001: /*************************************************************************
002: * *
003: * EJBCA: The OpenSource Certificate Authority *
004: * *
005: * This software is free software; you can redistribute it and/or *
006: * modify it under the terms of the GNU Lesser General Public *
007: * License as published by the Free Software Foundation; either *
008: * version 2.1 of the License, or any later version. *
009: * *
010: * See terms of license at gnu.org. *
011: * *
012: *************************************************************************/package org.ejbca.ui.cli;
013:
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.ArrayList;

import javax.naming.Context;
import javax.naming.NamingException;

import org.ejbca.core.ejb.authorization.IAuthorizationSessionHome;
import org.ejbca.core.ejb.authorization.IAuthorizationSessionRemote;
import org.ejbca.core.ejb.ca.caadmin.ICAAdminSessionHome;
import org.ejbca.core.ejb.ca.caadmin.ICAAdminSessionRemote;
import org.ejbca.core.ejb.hardtoken.IHardTokenSessionHome;
import org.ejbca.core.ejb.hardtoken.IHardTokenSessionRemote;
import org.ejbca.core.ejb.ra.IUserAdminSessionHome;
import org.ejbca.core.ejb.ra.IUserAdminSessionRemote;
import org.ejbca.core.ejb.ra.raadmin.IRaAdminSessionHome;
import org.ejbca.core.ejb.ra.raadmin.IRaAdminSessionRemote;
import org.ejbca.core.model.SecConst;
import org.ejbca.core.model.authorization.AdminEntity;
import org.ejbca.core.model.hardtoken.HardTokenIssuer;
import org.ejbca.core.model.hardtoken.profiles.IPINEnvelopeSettings;
import org.ejbca.core.model.hardtoken.profiles.SwedishEIDProfile;
import org.ejbca.core.model.log.Admin;
import org.ejbca.core.model.ra.raadmin.EndEntityProfile;
import org.ejbca.core.model.ra.raadmin.GlobalConfiguration;
039:
040: /** Class used for easy setup primecard server.
041: *
* This isn't used as a command line tool by itself but from within the CLI; it's run by the command
043: * ejbca.sh/cmd setup initializehardtokenissuing
044: *
* Its main method, run, sets up:
* 1. Sets the global setting use hard token functionality to true.
* 2. A default 'Administrator Token' Hard Token Profile
* 3. A default 'Local' Hard Token Issuer with the 'Temporary Super Admin Group' as admin group.
049: * 4. Adds a 'Administrator Token End Entity Profile' End Entity Profile with the following fields:
050: * * CN, required
051: * * 'Administrator Token' as default and available tokens
052: * * 'local' as default and available issuers
053: * * default available CA is taken from parameter to run method
054: *
055: * 5. Adds a user SuperAdminToken with CN=SuperAdminToken with issuer local
* 6. Adds SuperAdminToken to the Temporary Super Admin Group
057: *
* After run has been executed it should be easy to run PrimeCard locally to just issue the first card.
059: *
060: * @author Philip Vendil
061: * @version $Id: InitializeHardTokenIssuing.java,v 1.3 2007/01/03 14:49:35 anatom Exp $
062: *
063: */
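public class InitializeHardTokenIssuing extends BaseAdminCommand {

    /**
     * SVG PIN envelope template. The path is relative, so it is resolved against the
     * working directory the CLI is started from.
     */
    private static final String SVGPINFILENAME = "src/cli/admincard_pintemplate.svg";

    /** Charset used to read SVGPINFILENAME (SVG is XML, whose default encoding is UTF-8). */
    private static final String SVGPINFILECHARSET = "UTF-8";

    private static final String ADMINTOKENPROFILENAME = "Administrator Token Profile";

    private static final String ISSUERALIAS = "local";

    private static final String SUPERADMINTOKENNAME = "SuperAdminToken";

    private static final String ADMINTOKENENDENTITYPROFILE = "Administration Token End Entity Profile";

    /** Admin group the 'local' issuer is registered under and that receives the new token administrator. */
    private static final String SUPERADMINGROUPNAME = "Temporary Super Administrator Group";

    // Remote session beans, looked up lazily by the get*Session() methods below.
    private IRaAdminSessionRemote raadminsession;
    private IAuthorizationSessionRemote authorizationsession;
    private IHardTokenSessionRemote hardtokensession;
    private IUserAdminSessionRemote useradminsession;
    private ICAAdminSessionRemote caadminsession;

    /**
     * @param args command line arguments; args[1] is expected to be the CA name (see execute)
     */
    public InitializeHardTokenIssuing(String[] args) {
        super(args, Admin.TYPE_CACOMMANDLINE_USER, "cli");
    }

    /**
     * Entry point called by the CLI: validates the arguments and runs the setup.
     *
     * @throws IllegalAdminCommandException if no CA name was given
     * @throws ErrorAdminCommandException wrapping any failure during the setup
     */
    public void execute() throws IllegalAdminCommandException, ErrorAdminCommandException {
        if (args.length < 2) {
            throw new IllegalAdminCommandException("Usage: SETUP initializehardtokenissuing <caname>\n");
        }
        String caname = args[1];
        try {
            runSetup(caname);
        } catch (Exception e) {
            throw new ErrorAdminCommandException(e);
        }
    }

    /**
     * Performs the setup steps described in the class header, in order. Nothing is rolled
     * back here if a later step fails.
     *
     * @param caname name of the CA that will issue the first administrator token
     * @throws Exception if any step fails
     */
    private void runSetup(String caname) throws Exception {
        getOutputStream().println("Adding Hard Token Super Administrator .....\n\n");
        int caid = this.getCAAdminSession().getCAInfo(administrator, caname).getCAId();
        int admingroupid = getAuthorizationSession()
                .getAdminGroup(administrator, SUPERADMINGROUPNAME, caid).getAdminGroupId();

        configureGlobalConfiguration();
        createAdministratorTokenProfile();
        createLocalHardTokenIssuer(caid, admingroupid);
        createAdminTokenEndEntityProfile(caid);
        createSuperAdminTokenUser(caid);
        addSuperAdminTokenUserToTemporarySuperAdminGroup(caid);

        getOutputStream().print("A hard token Administrator have been added.\n\n"
                + "In order to issue the card. Startup PrimeCard in local mode using\n"
                + "the alias 'local'. Then insert an empty token.\n"
                + "This Administrator is also a super administrator for the EJBCA installation.\n");
    }

    /**
     * Sets the Issue Hard Tokens flag to true in the system configuration.
     *
     * @throws Exception if the configuration cannot be loaded or saved
     */
    private void configureGlobalConfiguration() throws Exception {
        GlobalConfiguration config = getRAAdminSession().loadGlobalConfiguration(administrator);
        config.setIssueHardwareTokens(true);
        this.getRAAdminSession().saveGlobalConfiguration(administrator, config);
    }

    /**
     * Creates the 'Administrator Token' Hard Token Profile with the SVG PIN envelope template embedded.
     *
     * @throws Exception if the template cannot be read or the profile cannot be stored
     */
    private void createAdministratorTokenProfile() throws Exception {
        SwedishEIDProfile admintokenprofile = new SwedishEIDProfile();
        admintokenprofile.setPINEnvelopeType(IPINEnvelopeSettings.PINENVELOPETYPE_GENERALENVELOBE);

        // Both the template text and the template filename are stored on the profile.
        String filecontent = readPinEnvelopeTemplate();
        ((IPINEnvelopeSettings) admintokenprofile).setPINEnvelopeData(filecontent);
        ((IPINEnvelopeSettings) admintokenprofile).setPINEnvelopeTemplateFilename(SVGPINFILENAME);

        this.getHardTokenSession().addHardTokenProfile(administrator, ADMINTOKENPROFILENAME,
                admintokenprofile);
    }

    /**
     * Reads SVGPINFILENAME into a String, each input line followed by a single '\n'.
     * The reader is closed whether or not the read succeeds.
     *
     * @return the template text, empty if the file has no lines
     * @throws IOException if the file is missing or cannot be read
     */
    private static String readPinEnvelopeTemplate() throws IOException {
        BufferedReader br = new BufferedReader(
                new InputStreamReader(new FileInputStream(SVGPINFILENAME), SVGPINFILECHARSET));
        try {
            StringBuffer filecontent = new StringBuffer();
            String nextline;
            while ((nextline = br.readLine()) != null) {
                filecontent.append(nextline).append('\n');
            }
            return filecontent.toString();
        } finally {
            br.close();
        }
    }

    /**
     * Creates the 'Local' Hard Token Issuer, offering only the administrator token profile.
     *
     * @param caid CA id; not used by this step, kept for symmetry with the other steps
     * @param admingroupid admin group id the issuer is registered under
     * @throws Exception if the profile id cannot be resolved or the issuer cannot be stored
     */
    private void createLocalHardTokenIssuer(int caid, int admingroupid) throws Exception {
        HardTokenIssuer localissuer = new HardTokenIssuer();
        localissuer.setDescription(
                "Issuer created by installation script, used to create the first administration token");

        ArrayList availableprofiles = new ArrayList();
        availableprofiles.add(new Integer(
                getHardTokenSession().getHardTokenProfileId(administrator, ADMINTOKENPROFILENAME)));
        localissuer.setAvailableHardTokenProfiles(availableprofiles);

        this.getHardTokenSession().addHardTokenIssuer(administrator, ISSUERALIAS, admingroupid, localissuer);
    }

    /**
     * Creates the End Entity Profile used for issuing the superadmintoken.
     *
     * @param caid CA used as default and as the only available CA in the profile
     * @throws Exception if ids cannot be resolved or the profile cannot be stored
     */
    private void createAdminTokenEndEntityProfile(int caid) throws Exception {
        int tokenid = getHardTokenSession().getHardTokenProfileId(administrator, ADMINTOKENPROFILENAME);
        int hardtokenissuerid = getHardTokenSession().getHardTokenIssuerId(administrator, ISSUERALIAS);
        EndEntityProfile profile = new EndEntityProfile();

        // Set autogenerated password
        profile.setUse(EndEntityProfile.PASSWORD, 0, false);

        // Batch
        profile.setUse(EndEntityProfile.CLEARTEXTPASSWORD, 0, true);
        profile.setRequired(EndEntityProfile.CLEARTEXTPASSWORD, 0, true);
        profile.setValue(EndEntityProfile.CLEARTEXTPASSWORD, 0, EndEntityProfile.TRUE);

        // Set CA
        profile.setValue(EndEntityProfile.DEFAULTCA, 0, "" + caid);
        profile.setValue(EndEntityProfile.AVAILCAS, 0, "" + caid);

        profile.setValue(EndEntityProfile.DEFAULTCERTPROFILE, 0, "" + SecConst.CERTPROFILE_FIXED_ENDUSER);
        profile.setValue(EndEntityProfile.AVAILCERTPROFILES, 0, ""
                + SecConst.CERTPROFILE_FIXED_ENDUSER + ";"
                + SecConst.CERTPROFILE_FIXED_HARDTOKENAUTH + ";"
                + SecConst.CERTPROFILE_FIXED_HARDTOKENAUTHENC + ";"
                + SecConst.CERTPROFILE_FIXED_HARDTOKENSIGN + ";"
                + SecConst.CERTPROFILE_FIXED_HARDTOKENENC);

        // Set Default Token Type
        profile.setValue(EndEntityProfile.DEFKEYSTORE, 0, "" + tokenid);
        profile.setValue(EndEntityProfile.AVAILKEYSTORE, 0, "" + tokenid);

        // Set Default Issuers
        profile.setUse(EndEntityProfile.AVAILTOKENISSUER, 0, true);
        profile.setValue(EndEntityProfile.DEFAULTTOKENISSUER, 0, "" + hardtokenissuerid);
        profile.setValue(EndEntityProfile.AVAILTOKENISSUER, 0, "" + hardtokenissuerid);

        // Set Administrator Flag: in use, required and preset to TRUE.
        profile.setUse(EndEntityProfile.ADMINISTRATOR, 0, true);
        profile.setRequired(EndEntityProfile.ADMINISTRATOR, 0, true);
        profile.setValue(EndEntityProfile.ADMINISTRATOR, 0, EndEntityProfile.TRUE);

        // Save Profile
        this.getRAAdminSession().addEndEntityProfile(administrator, ADMINTOKENENDENTITYPROFILE, profile);
    }

    /**
     * Adds a new superadmintoken user to the user database and puts it to the local issuer queue.
     *
     * @param caid CA the user is registered with
     * @throws Exception if ids cannot be resolved or the user cannot be added
     */
    private void createSuperAdminTokenUser(int caid) throws Exception {
        int endentityprofileid = getRAAdminSession().getEndEntityProfileId(administrator,
                ADMINTOKENENDENTITYPROFILE);
        int certificateprofileid = SecConst.CERTPROFILE_FIXED_ENDUSER;
        int tokenid = getHardTokenSession().getHardTokenProfileId(administrator, ADMINTOKENPROFILENAME);
        int hardtokenissuerid = getHardTokenSession().getHardTokenIssuerId(administrator, ISSUERALIAS);

        // The three null arguments presumably are password, subject alt name and email;
        // confirm against IUserAdminSessionRemote.addUser. The DN is built from the fixed token name.
        this.getUserAdminSession().addUser(administrator, SUPERADMINTOKENNAME, null,
                "CN=" + SUPERADMINTOKENNAME, null, null, true, endentityprofileid, certificateprofileid,
                65, // end entity type; presumably SecConst.USER_ENDUSER | USER_ADMINISTRATOR (1 | 64) - confirm
                tokenid, hardtokenissuerid, caid);
    }

    /**
     * Adds the new superadmintoken user to the Temporary Super Admin Group.
     * As the AdminEntity constants indicate, the match is on the common name only, case-insensitive,
     * and bound to caid: a certificate issued by that CA whose CN equals SUPERADMINTOKENNAME is
     * treated as this administrator.
     *
     * @param caid CA the admin entity is bound to
     * @throws Exception if the entity cannot be added
     */
    private void addSuperAdminTokenUserToTemporarySuperAdminGroup(int caid) throws Exception {
        ArrayList adminentities = new ArrayList();
        adminentities.add(new AdminEntity(AdminEntity.WITH_COMMONNAME, AdminEntity.TYPE_EQUALCASEINS,
                SUPERADMINTOKENNAME, caid));
        getAuthorizationSession().addAdminEntities(administrator, SUPERADMINGROUPNAME, caid, adminentities);
    }

    /**
     * Looks up a remote home interface through JNDI and narrows it to homeClass. Shared by the
     * get*Session() methods so the lookup/narrow sequence exists only once.
     *
     * @param jndiName name bound in the initial context, e.g. "HardTokenSession"
     * @param homeClass home interface the bound object is narrowed to
     * @return the narrowed home object; the caller casts it to homeClass
     * @throws Exception if the initial context or the name cannot be resolved
     */
    private Object lookupHome(String jndiName, Class homeClass) throws Exception {
        Context jndiContext = getInitialContext();
        Object obj1 = jndiContext.lookup(jndiName);
        return javax.rmi.PortableRemoteObject.narrow(obj1, homeClass);
    }

    /**
     * Returns the HardTokenSession remote interface, creating it through JNDI on first use.
     *
     * @throws Exception if the lookup or the create call fails
     */
    private IHardTokenSessionRemote getHardTokenSession() throws Exception {
        debug(">getHardTokenSession()");
        try {
            if (hardtokensession == null) {
                IHardTokenSessionHome homesession = (IHardTokenSessionHome) lookupHome(
                        "HardTokenSession", IHardTokenSessionHome.class);
                hardtokensession = homesession.create();
            }
            debug("<getHardTokenSession()");
            return hardtokensession;
        } catch (NamingException e) {
            error("Can't get hardtoken session", e);
            throw e;
        }
    }

    /**
     * Returns the RaAdminSession remote interface, creating it through JNDI on first use.
     *
     * @throws Exception if the lookup or the create call fails
     */
    private IRaAdminSessionRemote getRAAdminSession() throws Exception {
        debug(">getRaAdminSession()");
        try {
            if (raadminsession == null) {
                IRaAdminSessionHome raadminHomesession = (IRaAdminSessionHome) lookupHome(
                        "RaAdminSession", IRaAdminSessionHome.class);
                raadminsession = raadminHomesession.create();
            }
            debug("<getRaAdminSession()");
            return raadminsession;
        } catch (NamingException e) {
            error("Can't get RaAdmin session", e);
            throw e;
        }
    }

    /**
     * Returns the AuthorizationSession remote interface, creating it through JNDI on first use.
     *
     * @throws Exception if the lookup or the create call fails
     */
    private IAuthorizationSessionRemote getAuthorizationSession() throws Exception {
        debug(">getAuthorizationSession()");
        try {
            if (authorizationsession == null) {
                IAuthorizationSessionHome homesession = (IAuthorizationSessionHome) lookupHome(
                        "AuthorizationSession", IAuthorizationSessionHome.class);
                authorizationsession = homesession.create();
            }
            debug("<getAuthorizationSession()");
            return authorizationsession;
        } catch (NamingException e) {
            error("Can't get authorization session", e);
            throw e;
        }
    }

    /**
     * Returns the UserAdminSession remote interface, creating it through JNDI on first use.
     *
     * @throws Exception if the lookup or the create call fails
     */
    private IUserAdminSessionRemote getUserAdminSession() throws Exception {
        debug(">getUserAdminSession()");
        try {
            if (useradminsession == null) {
                IUserAdminSessionHome homesession = (IUserAdminSessionHome) lookupHome(
                        "UserAdminSession", IUserAdminSessionHome.class);
                useradminsession = homesession.create();
            }
            debug("<getUserAdminSession()");
            return useradminsession;
        } catch (NamingException e) {
            error("Can't get user admin session", e);
            throw e;
        }
    }

    /**
     * Returns the CAAdminSession remote interface, creating it through JNDI on first use.
     *
     * @throws Exception if the lookup or the create call fails
     */
    private ICAAdminSessionRemote getCAAdminSession() throws Exception {
        debug(">getCAAdminSession()");
        try {
            if (caadminsession == null) {
                ICAAdminSessionHome homesession = (ICAAdminSessionHome) lookupHome(
                        "CAAdminSession", ICAAdminSessionHome.class);
                caadminsession = homesession.create();
            }
            debug("<getCAAdminSession()");
            return caadminsession;
        } catch (NamingException e) {
            // Message named the wrong session before; it now identifies this lookup.
            error("Can't get CA admin session", e);
            throw e;
        }
    }

}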
|