME = 'topology-TKS'
TKS_HTTPS_PORT = 23443
TKS_HTTP_PORT = 23080
TKS_AJP_PORT = 23009
TKS_TOMCAT_PORT = 23005
TKS_PASSWORD = 'SECret.123'
TKS_CLIENT_DIR = '/opt/topology-TKS'
#TPS instance
TPS_INSTANCE_NAME = 'topology-TPS'
TPS_HTTPS_PORT = '25443'
TPS_HTTP_PORT = '25080'
TPS_AJP_PORT = '25009'
TPS_TOMCAT_PORT = '25005'
TPS_PASSWORD = 'SECret.123'
TPS_CLIENT_DIR = '/opt/topology-TPS'
TPS_ADMIN_NICK = 'PKI TPS Administrator for Example.Org'

@ -0,0 +1,3 @@
- name: Inclue pki-core handlers
include: pki-core.yml
tags: pki-core

@ -0,0 +1,54 @@
- name: STOPCA
service:
name: pki-tomcatd@{{ topology }}-CA
state: stopped
- name: STARTCA
service:
name: pki-tomcatd@{{ topology }}-CA
state: started
- name: STOPKRA
service:
name: pki-tomcatd@{{ topology }}-KRA
state: stopped
- name: STARTKRA
service:
name: pki-tomcatd@{{ topology }}-KRA
state: started
- name: STOPOCSP
service:
name: pki-tomcatd@{{ topology }}-OCSP
state: stopped
- name: STARTOCSP
service:
name: pki-tomcatd@{{ topology }}-OCSP
state: started
- name: STOPTKS
service:
name: pki-tomcatd@{{ topology }}-TKS
state: stopped
- name: STARTTKS
service:
name: pki-tomcatd@{{ topology }}-TKS
state: started
- name: STOPTPS
service:
name: pki-tomcatd@{{ topology }}-TPS
state: stopped
- name: STARTTPS
service:
name: pki-tomcatd@{{ topology }}-TPS
state: started
- name: INC_CONSTANTS
include_vars:
file: /tmp/test_dir/constants.yml
name: variable

@ -0,0 +1,18 @@
- name: Install CA master
shell: pkispawn -s CA -f /tmp/test_dir/ca.cfg
- name : Stopping CA Subsystem
shell: systemctl stop pki-tomcatd@{{ topology }}-CA.service
- name: Enable SignedAudit for Subsystem
replace: dest=/etc/pki/{{ topology }}-CA/ca/CS.cfg regexp="log.instance.SignedAudit.logSigning=false" replace="log.instance.SignedAudit.logSigning=true"
- name: Getting certificate nickname for CA CS.cfg
shell: grep "ca.ocsp_signing.nickname" /etc/pki/{{ topology }}-CA/ca/CS.cfg |awk -F"=" ' { print $2 } '
register: nickname_ocsp
- name: Importing client certificate for OCSP
shell: certutil -L -d /var/lib/pki/{{ topology }}-CA/alias -n "{{ nickname_ocsp.stdout }}" -a > /tmp/test_dir/ocsp_signing.crt
- name : Starting CA Subsystem
shell: systemctl start pki-tomcatd@{{ topology }}-CA.service

@ -0,0 +1,80 @@
- name: Disable firewalld before LDAP and Subsystem installation
systemd: state=stopped name=firewalld
when: ansible_distribution == "RedHat" and ansible_distribution_version <= '7.4'
- name : Set hostname for machines Bydefault we choose pki1 for master and pki2 for clones.
hostname: name=pki1.example.com
tags: platform-ci
- name: Install a required package for modify hostname task below
dnf: pkg={{item}} state=latest
with_items:
- libselinux-python
when: ansible_distribution == "Fedora"
- name : Modify hostname for master in /etc/hosts
lineinfile: dest=/etc/hosts regexp='.*{{ inventory_hostname }}$' create=yes insertafter=EOF line="{{ inventory_hostname }} {{ansible_fqdn}}" state=present
tags: platform-ci
- name: install 389-ds-base module rhel8
shell: dnf module enable 389-ds:1.4 -y
when: ansible_distribution == "RedHat" and ansible_distribution_major_version == '8'
- name: install 389-ds-base
shell: dnf -y install 389-ds-base 389-ds-base-snmp 389-ds-base-legacy-tools
when: ansible_distribution == "RedHat" and ansible_distribution_major_version == '8'
- name: install pki-core module rhel8
shell: dnf module enable pki-core:10.6 -y
when: ansible_distribution == "RedHat" and ansible_distribution_major_version == '8'
- name: install pki-core module rhel8
shell: dnf install pki-ca pki-kra -y
when: ansible_distribution == "RedHat" and ansible_distribution_major_version == '8'
- name: Install list of packages for CS Master for Redhat
yum : pkg={{item}} state=latest
with_items:
- redhat-pki
- redhat-pki-console-theme
- redhat-pki-server-theme
- pki-console
- 389-ds-base
- pki-ca
- pki-kra
- pki-ocsp
- pki-tks
- pki-tps
- policycoreutils-python
- expect
- libselinux-python
when: ansible_distribution == "RedHat" and ansible_distribution_version <= '7.6'
tags: platform-ci
- name: Install list of packages for CS Master for Fedora
dnf : pkg={{item}} state=latest
with_items:
- 389-ds-base
- dogtag-pki
- dogtag-pki-console-theme
- dogtag-pki-server-theme
- policycoreutils-python
- expect
when: ansible_distribution == "Fedora"
tags: platform-ci
- name: Check for Removed dependency from mod_revocator and mod_nss.If failes refer BZ 1295276
command: rpm -q {{item}}
with_items:
- mod_revocator
- mod_nss
register: rpm_check
failed_when: "rpm_check.rc == 0"
- name: Check for Removed dependency of perl from pki-server.If fails, refer BZ 1305769
command: rpm -qR pki-server | grep perl
register: rpm_check
failed_when: "rpm_check.rc == 0"
- name: Making constants.py file compatable for including as vars.
shell: sed -e "s/ =/:/g;s/'//g" /tmp/test_dir/constants.py > /tmp/test_dir/constants.yml

@ -0,0 +1,36 @@
- name: Install KRA master
shell: pkispawn -s KRA -f /tmp/test_dir/kra.cfg
- name : Stopping KRA Subsystem
shell: echo "Stopping Subsystem for enabling Audit logging"
notify:
- STOPKRA
- INC_CONSTANTS
- meta: flush_handlers
- name: Enable SignedAudit
replace: dest=/etc/pki/{{ topology }}-KRA/kra/CS.cfg regexp="log.instance.SignedAudit.logSigning=false" replace="log.instance.SignedAudit.logSigning=true"
- name: Enable OCSP for KRA
replace: dest=/etc/pki/{{ topology }}-KRA/server.xml regexp='enableOCSP="false"' replace='enableOCSP="true"'
- name: Pointing KRA to correct OCSP port
replace: dest=/etc/pki/{{ topology }}-KRA/server.xml regexp='([0-9]+)/ca/ocsp' replace={{ variable.CA_HTTP_PORT }}/ca/ocsp
- name: Picking the password in run-time from password.conf of KRA
shell: grep -i "internal=" /etc/pki/{{ topology }}-KRA/password.conf | awk -F"=" ' { print $2 } ' > /tmp/test_dir/certutil_password
- name: Importing OCSP certificate in kra nssdb
shell: certutil -A -d /etc/pki/{{ topology }}-KRA/alias -n "ocspSigningCert cert-pki-ca" -t "C,," -i /tmp/test_dir/ocsp_signing.crt -f /tmp/test_dir/certutil_password
notify:
- STARTKRA
- name: Removing file generated with password
file:
path: "{{ item }}"
state: absent
with_items:
- /tmp/test_dir/certutil_password

@ -0,0 +1,26 @@
- name: add nondefault port to selinux context
shell: |
semanage port -a -t ldap_port_t -p tcp 3389
semanage port -a -t ldap_port_t -p udp 3389
semanage port -l | grep ldap_port_t
when: topology == "topology-02"
- name: Setup DS Service
shell: setup-ds.pl --silent --file=/tmp/test_dir/ldap.cfg
when: topology == "topology-01" or topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05" or topology == "topology-ecc"
- name: Setup DS Service
shell: setup-ds.pl --silent --file=/tmp/test_dir/ldap_kra.cfg
when: topology == "topology-05"
- name: Setup DS Service
shell: setup-ds.pl --silent --file=/tmp/test_dir/ldap_ocsp.cfg
when: topology == "topology-05"
- name: Setup DS Service
shell: setup-ds.pl --silent --file=/tmp/test_dir/ldap_tks.cfg
when: topology == "topology-05"
- name: Setup DS Service
shell: setup-ds.pl --silent --file=/tmp/test_dir/ldap_tps.cfg
when: topology == "topology-05"

@ -0,0 +1,35 @@
- name: sleep
shell: sleep 5s
- name: Install OCSP master
shell: pkispawn -s OCSP -f /tmp/test_dir/ocsp.cfg
- name : Stopping OCSP Subsystem
shell: echo "Stopping Subsystem for enabling Audit logging"
notify:
- STOPOCSP
- name: Enable SignedAudit
replace: dest=/etc/pki/{{ topology }}-OCSP/ocsp/CS.cfg regexp="log.instance.SignedAudit.logSigning=false" replace="log.instance.SignedAudit.logSigning=true"
notify:
- STARTOCSP
- meta: flush_handlers
- name: Enable OCSP
replace: dest=/etc/pki/{{ topology }}-OCSP/server.xml regexp='enableOCSP="false"' replace='enableOCSP="true"'
- name: Picking the password in run-time from password.conf of OCSP.
shell: grep -i "internal=" /etc/pki/{{ topology }}-OCSP/password.conf | awk -F"=" ' { print $2 } ' > /tmp/test_dir/certutil_password
- name: Importing OCSP certificate in ocsp nssdb
shell: certutil -A -d /etc/pki/{{ topology }}-OCSP/alias -n "ocspSigningCert cert-pki-ca" -t "C,," -i /tmp/test_dir/ocsp_signing.crt -f /tmp/test_dir/certutil_password
notify:
- STARTOCSP
- name: Removing file generated with password
file:
path: "{{ item }}"
state: absent
with_items:
- /tmp/test_dir/certutil_password

@ -0,0 +1,19 @@
- name: Install CA master
shell: pkispawn -s CA -f /tmp/test_dir/ca.cfg
- name: Install KRA master
shell: pkispawn -s KRA -f /tmp/test_dir/kra.cfg
- name : Stopping pki-tomcat Instance
shell: systemctl stop pki-tomcatd@pki-tomcat.service
# notify:
# - INC_CONSTANTS
- name: Enable SignedAudit for all subsystem
replace: dest=/etc/pki/pki-tomcat/{{ item }}/CS.cfg regexp="log.instance.SignedAudit.logSigning=false" replace="log.instance.SignedAudit.logSigning=true"
with_items:
- ca
- kra
- name : Starting pki-tomcat Instance
shell: systemctl start pki-tomcatd@pki-tomcat.service

@ -0,0 +1,4 @@
- name: Shared Secret sharing between TPS and TKS
script: test/script {{ topology }}
when: topology == "topology-02" or topology == "topology-05"
tags: platform-ci

@ -0,0 +1,39 @@
- name: Install TKS master
shell: pkispawn -s TKS -f /tmp/test_dir/tks.cfg
- name : Stopping TKS Subsystem
shell: echo "Stopping Subsystem for enabling Audit logging"
notify:
- STOPTKS
- INC_CONSTANTS
- meta: flush_handlers
- name: Enable SignedAudit
replace: dest=/etc/pki/{{ topology }}-TKS/tks/CS.cfg regexp="log.instance.SignedAudit.logSigning=false" replace="log.instance.SignedAudit.logSigning=true"
- name: Enable OCSP for TKS
replace: dest=/etc/pki/{{ topology }}-TKS/server.xml regexp='enableOCSP="false"' replace='enableOCSP="true"'
- name: Pointing TKS to correct OCSP port
replace: dest=/etc/pki/{{ topology }}-TKS/server.xml regexp='([0-9]+)/ca/ocsp' replace={{ variable.CA_HTTP_PORT }}/ca/ocsp
- name: Picking the password in run-time from password.conf of TKS
shell: grep -i "internal=" /etc/pki/{{ topology }}-TKS/password.conf | awk -F"=" ' { print $2 } ' > /tmp/test_dir/certutil_password
- name: Importing OCSP certificate in TKS nssdb
shell: certutil -A -d /etc/pki/{{ topology }}-TKS/alias -n "ocspSigningCert cert-pki-ca" -t "C,," -i /tmp/test_dir/ocsp_signing.crt -f /tmp/test_dir/certutil_password
notify:
- STARTTKS
- meta: flush_handlers
- name: Sleep for a while to start TKS
shell: sleep 3s
- name: Removing file generated with password
file:
path: "{{ item }}"
state: absent
with_items:
- /tmp/test_dir/certutil_password

@ -0,0 +1,34 @@
- name: Install TPS master
shell: pkispawn -s TPS -f /tmp/test_dir/tps.cfg
- name : Stopping TPS Subsystem
shell: echo "Stopping Subsystem for enabling Audit logging"
notify:
- STOPTPS
- INC_CONSTANTS
- meta: flush_handlers
- name: Enable SignedAudit
replace: dest=/etc/pki/{{ topology }}-TPS/tps/CS.cfg regexp="log.instance.SignedAudit.logSigning=false" replace="log.instance.SignedAudit.logSigning=true"
- name: Enable OCSP for TPS
replace: dest=/etc/pki/{{ topology }}-TPS/server.xml regexp='enableOCSP="false"' replace='enableOCSP="true"'
- name: Pointing TPS to correct OCSP port
replace: dest=/etc/pki/{{ topology }}-TPS/server.xml regexp='([0-9]+)/ca/ocsp' replace={{ variable.CA_HTTP_PORT }}/ca/ocsp
- name: Picking the password in run-time from password.conf of TPS
shell: grep -i "internal=" /etc/pki/{{ topology }}-TPS/password.conf | awk -F"=" ' { print $2 } ' > /tmp/test_dir/certutil_password
- name: Importing OCSP certificate in tps nssdb
shell: certutil -A -d /etc/pki/{{ topology }}-TPS/alias -n "ocspSigningCert cert-pki-ca" -t "C,," -i /tmp/test_dir/ocsp_signing.crt -f /tmp/test_dir/certutil_password
notify:
- STARTTPS
- name: Removing file generated with password
file:
path: "{{ item }}"
state: absent
with_items:
- /tmp/test_dir/certutil_password

@ -0,0 +1,11 @@
---
- include: configure_common.yml
when: topology == "topology-00" or topology == "topology-01" or topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05" or topology == "topology-ecc"
- include: configure_ldap.yml
when: topology == "topology-01" or topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05" or topology == "topology-ecc"
- include: configure_shared.yml
when: topology == "topology-01"
- include: configure_ca.yml
when: topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05" or topology == "topology-ecc"
- include: configure_kra.yml
when: topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05" or topology == "topology-ecc"

@ -0,0 +1,75 @@
#common to all subsystems
MASTER_HOSTNAME = 'pki1.example.com'
CLONE_HOSTNAME = 'pki2.example.com'
CLIENT_PKCS12_PASSWORD = 'SECret.123'
CLIENT_DIR_PASSWORD = 'SECret.123'
BACKUP_PASSWORD = 'SECret.123'
CLIENT_DATABASE_PASSWORD = 'SECret.123'
NSSDB = '/opt/pki/certdb'
#CA Instance
CA_HTTPS_PORT = '20443'
CA_HTTP_PORT = '20080'
CA_AJP_PORT = '20009'
CA_TOMCAT_PORT = '20005'
CA_CLIENT_DIR = '/opt/topology-CA'
CA_INSTANCE_NAME = 'topology-CA'
SECURITY_DOMAIN_PASSWORD = 'SECret.123'
CA_PASSWORD = 'SECret.123'
CA_SECURITY_DOMAIN_NAME = 'topology_Foobarmaster.org'
CA_ADMIN_USERNAME = 'caadmin'
CA_ADMIN_NICK = 'PKI CA Administrator for Example.Org'
#KRA Instance
KRA_INSTANCE_NAME = 'topology-KRA'
KRA_HTTPS_PORT = 21443
KRA_HTTP_PORT = 21080
KRA_AJP_PORT = 21009
KRA_TOMCAT_PORT = 21005
KRA_PASSWORD = 'SECret.123'
KRA_CLIENT_DIR = '/opt/topology-KRA'
KRA_ADMIN_NICK = 'PKI KRA Administrator for Example.Org'
#OCSP Instance
OCSP_INSTANCE_NAME = 'topology-OCSP'
OCSP_HTTPS_PORT = 22443
OCSP_HTTP_PORT = 22080
OCSP_AJP_PORT = 22009
OCSP_TOMCAT_PORT = 22005
OCSP_PASSWORD = 'SECret.123'
OCSP_CLIENT_DIR = '/opt/topology-OCSP'
OCSP_ADMIN_NICK = 'PKI OCSP Administrator for Example.Org'
#TKS Instance
TKS_INSTANCE_NAME = 'topology-TKS'
TKS_HTTPS_PORT = 23443
TKS_HTTP_PORT = 23080
TKS_AJP_PORT = 23009
TKS_TOMCAT_PORT = 23005
TKS_PASSWORD = 'SECret.123'
TKS_CLIENT_DIR = '/opt/topology-TKS'
#TPS instance
TPS_INSTANCE_NAME = 'topology-TPS'
TPS_HTTPS_PORT = '25443'
TPS_HTTP_PORT = '25080'
TPS_AJP_PORT = '25009'
TPS_TOMCAT_PORT = '25005'
TPS_PASSWORD = 'SECret.123'
TPS_CLIENT_DIR = '/opt/topology-TPS'
TPS_ADMIN_NICK = 'PKI TPS Administrator for Example.Org'
#LDAP Details
LDAP_PORT = 'ldapServerPort'
LDAP_BIND_DN = 'cn=Directory Manager'
LDAP_PASSWD = 'SECret.123'
LDAP_BASE_DN = 'dc=example,dc=org'
LDAP_KRA_PORT = 'ldapkraServerPort'
LDAP_OCSP_PORT = 'ldapocspServerPort'
LDAP_TKS_PORT = 'ldaptksServerPort'
LDAP_TPS_PORT = 'ldaptpsServerPort'
LDAP_USER = 'foobar'
LDAP_USER_ENROLL = 'testuser'
CUID = '40906145C76224192D2B'
CUID_01 = '40906145C76224192D11'
TPS_OPERATION = 'ra_enroll'
#Details for tps-activity cli automation
LDAP_USER1 = 'jdoe'
TOKEN_FORMAT = 'ra_format'
TOKEN_RESET_PIN = 'ra_reset_pin'
TOKEN_CUID = '40000000000000000002'

@ -0,0 +1,55 @@
[DEFAULT]
pki_instance_name = topology-CA
pki_https_port = capki_https_port
pki_http_port = capki_http_port
pki_token_password = SECret.123
pki_admin_password = SECret.123
pki_admin_key_type=rsa
pki_admin_key_size=2048
pki_admin_key_algorithm=SHA512withRSA
pki_hostname = SERVERNAME
pki_security_domain_name = topology_Foobarmaster.org
pki_security_domain_password = SECret.123
pki_client_dir = /opt/topology-CA
pki_client_pkcs12_password = SECret.123
pki_backup_keys = True
pki_backup_password = SECret.123
pki_ds_password = SECret.123
pki_ds_ldap_port = ldapServerPort
pki_sslserver_key_algorithm=SHA512withRSA
pki_sslserver_key_size=2048
pki_sslserver_key_type=rsa
pki_subsystem_key_type=rsa
pki_subsystem_key_size=2048
pki_subsystem_key_algorithm=SHA512withRSA
pki_audit_signing_key_algorithm=SHA512withRSA
pki_audit_signing_key_size=2048
pki_audit_signing_key_type=rsa
pki_audit_signing_signing_algorithm=SHA512withRSA
[Tomcat]
pki_ajp_port = capki_ajp_port
pki_tomcat_server_port = capki_tomcat_port
[CA]
pki_import_admin_cert = False
pki_ds_hostname = SERVERNAME
pki_admin_nickname = PKI CA Administrator for Example.Org
pki_ca_signing_key_algorithm=SHA512withRSA
pki_ca_signing_key_size=2048
pki_ca_signing_key_type=rsa
pki_ca_signing_signing_algorithm=SHA512withRSA
pki_ocsp_signing_key_algorithm=SHA512withRSA
pki_ocsp_signing_key_size=2048
pki_ocsp_signing_key_type=rsa
pki_ocsp_signing_signing_algorithm=SHA512withRSA

@ -0,0 +1,76 @@
#common to all subsystems
MASTER_HOSTNAME = 'pki1.example.com'
CLONE_HOSTNAME = 'pki2.example.com'
CLIENT_PKCS12_PASSWORD = 'SECret.123'
CLIENT_DIR_PASSWORD = 'SECret.123'
BACKUP_PASSWORD = 'SECret.123'
CLIENT_DATABASE_PASSWORD = 'SECret.123'
NSSDB = '/opt/pki/certdb'
#CA Instance
CA_HTTPS_PORT = 'capki_https_port'
CA_HTTP_PORT = 'capki_http_port'
CA_AJP_PORT = 'capki_ajp_port'
CA_TOMCAT_PORT = 'capki_tomcat_port'
CA_CLIENT_DIR = '/opt/topology-CA'
CA_INSTANCE_NAME = 'topology-CA'
SECURITY_DOMAIN_PASSWORD = 'SECret.123'
CA_PASSWORD = 'SECret.123'
CA_SECURITY_DOMAIN_NAME = 'topology_Foobarmaster.org'
CA_ADMIN_USERNAME = 'caadmin'
CA_ADMIN_NICK = 'PKI CA Administrator for Example.Org'
#KRA Instance
KRA_INSTANCE_NAME = 'topology-KRA'
KRA_HTTPS_PORT = 'krapki_https_port'
KRA_HTTP_PORT = 'krapki_http_port'
KRA_AJP_PORT = 'krapki_ajp_port'
KRA_TOMCAT_PORT = 'krapki_tomcat_server_port'
KRA_PASSWORD = 'SECret.123'
KRA_CLIENT_DIR = '/opt/topology-KRA'
KRA_ADMIN_NICK = 'PKI KRA Administrator for Example.Org'
#OCSP Instance
OCSP_INSTANCE_NAME = 'topology-OCSP'
OCSP_HTTPS_PORT = 'ocsppki_https_port'
OCSP_HTTP_PORT = 'ocsppki_http_port'
OCSP_AJP_PORT = 'ocsppki_ajp_port'
OCSP_TOMCAT_PORT = 'ocsppki_tomcat_server_port'
OCSP_PASSWORD = 'SECret.123'
OCSP_CLIENT_DIR = '/opt/topology-OCSP'
OCSP_ADMIN_NICK = 'PKI OCSP Administrator for Example.Org'
#TKS Instance
TKS_INSTANCE_NAME = 'topology-TKS'
TKS_HTTPS_PORT = 'tkspki_https_port'
TKS_HTTP_PORT = 'tkspki_http_port'
TKS_AJP_PORT = 'tkspki_ajp_port'
TKS_TOMCAT_PORT = 'tkspki_tomcat_server_port'
TKS_PASSWORD = 'SECret.123'
TKS_CLIENT_DIR = '/opt/topology-TKS'
TKS_ADMIN_NICK = 'PKI TKS Administrator for Example.Org'
#TPS instance
TPS_INSTANCE_NAME = 'topology-TPS'
TPS_HTTPS_PORT = 'tpspki_https_port'
TPS_HTTP_PORT = 'tpspki_http_port'
TPS_AJP_PORT = 'tpspki_ajp_port'
TPS_TOMCAT_PORT = 'tpspki_tomcat_server_port'
TPS_PASSWORD = 'SECret.123'
TPS_CLIENT_DIR = '/opt/topology-TPS'
TPS_ADMIN_NICK = 'PKI TPS Administrator for Example.Org'
#LDAP Details
LDAP_PORT = 'ldapServerPort'
LDAP_BIND_DN = 'cn=Directory Manager'
LDAP_PASSWD = 'SECret.123'
LDAP_BASE_DN = 'dc=example,dc=org'
LDAP_KRA_PORT = 'ldapkraServerPort'
LDAP_OCSP_PORT = 'ldapocspServerPort'
LDAP_TKS_PORT = 'ldaptksServerPort'
LDAP_TPS_PORT = 'ldaptpsServerPort'
LDAP_USER = 'foobar'
LDAP_USER_ENROLL = 'testuser'
CUID = '40906145C76224192D2B'
CUID_01 = '40906145C76224192D11'
TPS_OPERATION = 'ra_enroll'
#Details for tps-activity cli automation
LDAP_USER1 = 'jdoe'
TOKEN_FORMAT = 'ra_format'
TOKEN_RESET_PIN = 'ra_reset_pin'
TOKEN_CUID = '40000000000000000002'

@ -0,0 +1,61 @@
[DEFAULT]
pki_instance_name = topology-KRA
pki_https_port = krapki_https_port
pki_http_port = krapki_http_port
pki_token_password = SECret.123
pki_admin_password = SECret.123
pki_admin_key_type=rsa
pki_admin_key_size=2048
pki_admin_key_algorithm=SHA512withRSA
pki_hostname = SERVERNAME
pki_security_domain_hostname = SERVERNAME
pki_security_domain_https_port = secure_domain_port
pki_security_domain_name = topology_Foobarmaster.org
pki_security_domain_password = SECret.123
pki_client_dir = /opt/topology-KRA
pki_client_pkcs12_password = SECret.123
pki_client_database_password = SECret.123
pki_backup_keys = True
pki_backup_password = SECret.123
pki_ds_password = SECret.123
pki_ds_ldap_port = ldapServerPort
pki_sslserver_key_algorithm=SHA512withRSA
pki_sslserver_key_size=2048
pki_sslserver_key_type=rsa
pki_subsystem_key_algorithm=SHA512withRSA
pki_subsystem_key_size=2048
pki_subsystem_key_type=rsa
pki_audit_signing_key_algorithm=SHA512withRSA
pki_audit_signing_key_size=2048
pki_audit_signing_key_type=rsa
pki_audit_signing_signing_algorithm=SHA512withRSA
[Tomcat]
pki_ajp_port = krapki_ajp_port
pki_tomcat_server_port = krapki_tomcat_server_port
[KRA]
pki_import_admin_cert = False
pki_admin_nickname = PKI KRA Administrator for Example.Org
pki_ds_hostname = SERVERNAME
pki_storage_key_algorithm=SHA512withRSA
pki_storage_key_size=2048
pki_storage_key_type=rsa
pki_storage_signing_algorithm=SHA512withRSA
pki_transport_key_algorithm=SHA512withRSA
pki_transport_key_size=2048
pki_transport_key_type=rsa
pki_transport_signing_algorithm=SHA512withRSA

@ -0,0 +1,12 @@
[General]
FullMachineName = SERVERNAME
SuiteSpotUserID = nobody
SuiteSpotGroup = nobody
ConfigDirectoryAdminID = admin
[slapd]
ServerIdentifier = topology-testingmaster
ServerPort = ldapServerPort
Suffix = dc=example,dc=com
RootDN = CN=Directory Manager
RootDNPwd = SECret.123

@ -0,0 +1,56 @@
[DEFAULT]
pki_instance_name = topology-OCSP
pki_https_port = ocsppki_https_port
pki_http_port = ocsppki_http_port
pki_token_password = SECret.123
pki_admin_password = SECret.123
pki_admin_key_type=rsa
pki_admin_key_size=2048
pki_admin_key_algorithm=SHA512withRSA
pki_hostname = SERVERNAME
pki_security_domain_hostname = SERVERNAME
pki_security_domain_name = topology_Foobarmaster.org
pki_security_domain_password = SECret.123
pki_security_domain_https_port = secure_domain_port
pki_client_dir = /opt/topology-OCSP
pki_client_pkcs12_password = SECret.123
pki_client_database_password = SECret.123
pki_backup_keys = True
pki_backup_password = SECret.123
pki_ds_password = SECret.123
pki_ds_ldap_port = ldapServerPort
pki_sslserver_key_algorithm=SHA512withRSA
pki_sslserver_key_size=2048
pki_sslserver_key_type=rsa
pki_subsystem_key_algorithm=SHA512withRSA
pki_subsystem_key_size=2048
pki_subsystem_key_type=rsa
pki_audit_signing_key_type=rsa
pki_audit_signing_key_size=2048
pki_audit_signing_key_algorithm=SHA512withRSA
pki_audit_signing_signing_algorithm=SHA512withRSA
[Tomcat]
pki_ajp_port = ocsppki_ajp_port
pki_tomcat_server_port = ocsppki_tomcat_server_port
[OCSP]
pki_import_admin_cert = False
pki_admin_nickname= PKI OCSP Administrator for Example.Org
pki_ds_hostname = SERVERNAME
pki_ocsp_signing_key_algorithm=SHA512withRSA
pki_ocsp_signing_key_size=2048
pki_ocsp_signing_key_type=rsa
pki_ocsp_signing_signing_algorithm=SHA512withRSA

@ -0,0 +1,79 @@
#!/bin/sh
#Generate Noise using Openssl
echo "Defining variables "
tks_password="/tmp/tkspassword.txt"
tps_password="/tmp/tpspassword.txt"
tks_alias="/var/lib/pki/$1-TKS/alias"
tps_alias="/var/lib/pki/$1-TPS/alias"
tks_noise="/tmp/tks_noise"
tks_shared_secret="sharedSecret"
tks_conf="/var/lib/pki/$1-TKS/tks/conf/CS.cfg"
tps_conf="/var/lib/pki/$1-TPS/tps/conf/CS.cfg"
tps_input_file="/tmp/tps-input.txt"
tks_secret_output="/tmp/secret"
tks_input_file="/tmp/tks-input.txt"
tks_input="proceed\r\n"
tks_secret_output="/tmp/sharedSecret.out"
tps_key_import_status="/tmp/sharedSecretImport.out"
echo "proceed\r\n" > $tks_input_file
echo "Generate Noise using OpenSSL"
openssl rand -hex 2048 | perl -p -e 's/\n//' > $tks_noise
cat /var/lib/pki/$1-TKS/conf/password.conf | sed 's/^internal=//' > $tks_password
cat /var/lib/pki/$1-TPS/conf/password.conf | sed 's/^internal=//' > $tps_password
echo "Stopping TKS & TPS instance"
systemctl stop pki-tomcatd@$1-TKS.service
systemctl stop pki-tomcatd@$1-TPS.service
echo "Generating shared secret"
/usr/bin/tkstool -D -d $tks_alias -n "TPS-`hostname`-25443 sharedSecret" -f $tks_password
/usr/bin/tkstool -T -d $tks_alias -n $tks_shared_secret -f $tks_password -z $tks_noise > $tks_secret_output < $tks_input_file
/usr/bin/tkstool -L -d $tks_alias -n $tks_shared_secret -f $tks_password > /tmp/sharedSecretList1.out
grep "$tks_shared_secret" /tmp/sharedSecretList1.out
first_session_tmp1=$(cat $tks_secret_output | grep -A1 "first\ssession\skey\sshare:")
first_session_tmp2=$(echo $first_session_tmp1 | sed 's/^first session key share://')
first_session_key=$(echo ${first_session_tmp2%% })
first_session_KCV_tmp1=$(cat $tks_secret_output | grep "first\ssession\skey\sshare\sKCV:")
first_session_KCV_tmp2=$(echo $first_session_KCV_tmp1 | sed 's/^first session key share KCV://')
first_session_KCV_key=$(echo ${first_session_KCV_tmp2%% })
second_session_tmp1=$(cat $tks_secret_output | grep -A1 "second\ssession\skey\sshare:")
second_session_tmp2=$(echo $second_session_tmp1 | sed 's/^second session key share://')
second_session_key=$(echo ${second_session_tmp2%% })
second_session_KCV_tmp1=$(cat $tks_secret_output | grep "second\ssession\skey\sshare\sKCV:")
second_session_KCV_tmp2=$(echo $second_session_KCV_tmp1 | sed 's/^second session key share KCV://')
second_session_KCV_key=$(echo ${second_session_KCV_tmp2%% })
third_session_tmp1=$(cat $tks_secret_output | grep -A1 "third\ssession\skey\sshare:")
third_session_tmp2=$(echo $third_session_tmp1 | sed 's/^third session key share://')
third_session_key=$(echo ${third_session_tmp2%% })
third_session_KCV_tmp1=$(cat $tks_secret_output | grep "third\ssession\skey\sshare\sKCV:")
third_session_KCV_tmp2=$(echo $third_session_KCV_tmp1 | sed 's/^third session key share KCV://')
third_session_KCV_key=$(echo ${third_session_KCV_tmp2%% })
sed -i -e "/tps.0.nickname=/s/=.*/=$tks_shared_secret/g" $tks_conf
sed -i -e "/tks.tksSharedSymKeyName=/s/=.*/=$tks_shared_secret/g" $tks_conf
echo "Restart $1-TKS instance"
systemctl restart pki-tomcatd@$1-TKS.service
echo "proceed\r\n" > $tps_input_file
echo "$first_session_key\r\n" >> $tps_input_file
echo "\r\n" >> $tps_input_file
echo "$first_session_KCV_key\r\n" >> $tps_input_file
echo "proceed\r\n" >> $tps_input_file
echo "proceed\r\n" >> $tps_input_file
echo "$second_session_key\r\n" >> $tps_input_file
echo "\r\n" >> $tps_input_file
echo "$second_session_KCV_key\r\n" >> $tps_input_file
echo "proceed\r\n" >> $tps_input_file
echo "proceed\r\n" >> $tps_input_file
echo "$third_session_key\r\n" >> $tps_input_file
echo "\r\n" >> $tps_input_file
echo "$third_session_KCV_key\r\n" >> $tps_input_file
echo "proceed\r\n" >> $tps_input_file
/usr/bin/tkstool -I -d $tps_alias -n $tks_shared_secret -f $tps_password < $tps_input_file > $tps_key_import_status
/usr/bin/tkstool -L -d $tps_alias -n $tks_shared_secret -f $tps_password > /tmp/sharedSecretList2.out
grep "$tks_shared_secret" /tmp/sharedSecretList2.out
sed -i -e "/tps.connector.tks1.tksSharedSymKeyName=/s/=.*/=$tks_shared_secret/g" $tps_conf
sed -i -e "/conn.tks1.tksSharedSymKeyName=/s/=.*/=$tks_shared_secret/g" $tps_conf
echo "Restart $1-TPS instance"
systemctl restart pki-tomcatd@$1-TPS.service

@ -0,0 +1,52 @@
[DEFAULT]
pki_instance_name = topology-TKS
pki_https_port = tkspki_https_port
pki_http_port = tkspki_http_port
pki_token_password = SECret.123
pki_admin_password = SECret.123
pki_admin_key_type=rsa
pki_admin_key_size=2048
pki_admin_key_algorithm=SHA512withRSA
pki_hostname = SERVERNAME
pki_security_domain_hostname = SERVERNAME
pki_security_domain_name = topology_Foobarmaster.org
pki_security_domain_password = SECret.123
pki_security_domain_https_port = secure_domain_port
pki_client_dir = /opt/topology-TKS
pki_client_pkcs12_password = SECret.123
pki_client_database_password = SECret.123
pki_backup_keys = True
pki_backup_password = SECret.123
pki_ds_password = SECret.123
pki_ds_ldap_port = ldapServerPort
pki_subsystem_key_type=rsa
pki_subsystem_key_size=2048
pki_subsystem_key_algorithm=SHA512withRSA
pki_subsystem_signing_algorithm=SHA512withRSA
pki_sslserver_key_type=rsa
pki_sslserver_key_size=2048
pki_sslserver_key_algorithm=SHA512withRSA
pki_sslserver_signing_algorithm=SHA512withRSA
[Tomcat]
pki_ajp_port = tkspki_ajp_port
pki_tomcat_server_port = tkspki_tomcat_server_port
[TKS]
pki_import_admin_cert = False
pki_admin_nickname= PKI TKS Administrator for Example.Org
pki_ds_hostname = SERVERNAME
pki_audit_signing_key_algorithm=SHA512withRSA
pki_audit_signing_key_size=2048
pki_audit_signing_key_type=rsa
pki_audit_signing_signing_algorithm=SHA512withRSA

@ -0,0 +1,34 @@
[DEFAULT]
pki_instance_name = topology-TPS
pki_https_port = tpspki_https_port
pki_http_port = tpspki_http_port
pki_token_password = SECret.123
pki_admin_password = SECret.123
pki_hostname = SERVERNAME
pki_security_domain_hostname = SERVERNAME
pki_security_domain_https_port = secure_domain_port
pki_security_domain_name = topology_Foobarmaster.org
pki_security_domain_password = SECret.123
pki_client_dir = /opt/topology-TPS
pki_client_pkcs12_password = SECret.123
pki_backup_keys = True
pki_backup_password = SECret.123
pki_ds_password = SECret.123
pki_ds_ldap_port = ldapServerPort
pki_client_database_password = SECret.123
[Tomcat]
pki_ajp_port = tpspki_ajp_port
pki_tomcat_server_port = tpspki_tomcat_server_port
[TPS]
pki_import_admin_cert = False
pki_ds_hostname = SERVERNAME
pki_authdb_basedn = ou=People,dc=example,dc=org
pki_authdb_hostname=SERVERNAME
pki_authdb_port=3389
pki_ca_uri=https://SERVERNAME:capki_https_port
pki_tks_uri=https://SERVERNAME:tkspki_https_port
pki_kra_uri=https://SERVERNAME:krapki_https_port
pki_admin_nickname=PKI TPS Administrator for Example.Org
pki_enable_server_side_keygen=True

@ -0,0 +1,24 @@
- name: Replace CA specific changes
replace: dest={{item}} regexp="capki_https_port" replace={{capki_https_port}}
with_items:
- /tmp/test_dir/ca.cfg
- /tmp/test_dir/constants.py
- name: Replace http port for CA.
replace: dest={{item}} regexp="capki_http_port" replace={{capki_http_port}}
with_items:
- /tmp/test_dir/ca.cfg
- /tmp/test_dir/constants.py
- name: Replace ajp port for CA
replace: dest={{item}} regexp="capki_ajp_port" replace={{capki_ajp_port}}
with_items:
- /tmp/test_dir/ca.cfg
- /tmp/test_dir/constants.py
- name : Replace tomcat port for CA
replace: dest={{item}} regexp="capki_tomcat_port" replace={{capki_tomcat_port}}
with_items:
- /tmp/test_dir/ca.cfg
- /tmp/test_dir/constants.py

@ -0,0 +1,145 @@
- name: Pick constants based on {{topology}}
include_vars: "{{ item }}"
with_items:
- "{{ playbook_dir }}/vars/ldap_shared.yml"
- "{{ playbook_dir }}/vars/ca_shared.yml"
when: topology == "topology-01"
- name: Pick constants based on {{topology}}
include_vars: "{{ item }}"
with_items:
- "{{ playbook_dir }}/vars/ldap.yml"
- "{{ playbook_dir }}/vars/ca.yml"
- "{{ playbook_dir }}/vars/kra.yml"
- "{{ playbook_dir }}/vars/ocsp.yml"
- "{{ playbook_dir }}/vars/tks.yml"
- "{{ playbook_dir }}/vars/tps.yml"
when: topology == "topology-02"
- name: Pick constants based on {{topology}}
include_vars: "{{ item }}"
with_items:
- "{{ playbook_dir }}/vars/ldap.yml"
- "{{ playbook_dir }}/vars/ca.yml"
- "{{ playbook_dir }}/vars/kra.yml"
- "{{ playbook_dir }}/vars/ocsp.yml"
when: topology == "topology-03"
- name: Pick constants based on {{topology}}
include_vars: "{{ item }}"
with_items:
- "{{ playbook_dir }}/vars/ldap.yml"
- "{{ playbook_dir }}/vars/ca.yml"
- "{{ playbook_dir }}/vars/kra.yml"
- "{{ playbook_dir }}/vars/tks.yml"
- "{{ playbook_dir }}/vars/tps.yml"
when: topology == "topology-04"
- name: Pick constants based on {{topology}}
include_vars: "{{ item }}"
with_items:
- "{{ playbook_dir }}/vars/ldap.yml"
- "{{ playbook_dir }}/vars/ca.yml"
- "{{ playbook_dir }}/vars/kra.yml"
- "{{ playbook_dir }}/vars/ocsp.yml"
- "{{ playbook_dir }}/vars/tks.yml"
- "{{ playbook_dir }}/vars/tps.yml"
when: topology == "topology-05"
- name: Pick constants based on {{topology}}
include_vars: "{{ item }}"
with_items:
- "{{ playbook_dir }}/vars/ldap.yml"
- "{{ playbook_dir }}/vars/ca.yml"
- "{{ playbook_dir }}/vars/kra.yml"
- "{{ playbook_dir }}/vars/ocsp.yml"
- "{{ playbook_dir }}/vars/tks.yml"
- "{{ playbook_dir }}/vars/tps.yml"
when: topology == "topology-ecc"
- name: Creates directory
file: path=/tmp/test_files state=directory
- name: Copying templates to /tmp folder
copy : src=test/ dest=/tmp/test_dir
- name: Replace Ldap server port in all configuration files
replace: dest={{item}} regexp="ldapServerPort" replace={{ldapServerPort}}
with_items:
- /tmp/test_dir/ldap.cfg
- /tmp/test_dir/ca.cfg
- /tmp/test_dir/kra.cfg
- /tmp/test_dir/ocsp.cfg
- /tmp/test_dir/tks.cfg
- /tmp/test_dir/tps.cfg
- /tmp/test_dir/constants.py
- name: Replace topology in use in all configuration files
replace: dest={{item}} regexp="topology" replace={{topology}}
with_items:
- /tmp/test_dir/ldap.cfg
- /tmp/test_dir/ca.cfg
- /tmp/test_dir/kra.cfg
- /tmp/test_dir/ocsp.cfg
- /tmp/test_dir/tks.cfg
- /tmp/test_dir/tps.cfg
- /tmp/test_dir/constants.py
- name : Substitute SHA512withEC with SHA512withRSA when topology=topology-ecc
replace: dest={{item}} regexp="SHA512withRSA" replace="SHA512withEC"
with_items:
- /tmp/test_dir/ca.cfg
- /tmp/test_dir/kra.cfg
- /tmp/test_dir/ocsp.cfg
- /tmp/test_dir/tks.cfg
when: topology == "topology-ecc"
- name : Substitute ecc with rsa when topology=topology-ecc
replace: dest={{item}} regexp="rsa" replace="ecc"
with_items:
- /tmp/test_dir/ca.cfg
- /tmp/test_dir/kra.cfg
- /tmp/test_dir/ocsp.cfg
- /tmp/test_dir/tks.cfg
when: topology == "topology-ecc"
- name : Substitute keysize nistp521 with keysize 2048 when topology=topology-ecc
replace: dest={{item}} regexp="2048" replace="nistp521"
with_items:
- /tmp/test_dir/ca.cfg
- /tmp/test_dir/kra.cfg
- /tmp/test_dir/ocsp.cfg
- /tmp/test_dir/tks.cfg
when: topology == "topology-ecc"
- name : For topology-01
replace: dest={{item}} regexp="pki_instance_name" replace="#pki_instance_name"
with_items:
- /tmp/test_dir/ca.cfg
- /tmp/test_dir/kra.cfg
- /tmp/test_dir/ocsp.cfg
- /tmp/test_dir/tks.cfg
- /tmp/test_dir/tps.cfg
when:
- topology == "topology-01"
- name: Replace ServerName in all configuration files.
replace: dest={{item}} regexp="SERVERNAME" replace=pki1.example.com
with_items:
- /tmp/test_dir/ldap.cfg
- /tmp/test_dir/ca.cfg
- /tmp/test_dir/kra.cfg
- /tmp/test_dir/ocsp.cfg
- /tmp/test_dir/tks.cfg
- /tmp/test_dir/tps.cfg
- name: Replace ServerName in all configuration files.
replace: dest={{item}} regexp="SERVERNAME" replace=pki1.example.com
with_items:
- /tmp/test_dir/ldap_kra.cfg
- /tmp/test_dir/ldap_ocsp.cfg
- /tmp/test_dir/ldap_tks.cfg
- /tmp/test_dir/ldap_tps.cfg
when: topology == "topology-05"

@ -0,0 +1,28 @@
- name: Replace KRA specific changes
replace: dest={{item}} regexp="krapki_https_port" replace={{krapki_https_port}}
with_items:
- /tmp/test_dir/kra.cfg
- /tmp/test_dir/constants.py
- name: Replace http port for KRA.
replace: dest={{item}} regexp="krapki_http_port" replace={{krapki_http_port}}
with_items:
- /tmp/test_dir/kra.cfg
- /tmp/test_dir/constants.py
- name: Replace ajp port for KRA
replace: dest={{item}} regexp="krapki_ajp_port" replace={{krapki_ajp_port}}
with_items:
- /tmp/test_dir/kra.cfg
- /tmp/test_dir/constants.py
- name : Replace tomcat port for KRA
replace: dest={{item}} regexp="krapki_tomcat_server_port" replace={{krapki_tomcat_server_port}}
with_items:
- /tmp/test_dir/kra.cfg
- /tmp/test_dir/constants.py
- name : Replace tomcat port for KRA
replace: dest={{item}} regexp="secure_domain_port" replace={{capki_https_port}}
with_items:
- /tmp/test_dir/kra.cfg

@ -0,0 +1,47 @@
- name : Create different ldap files for ca,kra,ocsp,tks and tps.
shell : for i in kra ocsp tks tps ;do cp /tmp/test_dir/ldap.cfg /tmp/test_dir/ldap_$i.cfg ; sed -i "s/testingmaster/$i-testingmaster/" /tmp/test_dir/ldap_$i.cfg; done
when: topology == "topology-05"
- name : Conditional check before replacing values in ldap.cfg file.
replace: dest={{item}} regexp="3389" replace={{ldapkraServerPort}}
with_items:
- /tmp/test_dir/ldap_kra.cfg
- /tmp/test_dir/kra.cfg
when: topology == "topology-05"
- name : Conditional check before replacing values in ldap.cfg file.
replace: dest={{item}} regexp="3389" replace={{ldapocspServerPort}}
with_items:
- /tmp/test_dir/ldap_ocsp.cfg
- /tmp/test_dir/ocsp.cfg
when: topology == "topology-05"
- name : Conditional check before replacing values in ldap.cfg file.
replace: dest={{item}} regexp="3389" replace={{ldaptksServerPort}}
with_items:
- /tmp/test_dir/ldap_tks.cfg
- /tmp/test_dir/tks.cfg
when: topology == "topology-05"
- name : Conditional check before replacing values in ldap.cfg file.
replace: dest={{item}} regexp="3389" replace={{ldaptpsServerPort}}
with_items:
- /tmp/test_dir/ldap_tps.cfg
- /tmp/test_dir/tps.cfg
when: topology == "topology-05"
- name: Replace Ldap server port in all configuration files
replace: dest=/tmp/test_dir/constants.py regexp="ldapkraServerPort" replace={{ldapkraServerPort}}
when: topology == "topology-05"
- name: Replace Ldap server port in all configuration files
replace: dest=/tmp/test_dir/constants.py regexp="ldapocspServerPort" replace={{ldapocspServerPort}}
when: topology == "topology-05"
- name: Replace Ldap server port in all configuration files
replace: dest=/tmp/test_dir/constants.py regexp="ldaptksServerPort" replace={{ldaptksServerPort}}
when: topology == "topology-05"
- name: Replace Ldap server port in all configuration files
replace: dest=/tmp/test_dir/constants.py regexp="ldaptpsServerPort" replace={{ldaptpsServerPort}}
when: topology == "topology-05"

@ -0,0 +1,28 @@
- name: Replace OCSP specific changes
replace: dest={{item}} regexp="ocsppki_https_port" replace={{ocsppki_https_port}}
with_items:
- /tmp/test_dir/ocsp.cfg
- /tmp/test_dir/constants.py
- name: Replace http port for OCSP.
replace: dest={{item}} regexp="ocsppki_http_port" replace={{ocsppki_http_port}}
with_items:
- /tmp/test_dir/ocsp.cfg
- /tmp/test_dir/constants.py
- name: Replace ajp port for OCSP
replace: dest={{item}} regexp="ocsppki_ajp_port" replace={{ocsppki_ajp_port}}
with_items:
- /tmp/test_dir/ocsp.cfg
- /tmp/test_dir/constants.py
- name : Replace tomcat port for OCSP
replace: dest={{item}} regexp="ocsppki_tomcat_server_port" replace={{ocsppki_tomcat_server_port}}
with_items:
- /tmp/test_dir/ocsp.cfg
- /tmp/test_dir/constants.py
- name : Replace tomcat port for OCSP
replace: dest={{item}} regexp="secure_domain_port" replace={{capki_https_port}}
with_items:
- /tmp/test_dir/ocsp.cfg

@ -0,0 +1,28 @@
- name: Replace TKS specific changes
replace: dest={{item}} regexp="tkspki_https_port" replace={{tkspki_https_port}}
with_items:
- /tmp/test_dir/tks.cfg
- /tmp/test_dir/constants.py
- name: Replace http port for TKS.
replace: dest={{item}} regexp="tkspki_http_port" replace={{tkspki_http_port}}
with_items:
- /tmp/test_dir/tks.cfg
- /tmp/test_dir/constants.py
- name: Replace ajp port for TKS
replace: dest={{item}} regexp="tkspki_ajp_port" replace={{tkspki_ajp_port}}
with_items:
- /tmp/test_dir/tks.cfg
- /tmp/test_dir/constants.py
- name : Replace tomcat port for TKS
replace: dest={{item}} regexp="tkspki_tomcat_server_port" replace={{tkspki_tomcat_server_port}}
with_items:
- /tmp/test_dir/tks.cfg
- /tmp/test_dir/constants.py
- name : Replace tomcat port for TKS
replace: dest={{item}} regexp="secure_domain_port" replace={{capki_https_port}}
with_items:
- /tmp/test_dir/tks.cfg

@ -0,0 +1,39 @@
- name: Replace TPS specific changes
replace: dest={{item}} regexp="tpspki_https_port" replace={{tpspki_https_port}}
with_items:
- /tmp/test_dir/tps.cfg
- /tmp/test_dir/constants.py
- name: Replace http port for TPS.
replace: dest={{item}} regexp="tpspki_http_port" replace={{tpspki_http_port}}
with_items:
- /tmp/test_dir/tps.cfg
- /tmp/test_dir/constants.py
- name: Replace ajp port for TPS
replace: dest={{item}} regexp="tpspki_ajp_port" replace={{tpspki_ajp_port}}
with_items:
- /tmp/test_dir/tps.cfg
- /tmp/test_dir/constants.py
- name : Replace tomcat port for TPS
replace: dest={{item}} regexp="tpspki_tomcat_server_port" replace={{tpspki_tomcat_server_port}}
with_items:
- /tmp/test_dir/tps.cfg
- /tmp/test_dir/constants.py
- name : Replace tomcat port for TPS
replace: dest={{item}} regexp="secure_domain_port" replace={{capki_https_port}}
with_items:
- /tmp/test_dir/tps.cfg
- /tmp/test_dir/constants.py
- name : Replace ca uri for TPS
replace: dest=/tmp/test_dir/tps.cfg regexp="capki_https_port" replace={{capki_https_port}}
- name : Replace kra uri for TPS
replace: dest=/tmp/test_dir/tps.cfg regexp="krapki_https_port" replace={{krapki_https_port}}
- name : Replace tks uri for TPS
replace: dest=/tmp/test_dir/tps.cfg regexp="tkspki_https_port" replace={{tkspki_https_port}}

@ -0,0 +1,15 @@
---
- include: configure_common.yml
when: topology == "topology-01" or topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05" or topology == "topology-ecc"
- include: configure_ca.yml
when: topology == "topology-01" or topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05" or topology == "topology-ecc"
- include: configure_ldap.yml
when: topology == "topology-05"
- include: configure_kra.yml
when: topology == "topology-01" or topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05" or topology == "topology-ecc"
- include: configure_ocsp.yml
when: topology == "topology-01" or topology == "topology-02" or topology == "topology-03" or topology == "topology-05" or topology == "topology-ecc"
- include: configure_tks.yml
when: topology == "topology-01" or topology == "topology-02" or topology == "topology-04" or topology == "topology-05"
- include: configure_tps.yml
when: topology == "topology-01" or topology == "topology-02" or topology == "topology-04" or topology == "topology-05"

@ -0,0 +1,32 @@
- hosts: localhost
vars:
- topology: 'topology-01'
remote_user: root
roles:
- role: Test_Trigger
- role: Test_Execution
- role: standard-test-basic
tags:
- classic
tests:
- verify_spawn_ca:
dir: .
run: "curl http://localhost:8080/ca/admin/ca/getStatus | grep '<Status>running</Status>'"
- verify_spawn_kra:
dir: .
run: "curl http://localhost:8080/kra/admin/kra/getStatus | grep '<Status>running</Status>'"
- destroy_kra:
dir: .
run: "pkidestroy -i pki-tomcat -s KRA && sleep 5"
- verify_destroy_kra:
dir: .
run: "curl http://localhost:8080/kra/admin/kra/getStatus | grep 'HTTP Status 404'"
- destroy_ca:
dir: .
run: "pkidestroy -i pki-tomcat -s CA"
- verify_destroy_ca:
dir: .
run: "curl http://localhost:8080/ca/admin/ca/getStatus &> testfile.log || true && grep 'Connection refused' testfile.log"
required_packages:
- pki-ca
- pki-kra

@ -0,0 +1,4 @@
capki_https_port: '20443'
capki_http_port: '20080'
capki_ajp_port: '20009'
capki_tomcat_port: '20005'

@ -0,0 +1,24 @@
capki_https_port: '8443'
capki_http_port: '8080'
capki_ajp_port: '8009'
capki_tomcat_port: '8005'
capki_https_port: '8443'
capki_http_port: '8080'
capki_ajp_port: '8009'
capki_tomcat_port: '8005'
krapki_https_port: '8443'
krapki_http_port: '8080'
krapki_ajp_port: '8009'
krapki_tomcat_server_port: '8005'
ocsppki_https_port: '8443'
ocsppki_http_port: '8080'
ocsppki_ajp_port: '8009'
ocsppki_tomcat_server_port: '8005'
tkspki_https_port: '8443'
tkspki_http_port: '8080'
tkspki_ajp_port: '8009'
tkspki_tomcat_server_port: '8005'
tpspki_https_port: '8443'
tpspki_http_port: '8080'
tpspki_ajp_port: '8009'
tpspki_tomcat_server_port: '8005'

@ -0,0 +1,4 @@
krapki_https_port: '21443'
krapki_http_port: '21080'
krapki_ajp_port: '21009'
krapki_tomcat_server_port: '21005'

@ -0,0 +1,8 @@
ldapServerPort: '3389'
ldapRootDN: CN=Directory Manager
ldapRootDNPwd: Secret123
ldapcaServerPort: '4389'
ldapkraServerPort: '5389'
ldapocspServerPort: '6389'
ldaptksServerPort: '7389'
ldaptpsServerPort: '8389'

@ -0,0 +1,3 @@
ldapServerPort: '2389'
ldapRootDN: CN=Directory Manager
ldapRootDNPwd: Secret123

@ -0,0 +1,4 @@
ocsppki_https_port: '22443'
ocsppki_http_port: '22080'
ocsppki_ajp_port: '22009'
ocsppki_tomcat_server_port: '22005'

@ -0,0 +1,4 @@
tkspki_https_port: '23443'
tkspki_http_port: '23080'
tkspki_ajp_port: '23009'
tkspki_tomcat_server_port: '23005'

@ -0,0 +1,4 @@
tpspki_https_port: '25443'
tpspki_http_port: '25080'
tpspki_ajp_port: '25009'
tpspki_tomcat_server_port: '25005'
Loading…
Cancel
Save