Relocate SSNv2 nextRange attribute

The nextRange attribute for SSNv2 has been moved to
ou=requests,ou=ranges_v2 for requests and
ou=certificateRepository,ou=ranges_v2 for certs such that
the nextRange for SSNv1 is unchanged during migration.
This will simplify the recovery process in case there's
an issue during migration.

The SubsystemIdGeneratorUpdateCLI has been updated to
compute the request nextRange for SSNv2 with the same
process used to compute the cert nextRange for SSNv2.

base/ca/src/main/java/com/netscape/cmscore/dbs/CertificateRepository.java

@@ -109,7 +109,7 @@ public CertificateRepository(
         try {
             this.mRadix = dbc.getInteger(PROP_CERT_ID_RADIX, HEX);
             logger.debug("CertificateRepository: number radix {}", this.mRadix);
-            
+
         } catch (EBaseException ex) {
             logger.debug("CertificateRepository: error reading number radix config, using default {} for ", HEX);
         }
@@ -219,6 +219,17 @@ public void initLegacyGenerator() throws Exception {
         }
     }
 
+    public String getNextRangeDN() {
+
+        if (idGenerator == IDGenerator.LEGACY_2) {
+            // store nextRange in range subtree for SSNv2
+            return rangeDN;
+        }
+
+        // store nextRange in repository subtree for SSNv1
+        return super.getNextRangeDN();
+    }
+
     public void setMinSerialConfig() throws EBaseException {
 
         DatabaseConfig dbConfig = dbSubsystem.getDBConfigStore();

base/ca/src/main/java/org/dogtagpki/server/ca/cli/CARangeUpdateCLI.java

@@ -13,6 +13,7 @@
 import com.netscape.cmscore.apps.DatabaseConfig;
 import com.netscape.cmscore.dbs.CertificateRepository;
 import com.netscape.cmscore.dbs.Repository.IDGenerator;
+import com.netscape.cmscore.ldapconn.LDAPConfig;
 import com.netscape.cmscore.ldapconn.LdapAuthInfo;
 import com.netscape.cmscore.ldapconn.LdapConnInfo;
 import com.netscape.cmscore.ldapconn.PKISocketFactory;
@@ -44,6 +45,7 @@ public void updateSerialNumberRange(
             PKISocketFactory socketFactory,
             LdapConnInfo connInfo,
             LdapAuthInfo authInfo,
+            LDAPConfig ldapConfig,
             DatabaseConfig dbConfig,
             String baseDN) throws Exception {
 
@@ -58,6 +60,7 @@ public void updateSerialNumberRange(
                 socketFactory,
                 connInfo,
                 authInfo,
+                ldapConfig,
                 dbConfig,
                 baseDN);
     }

base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRARangeUpdateCLI.java

@@ -13,6 +13,7 @@
 import com.netscape.cmscore.apps.DatabaseConfig;
 import com.netscape.cmscore.dbs.KeyRepository;
 import com.netscape.cmscore.dbs.Repository.IDGenerator;
+import com.netscape.cmscore.ldapconn.LDAPConfig;
 import com.netscape.cmscore.ldapconn.LdapAuthInfo;
 import com.netscape.cmscore.ldapconn.LdapConnInfo;
 import com.netscape.cmscore.ldapconn.PKISocketFactory;
@@ -44,6 +45,7 @@ public void updateSerialNumberRange(
             PKISocketFactory socketFactory,
             LdapConnInfo connInfo,
             LdapAuthInfo authInfo,
+            LDAPConfig ldapConfig,
             DatabaseConfig dbConfig,
             String baseDN) throws Exception {
 
@@ -58,6 +60,7 @@ public void updateSerialNumberRange(
                 socketFactory,
                 connInfo,
                 authInfo,
+                ldapConfig,
                 dbConfig,
                 baseDN);
     }

base/server/src/main/java/com/netscape/cmscore/dbs/Repository.java

@@ -467,6 +467,11 @@ private void switchToNextRange() throws EBaseException {
         cs.commit(false);
     }
 
+    public String getNextRangeDN() {
+        // store nextRange in repository subtree for SSNv1
+        return mBaseDN;
+    }
+
     /**
      * Gets start of next range from database.
      * Increments the nextRange attribute and allocates
@@ -483,12 +488,13 @@ public String getNextRange() throws EBaseException {
         try {
             LDAPConnection conn = session.getConnection();
 
-            logger.info("Repository: Reading entry " + mBaseDN);
-            LDAPEntry entry = conn.read(mBaseDN);
+            String nextRangeDN = getNextRangeDN();
+            logger.info("Repository: Reading next range from " + nextRangeDN);
+            LDAPEntry entry = conn.read(nextRangeDN);
 
             LDAPAttribute attr = entry.getAttribute(DBSubsystem.PROP_NEXT_RANGE);
             if (attr == null) {
-                throw new Exception("Missing attribute" + DBSubsystem.PROP_NEXT_RANGE);
+                throw new Exception("Missing attribute " + DBSubsystem.PROP_NEXT_RANGE);
             }
 
             String nextRange = attr.getStringValues().nextElement();
@@ -504,7 +510,8 @@ public String getNextRange() throws EBaseException {
             // generate endRange in decimal
             String endRange = newNextRangeNo.subtract(BigInteger.ONE).toString();
 
-            logger.info("Repository: Updating " + DBSubsystem.PROP_NEXT_RANGE + " from " + nextRange + " to " + newNextRange);
+            logger.info("Repository: Updating next range in " + nextRangeDN);
+            logger.info("Repository: - " + DBSubsystem.PROP_NEXT_RANGE + ": " + nextRange + " -> " + newNextRange);
 
             // To make sure attrNextRange always increments, first delete the current value and then increment.
             // Two operations in the same transaction
@@ -515,8 +522,7 @@ public String getNextRange() throws EBaseException {
                     new LDAPModification(LDAPModification.ADD, attrNextRange)
             };
 
-            logger.info("Repository: Modifying entry " + mBaseDN);
-            conn.modify(mBaseDN, mods);
+            conn.modify(nextRangeDN, mods);
 
             // Add new range object
 
@@ -575,7 +581,7 @@ public boolean hasRangeConflict() throws EBaseException {
 
             logger.info("Repository: Searching for conflicting entries");
 
-            String minSerial = idGenerator == IDGenerator.LEGACY_2 ? 
+            String minSerial = idGenerator == IDGenerator.LEGACY_2 ?
                     mMinSerialNo.toString() : mMinSerialNo.toString(mRadix);
             String filter = "(&(nsds5ReplConflict=*)(objectClass=pkiRange)(host= " +
                     cs.getHostname() + ")(SecurePort=" + engine.getEESSLPort() +

base/server/src/main/java/com/netscape/cmscore/request/RequestRepository.java

@@ -83,7 +83,7 @@ public RequestRepository(
         try {
             this.mRadix = dbc.getInteger(PROP_REQUEST_ID_RADIX, DEC);
             logger.debug("CertificateRepository: number radix {}", this.mRadix);
-            
+
         } catch (EBaseException ex) {
             logger.debug("CertificateRepository: error reading number radix config, using default {} for ", HEX);
         }
@@ -202,6 +202,17 @@ public void initLegacyGenerator() throws Exception {
         }
     }
 
+    public String getNextRangeDN() {
+
+        if (idGenerator == IDGenerator.LEGACY_2) {
+            // store nextRange in range subtree for SSNv2
+            return rangeDN;
+        }
+
+        // store nextRange in repository subtree for SSNv1
+        return super.getNextRangeDN();
+    }
+
     public void setMinSerialConfig() throws EBaseException {
 
         DatabaseConfig dbConfig = dbSubsystem.getDBConfigStore();

base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBInitCLI.java

@@ -109,6 +109,15 @@ public void createRequestRangesSubtree(
             return;
         }
 
+        if (serialIDGenerator == IDGenerator.LEGACY_2) {
+            // create serial ranges subtree for SSNv2
+            // use repository object class to support nextRange
+            ldapConfigurator.createEntry(
+                    requestRangeRDN + "," + ldapConfig.getBaseDN(),
+                    new String[] { "repository" });
+            return;
+        }
+
         // create ou=requests,ou=ranges for SSNv1 or
         // ou=requests,ou=ranges_v2 for SSNv2
         ldapConfigurator.createEntry(
@@ -125,15 +134,25 @@ public void createSerialRangesSubtree(
 
         if (StringUtils.isEmpty(serialRangeRDN)) {
             // dbs.serialRangeDN only exists in CA and KRA
+            // serial ranges subtree is not needed for other subsystems
             return;
         }
 
         if (serialIDGenerator == IDGenerator.RANDOM) {
+            // serial ranges subtree is not needed for RSNv3
+            return;
+        }
+
+        if (serialIDGenerator == IDGenerator.LEGACY_2) {
+            // create serial ranges subtree for SSNv2
+            // use repository object class to support nextRange
+            ldapConfigurator.createEntry(
+                    serialRangeRDN + "," + ldapConfig.getBaseDN(),
+                    new String[] { "repository" });
             return;
         }
 
-        // create ou=certificateRepository,ou=ranges for SSNv1 or
-        // ou=certificateRepository,ou=ranges_v2 for SSNv2
+        // create serial ranges subtree for SSNv1
         ldapConfigurator.createEntry(
                 serialRangeRDN + "," + ldapConfig.getBaseDN(),
                 new String[] { "organizationalUnit" });