Diffstat (limited to 'cpp')
-rw-r--r-- | cpp/demo/IceGrid/secure/README | 23 | ||||
-rw-r--r-- | cpp/demo/IceGrid/secure/config.glacier2 | 2 | ||||
-rw-r--r-- | cpp/demo/IceGrid/secure/config.node | 2 | ||||
-rw-r--r-- | cpp/demo/IceGrid/secure/config.registry | 8 | ||||
-rwxr-xr-x | cpp/demo/IceGrid/secure/makecerts.py | 39 | ||||
-rw-r--r-- | cpp/src/ca/Makefile | 13 | ||||
-rw-r--r-- | cpp/src/ca/Makefile.mak | 21 | ||||
-rwxr-xr-x | cpp/src/ca/iceca | 77 |
8 files changed, 84 insertions, 101 deletions
diff --git a/cpp/demo/IceGrid/secure/README b/cpp/demo/IceGrid/secure/README
index 6c003199b5c..b9f7dd6e1eb 100644
--- a/cpp/demo/IceGrid/secure/README
+++ b/cpp/demo/IceGrid/secure/README
@@ -20,20 +20,15 @@ Run the makecerts.py script to create the certificates:
 $ makecerts.py
-And follow the instructions from the script. You should use the node
-name "All" to create the node certificate, the server name "Glacier2
-Admin" for the glacier2 certificate, "All" for the server certificate
-and "IceGrid Admin" for the admin certificate.
-
-You will also be prompted for a password to protect the Java Key
-Store, use "password" if you want to use the IceGrid Admin GUI with
-the config.admin configuration file.
-
-For simplicity, the certificate authority and certificates created by
-makecerts.py are not protected with passwords. In a real world
-deployment, you would typically use passwords to ensure that only
-people knowning the passwords can create new certificates or start the
-IceGrid components.
+And follow the instructions from the script. For Java Key Store it
+is recommended that you use the password "password". If you do
+otherwise, you'll need to edit the config.admin configuration file.
+
+For simplicity, the certificates created by makecerts.py are not
+protected with a password. In a real world deployment, you would
+typically use a password on all certifications to ensure that only
+priviledged users can create new certificates and start the IceGrid
+components.
 Once the certificates are generated, you can start the IceGrid registry, node and Glacier2 router:
diff --git a/cpp/demo/IceGrid/secure/config.glacier2 b/cpp/demo/IceGrid/secure/config.glacier2
index 10194483534..e16a92605e1 100644
--- a/cpp/demo/IceGrid/secure/config.glacier2
+++ b/cpp/demo/IceGrid/secure/config.glacier2
@@ -23,4 +23,4 @@
 IceSSL.CertFile=glacier2_cert.pem
 IceSSL.KeyFile=glacier2_key.pem
 IceSSL.TrustOnly.Client=CN="IceGrid Registry"
-IceSSL.TrustOnly.Server.Glacier2.Server.Endpoints=CN="IceGrid Registry";CN="Ice Server All"
+IceSSL.TrustOnly.Server.Glacier2.Server.Endpoints=CN="IceGrid Registry";CN="Server"
diff --git a/cpp/demo/IceGrid/secure/config.node b/cpp/demo/IceGrid/secure/config.node
index 54122bf246f..d8175c48e6e 100644
--- a/cpp/demo/IceGrid/secure/config.node
+++ b/cpp/demo/IceGrid/secure/config.node
@@ -27,5 +27,5 @@
 IceSSL.CertFile=node_cert.pem
 IceSSL.KeyFile=node_key.pem
 IceSSL.DefaultDir=certs
-IceSSL.TrustOnly.Client=CN="Ice Server All";CN="IceGrid Registry";CN="Ice Server Glacier2 Admin"
+IceSSL.TrustOnly.Client=CN="Server";CN="IceGrid Registry";CN="Glacier2"
 IceSSL.TrustOnly.Server=CN="IceGrid Registry"
diff --git a/cpp/demo/IceGrid/secure/config.registry b/cpp/demo/IceGrid/secure/config.registry
index 260d10bdaac..784fb7c31d9 100644
--- a/cpp/demo/IceGrid/secure/config.registry
+++ b/cpp/demo/IceGrid/secure/config.registry
@@ -34,7 +34,7 @@
 IceSSL.CertFile=registry_cert.pem
 IceSSL.KeyFile=registry_key.pem
 IceSSL.DefaultDir=certs
-IceSSL.TrustOnly.Client=CN="IceGrid Registry";CN="IceGrid Node All";CN="Ice Server Glacier2 Admin"
-IceSSL.TrustOnly.Server.IceGrid.Registry.Server=CN="Ice Server All"
-IceSSL.TrustOnly.Server.IceGrid.Registry.Internal=CN="IceGrid Node All";CN="IceGrid Registry"
-IceSSL.TrustOnly.Server.IceGrid.Registry.AdminSessionManager=CN="Ice Server Glacier2 Admin"
+IceSSL.TrustOnly.Client=CN="IceGrid Registry";CN="IceGrid Node";CN="Glacier2"
+IceSSL.TrustOnly.Server.IceGrid.Registry.Server=CN="Server"
+IceSSL.TrustOnly.Server.IceGrid.Registry.Internal=CN="IceGrid Node";CN="IceGrid Registry"
+IceSSL.TrustOnly.Server.IceGrid.Registry.AdminSessionManager=CN="Glacier2"
diff --git a/cpp/demo/IceGrid/secure/makecerts.py b/cpp/demo/IceGrid/secure/makecerts.py
index f7c13c4ecac..b88df6d3430 100755
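Review bot: The new TrustOnly entries match role-wide common names (`CN="Server"`, `CN="IceGrid Node"`, `CN="Glacier2"`), so the router, node and registry now accept any certificate the demo CA issues under one of those names rather than a per-instance name like the removed `IceGrid Node All` / `Ice Server All`; the same applies to the config.node and config.registry hunks. That is consistent with makecerts.py issuing exactly one certificate per role, but it means the TrustOnly restriction is only as strong as the CA's issuance discipline, and the demo initialises that CA with `--no-password`. I would state this where the values are set, e.g. `# TrustOnly matches the role CNs issued by makecerts.py; every certificate of a role shares one CN, so control over the CA signing key is the real access control` above the `IceSSL.TrustOnly` lines in each of the three files.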
--- a/cpp/demo/IceGrid/secure/makecerts.py
+++ b/cpp/demo/IceGrid/secure/makecerts.py
@@ -20,27 +20,13 @@ def iceca(args):
 if os.system(cmd): sys.exit(1)
-def createCertificate(type, filename = None):
-
- if not filename:
- filename = type
+def createCertificate(filename, cn):
 print "======= Creating " + filename + " certificate ======="
- # Generate the certificate in a temporary directory
- os.mkdir("tmpcerts")
- os.chdir("tmpcerts")
- iceca("request --" + type + nopassword)
- iceca("sign --in " + type + "_req.pem --out " + type + "_cert.pem")
- os.chdir("..")
-
- # Move and rename the generated certificate
- os.rename(os.path.join("tmpcerts", type + "_key.pem"), filename + "_key.pem")
- os.rename(os.path.join("tmpcerts", type + "_cert.pem"), filename + "_cert.pem")
-
- # Remove the temporary directory
- os.remove(os.path.join("tmpcerts", type + "_req.pem"))
- os.rmdir("tmpcerts")
+ iceca("request --no-password --overwrite %s \"%s\"" % (filename, cn))
+ iceca("sign --in %s_req.pem --out %s_cert.pem" % (filename, filename))
+ os.remove("%s_req.pem" % filename)
 print
 print
@@ -52,7 +38,6 @@ if not os.path.exists("certs") or os.path.basename(cwd) != "secure": sys.exit(1)
 os.environ["ICE_CA_HOME"] = os.path.abspath("certs")
-nopassword = " --no-password"
 os.chdir("certs")
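Review bot: `createCertificate` now interpolates `cn` straight into the command string that `iceca()` hands to `os.system()` (the `os.system(cmd)` call is visible in the hunk context; the rest of `iceca` is outside it), and the surrounding `\"%s\"` only keeps whitespace from splitting the argument, it does nothing for a name containing `"`, `$` or a backtick. Every caller in this script passes a fixed literal, so this is latent today, but this function is now the single place where a common name meets the shell. I would either build an argument list and run it through `subprocess` without a shell, or at least pin the contract with `# cn is interpolated into a shell command line: pass fixed literal names only` above the `iceca("request ...` line.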
@@ -60,18 +45,22 @@ os.chdir("certs")
 # First, create the certificate authority.
 #
 print "======= Creating Certificate Authority ======="
-iceca("init --overwrite" + nopassword)
+iceca("init --overwrite --no-password")
 print
 print
-createCertificate("registry")
-createCertificate("node")
-createCertificate("server", "glacier2")
-createCertificate("server")
-createCertificate("server", "admin")
+createCertificate("registry", "IceGrid Registry")
+createCertificate("node", "IceGrid Node")
+createCertificate("glacier2", "Glacier2")
+createCertificate("server", "Server")
+createCertificate("admin", "Admin")
 print "======= Creating Java Key Store ======="
+try:
+ os.remove("certs.jks")
+except OSError:
+ pass
 iceca("import --java admin admin_cert.pem admin_key.pem certs.jks")
 os.chdir("..")
diff --git a/cpp/src/ca/Makefile b/cpp/src/ca/Makefile
index 0c50a567eb0..57df5e43454 100644
--- a/cpp/src/ca/Makefile
+++ b/cpp/src/ca/Makefile
@@ -9,11 +9,20 @@ top_srcdir = ../..
+CA_FILES = iceca
+
+CLASS_FILES = ImportKey.class
+
+TARGETS = $(top_srcdir)/bin/iceca \
+ $(top_srcdir)/lib/ImportKey.class
+
 include $(top_srcdir)/config/Make.rules
-CA_FILES = iceca
+$(top_srcdir)/bin/iceca: iceca
+ cp iceca $@
-CLASS_FILES = ImportKey.class
+$(top_srcdir)/lib/ImportKey.class: ImportKey.class
+ cp ImportKey.class $@
 install::
 @for subdir in $(prefix)/bin $(prefix)/lib; \
diff --git a/cpp/src/ca/Makefile.mak b/cpp/src/ca/Makefile.mak
index a0e46327c58..e5149fd0500 100644
--- a/cpp/src/ca/Makefile.mak
+++ b/cpp/src/ca/Makefile.mak
@@ -9,12 +9,25 @@ top_srcdir = ..\..
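Review bot: The `except OSError: pass` around `os.remove("certs.jks")` swallows every failure, not just a missing keystore, so an unwritable or locked `certs.jks` silently stays in place and the following `iceca("import ...")` then fails for a less obvious reason. Narrow it to the missing-file case: `except OSError, e:` / `    if e.errno != errno.ENOENT: raise`. That needs `import errno` in the script's import block, which is outside this hunk.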
-!include $(top_srcdir)/config/Make.rules.mak
+CA_FILES = iceca \
+ iceca.bat
-CA_FILES = iceca \
- iceca.bat
+CLASS_FILES = ImportKey.class
-CLASS_FILES=ImportKey.class
+TARGETS = $(top_srcdir)\bin\iceca \
+ $(top_srcdir)\bin\iceca.bat \
+ $(top_srcdir)\lib\ImportKey.class
+
+!include $(top_srcdir)\config\Make.rules.mak
+
+$(top_srcdir)\bin\iceca: iceca
+ copy iceca $@
+
+$(top_srcdir)\bin\iceca.bat: iceca.bat
+ copy iceca.bat $@
+
+$(top_srcdir)\lib\ImportKey.class: ImportKey.class
+ copy ImportKey.class $@
install::
@for %i in ( $(CA_FILES) ) do \
diff --git a/cpp/src/ca/iceca b/cpp/src/ca/iceca
index 3053bc21ef7..c4d17f27d10 100755
--- a/cpp/src/ca/iceca
+++ b/cpp/src/ca/iceca
@@ -72,7 +72,7 @@ if sys.argv[script] == "import":
 sys.exit(1)
 try:
- opts, args = getopt.getopt(sys.argv[2:], "", [ "overwrite", "java", "cs"])
+ opts, args = getopt.getopt(sys.argv[script+1:], "", [ "overwrite", "java", "cs"])
 except getopt.GetoptError: usage()
@@ -166,6 +166,7 @@ if sys.argv[script] == "import":
 alias + " -passout file:" + keypassfile1 + " -certfile " + os.path.join(home, "ca_cert.pem")
 print "converting to pkcs12 format... ",
+ sys.stdout.flush()
 if verbose: print cmd
 status = os.system(cmd)
 if status != 0:
@@ -184,6 +185,7 @@ if sys.argv[script] == "import":
 #print cmd
 print "importing into the keystore...",
+ sys.stdout.flush()
 if verbose: print cmd
 status = os.system(cmd)
 if status != 0:
@@ -234,6 +236,7 @@ if sys.argv[script] == "import":
 cmd = "openssl pkcs12 -in " + cert + " -inkey " + key + " -export -out " + pkcs12cert + " -passout pass:"
 print "converting to pkcs12 format...",
+ sys.stdout.flush()
 if verbose: print cmd
 status = os.system(cmd)
 if keypassfile1 != None:
@@ -463,6 +466,7 @@ keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n\
 print "Generating configuration files... ",
 print "ca.cnf",
+ sys.stdout.flush()
 temp, cacnfname = tempfile.mkstemp(".cnf", "ca")
 os.write(temp, config["ca.cnf"])
 for k,v in DNelements.iteritems():
@@ -472,6 +476,7 @@ keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n\
 file = 'sign.cnf'
 print " " + file,
+ sys.stdout.flush()
 cnf = open(os.path.join(caroot, file), "w")
 cnf.write(config[file])
 cnf.write("[ ca_policy ]\n");
@@ -486,6 +491,7 @@ keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n\
 file = "req.cnf"
 print file,
+ sys.stdout.flush()
 cnf = open(os.path.join(home, file), "w")
 cnf.write(config[file])
 for k,v in DNelements.iteritems():
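Review bot: The same `print ...,` followed by `sys.stdout.flush()` pair is added at six sites in this file (this hunk and the five before it), each time immediately before a blocking `os.system` or file-writing step, presumably so the partial progress line is visible before the work starts; that is a repeated idiom rather than a pattern, and none of the sites says why the flush is there. A one-line helper defined once near the top, `def progress(msg):` / `    print msg,` / `    sys.stdout.flush()`, called as `progress("converting to pkcs12 format... ")`, would make the intent explicit and keep the six sites in step. Failing that, a comment on the first occurrence such as `# flush so the progress text shows before the blocking openssl call` would do.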
@@ -528,71 +534,42 @@ keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n\
 if sys.argv[script] == "request":
 def usage():
- print "usage: " + sys.argv[script] + " [--overwrite] [--node|--registry|--server|--user] [--no-password]"
+ print "usage: " + sys.argv[script] + " [--overwrite] [--no-password] file common-name [email]"
 sys.exit(1)
- def setType(type):
- keyfile = type + "_key.pem"
- reqfile = type + "_req.pem"
- if not overwrite:
- if os.path.exists(keyfile):
- print keyfile + ": exists"
- sys.exit(1)
- if os.path.exists(reqfile):
- print reqfile + ": exists"
- sys.exit(1)
- return type, keyfile, reqfile
-
 try:
- opts, args = getopt.getopt(sys.argv[script+1:], "", \
- [ "overwrite", "node", "registry", "server", "user", "no-password" ])
+ opts, args = getopt.getopt(sys.argv[script+1:], "", [ "overwrite", "no-password" ])
 except getopt.GetoptError: usage()
- if args:
- usage()
-
- type = None
- commonName = None
- email = None
 nopassphrase = False
 overwrite = False
 for o, a in opts:
 if o == "--overwrite": overwrite = True
- if o == "--node":
- if type != None:
- usage()
- type, keyfile, reqfile = setType("node")
- while not commonName or len(commonName) == 0:
- commonName = raw_input("Enter the node name: ")
- commonName = "IceGrid Node " + commonName
- elif o == "--registry":
- if type != None:
- usage()
- type, keyfile, reqfile = setType("registry")
- commonName = "IceGrid Registry"
- elif o == "--server":
- if type != None:
- usage()
- type, keyfile, reqfile = setType("server")
- while not commonName or len(commonName) == 0:
- commonName = raw_input("Enter the server name: ")
- commonName = "Ice Server " + commonName
- elif o == "--user":
- if type != None:
- usage()
- type, keyfile, reqfile = setType("user")
- while not commonName or len(commonName) == 0:
- commonName = raw_input("Enter the user's full name: ")
- while not email or len(email) == 0:
- email = raw_input("Enter the user's email address: ")
 elif o == "--no-password": nopassphrase =
True
- if not type:
+ if len(args) < 2 or len(args) > 3:
 usage()
+ keyfile = args[0] + "_key.pem"
+ reqfile = args[0] + "_req.pem"
+ if not overwrite:
+ if os.path.exists(keyfile):
+ print keyfile + ": exists"
+ sys.exit(1)
+ if os.path.exists(reqfile):
+ print reqfile + ": exists"
+ sys.exit(1)
+
+ commonName = args[1]
+
+ if len(args) == 3:
+ email = args[2]
+ else:
+ email = None
+
 #
 # Create a temporary configuration file.
 # |
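Review bot: `commonName = args[1]` accepts an empty string where the removed `raw_input` loops kept prompting until a non-empty name was entered, and `args[0]` is used unchecked as the `_key.pem` / `_req.pem` prefix, so `request foo ""` now continues into the configuration-file step with an empty CN and a prefix containing a path component writes the key and request wherever that path points rather than next to each other in the working directory. After the argument-count check I would add `if not args[0] or not args[1] or os.path.basename(args[0]) != args[0]:` / `    usage()`. The `request` block continues past the end of the hunk, so whether a later step rejects an empty common name is not visible here.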