Alon Bar-Lev has uploaded a new change for review.

Change subject: pki: move configuration from vdc_options to LocalConfig
......................................................................

pki: move configuration from vdc_options to LocalConfig

root application serves pki resources, in order to support variable
location we need to be able to access these without accessing the
database.

in addition, there is no point in storing file locations within the
database, as if we use a cluster we have no guarantee of having these at
the other node.

handling the root application is not included in this patch.

Change-Id: I1764d9ca7a8c677401f721b3d89f45deff9c1f26
Signed-off-by: Alon Bar-Lev <alo...@redhat.com>
---
M backend/manager/conf/engine.conf.defaults.in
M backend/manager/dbscripts/upgrade/pre_upgrade/0000_config.sql
M 
backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVdsCommand.java
D 
backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/GetCACertificateQuery.java
M 
backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/VdsDeploy.java
D 
backend/manager/modules/bll/src/test/java/org/ovirt/engine/core/bll/GetCACertificateQueryTest.java
D 
backend/manager/modules/bll/src/test/java/org/ovirt/engine/core/bll/VdsDeployTest.java
M 
backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/config/Config.java
M 
backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/config/ConfigValues.java
M 
backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dal/dbbroker/DbFacadeUtils.java
M 
backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dal/dbbroker/generic/DBConfigUtils.java
M 
backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/LocalConfig.java
M 
backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/hostinstall/OpenSslCAWrapper.java
M 
backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/ssh/EngineSSHDialog.java
M 
backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/VdsManager.java
M 
backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/xmlrpc/XmlRpcUtils.java
M 
backend/manager/tools/src/main/java/org/ovirt/engine/core/config/entity/helper/PasswordValueHelper.java
M 
backend/manager/tools/src/main/java/org/ovirt/engine/core/notifier/EngineMonitorService.java
M 
backend/manager/tools/src/main/java/org/ovirt/engine/core/notifier/utils/NotificationProperties.java
M packaging/fedora/setup/basedefs.py
M packaging/fedora/setup/common_utils.py
M packaging/fedora/setup/engine-config-install.properties
M packaging/fedora/setup/engine-setup.py
M packaging/fedora/setup/engine-upgrade.py
24 files changed, 156 insertions(+), 336 deletions(-)


  git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/33/14333/1

diff --git a/backend/manager/conf/engine.conf.defaults.in 
b/backend/manager/conf/engine.conf.defaults.in
index 7e88117..ae51923 100644
--- a/backend/manager/conf/engine.conf.defaults.in
+++ b/backend/manager/conf/engine.conf.defaults.in
@@ -159,3 +159,15 @@
 # database connectivity checks:
 #
 ENGINE_DB_CHECK_INTERVAL=1000
+
+#
+# PKI
+#
+ENGINE_PKI=/etc/pki/ovirt-engine
+ENGINE_PKI_CA=${ENGINE_PKI}/ca.pem
+ENGINE_PKI_ENGINE_CERT=${ENGINE_PKI}/certs/engine.cer
+ENGINE_PKI_TRUST_STORE=${ENGINE_PKI}/.truststore
+ENGINE_PKI_TRUST_STORE_PASSWORD=
+ENGINE_PKI_ENGINE_STORE=${ENGINE_PKI}/keys/engine.p12
+ENGINE_PKI_ENGINE_STORE_PASSWORD=
+ENGINE_PKI_ENGINE_STORE_ALIAS=1
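Review bot: `ENGINE_PKI_TRUST_STORE_PASSWORD` and `ENGINE_PKI_ENGINE_STORE_PASSWORD` are added with empty defaults and no comment saying where the real values come from or how the file holding them must be protected. This change moves the store passwords out of the database and into local configuration, so the `# PKI` header should say so, for example `# Store passwords are left empty here; set them in a local override readable only by the engine user.` Whether the setup scripts write such an override is not visible in this hunk.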
diff --git a/backend/manager/dbscripts/upgrade/pre_upgrade/0000_config.sql 
b/backend/manager/dbscripts/upgrade/pre_upgrade/0000_config.sql
index 61a8b46..e6935d6 100644
--- a/backend/manager/dbscripts/upgrade/pre_upgrade/0000_config.sql
+++ b/backend/manager/dbscripts/upgrade/pre_upgrade/0000_config.sql
@@ -64,14 +64,6 @@
 select 
fn_db_add_config_value('AutoRegistrationDefaultVdsGroupID','99408929-82CF-4DC7-A532-9D998063FA95','general');
 select fn_db_add_config_value('AutoRepoDomainRefreshTime','60','general');
 select 
fn_db_add_config_value('BlockMigrationOnSwapUsagePercentage','0','general');
---Handling CA Base Directory
-select fn_db_add_config_value('CABaseDirectory','','general');
---Handling CA certificate path
-select fn_db_add_config_value('CACertificatePath','ca/certs.pem','general');
---Handling Certificate alias
-select fn_db_add_config_value('CertAlias','1','general');
---Handling Certificate File Name
-select fn_db_add_config_value('CertificateFileName','','general');
 select fn_db_add_config_value('CipherSuite','DEFAULT','general');
 --Handling Configuration directory for ENGINE
 select fn_db_add_config_value('ConfigDir','/etc/engine','general');
@@ -256,9 +248,7 @@
 select fn_db_add_config_value('IsMultilevelAdministrationOn','true','general');
 select fn_db_add_config_value('JobCleanupRateInMinutes','10','general');
 select fn_db_add_config_value('JobPageSize','100','general');
-select fn_db_add_config_value('keystorePass','','general');
 --Handling Keystore URL
-select fn_db_add_config_value('keystoreUrl','','general');
 select fn_db_add_config_value('LdapQueryPageSize','1000','general');
 select fn_db_add_config_value('LDAPQueryTimeout','30','general');
 select fn_db_add_config_value('LDAPConnectTimeout','30','general');
@@ -410,7 +400,6 @@
 select fn_db_add_config_value('ShareableDiskEnabled','true','3.3');
 select fn_db_add_config_value('SignCertTimeoutInSeconds','30','general');
 --Handling Script name for signing
-select fn_db_add_config_value('SignScriptName','SignReq.sh','general');
 select fn_db_add_config_value('SpiceDriverNameInGuest','RHEV-Spice','general');
 select fn_db_add_config_value('SpiceReleaseCursorKeys','shift+f12','general');
 select 
fn_db_add_config_value('SpiceToggleFullScreenKeys','shift+f11','general');
@@ -461,9 +450,6 @@
 select 
fn_db_add_config_value('ThrottlerMaxWaitForVdsUpdateInMillis','10000','general');
 select fn_db_add_config_value('TimeoutToResetVdsInSeconds','60','general');
 select 
fn_db_add_config_value('TimeToReduceFailedRunOnVdsInMinutes','30','general');
-select fn_db_add_config_value('TruststorePass','NoSoup4U','general');
---Handling Truststore URL
-select fn_db_add_config_value('TruststoreUrl','.truststore','general');
 select fn_db_add_config_value('UknownTaskPrePollingLapse','60000','general');
 select fn_db_add_config_value('UserDefinedVMProperties','','3.0');
 select fn_db_add_config_value('UserDefinedVMProperties','','3.1');
@@ -535,7 +521,6 @@
 
 select fn_db_update_config_value('AutoRecoveryAllowedTypes','{\"storage 
domains\":\"true\",\"hosts\":\"true\"}','general');
 select 
fn_db_update_config_value('BootstrapMinimalVdsmVersion','4.9','general');
-select fn_db_update_config_value('CertAlias','1','general');
 select fn_db_update_config_value('DBEngine','Postgres','general');
 select fn_db_update_config_value('DefaultTimeZone','(GMT) GMT Standard 
Time','general');
 select 
fn_db_update_config_value('FenceAgentDefaultParams','ilo3:lanplus,power_wait=4;ilo4:lanplus,power_wait=4','general');
@@ -602,7 +587,6 @@
 -A INPUT -p tcp -m tcp --dport 49152:49251 -j ACCEPT
 ','general');
 select 
fn_db_update_config_value('IsMultilevelAdministrationOn','true','general');
-select fn_db_update_config_value('keystoreUrl','keys/engine.p12','general');
 select fn_db_update_config_value('MaxNumOfVmCpus','64','3.0');
 select fn_db_update_config_value('MaxNumOfVmCpus','160','3.1');
 select fn_db_update_config_value('MaxNumOfVmCpus','160','3.2');
@@ -623,7 +607,6 @@
 select 
fn_db_update_config_value('SupportedClusterLevels','3.0,3.1,3.2,3.3','general');
 select 
fn_db_update_config_value('SupportedStorageFormats','0,2,3','3.1,3.2,3.3');
 select fn_db_update_config_value('SupportedVDSMVersions','4.9,4.10','general');
-select fn_db_update_config_value('TruststoreUrl','.truststore','general');
 select fn_db_update_config_value('VdcVersion','3.3.0.0','general');
 select fn_db_update_config_value('ProductRPMVersion','3.3.0.0','general');
 select 
fn_db_update_config_value('VdsFenceOptionMapping','apc:secure=secure,port=ipport,slot=port;apc_snmp:secure=secure,port=ipport,slot=port;bladecenter:secure=secure,port=ipport,slot=port;cisco_ucs:secure=ssl,slot=port;drac5:secure=secure,slot=port;eps:slot=port;ilo:secure=ssl,port=ipport;ipmilan:;ilo2:secure=ssl,port=ipport;ipmilan:;ilo3:;ilo4:;rsa:secure=secure,port=ipport;rsb:;wti:secure=secure,port=ipport,slot=port','general');
@@ -660,10 +643,14 @@
 select 
fn_db_delete_config_value('AsyncPollingCyclesBeforeRefreshSuspend','general');
 select fn_db_delete_config_value('AutoMode','general');
 select fn_db_delete_config_value('AutoSuspendTimeInMinutes','general');
+select fn_db_delete_config_value('CABaseDirectory','general');
+select fn_db_delete_config_value('CACertificatePath','general');
 select fn_db_delete_config_value('CAEngineKey','general');
 select fn_db_delete_config_value('CBCCertificateScriptName','general');
 select fn_db_delete_config_value('CBCCloseCertificateScriptName','general');
 select fn_db_delete_config_value('CbcCheckOnVdsChange','general');
+select fn_db_delete_config_value('CertAlias','general');
+select fn_db_delete_config_value('CertificateFileName','general');
 select fn_db_delete_config_value('CertificateFingerPrint','general');
 select fn_db_delete_config_value('CertificatePassword','general');
 select fn_db_delete_config_value('CustomPublicConfig_AppsWebSite','general');
@@ -680,6 +667,8 @@
 select fn_db_delete_config_value('FreeSpaceCriticalLow','general');
 select fn_db_delete_config_value('HotPlugSupportedOsList','general');
 select fn_db_delete_config_value('ImagesSyncronizationTimeout','general');
+select fn_db_delete_config_value('keystorePass','general');
+select fn_db_delete_config_value('keystoreUrl','general');
 select fn_db_delete_config_value('LdapServers','3.0');
 select fn_db_delete_config_value('LicenseCertificateFingerPrint','general');
 select fn_db_delete_config_value('LogDBCommands','general');
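Review bot: The new deletes of `keystorePass` and `keystoreUrl` drop values that an existing installation may have customised, and nothing in this script copies them anywhere first. The same applies to `TruststorePass`, `TruststoreUrl`, `CertAlias`, `CABaseDirectory`, `CACertificatePath`, `CertificateFileName` and `SignScriptName` in the neighbouring hunks. If an upgraded engine comes up with a different store location, password or alias than the database held, it may no longer be able to open its key store and decrypt stored values. `packaging/fedora/setup/engine-upgrade.py` is part of this change and may carry the old values into the local configuration, but that is not visible here. Once confirmed, a comment such as `-- PKI options moved to the engine local configuration; old values must be carried over by engine-upgrade` would record the dependency.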
@@ -713,6 +702,7 @@
 select 
fn_db_delete_config_value('RenewGuestIpOnVdsSubnetChangeOnParseError','general');
 select fn_db_delete_config_value('RpmsRepositoryUrl','general');
 select fn_db_delete_config_value('SignLockFile','general');
+select fn_db_delete_config_value('SignScriptName','general');
 select fn_db_delete_config_value('SQLServerI18NPrefix','general');
 select fn_db_delete_config_value('SQLServerLikeSyntax','general');
 select fn_db_delete_config_value('SQLServerPagingSyntax','general');
@@ -722,6 +712,8 @@
 select fn_db_delete_config_value('SearchesRefreshRateInSeconds','general');
 select fn_db_delete_config_value('SelectCommandTimeout','general');
 select fn_db_delete_config_value('SysPrep3.0Path','general');
+select fn_db_delete_config_value('TruststorePass','general');
+select fn_db_delete_config_value('TruststoreUrl','general');
 select fn_db_delete_config_value('UseENGINERepositoryRPMs','general');
 select fn_db_delete_config_value('UseVdsBrokerInProc','general');
 select fn_db_delete_config_value('VM64BitMaxMemorySizeInMB','general');
diff --git 
a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVdsCommand.java
 
b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVdsCommand.java
index 25876a7..753ec05 100644
--- 
a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVdsCommand.java
+++ 
b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVdsCommand.java
@@ -1,6 +1,5 @@
 package org.ovirt.engine.core.bll;
 
-import java.io.File;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
@@ -50,6 +49,7 @@
 import org.ovirt.engine.core.dal.VdcBllMessages;
 import org.ovirt.engine.core.dal.dbbroker.DbFacade;
 import org.ovirt.engine.core.dal.job.ExecutionMessageDirector;
+import org.ovirt.engine.core.utils.LocalConfig;
 import org.ovirt.engine.core.utils.gluster.GlusterUtil;
 import org.ovirt.engine.core.utils.ssh.SSHClient;
 import org.ovirt.engine.core.utils.threadpool.ThreadPoolUtil;
@@ -320,7 +320,7 @@
                 returnValue = returnValue && 
validateSingleHostAttachedToLocalStorage();
 
                 if (Config.<Boolean> 
GetValue(ConfigValues.UseSecureConnectionWithServers)
-                        && !new 
File(Config.resolveCertificatePath()).exists()) {
+                        && 
!LocalConfig.getInstance().getPKIEngineStore().exists()) {
                     
addCanDoActionMessage(VdcBllMessages.VDS_TRY_CREATE_SECURE_CERTIFICATE_NOT_FOUND);
                     returnValue = false;
                 } else if (!getParameters().getAddPending()
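Review bot: The guard now tests `getPKIEngineStore()`, which by the new defaults is `keys/engine.p12`, whereas the removed line tested `resolveCertificatePath()`, i.e. the `CertificateFileName` option (default `certs/engine.cer`). The message raised is still `VDS_TRY_CREATE_SECURE_CERTIFICATE_NOT_FOUND`, so if the certificate is what must exist, the condition should be `!LocalConfig.getInstance().getPKIEngineCert().exists()`. If switching the check to the key store is intended, a comment on the condition should say so. The enclosing method starts and ends outside the hunk.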
diff --git 
a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/GetCACertificateQuery.java
 
b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/GetCACertificateQuery.java
deleted file mode 100644
index 9c67e57..0000000
--- 
a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/GetCACertificateQuery.java
+++ /dev/null
@@ -1,29 +0,0 @@
-package org.ovirt.engine.core.bll;
-
-import java.io.File;
-import java.io.IOException;
-
-import org.ovirt.engine.core.common.config.Config;
-import org.ovirt.engine.core.common.queries.VdcQueryParametersBase;
-import org.ovirt.engine.core.utils.FileUtil;
-
-public class GetCACertificateQuery<P extends VdcQueryParametersBase> extends 
QueriesCommandBase<P> {
-    public GetCACertificateQuery(P parameters) {
-        super(parameters);
-    }
-
-    @Override
-    protected void executeQueryCommand() {
-        getQueryReturnValue().setSucceeded(false);
-        String path = Config.resolveCACertificatePath();
-        if (new File(path).exists()) {
-            try {
-                
getQueryReturnValue().setReturnValue(FileUtil.readAllText(path));
-            } catch (IOException e) {
-                getQueryReturnValue().setExceptionString(e.getMessage());
-                return;
-            }
-            getQueryReturnValue().setSucceeded(true);
-        }
-    }
-}
diff --git 
a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/VdsDeploy.java
 
b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/VdsDeploy.java
index 63b5394..f50ec76 100644
--- 
a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/VdsDeploy.java
+++ 
b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/VdsDeploy.java
@@ -198,9 +198,10 @@
      * @return ssh public key.
      */
     protected static String _getEngineSSHPublicKey() {
-        final String keystoreFile = 
Config.<String>GetValue(ConfigValues.keystoreUrl);
-        final String alias = Config.<String>GetValue(ConfigValues.CertAlias);
-        final char[] password = 
Config.<String>GetValue(ConfigValues.keystorePass).toCharArray();
+        final LocalConfig config = LocalConfig.getInstance();
+        final String keystoreFile = 
config.getPKIEngineStore().getAbsolutePath();
+        final char[] password = 
config.getPKIEngineStorePassword().toCharArray();
+        final String alias = config.getPKIEngineStoreAlias();
 
         InputStream in = null;
         try {
diff --git 
a/backend/manager/modules/bll/src/test/java/org/ovirt/engine/core/bll/GetCACertificateQueryTest.java
 
b/backend/manager/modules/bll/src/test/java/org/ovirt/engine/core/bll/GetCACertificateQueryTest.java
deleted file mode 100644
index a3ba30d..0000000
--- 
a/backend/manager/modules/bll/src/test/java/org/ovirt/engine/core/bll/GetCACertificateQueryTest.java
+++ /dev/null
@@ -1,28 +0,0 @@
-package org.ovirt.engine.core.bll;
-
-import static org.junit.Assert.assertEquals;
-import static org.ovirt.engine.core.utils.MockConfigRule.mockConfig;
-
-import org.junit.ClassRule;
-import org.junit.Test;
-import org.ovirt.engine.core.common.config.ConfigValues;
-import org.ovirt.engine.core.common.queries.VdcQueryParametersBase;
-import org.ovirt.engine.core.utils.MockConfigRule;
-
-public class GetCACertificateQueryTest extends
-AbstractQueryTest<VdcQueryParametersBase, 
GetCACertificateQuery<VdcQueryParametersBase>> {
-
-    @ClassRule
-    public static MockConfigRule mcr = new MockConfigRule(
-            mockConfig(ConfigValues.ConfigDir, "src/test/resources"),
-            mockConfig(ConfigValues.CABaseDirectory, "ca"),
-            mockConfig(ConfigValues.CACertificatePath, "certs/ca.pem"));
-
-    @Test
-    public void testExecuteQuery() {
-        getQuery().executeQueryCommand();
-        Object result = getQuery().getQueryReturnValue().getReturnValue();
-        assertEquals ("Wrong text read from ca file", "dummy text for 
testing", result);
-    }
-
-}
diff --git 
a/backend/manager/modules/bll/src/test/java/org/ovirt/engine/core/bll/VdsDeployTest.java
 
b/backend/manager/modules/bll/src/test/java/org/ovirt/engine/core/bll/VdsDeployTest.java
deleted file mode 100644
index 93ba74e..0000000
--- 
a/backend/manager/modules/bll/src/test/java/org/ovirt/engine/core/bll/VdsDeployTest.java
+++ /dev/null
@@ -1,20 +0,0 @@
-package org.ovirt.engine.core.bll;
-
-import org.junit.Assert;
-import org.junit.ClassRule;
-import org.junit.Test;
-import org.ovirt.engine.core.common.config.ConfigValues;
-import org.ovirt.engine.core.utils.MockConfigRule;
-
-public class VdsDeployTest {
-    @ClassRule
-    public static MockConfigRule configRule = new 
MockConfigRule(MockConfigRule.mockConfig(ConfigValues.keystoreUrl,
-            "src/test/resources/engine.p12"),
-            MockConfigRule.mockConfig(ConfigValues.CertAlias, "1"),
-            MockConfigRule.mockConfig(ConfigValues.keystorePass, "mypass"));
-
-    @Test
-    public void getEngineSSHPublicKey() {
-        Assert.assertNotNull(VdsDeploy._getEngineSSHPublicKey());
-    }
-}
diff --git 
a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/config/Config.java
 
b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/config/Config.java
index 331a059..aec31b7 100644
--- 
a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/config/Config.java
+++ 
b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/config/Config.java
@@ -33,65 +33,4 @@
                 Config.<String> 
GetValue(ConfigValues.oVirtISOsRepositoryPath));
     }
 
-    /**
-     * Fetch the CABaseDirectory configuration value and, if it is not an 
absolute path, resolve it relative to the
-     * CABaseDirectory configuration value.
-     *
-     * @return an absolute path for CABaseDirectory
-     */
-    public static String resolveCABasePath() {
-        return ConfigUtil.resolvePath(Config.<String> 
GetValue(ConfigValues.ConfigDir),
-                Config.<String> GetValue(ConfigValues.CABaseDirectory));
-    }
-
-    /**
-     * Fetch the CACertificatePath configuration value and, if it is not an 
absolute path, resolve it relative to the
-     * CABaseDirectory configuration value.
-     *
-     * @return an absolute path for CACertificatePath
-     */
-    public static String resolveCACertificatePath() {
-        return ConfigUtil.resolvePath(resolveCABasePath(), Config.<String> 
GetValue(ConfigValues.CACertificatePath));
-    }
-
-    /**
-     * Fetch the CertificateFileName configuration value and, if it is not an 
absolute path, resolve it relative to the
-     * CABaseDirectory configuration value.
-     *
-     * @return an absolute path for CertificateFileName
-     */
-    public static String resolveCertificatePath() {
-        return ConfigUtil.resolvePath(resolveCABasePath(), Config.<String> 
GetValue(ConfigValues.CertificateFileName));
-    }
-
-    /**
-     * Fetch the SignScriptName configuration value and, if it is not an 
absolute path, resolve it relative to the
-     * CABaseDirectory configuration value.
-     *
-     * @return an absolute path for SignScriptName
-     */
-    public static String resolveSignScriptPath() {
-        return ConfigUtil.resolvePath(resolveCABasePath(), Config.<String> 
GetValue(ConfigValues.SignScriptName));
-    }
-
-    /**
-     * Fetch the keystoreUrl configuration value and, if it is not an absolute 
path, resolve it relative to the
-     * CABaseDirectory configuration value.
-     *
-     * @return an absolute path for keystoreUrl
-     */
-    public static String resolveKeyStorePath() {
-        return ConfigUtil.resolvePath(resolveCABasePath(), Config.<String> 
GetValue(ConfigValues.keystoreUrl));
-    }
-
-    /**
-     * Fetch the TruststoreUrl configuration value and, if it is not an 
absolute path, resolve it relative to the
-     * CABaseDirectory configuration value.
-     *
-     * @return an absolute path for TruststoreUrl
-     */
-    public static String resolveTrustStorePath() {
-        return ConfigUtil.resolvePath(resolveCABasePath(), Config.<String> 
GetValue(ConfigValues.TruststoreUrl));
-    }
-
 }
diff --git 
a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/config/ConfigValues.java
 
b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/config/ConfigValues.java
index 20346a2..db4978b 100644
--- 
a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/config/ConfigValues.java
+++ 
b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/config/ConfigValues.java
@@ -303,16 +303,6 @@
     @TypeConverterAttribute(Integer.class)
     @DefaultValueAttribute("60")
     AutoRepoDomainRefreshTime(99),
-    @TypeConverterAttribute(String.class)
-    @DefaultValueAttribute("certs/ca.pem")
-    CACertificatePath(100),
-    @TypeConverterAttribute(String.class)
-    @DefaultValueAttribute("ca")
-    CABaseDirectory(101),
-    @Reloadable
-    @TypeConverterAttribute(String.class)
-    @DefaultValueAttribute("certs/engine.cer")
-    CertificateFileName(102),
     @TypeConverterAttribute(Boolean.class)
     @DefaultValueAttribute("true")
     InstallVds(108),
@@ -603,26 +593,6 @@
     @DefaultValueAttribute("100")
     OvfItemsCountPerUpdate(232),
 
-    // JTODO - temporarily using values from 256 for Java specific options
-    @TypeConverterAttribute(String.class)
-    @DefaultValueAttribute("keys/engine.p12")
-    keystoreUrl(256),
-
-    // TODO: handle password behavior
-    @TypeConverterAttribute(String.class)
-    @DefaultValueAttribute("NoSoup4U")
-    // @OptionBehaviourAttribute(behaviour = OptionBehaviour.Password)
-    keystorePass(257),
-
-    @TypeConverterAttribute(String.class)
-    @DefaultValueAttribute(".truststore")
-    TruststoreUrl(258),
-
-    @TypeConverterAttribute(String.class)
-    @DefaultValueAttribute("NoSoup4U")
-    @OptionBehaviourAttribute(behaviour = OptionBehaviour.Password)
-    TruststorePass(259),
-
     @TypeConverterAttribute(String.class)
     @DefaultValueAttribute("(GMT) GMT Standard Time")
     DefaultTimeZone(260),
@@ -630,17 +600,6 @@
     @TypeConverterAttribute(Integer.class)
     @DefaultValueAttribute("389")
     LDAPServerPort(263),
-
-    @Reloadable
-    @TypeConverterAttribute(String.class)
-    @DefaultValueAttribute("SignReq.bat")
-    SignScriptName(264),
-
-    // PKCS#12 store contains only one key
-    // Alias is almost always "1"
-    @TypeConverterAttribute(String.class)
-    @DefaultValueAttribute("1")
-    CertAlias(265),
 
     @Reloadable
     @TypeConverterAttribute(Boolean.class)
diff --git 
a/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dal/dbbroker/DbFacadeUtils.java
 
b/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dal/dbbroker/DbFacadeUtils.java
index 9c85fd9..8d52d83 100644
--- 
a/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dal/dbbroker/DbFacadeUtils.java
+++ 
b/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dal/dbbroker/DbFacadeUtils.java
@@ -5,9 +5,7 @@
 import java.util.List;
 
 import org.apache.commons.lang.StringUtils;
-import org.ovirt.engine.core.common.config.Config;
-import org.ovirt.engine.core.common.config.ConfigCommon;
-import org.ovirt.engine.core.common.config.ConfigValues;
+import org.ovirt.engine.core.utils.LocalConfig;
 import org.ovirt.engine.core.utils.crypt.EncryptionUtils;
 import org.ovirt.engine.core.utils.log.Log;
 import org.ovirt.engine.core.utils.log.LogFactory;
@@ -30,9 +28,10 @@
         if (StringUtils.isEmpty(password)) {
             return password;
         }
-        String keyFile = Config.resolveKeyStorePath();
-        String passwd = Config.<String> GetValue(ConfigValues.keystorePass, 
ConfigCommon.defaultConfigurationVersion);
-        String alias = Config.<String> GetValue(ConfigValues.CertAlias, 
ConfigCommon.defaultConfigurationVersion);
+        LocalConfig config = LocalConfig.getInstance();
+        String keyFile = config.getPKIEngineStore().getAbsolutePath();
+        String passwd = config.getPKIEngineStorePassword();
+        String alias = config.getPKIEngineStoreAlias();
         try {
             return EncryptionUtils.encrypt(password, keyFile, passwd, alias);
         } catch (Exception e) {
@@ -44,9 +43,10 @@
         if (StringUtils.isEmpty(password)) {
             return password;
         }
-        String keyFile = Config.resolveKeyStorePath();
-        String passwd = Config.<String> GetValue(ConfigValues.keystorePass, 
ConfigCommon.defaultConfigurationVersion);
-        String alias = Config.<String> GetValue(ConfigValues.CertAlias, 
ConfigCommon.defaultConfigurationVersion);
+        LocalConfig config = LocalConfig.getInstance();
+        String keyFile = config.getPKIEngineStore().getAbsolutePath();
+        String passwd = config.getPKIEngineStorePassword();
+        String alias = config.getPKIEngineStoreAlias();
         try {
             return EncryptionUtils.decrypt(password, keyFile, passwd, alias);
         } catch (Exception e) {
diff --git 
a/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dal/dbbroker/generic/DBConfigUtils.java
 
b/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dal/dbbroker/generic/DBConfigUtils.java
index 9df8c0d..ea52454 100644
--- 
a/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dal/dbbroker/generic/DBConfigUtils.java
+++ 
b/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dal/dbbroker/generic/DBConfigUtils.java
@@ -18,6 +18,7 @@
 import org.ovirt.engine.core.dao.VdcOptionDAO;
 import org.ovirt.engine.core.utils.crypt.EncryptionUtils;
 import org.ovirt.engine.core.utils.ConfigUtilsBase;
+import org.ovirt.engine.core.utils.LocalConfig;
 import org.ovirt.engine.core.utils.log.Log;
 import org.ovirt.engine.core.utils.log.LogFactory;
 import org.ovirt.engine.core.utils.serialization.json.JsonObjectDeserializer;
@@ -96,6 +97,7 @@
             }
 
             if (optionBehaviour != null) {
+                LocalConfig config = LocalConfig.getInstance();
                 Map<String, Object> values = null;
                 switch (optionBehaviour.behaviour()) {
                 // split string by comma for List<string> constructor
@@ -104,9 +106,9 @@
                     break;
                 case Password:
                     try {
-                        String keyFile = 
getValueFromDBDefault(ConfigValues.keystoreUrl);
-                        String passwd = 
getValueFromDBDefault(ConfigValues.keystorePass);
-                        String alias = 
getValueFromDBDefault(ConfigValues.CertAlias);
+                        String keyFile = 
config.getPKIEngineStore().getAbsolutePath();
+                        String passwd = config.getPKIEngineStorePassword();
+                        String alias = config.getPKIEngineStoreAlias();
                         result = EncryptionUtils.decrypt((String) result, 
keyFile, passwd, alias);
                     } catch (Exception e) {
                         log.errorFormat("Failed to decrypt value for property 
{0} will be used encrypted value",
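Review bot: The `Password` branch now depends on `config.getPKIEngineStorePassword()`, whose shipped default is empty, and the surrounding catch only logs and continues with the still-encrypted value. On a node where the local override is missing, every password option would presumably fall into that path and the ciphertext would be used as the password, with only the log line to show it. Consider a comment at the lookup such as `// store password comes from ENGINE_PKI_ENGINE_STORE_PASSWORD; an empty or wrong value makes decrypt fail below`, or rejecting an empty store password before calling `decrypt`. The `DomainsPasswordMap` branch in the next hunk reads the same three values. The rest of the catch block is outside the hunk.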
@@ -114,9 +116,9 @@
                     }
                     break;
                 case DomainsPasswordMap:
-                    String keyFile = 
getValueFromDBDefault(ConfigValues.keystoreUrl);
-                    String passwd = 
getValueFromDBDefault(ConfigValues.keystorePass);
-                    String alias = 
getValueFromDBDefault(ConfigValues.CertAlias);
+                    String keyFile = 
config.getPKIEngineStore().getAbsolutePath();
+                    String passwd = config.getPKIEngineStorePassword();
+                    String alias = config.getPKIEngineStoreAlias();
                     result = new DomainsPasswordMap((String) result, keyFile, 
passwd, alias);
                     break;
                 case ValueDependent:
diff --git 
a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/LocalConfig.java
 
b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/LocalConfig.java
index 2c366b0..62579e0 100644
--- 
a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/LocalConfig.java
+++ 
b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/LocalConfig.java
@@ -368,6 +368,38 @@
         return getFile("ENGINE_CACHE");
     }
 
+    public File getPKIDir() {
+        return getFile("ENGINE_PKI");
+    }
+
+    public File getPKICACert() {
+        return getFile("ENGINE_PKI_CA");
+    }
+
+    public File getPKIEngineCert() {
+        return getFile("ENGINE_PKI_ENGINE_CERT");
+    }
+
+    public File getPKITrustStore() {
+        return getFile("ENGINE_PKI_TRUST_STORE");
+    }
+
+    public String getPKITrustStorePassword() {
+        return getProperty("ENGINE_PKI_TRUST_STORE_PASSWORD");
+    }
+
+    public File getPKIEngineStore() {
+        return getFile("ENGINE_PKI_ENGINE_STORE");
+    }
+
+    public String getPKIEngineStorePassword() {
+        return getProperty("ENGINE_PKI_ENGINE_STORE_PASSWORD");
+    }
+
+    public String getPKIEngineStoreAlias() {
+        return getProperty("ENGINE_PKI_ENGINE_STORE_ALIAS");
+    }
+
     /**
      * Gets the port number where the engine can be contacted using HTTP from
      * external hosts. This will usually be the proxy HTTP port if the proxy is
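Review bot: The eight new getters have no Javadoc, while the getter that follows them does. The two password getters return the store passwords in clear text and deserve a line each, e.g. `/** Password of the engine PKCS#12 store (ENGINE_PKI_ENGINE_STORE_PASSWORD); do not log the returned value. */`. What `getProperty` returns for an unset key is not visible here. VdsDeploy in this change calls `.toCharArray()` directly on the result, so the comment should also state whether null is possible.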
diff --git 
a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/hostinstall/OpenSslCAWrapper.java
 
b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/hostinstall/OpenSslCAWrapper.java
index d303442..fb77309 100644
--- 
a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/hostinstall/OpenSslCAWrapper.java
+++ 
b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/hostinstall/OpenSslCAWrapper.java
@@ -19,6 +19,7 @@
 import org.ovirt.engine.core.common.config.Config;
 import org.ovirt.engine.core.common.config.ConfigValues;
 import org.ovirt.engine.core.utils.FileUtil;
+import org.ovirt.engine.core.utils.LocalConfig;
 import org.ovirt.engine.core.utils.log.Log;
 import org.ovirt.engine.core.utils.log.LogFactory;
 
@@ -29,7 +30,7 @@
         InputStream in = null;
 
         try {
-            in = new FileInputStream(Config.resolveCACertificatePath());
+            in = new FileInputStream(LocalConfig.getInstance().getPKICACert());
 
             final CertificateFactory cf = 
CertificateFactory.getInstance("X.509");
             final Certificate certificate = cf.generateCertificate(in);
@@ -61,8 +62,10 @@
         String label,
         String hostname
     ) throws IOException {
-        File pkicertdir = new File(Config.resolveCABasePath(), "certs");
-        File pkireqdir = new File(Config.resolveCABasePath(), "requests");
+        LocalConfig config = LocalConfig.getInstance();
+        File pkicertdir = new File(config.getPKIDir(), "certs");
+        File pkireqdir = new File(config.getPKIDir(), "requests");
+        File signRequestBatch = new File(config.getPKIDir(), "SignReq.sh");
         String reqFileName = String.format("%1$sreq.pem", label);
         String certFileName = String.format("%1$scert.pem", label);
 
@@ -92,7 +95,8 @@
                 reqFileName,
                 hostname,
                 Config.<Integer> 
GetValue(ConfigValues.VdsCertificateValidityInYears) * 365,
-                certFileName
+                certFileName,
+                signRequestBatch
             )
         ) {
             throw new RuntimeException("Certificate enrollment failed");
@@ -105,16 +109,16 @@
         String requestFileName,
         String hostname,
         int days,
-        String signedCertificateFileName
+        String signedCertificateFileName,
+        File signRequestBatch
     ) {
         log.debug("Entered signCertificateRequest");
         boolean returnValue = true;
-        String signRequestBatch = Config.resolveSignScriptPath();
-        if (new File(signRequestBatch).exists()) {
+        if (signRequestBatch.exists()) {
             String organization = Config.<String> 
GetValue(ConfigValues.OrganizationName);
             Integer signatureTimeout = Config.<Integer> 
GetValue(ConfigValues.SignCertTimeoutInSeconds);
             String[] command_array =
-                    createCommandArray(signatureTimeout, signRequestBatch, 
requestFileName,
+                    createCommandArray(signatureTimeout, 
signRequestBatch.getAbsolutePath(), requestFileName,
                             hostname, organization, days,
                             signedCertificateFileName);
             returnValue = runCommandArray(command_array, signatureTimeout);
@@ -226,8 +230,9 @@
             int days,
             String signedCertificateFileName) {
         log.debug("Building command array for Sign Certificate request 
script");
-        String baseDirectoryPath = Config.resolveCABasePath();
-        String keystorePass = Config.<String> 
GetValue(ConfigValues.keystorePass);
+        LocalConfig config = LocalConfig.getInstance();
+        String baseDirectoryPath = config.getPKIDir().getAbsolutePath();
+        String keystorePass = config.getPKIEngineStorePassword();
         Calendar yesterday = Calendar.getInstance();
         yesterday.add(Calendar.DATE, -1);
         SimpleDateFormat format = new SimpleDateFormat("yyMMddHHmmssZ");
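Review bot: `keystorePass` is read here in createCommandArray, and if it is placed in the returned command array, the engine store password becomes a process argument that other local users can read from the process list while the signing script runs. Whether it is cannot be seen here, because the array is built after the end of this hunk. If so, hand the password to the script through its environment or a file descriptor rather than argv. A comment such as `// NOTE: never log the command array, it may carry the store password` next to the assignment would also help.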
diff --git 
a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/ssh/EngineSSHDialog.java
 
b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/ssh/EngineSSHDialog.java
index 446fb5f..7b8a77f 100644
--- 
a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/ssh/EngineSSHDialog.java
+++ 
b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/ssh/EngineSSHDialog.java
@@ -1,5 +1,6 @@
 package org.ovirt.engine.core.utils.ssh;
 
+import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
@@ -14,6 +15,7 @@
 import org.ovirt.engine.core.common.config.Config;
 import org.ovirt.engine.core.common.config.ConfigValues;
 
+import org.ovirt.engine.core.utils.LocalConfig;
 import org.ovirt.engine.core.utils.crypt.OpenSSHUtils;
 
 /**
@@ -58,9 +60,10 @@
      * Use default engine ssh key.
      */
     public void useDefaultKeyPair() throws KeyStoreException {
-        final String alias = Config.<String>GetValue(ConfigValues.CertAlias);
-        final String p12 = Config.<String>GetValue(ConfigValues.keystoreUrl);
-        final char[] password = 
Config.<String>GetValue(ConfigValues.keystorePass).toCharArray();
+        LocalConfig config = LocalConfig.getInstance();
+        final File p12 = config.getPKIEngineStore();
+        final char[] password = 
config.getPKIEngineStorePassword().toCharArray();
+        final String alias = config.getPKIEngineStoreAlias();
 
         KeyStore.PrivateKeyEntry entry;
         InputStream in = null;
diff --git 
a/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/VdsManager.java
 
b/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/VdsManager.java
index eb0bd2c..f2bc486 100644
--- 
a/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/VdsManager.java
+++ 
b/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/VdsManager.java
@@ -1,6 +1,5 @@
 package org.ovirt.engine.core.vdsbroker;
 
-import java.io.File;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashSet;
@@ -34,6 +33,7 @@
 import org.ovirt.engine.core.dal.dbbroker.DbFacade;
 import org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector;
 import org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogableBase;
+import org.ovirt.engine.core.utils.LocalConfig;
 import org.ovirt.engine.core.utils.lock.EngineLock;
 import org.ovirt.engine.core.utils.lock.LockManagerFactory;
 import org.ovirt.engine.core.utils.log.Log;
@@ -146,7 +146,7 @@
         }
         // if ssl is on and no certificate file
         if (Config.<Boolean> 
GetValue(ConfigValues.UseSecureConnectionWithServers)
-                && !new File(Config.resolveCertificatePath()).exists()) {
+                && !LocalConfig.getInstance().getPKIEngineStore().exists()) {
             if (_vds.getStatus() != VDSStatus.Maintenance && _vds.getStatus() 
!= VDSStatus.InstallFailed) {
                 setStatus(VDSStatus.NonResponsive, _vds);
                 UpdateDynamicData(_vds.getDynamicData());
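Review bot: The changed condition now tests the engine key store (`getPKIEngineStore().exists()`), while the comment above it still says "no certificate file" and the removed call was `Config.resolveCertificatePath()`. If the old path pointed at the engine certificate rather than the key store, this is a behaviour change hidden inside a configuration move. Either update the comment to `// if ssl is on and no engine key store` or test the file that `ENGINE_PKI_ENGINE_CERT` names, whichever is intended. The enclosing method starts and ends outside the hunk.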
diff --git 
a/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/xmlrpc/XmlRpcUtils.java
 
b/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/xmlrpc/XmlRpcUtils.java
index a45143e..fefc9ec 100644
--- 
a/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/xmlrpc/XmlRpcUtils.java
+++ 
b/backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/xmlrpc/XmlRpcUtils.java
@@ -31,6 +31,7 @@
 import org.ovirt.engine.core.common.config.Config;
 import org.ovirt.engine.core.common.config.ConfigValues;
 import org.ovirt.engine.core.common.utils.Pair;
+import org.ovirt.engine.core.utils.LocalConfig;
 import org.ovirt.engine.core.utils.ThreadLocalParamsContainer;
 import org.ovirt.engine.core.utils.log.Log;
 import org.ovirt.engine.core.utils.log.LogFactory;
@@ -47,10 +48,11 @@
         if (Config.<Boolean> 
GetValue(ConfigValues.UseSecureConnectionWithServers)) {
             URL keystoreUrl;
             try {
-                keystoreUrl = new URL("file://" + 
Config.resolveKeyStorePath());
-                String keystorePassword = Config.<String> 
GetValue(ConfigValues.keystorePass);
-                URL truststoreUrl = new URL("file://" + 
Config.resolveTrustStorePath());
-                String truststorePassword = Config.<String> 
GetValue(ConfigValues.TruststorePass);
+                LocalConfig config = LocalConfig.getInstance();
+                keystoreUrl = new URL("file://" + 
config.getPKIEngineStore().getAbsolutePath());
+                String keystorePassword = config.getPKIEngineStorePassword();
+                URL truststoreUrl = new URL("file://" + 
config.getPKITrustStore().getAbsolutePath());
+                String truststorePassword = config.getPKITrustStorePassword();
 
                 // registering the https protocol with a socket factory that
                 // provides client authentication.
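Review bot: Both store URLs are built by string concatenation, `new URL("file://" + ...getAbsolutePath())`, which gives a malformed or misparsed URL when the configured path contains spaces, `#`, `%` or other characters that need escaping. The getters appear to return `File` (EngineSSHDialog assigns `getPKIEngineStore()` to a `File`), so `keystoreUrl = config.getPKIEngineStore().toURI().toURL();` and `URL truststoreUrl = config.getPKITrustStore().toURI().toURL();` would do the escaping and drop the concatenation. The try block continues past the end of the hunk.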
diff --git 
a/backend/manager/tools/src/main/java/org/ovirt/engine/core/config/entity/helper/PasswordValueHelper.java
 
b/backend/manager/tools/src/main/java/org/ovirt/engine/core/config/entity/helper/PasswordValueHelper.java
index 4c89f5d..455baea 100644
--- 
a/backend/manager/tools/src/main/java/org/ovirt/engine/core/config/entity/helper/PasswordValueHelper.java
+++ 
b/backend/manager/tools/src/main/java/org/ovirt/engine/core/config/entity/helper/PasswordValueHelper.java
@@ -12,8 +12,8 @@
 import org.ovirt.engine.core.config.EngineConfigLogic;
 import org.ovirt.engine.core.config.db.ConfigDAO;
 import org.ovirt.engine.core.config.entity.ConfigKey;
-import org.ovirt.engine.core.config.entity.ConfigKeyFactory;
 import org.ovirt.engine.core.tools.ToolConsole;
+import org.ovirt.engine.core.utils.LocalConfig;
 import org.ovirt.engine.core.utils.crypt.EncryptionUtils;
 
 public class PasswordValueHelper implements ValueHelper {
@@ -23,7 +23,6 @@
     // The console:
     private static final ToolConsole console = ToolConsole.getInstance();
 
-    private static ConfigDAO configDAO;
     private static String certAlias;
     private static String keyStoreURL;
     private static String keyStorePass;
@@ -32,17 +31,10 @@
 
     static {
         try {
-            configDAO = 
EngineConfig.getInstance().getEngineConfigLogic().getConfigDAO();
-            ConfigKeyFactory keyFactory = ConfigKeyFactory.getInstance();
-            certAlias =
-                
configDAO.getKey(keyFactory.generateBlankConfigKey("CertAlias", "String"))
-                .getValue();
-            keyStoreURL =
-                
configDAO.getKey(keyFactory.generateBlankConfigKey("keystoreUrl", "String"))
-                .getValue();
-            keyStorePass =
-                
configDAO.getKey(keyFactory.generateBlankConfigKey("keystorePass", "String"))
-                .getValue();
+            LocalConfig config = LocalConfig.getInstance();
+            keyStoreURL = config.getPKIEngineStore().getAbsolutePath();
+            keyStorePass = config.getPKIEngineStorePassword();
+            certAlias = config.getPKIEngineStoreAlias();
         }
         catch (Exception exception) {
             String msg = "Error loading private key.";
diff --git 
a/backend/manager/tools/src/main/java/org/ovirt/engine/core/notifier/EngineMonitorService.java
 
b/backend/manager/tools/src/main/java/org/ovirt/engine/core/notifier/EngineMonitorService.java
index 2a87948..825f9e2 100644
--- 
a/backend/manager/tools/src/main/java/org/ovirt/engine/core/notifier/EngineMonitorService.java
+++ 
b/backend/manager/tools/src/main/java/org/ovirt/engine/core/notifier/EngineMonitorService.java
@@ -203,15 +203,9 @@
      * @throws NotificationServiceException
      */
     private void createConcreteSSLSocketFactory() throws 
NotificationServiceException {
-        String keystorePass =
-                getConfigurationProperty(ConfigValues.keystorePass.name(),
-                        prop.get(NotificationProperties.keystorePassVersion));
-        String keystoreUrl =
-                getConfigurationProperty(ConfigValues.keystoreUrl.name(),
-                        prop.get(NotificationProperties.keystoreUrlVersion));
-
-        validateConfigurationProperty(keystorePass);
-        validateConfigurationProperty(keystoreUrl);
+        LocalConfig config = LocalConfig.getInstance();
+        String keystorePass = config.getPKIEngineStorePassword();
+        String keystoreUrl = config.getPKIEngineStore().getAbsolutePath();
 
         try {
             String sslProtocol = prop.get(NotificationProperties.SSL_PROTOCOL);
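Review bot: The two `validateConfigurationProperty` calls are dropped without a replacement, so an unset engine store path or password would now surface as a NullPointerException on `getPKIEngineStore().getAbsolutePath()` or as a late key store load failure, not as a clear configuration error. Unless LocalConfig already rejects missing values (not visible here), keep a check such as `if (StringUtils.isEmpty(keystorePass)) throw new NotificationServiceException("Empty or missing engine store password");`. This file section also shows no hunk adding `import org.ovirt.engine.core.utils.LocalConfig;`, which is needed unless the class already imports it.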
@@ -272,15 +266,6 @@
         }
         catch (MalformedURLException exception) {
             throw new NotificationServiceException("Can't get engine health 
servlet URL.", exception);
-        }
-    }
-
-    private void validateConfigurationProperty(String propertyValue) throws 
NotificationServiceException {
-        final String MISSING_PROPERTY_ERROR = "Empty or missing property '%s' 
from vdc_options table";
-        if (StringUtils.isEmpty(propertyValue)) {
-            String errorMessage = String.format(MISSING_PROPERTY_ERROR, 
ConfigValues.keystorePass.name());
-            log.error(errorMessage);
-            throw new NotificationServiceException(errorMessage);
         }
     }
 
@@ -481,55 +466,6 @@
         catch (SQLException exception) {
             throw new NotificationServiceException("Failed to obtain database 
connectivity", exception);
         }
-    }
-
-    /**
-     * Retrieves property from vdc_option table by its name
-     * @param propertyName
-     *            property name to retrieve
-     * @param propertyVersion
-     *            the property version
-     * @return the property value or null if doesn't exists or failed to 
retrieve
-     */
-    private String getConfigurationProperty(String propertyName, String 
propertyVersion) {
-        final String GET_CONFIGURATION_PROPERTY_SQL =
-                "select option_value from vdc_options where option_name = ? 
and version = ?";
-        Connection connection = null;
-        PreparedStatement pStmt = null;
-        String propertyValue = null;
-        ResultSet rs = null;
-
-        if (StringUtils.isEmpty(propertyVersion)) {
-            propertyVersion = ConfigCommon.defaultConfigurationVersion;
-        }
-
-        try {
-            connection = ds.getConnection();
-            pStmt = 
connection.prepareStatement(GET_CONFIGURATION_PROPERTY_SQL);
-            pStmt.setString(1, propertyName);
-            pStmt.setString(2, propertyVersion);
-            rs = pStmt.executeQuery();
-            if (rs.next()) {
-                propertyValue = rs.getString(1);
-            }
-            if (propertyValue == null && 
!ConfigCommon.defaultConfigurationVersion.equals(propertyVersion)) {
-                rs.close();
-                pStmt.setString(1, propertyName);
-                pStmt.setString(2, ConfigCommon.defaultConfigurationVersion);
-                rs = pStmt.executeQuery();
-                if (rs.next()) {
-                    propertyValue = rs.getString(1);
-                }
-                log.warn(MessageFormat.format("Property {0} does not exists on 
vdc_option with version {1}. Trying to obtain it with default version.",
-                        propertyName,
-                        propertyVersion));
-            }
-        } catch (Exception e) {
-            log.error(MessageFormat.format("Failed to retrieve property {0} 
from the database", propertyName), e);
-        } finally {
-            DbUtils.closeQuietly(rs,pStmt,connection);
-        }
-        return propertyValue;
     }
 
 }
diff --git 
a/backend/manager/tools/src/main/java/org/ovirt/engine/core/notifier/utils/NotificationProperties.java
 
b/backend/manager/tools/src/main/java/org/ovirt/engine/core/notifier/utils/NotificationProperties.java
index 29866f7..e65fe6a 100644
--- 
a/backend/manager/tools/src/main/java/org/ovirt/engine/core/notifier/utils/NotificationProperties.java
+++ 
b/backend/manager/tools/src/main/java/org/ovirt/engine/core/notifier/utils/NotificationProperties.java
@@ -41,8 +41,6 @@
     public static final String ENGINE_MONITOR_RETRIES = 
"ENGINE_MONITOR_RETRIES";
     public static final String SSL_IGNORE_CERTIFICATE_ERRORS = 
"SSL_IGNORE_CERTIFICATE_ERRORS";
     public static final String SSL_IGNORE_HOST_VERIFICATION = 
"SSL_IGNORE_HOST_VERIFICATION";
-    public static final String keystoreUrlVersion = "keystoreUrlVersion";
-    public static final String keystorePassVersion = "keystorePassVersion";
     public static final String ENGINE_PID = "ENGINE_PID";
     public static final String DEFAULT_ENGINE_PID = 
"/var/run/ovirt-engine.pid";
 
diff --git a/packaging/fedora/setup/basedefs.py 
b/packaging/fedora/setup/basedefs.py
index eec4b93..ebb8b5b 100644
--- a/packaging/fedora/setup/basedefs.py
+++ b/packaging/fedora/setup/basedefs.py
@@ -144,6 +144,9 @@
 # File containing the setup generated java configuration of the engine:
 FILE_ENGINE_CONF_JAVA="%s/50-setup-java.conf" % DIR_ENGINE_CONF
 
+# File containing the setup generated java configuration of the engine:
+FILE_ENGINE_CONF_PKI="%s/50-setup-pki.conf" % DIR_ENGINE_CONF
+
 # This file will be automatically created when the engine goes into
 # maintenance mode during upgrades and automatically removed when the
 # engine goes back into normal mode once the upgrade is finished:
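Review bot: The comment added above `FILE_ENGINE_CONF_PKI` is a copy of the one for `FILE_ENGINE_CONF_JAVA` and still says "java configuration". It should read `# File containing the setup generated PKI configuration of the engine (holds key store passwords):` so that readers know the file is sensitive.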
diff --git a/packaging/fedora/setup/common_utils.py 
b/packaging/fedora/setup/common_utils.py
index a923319..00fba20 100755
--- a/packaging/fedora/setup/common_utils.py
+++ b/packaging/fedora/setup/common_utils.py
@@ -1244,6 +1244,32 @@
     logging.debug("Engine has been configured")
     handler.close()
 
+def editEngineSysconfigPKI(
+    pkidir,
+    caCerticate,
+    enigneStore,
+    engineStorePassword,
+    engineStoreAlias,
+    engineCerticate,
+    trustStore,
+    trustStorePassword,
+):
+    # Load the file:
+    handler = TextConfigFileHandler(basedefs.FILE_ENGINE_CONF_PKI, 
readExisting=False)
+    handler.open()
+    handler.editParam("ENGINE_PKI", pkidir)
+    handler.editParam("ENGINE_PKI_CA", caCerticate)
+    handler.editParam("ENGINE_PKI_ENGINE_CERT", engineCerticate)
+    handler.editParam("ENGINE_PKI_ENGINE_STORE", enigneStore)
+    handler.editParam("ENGINE_PKI_ENGINE_STORE_PASSWORD", engineStorePassword)
+    handler.editParam("ENGINE_PKI_ENGINE_STORE_ALIAS", engineStoreAlias)
+    handler.editParam("ENGINE_PKI_TRUST_STORE", trustStore)
+    handler.editParam("ENGINE_PKI_TRUST_STORE_PASSWORD", trustStorePassword)
+    handler.close()
+
+    chownToEngine(basedefs.FILE_ENGINE_CONF_PKI)
+    os.chmod(basedefs.FILE_ENGINE_CONF_PKI, 0o640)
+
 def encryptEngineDBPass(password, maskList):
     """
     Encryptes the jboss postgres db password
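Review bot: editEngineSysconfigPKI writes both store passwords into `FILE_ENGINE_CONF_PKI` and only afterwards restricts it with `chownToEngine` and `os.chmod(..., 0o640)`, so until the chmod runs the file has whatever mode the process umask gives it, which may be world-readable. How TextConfigFileHandler creates the file is not visible here; if it uses the default mode, set the restrictive mode before any secret is written, for instance `oldmask = os.umask(0o027)` before `handler.open()` and `os.umask(oldmask)` in a `finally`. The keyword names `caCerticate`, `enigneStore` and `engineCerticate` are misspelled and become part of the call interface (engine-setup.py already passes them by keyword), so they are worth fixing now. The function also has no docstring, unlike `encryptEngineDBPass` below it.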
diff --git a/packaging/fedora/setup/engine-config-install.properties 
b/packaging/fedora/setup/engine-config-install.properties
index 95a2728..63f2a78 100644
--- a/packaging/fedora/setup/engine-config-install.properties
+++ b/packaging/fedora/setup/engine-config-install.properties
@@ -2,26 +2,18 @@
 include=/etc/ovirt-engine/engine-config/engine-config.properties
 
 OrganizationName=
-CertAlias=
 InstallVds=
-TruststoreUrl=
 ENGINEEARLib=
 ScriptsPath=
 UseSecureConnectionWithServers=
 VdsErrorsFileName=
 DataDir=
-keystoreUrl=
-keystorePass=
 PostgresI18NPrefix=
 PostgresLinkSyntax=
 PostgresPagingSyntax=
 PostgresPagingType=
 PostgresSearchTemplate=
 ConfigDir=
-SignScriptName=
-CAEngineKey=
-CACertificatePath=
-TruststorePass=
 AdUserId=
 VdcVersion=
 LdapServers=
diff --git a/packaging/fedora/setup/engine-setup.py 
b/packaging/fedora/setup/engine-setup.py
index 93e2cc2..a624879 100755
--- a/packaging/fedora/setup/engine-setup.py
+++ b/packaging/fedora/setup/engine-setup.py
@@ -120,7 +120,7 @@
                                               { 'title'     : 
output_messages.INFO_FIND_JAVA,
                                                 'functions' : [_findJavaHome, 
_editSysconfigJava]},
                                               { 'title'     : 
output_messages.INFO_CREATE_CA,
-                                                'functions' : [_createCA]},
+                                                'functions' : [_createCA, 
_editSysconfigPKI]},
                                               { 'title'     : 
output_messages.INFO_UPD_ENGINE_CONF,
                                                 'functions' : 
[_editSysconfigProtocols] },
                                               { 'title'     : 
output_messages.INFO_SET_DB_CONFIGURATION,
@@ -1264,17 +1264,9 @@
     #1st we update the keystore and CA related paths, only then we can set the 
passwords and the rest options
     options = (
         {
-            "CABaseDirectory":[basedefs.DIR_OVIRT_PKI, 'text'],
-            "keystoreUrl":[basedefs.FILE_ENGINE_KEYSTORE, 'text'],
-            "CertificateFileName":[basedefs.FILE_ENGINE_CERT, 'text'],
-            "TruststoreUrl":[basedefs.FILE_TRUSTSTORE, 'text'],
             "ENGINEEARLib":["%s/engine.ear" %(basedefs.DIR_ENGINE), 'text'],
-            "CACertificatePath":[basedefs.FILE_CA_CRT_SRC, 'text'],
-            "CertAlias":["1", 'text'],
-            "keystorePass":[basedefs.CONST_KEY_PASS, 'text'],
         },
         {
-            "TruststorePass":[basedefs.CONST_CA_PASS, 'text'],
             "LocalAdminPassword":[controller.CONF["AUTH_PASS"], 'pass'],
             "SSLEnabled":[ "true", 'text'],
             "UseSecureConnectionWithServers":[ "true", 'text'],
@@ -1292,7 +1284,6 @@
             "InstallVds":["true", 'text'],
             "ConfigDir":["/etc/ovirt-engine", 'text'],
             "DataDir":["/usr/share/ovirt-engine", 'text'],
-            "SignScriptName":["SignReq.sh", 'text'],
             "OrganizationName":[controller.CONF["ORG_NAME"], 'text'],
             "ProductRPMVersion":[utils.getEngineVersion(), 'text'],
             "AdminPassword":[controller.CONF["AUTH_PASS"], 'pass']
@@ -2144,6 +2135,18 @@
 def _editSysconfigJava():
     utils.editEngineSysconfigJava(javaHome=controller.CONF["JAVA_HOME"])
 
+def _editSysconfigPKI():
+    utils.editEngineSysconfigPKI(
+        pkidir=basedefs.DIR_OVIRT_PKI,
+        caCerticate=basedefs.FILE_CA_CRT_SRC,
+        enigneStore=basedefs.FILE_ENGINE_KEYSTORE,
+        engineStorePassword=basedefs.CONST_KEY_PASS,
+        engineStoreAlias="1",
+        engineCerticate=basedefs.FILE_ENGINE_CERT,
+        trustStore=basedefs.FILE_TRUSTSTORE,
+        trustStorePassword=basedefs.CONST_KEY_PASS,
+    )
+
 def startRhevmDbRelatedServices():
     """
     bring back any service we stopped
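Review bot: `_editSysconfigPKI` passes `trustStorePassword=basedefs.CONST_KEY_PASS`, but the entry this commit removes from the options table was `"TruststorePass":[basedefs.CONST_CA_PASS, 'text']`. Unless the two constants hold the same value (their definitions are not shown), the engine would be configured with the wrong trust store password and fail to open the trust store. The line should probably be `trustStorePassword=basedefs.CONST_CA_PASS,`.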
diff --git a/packaging/fedora/setup/engine-upgrade.py 
b/packaging/fedora/setup/engine-upgrade.py
index cfb6a2d..0f0cbf6 100755
--- a/packaging/fedora/setup/engine-upgrade.py
+++ b/packaging/fedora/setup/engine-upgrade.py
@@ -1136,7 +1136,7 @@
     startEngineService = [startEngine]
     preupgradeFunc = [preupgradeUUIDCheck]
     upgradeFunc = [rhyum.update, generateEngineConf, setupVarPrivileges,
-        updateHttpdConf,
+        updateHttpdConf, basedefs.editEngineSysconfigPKI,
     ]
     postFunc = [modifyUUIDs, ca.commit, runPost, deleteEngineSysconfig]
     engineService = basedefs.ENGINE_SERVICE_NAME
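Review bot: `basedefs.editEngineSysconfigPKI` in the `upgradeFunc` list does not match anything this commit defines: the function is added to common_utils.py, and the basedefs.py hunk adds only `FILE_ENGINE_CONF_PKI`, so this would raise AttributeError when the list is built. The function also takes eight required arguments, so even with the right module it could not be called with no arguments, which is how the other entries appear to be invoked. Add a zero-argument wrapper in engine-upgrade.py like `_editSysconfigPKI` in engine-setup.py and list that instead. The enclosing function starts and ends outside the hunk.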


--
To view, visit http://gerrit.ovirt.org/14333
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I1764d9ca7a8c677401f721b3d89f45deff9c1f26
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Alon Bar-Lev <alo...@redhat.com>