diff --git a/base/ca/src/main/java/com/netscape/cmscore/dbs/CertificateRepository.java b/base/ca/src/main/java/com/netscape/cmscore/dbs/CertificateRepository.java index b28dbda31d3..3634e290381 100644 --- a/base/ca/src/main/java/com/netscape/cmscore/dbs/CertificateRepository.java +++ b/base/ca/src/main/java/com/netscape/cmscore/dbs/CertificateRepository.java @@ -109,7 +109,7 @@ public CertificateRepository( try { this.mRadix = dbc.getInteger(PROP_CERT_ID_RADIX, HEX); logger.debug("CertificateRepository: number radix {}", this.mRadix); - + } catch (EBaseException ex) { logger.debug("CertificateRepository: error reading number radix config, using default {} for ", HEX); } @@ -219,6 +219,17 @@ public void initLegacyGenerator() throws Exception { } } + public String getNextRangeDN() { + + if (idGenerator == IDGenerator.LEGACY_2) { + // store nextRange in range subtree for SSNv2 + return rangeDN; + } + + // store nextRange in repository subtree for SSNv1 + return super.getNextRangeDN(); + } + public void setMinSerialConfig() throws EBaseException { DatabaseConfig dbConfig = dbSubsystem.getDBConfigStore(); diff --git a/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CARangeUpdateCLI.java b/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CARangeUpdateCLI.java index 23ae55354bd..df33c1abbe8 100644 --- a/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CARangeUpdateCLI.java +++ b/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CARangeUpdateCLI.java @@ -13,6 +13,7 @@ import com.netscape.cmscore.apps.DatabaseConfig; import com.netscape.cmscore.dbs.CertificateRepository; import com.netscape.cmscore.dbs.Repository.IDGenerator; +import com.netscape.cmscore.ldapconn.LDAPConfig; import com.netscape.cmscore.ldapconn.LdapAuthInfo; import com.netscape.cmscore.ldapconn.LdapConnInfo; import com.netscape.cmscore.ldapconn.PKISocketFactory; 
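Review bot: The `getNextRangeDN()` added to CertificateRepository overrides the method this commit adds to Repository but carries no `@Override`, so a later rename or signature change in the base class would silently leave it behind as an unrelated method; the identical override in RequestRepository has the same gap. Add `@Override` plus a one-line Javadoc, e.g. `/** Returns the DN whose nextRange attribute this repository reads and updates: the ranges subtree for LEGACY_2, otherwise the base DN. */`. The two overrides are byte-for-byte the same, so if `rangeDN` and `idGenerator` are fields of Repository (the hunk does not show where they are declared) the branch could live in the base implementation and both overrides could go.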
@@ -44,6 +45,7 @@ public void updateSerialNumberRange( PKISocketFactory socketFactory, LdapConnInfo connInfo, LdapAuthInfo authInfo, + LDAPConfig ldapConfig, DatabaseConfig dbConfig, String baseDN) throws Exception { @@ -58,6 +60,7 @@ public void updateSerialNumberRange( socketFactory, connInfo, authInfo, + ldapConfig, dbConfig, baseDN); } diff --git a/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRARangeUpdateCLI.java b/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRARangeUpdateCLI.java index d7420add681..fc83ceef42b 100644 --- a/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRARangeUpdateCLI.java +++ b/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRARangeUpdateCLI.java @@ -13,6 +13,7 @@ import com.netscape.cmscore.apps.DatabaseConfig; import com.netscape.cmscore.dbs.KeyRepository; import com.netscape.cmscore.dbs.Repository.IDGenerator; +import com.netscape.cmscore.ldapconn.LDAPConfig; import com.netscape.cmscore.ldapconn.LdapAuthInfo; import com.netscape.cmscore.ldapconn.LdapConnInfo; import com.netscape.cmscore.ldapconn.PKISocketFactory; @@ -44,6 +45,7 @@ public void updateSerialNumberRange( PKISocketFactory socketFactory, LdapConnInfo connInfo, LdapAuthInfo authInfo, + LDAPConfig ldapConfig, DatabaseConfig dbConfig, String baseDN) throws Exception { @@ -58,6 +60,7 @@ public void updateSerialNumberRange( socketFactory, connInfo, authInfo, + ldapConfig, dbConfig, baseDN); } diff --git a/base/server/src/main/java/com/netscape/cmscore/dbs/Repository.java b/base/server/src/main/java/com/netscape/cmscore/dbs/Repository.java index e8aa0676d84..f299a90ed3c 100644 --- a/base/server/src/main/java/com/netscape/cmscore/dbs/Repository.java +++ b/base/server/src/main/java/com/netscape/cmscore/dbs/Repository.java 
@@ -467,6 +467,11 @@ private void switchToNextRange() throws EBaseException { cs.commit(false); } + public String getNextRangeDN() { + // store nextRange in repository subtree for SSNv1 + return mBaseDN; + } + /** * Gets start of next range from database. * Increments the nextRange attribute and allocates @@ -483,12 +488,13 @@ public String getNextRange() throws EBaseException { try { LDAPConnection conn = session.getConnection(); - logger.info("Repository: Reading entry " + mBaseDN); - LDAPEntry entry = conn.read(mBaseDN); + String nextRangeDN = getNextRangeDN(); + logger.info("Repository: Reading next range from " + nextRangeDN); + LDAPEntry entry = conn.read(nextRangeDN); LDAPAttribute attr = entry.getAttribute(DBSubsystem.PROP_NEXT_RANGE); if (attr == null) { - throw new Exception("Missing attribute" + DBSubsystem.PROP_NEXT_RANGE); + throw new Exception("Missing attribute " + DBSubsystem.PROP_NEXT_RANGE); } String nextRange = attr.getStringValues().nextElement(); @@ -504,7 +510,8 @@ public String getNextRange() throws EBaseException { // generate endRange in decimal String endRange = newNextRangeNo.subtract(BigInteger.ONE).toString(); - logger.info("Repository: Updating " + DBSubsystem.PROP_NEXT_RANGE + " from " + nextRange + " to " + newNextRange); + logger.info("Repository: Updating next range in " + nextRangeDN); + logger.info("Repository: - " + DBSubsystem.PROP_NEXT_RANGE + ": " + nextRange + " -> " + newNextRange); // To make sure attrNextRange always increments, first delete the current value and then increment. // Two operations in the same transaction @@ -515,8 +522,7 @@ public String getNextRange() throws EBaseException { new LDAPModification(LDAPModification.ADD, attrNextRange) }; - logger.info("Repository: Modifying entry " + mBaseDN); - conn.modify(mBaseDN, mods); + conn.modify(nextRangeDN, mods); // Add new range object 
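Review bot: The new `getNextRangeDN()` in Repository has no Javadoc although it is now the hook that decides which entry `getNextRange()` reads and modifies, and two subclasses in this commit override it. Suggested Javadoc: `/** DN of the entry holding the nextRange attribute. Subclasses may override this to relocate the attribute; the entry must exist and its object class must allow nextRange, since getNextRange() both reads and modifies it. */`. Unless external callers need it, `protected` would express that it is an extension point rather than public API. `getNextRange()` continues past the end of the last hunk here.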
@@ -575,7 +581,7 @@ public boolean hasRangeConflict() throws EBaseException { logger.info("Repository: Searching for conflicting entries"); - String minSerial = idGenerator == IDGenerator.LEGACY_2 ? + String minSerial = idGenerator == IDGenerator.LEGACY_2 ? mMinSerialNo.toString() : mMinSerialNo.toString(mRadix); String filter = "(&(nsds5ReplConflict=*)(objectClass=pkiRange)(host= " + cs.getHostname() + ")(SecurePort=" + engine.getEESSLPort() + diff --git a/base/server/src/main/java/com/netscape/cmscore/request/RequestRepository.java b/base/server/src/main/java/com/netscape/cmscore/request/RequestRepository.java index ff9ba3c406d..d586b0c1d7d 100644 --- a/base/server/src/main/java/com/netscape/cmscore/request/RequestRepository.java +++ b/base/server/src/main/java/com/netscape/cmscore/request/RequestRepository.java @@ -83,7 +83,7 @@ public RequestRepository( try { this.mRadix = dbc.getInteger(PROP_REQUEST_ID_RADIX, DEC); logger.debug("CertificateRepository: number radix {}", this.mRadix); - + } catch (EBaseException ex) { logger.debug("CertificateRepository: error reading number radix config, using default {} for ", HEX); } @@ -202,6 +202,17 @@ public void initLegacyGenerator() throws Exception { } } + public String getNextRangeDN() { + + if (idGenerator == IDGenerator.LEGACY_2) { + // store nextRange in range subtree for SSNv2 + return rangeDN; + } + + // store nextRange in repository subtree for SSNv1 + return super.getNextRangeDN(); + } + public void setMinSerialConfig() throws EBaseException { DatabaseConfig dbConfig = dbSubsystem.getDBConfigStore(); diff --git a/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBInitCLI.java b/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBInitCLI.java index bdfd148ed57..271f27236e7 100644 --- a/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBInitCLI.java +++ b/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBInitCLI.java 
@@ -109,6 +109,15 @@ public void createRequestRangesSubtree( return; } + if (serialIDGenerator == IDGenerator.LEGACY_2) { + // create serial ranges subtree for SSNv2 + // use repository object class to support nextRange + ldapConfigurator.createEntry( + requestRangeRDN + "," + ldapConfig.getBaseDN(), + new String[] { "repository" }); + return; + } + // create ou=requests,ou=ranges for SSNv1 or // ou=requests,ou=ranges_v2 for SSNv2 ldapConfigurator.createEntry( @@ -125,15 +134,25 @@ public void createSerialRangesSubtree( if (StringUtils.isEmpty(serialRangeRDN)) { // dbs.serialRangeDN only exists in CA and KRA + // serial ranges subtree is not needed for other subsystems return; } if (serialIDGenerator == IDGenerator.RANDOM) { + // serial ranges subtree is not needed for RSNv3 + return; + } + + if (serialIDGenerator == IDGenerator.LEGACY_2) { + // create serial ranges subtree for SSNv2 + // use repository object class to support nextRange + ldapConfigurator.createEntry( + serialRangeRDN + "," + ldapConfig.getBaseDN(), + new String[] { "repository" }); return; } - // create ou=certificateRepository,ou=ranges for SSNv1 or - // ou=certificateRepository,ou=ranges_v2 for SSNv2 + // create serial ranges subtree for SSNv1 ldapConfigurator.createEntry( serialRangeRDN + "," + ldapConfig.getBaseDN(), new String[] { "organizationalUnit" }); diff --git a/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemIdGeneratorUpdateCLI.java b/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemIdGeneratorUpdateCLI.java index 97d061020c1..3ce9fd51e57 100644 --- a/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemIdGeneratorUpdateCLI.java +++ b/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemIdGeneratorUpdateCLI.java 
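Review bot: The new LEGACY_2 branch in `createRequestRangesSubtree` tests `serialIDGenerator` and is commented `// create serial ranges subtree for SSNv2`, yet it creates the request ranges entry (`requestRangeRDN`); if the class also tracks a request-side generator, as its `createSerialRangesSubtree` twin suggests, the check is on the wrong field and a deployment whose serial and request generators differ would get the request subtree with the wrong object class. Confirm which field applies, and change the comment to `// create request ranges subtree for SSNv2`. The comment left on the fallthrough, `// create ou=requests,ou=ranges for SSNv1 or // ou=requests,ou=ranges_v2 for SSNv2`, is now stale because the SSNv2 case returns above it; `// create request ranges subtree for SSNv1` matches the wording the second hunk uses. In both methods the two branches build the same DN and differ only in the object class, so `String objectClass = generator == IDGenerator.LEGACY_2 ? "repository" : "organizationalUnit";` feeding a single `createEntry` call would remove the duplication. Both methods start outside their hunks.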
@@ -5,10 +5,19 @@ // package org.dogtagpki.server.cli; +import java.math.BigInteger; + +import org.apache.commons.cli.CommandLine; +import org.dogtagpki.cli.CLI; +import org.dogtagpki.util.logging.PKILogger; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + import com.netscape.certsrv.base.EBaseException; import com.netscape.cmscore.apps.CMS; import com.netscape.cmscore.apps.DatabaseConfig; import com.netscape.cmscore.apps.EngineConfig; +import com.netscape.cmscore.dbs.DBSubsystem; import com.netscape.cmscore.dbs.Repository; import com.netscape.cmscore.dbs.Repository.IDGenerator; import com.netscape.cmscore.ldapconn.LDAPConfig; @@ -21,7 +30,7 @@ import com.netscape.cmscore.request.RequestRepository; import com.netscape.cmsutil.password.PasswordStore; import com.netscape.cmsutil.password.PasswordStoreConfig; -import java.math.BigInteger; + import netscape.ldap.LDAPAttribute; import netscape.ldap.LDAPAttributeSet; import netscape.ldap.LDAPEntry; @@ -29,11 +38,6 @@ import netscape.ldap.LDAPModification; import netscape.ldap.LDAPSearchResults; import netscape.ldap.LDAPv3; -import org.apache.commons.cli.CommandLine; -import org.dogtagpki.cli.CLI; -import org.dogtagpki.util.logging.PKILogger; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; /** * @author Marco Fargetta {@literal } @@ -57,7 +61,7 @@ public void execute(CommandLine cmd) throws Exception { throw new Exception("Missing generator type."); } IDGenerator generator = IDGenerator.fromString(cmd.getOptionValue("type")); - + String newRangesName = generator == IDGenerator.LEGACY_2 ? "ranges_v2" : "ranges_new"; if (cmd.hasOption("range")) { newRangesName = cmd.getOptionValue("range"); 
@@ -126,7 +130,7 @@ public void execute(CommandLine cmd) throws Exception { getSecurePort(cs)); cs.commit(false); } else { - throw new EBaseException("Generator for " + generatorAtttirbute + " not supported."); + throw new EBaseException("Generator for " + generatorAtttirbute + " not supported."); } } finally { conn.disconnect(); @@ -137,7 +141,7 @@ public void execute(CommandLine cmd) throws Exception { protected void updateSerialNumberRangeGenerator(LdapBoundConnection conn, DatabaseConfig dbConfig, String baseDN, String newRangesName, IDGenerator newGenerator, String hostName, String securePort) throws Exception { - + if (newGenerator == IDGenerator.RANDOM && idGenerator != IDGenerator.RANDOM) { logger.debug("Remove serial ranges from configuration"); dbConfig.remove(DatabaseConfig.MIN_SERIAL_NUMBER); @@ -214,7 +218,8 @@ protected void updateSerialNumberRangeGenerator(LdapBoundConnection conn, dbConfig.setNextEndSerialNumber("0x" + nextEndSerial); endSerialNumber = nextEndSerial; } - updateCertificateRanges(dbConfig, conn, baseDN, rangeDN, newRangeDN, endSerialNumber, hostName, securePort); + + updateSerialRanges(conn, rangeDN, newRangeDN, endSerialNumber, hostName, securePort); return; } throw new EBaseException("Update to " + newGenerator + " not supported"); @@ -223,7 +228,7 @@ protected void updateSerialNumberRangeGenerator(LdapBoundConnection conn, protected void updateRequestNumberRangeGenerator(LdapBoundConnection conn, DatabaseConfig dbConfig, String baseDN, String newRangesName, IDGenerator newGenerator, String hostName, String securePort) throws Exception { - + String value = dbConfig.getString( RequestRepository.PROP_REQUEST_ID_GENERATOR, RequestRepository.DEFAULT_REQUEST_ID_GENERATOR); 
@@ -241,27 +246,88 @@ protected void updateRequestNumberRangeGenerator(LdapBoundConnection conn, dbConfig.put(RequestRepository.PROP_REQUEST_ID_LENGTH, "128"); return; } + if (newGenerator == IDGenerator.LEGACY_2 && idGenerator == IDGenerator.LEGACY) { + + logger.info("Updating request range configuration"); + dbConfig.put(RequestRepository.PROP_REQUEST_ID_GENERATOR, newGenerator.toString()); dbConfig.put(RequestRepository.PROP_REQUEST_ID_RADIX, Integer.toString(Repository.DEC)); - String rangeDN = dbConfig.getRequestRangeDN() + "," + baseDN; + String rangeDN = dbConfig.getRequestRangeDN() + "," + baseDN; String newRangeDN = createRangesEntry(conn, "requests", newRangesName, baseDN); dbConfig.setRequestRangeDN(newRangeDN); newRangeDN = newRangeDN + "," + baseDN; - updateRequestRanges(conn, rangeDN, newRangeDN, hostName, securePort); + String requestIncrement = dbConfig.getRequestIncrement(); + BigInteger increment = new BigInteger(requestIncrement); + + String beginRequestNumber = dbConfig.getBeginRequestNumber(); + BigInteger beginRequestNo = new BigInteger(beginRequestNumber); + + String endRequestNumber = dbConfig.getEndRequestNumber(); + BigInteger endRequestNo = new BigInteger(endRequestNumber); + + if (endRequestNo.equals(beginRequestNo.add(increment).subtract(BigInteger.ONE))) { + try { + LDAPEntry entryRequest = conn.read("cn=" + beginRequestNumber+"," + rangeDN); + LDAPAttribute attrEnd = entryRequest.getAttribute("endRange"); + if (attrEnd != null) { + endRequestNumber = attrEnd.getStringValues().nextElement(); + } + } catch (LDAPException ldae) { + if (ldae.getLDAPResultCode() == 32) { + logger.info("No range available, using config values"); + } else { + logger.error("LDAP error: " + ldae.getMessage(), ldae); + return; + } + + } + } + + dbConfig.setEndRequestNumber(endRequestNumber); + + String nextBeginRequest = dbConfig.getNextBeginRequestNumber(); + String nextEndRequest = dbConfig.getNextEndRequestNumber(); + + if (nextBeginRequest != null && 
!nextBeginRequest.equals("-1")) { + try { + LDAPEntry entryNextRequest = conn.read("cn=" + nextBeginRequest + "," + rangeDN); + LDAPAttribute attrNextEnd = entryNextRequest.getAttribute("endRange"); + if (attrNextEnd != null) { + nextEndRequest = attrNextEnd.getStringValues().nextElement(); + } + } catch (LDAPException ldae) { + if (ldae.getLDAPResultCode() == 32) { + logger.info("No range available, using config values"); + } else { + logger.error("LDAP error: " + ldae.getMessage(), ldae); + return; + } + + } + dbConfig.setNextEndRequestNumber(nextEndRequest); + endRequestNumber = nextEndRequest; + } + + updateRequestRanges(conn, rangeDN, newRangeDN, endRequestNumber, hostName, securePort); return; } throw new EBaseException("Update to " + newGenerator + " not supported"); } - - private void updateCertificateRanges(DatabaseConfig dbConfig, LdapBoundConnection conn, - String baseDN, String rangeDN, String newRangeDN, String configEndSerialNumber, - String hostName, String securePort) throws Exception{ + + private void updateSerialRanges( + LdapBoundConnection conn, + String rangeDN, + String newRangeDN, + String configEndSerialNumber, + String hostName, + String securePort) throws Exception{ + LDAPSearchResults instanceRanges = conn.search(rangeDN, LDAPv3.SCOPE_SUB, "(&(objectClass=pkiRange)(host= " + hostName + ")(SecurePort=" + securePort + "))", null, false); - + // update all ranges associated to the CA to update to decimal while (instanceRanges.hasMoreElements()) { LDAPEntry entry = instanceRanges.next(); 
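Review bot: In `updateRequestNumberRangeGenerator`, both new `catch (LDAPException ldae)` blocks `return` after logging any result code other than 32, but by then `dbConfig` already records the LEGACY_2 generator and the new range DN, so the caller goes on to commit a configuration whose range entries and nextRange were never migrated. Those failures should propagate, e.g. `throw new EBaseException("Unable to read request range: " + ldae.getMessage(), ldae);`, as `createRangesEntry` already does for its LDAP errors, and `32` should be spelled `LDAPException.NO_SUCH_OBJECT`. The two try/catch blocks differ only in the DN and the fallback value, which a small helper removes; a sketch follows. The enclosing method starts before the hunk, and `updateSerialRanges` at the end of it continues past it.
```java
// … unchanged: generator/radix config, createRangesEntry, increment/begin/end parsing …
if (endRequestNo.equals(beginRequestNo.add(increment).subtract(BigInteger.ONE))) {
    endRequestNumber = readEndRange(conn, "cn=" + beginRequestNumber + "," + rangeDN, endRequestNumber);
}
dbConfig.setEndRequestNumber(endRequestNumber);
// … unchanged: nextBeginRequest check; its lookup becomes
//     nextEndRequest = readEndRange(conn, "cn=" + nextBeginRequest + "," + rangeDN, nextEndRequest); …

/**
 * Returns the endRange value of the range entry at dn, or fallback when the
 * entry does not exist or carries no endRange. Any other LDAP failure is
 * propagated so the caller never commits a half-migrated configuration.
 */
private String readEndRange(LdapBoundConnection conn, String dn, String fallback) throws EBaseException {
    try {
        LDAPAttribute attrEnd = conn.read(dn).getAttribute("endRange");
        return attrEnd == null ? fallback : attrEnd.getStringValues().nextElement();
    } catch (LDAPException ldae) {
        if (ldae.getLDAPResultCode() == LDAPException.NO_SUCH_OBJECT) {
            logger.info("No range available, using config values");
            return fallback;
        }
        throw new EBaseException("Unable to read range " + dn + ": " + ldae.getMessage(), ldae);
    }
}
```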
@@ -269,23 +335,27 @@ private void updateCertificateRanges(DatabaseConfig dbConfig, LdapBoundConnectio BigInteger beginRangeNo = new BigInteger(beginRange, 16); String endRange = entry.getAttribute("endRange").getStringValues().nextElement(); BigInteger endRangeNo = new BigInteger(endRange, 16); + + String dn = "cn=" + beginRangeNo.toString() + "," + newRangeDN; + logger.info("Creating serial range " + dn); + LDAPAttributeSet attrs = new LDAPAttributeSet(); attrs.add(new LDAPAttribute("objectClass", "top")); attrs.add(new LDAPAttribute("objectClass", "pkiRange")); // store beginRange as decimal + logger.info("- begin range: " + beginRangeNo.toString() + " (0x" + beginRangeNo.toString(16) + ")"); attrs.add(new LDAPAttribute("beginRange", beginRangeNo.toString())); // store endRange as decimal + logger.info("- end range: " + endRangeNo.toString() + " (0x" + endRangeNo.toString(16) + ")"); attrs.add(new LDAPAttribute("endRange", endRangeNo.toString())); attrs.add(new LDAPAttribute("cn", beginRangeNo.toString())); attrs.add(new LDAPAttribute("host", hostName)); attrs.add(new LDAPAttribute("securePort", securePort)); - String dn = "cn=" + beginRangeNo.toString() + "," + newRangeDN; LDAPEntry rangeEntry = new LDAPEntry(dn, attrs); - logger.info("SubsystemRangeGeneratorUpdateCLI.updateRanges: Adding entry " + dn); conn.add(rangeEntry); } @@ -294,7 +364,7 @@ private void updateCertificateRanges(DatabaseConfig dbConfig, LdapBoundConnectio BigInteger lastUsedSerial = BigInteger.ZERO; boolean nextRangeToUpdate = true; // Search for the last range entry. If it is associated to the CA to update or ranges are not defined - // then the nextRange is + // then the nextRange is while (ranges.hasMoreElements()) { LDAPEntry entry = ranges.next(); String endRange = entry.getAttribute("endRange").getStringValues().nextElement(); 
@@ -304,57 +374,112 @@ private void updateCertificateRanges(DatabaseConfig dbConfig, LdapBoundConnectio if (lastUsedSerial.compareTo(next) < 0) { lastUsedSerial = next; nextRangeToUpdate = host.equals(hostName) && port.equals(securePort); - } } if (nextRangeToUpdate) { + + logger.info("Updating serial next range in " + newRangeDN); + // nextRange is updated using last range entry or, if no ranges, the configured endSerialNumber if (lastUsedSerial == BigInteger.ZERO) { lastUsedSerial = new BigInteger(configEndSerialNumber, 16); } BigInteger nextSerialNumber = lastUsedSerial.add(BigInteger.ONE); - String serialDN = dbConfig.getSerialDN() + "," + baseDN; + // store nextRange as decimal - LDAPAttribute attrSerialNextRange = new LDAPAttribute("nextRange", nextSerialNumber.toString()); + logger.info("- next range: " + nextSerialNumber.toString() + " (0x" + nextSerialNumber.toString(16) + ")"); + LDAPAttribute attrSerialNextRange = new LDAPAttribute(DBSubsystem.PROP_NEXT_RANGE, nextSerialNumber.toString()); LDAPModification serialmod = new LDAPModification(LDAPModification.REPLACE, attrSerialNextRange); - conn.modify(serialDN, serialmod); + conn.modify(newRangeDN, serialmod); } } - private void updateRequestRanges(LdapBoundConnection conn, String rangeDN, String newRangeDN, - String hostName, String securePort) throws Exception{ + + private void updateRequestRanges( + LdapBoundConnection conn, + String rangeDN, + String newRangeDN, + String configEndRequestNumber, + String hostName, + String securePort) throws Exception{ + LDAPSearchResults instanceRanges = conn.search(rangeDN, LDAPv3.SCOPE_SUB, "(&(objectClass=pkiRange)(host= " + hostName + ")(SecurePort=" + securePort + "))", null, false); - + // update all ranges associated to the CA to update to decimal while (instanceRanges.hasMoreElements()) { LDAPEntry entry = instanceRanges.next(); String beginRange = entry.getAttribute("beginRange").getStringValues().nextElement(); String endRange = 
entry.getAttribute("endRange").getStringValues().nextElement(); + + String dn = "cn=" + beginRange + "," + newRangeDN; + logger.info("Creating request range " + dn); + LDAPAttributeSet attrs = new LDAPAttributeSet(); attrs.add(new LDAPAttribute("objectClass", "top")); attrs.add(new LDAPAttribute("objectClass", "pkiRange")); // store beginRange as decimal + logger.info("- begin range: " + beginRange); attrs.add(new LDAPAttribute("beginRange", beginRange)); // store endRange as decimal + logger.info("- end range: " + endRange); attrs.add(new LDAPAttribute("endRange", endRange)); attrs.add(new LDAPAttribute("cn", beginRange)); attrs.add(new LDAPAttribute("host", hostName)); attrs.add(new LDAPAttribute("securePort", securePort)); - String dn = "cn=" + beginRange + "," + newRangeDN; LDAPEntry rangeEntry = new LDAPEntry(dn, attrs); - logger.info("SubsystemRangeGeneratorUpdateCLI.updateRanges: Adding entry " + dn); conn.add(rangeEntry); } + + LDAPSearchResults ranges = conn.search(newRangeDN, LDAPv3.SCOPE_SUB, "(objectClass=pkiRange)", null, false); + + BigInteger lastUsedNumber = BigInteger.ZERO; + boolean nextRangeToUpdate = true; + + // Search for the last range entry. 
If it is associated to the CA to update or ranges are not defined + // then the nextRange is + while (ranges.hasMoreElements()) { + LDAPEntry entry = ranges.next(); + + String endRange = entry.getAttribute("endRange").getStringValues().nextElement(); + String host = entry.getAttribute("host").getStringValues().nextElement(); + String port = entry.getAttribute("securePort").getStringValues().nextElement(); + BigInteger next = new BigInteger(endRange); + + if (lastUsedNumber.compareTo(next) < 0) { + lastUsedNumber = next; + nextRangeToUpdate = host.equals(hostName) && port.equals(securePort); + } + } + + if (nextRangeToUpdate) { + + logger.info("Updating request next range in " + newRangeDN); + + // nextRange is updated using last range entry or, if no ranges, the configured endRequestNumber + if (lastUsedNumber == BigInteger.ZERO) { + lastUsedNumber = new BigInteger(configEndRequestNumber); + } + BigInteger nextRequestNumber = lastUsedNumber.add(BigInteger.ONE); + + // store nextRange as decimal + logger.info("- next range: " + nextRequestNumber.toString()); + LDAPAttribute attrRequestNextRange = new LDAPAttribute(DBSubsystem.PROP_NEXT_RANGE, nextRequestNumber.toString()); + + LDAPModification mods = new LDAPModification(LDAPModification.REPLACE, attrRequestNextRange); + + conn.modify(newRangeDN, mods); + } } - + private String createRangesEntry(LdapBoundConnection conn, String newRangeObject, String ranges, String baseDN) throws Exception { + String baseRanges = "ou=" + ranges; String baseRangesDN = baseRanges + "," + baseDN; try { 
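Review bot: The new `updateRequestRanges` compares BigIntegers by reference, `if (lastUsedNumber == BigInteger.ZERO)`; it works only because the variable is initialised from that constant and `compareTo(next) < 0` never assigns a zero value, which is fragile. A boolean set inside the loop, or `lastUsedNumber.signum() == 0`, says what is meant. The copied comment `// Search for the last range entry. If it is associated to the CA to update or ranges are not defined // then the nextRange is` is cut off; from the loop below it, `// Find the range entry with the highest endRange; nextRange is rewritten only if that entry belongs to this host/port, or if no range entry exists (then the configured end number is used).` describes it. Apart from the radix and the log text, the search-and-update half of this method is a copy of the one in `updateSerialRanges` and could be one helper that both call. `updateSerialRanges` begins before this hunk and `createRangesEntry` continues after it.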
@@ -371,14 +496,14 @@ private String createRangesEntry(LdapBoundConnection conn, String newRangeObject } logger.debug("SubsystemRangeGeneratorUpdateCLI: entry {} already exist", baseRangesDN); } - + String newRangeEntry = "ou=" + newRangeObject + "," + baseRanges; String newRangeEntryDN = newRangeEntry + "," + baseDN; logger.debug("SubsystemRangeGeneratorUpdateCLI: Create range entry: {}", newRangeEntryDN); try { LDAPAttributeSet attrs = new LDAPAttributeSet(); attrs.add(new LDAPAttribute("objectClass", "top")); - attrs.add(new LDAPAttribute("objectClass", "organizationalUnit")); + attrs.add(new LDAPAttribute("objectClass", "repository")); attrs.add(new LDAPAttribute("ou", newRangeObject)); LDAPEntry rangeEntry = new LDAPEntry(newRangeEntryDN, attrs); conn.add(rangeEntry); @@ -386,7 +511,7 @@ private String createRangesEntry(LdapBoundConnection conn, String newRangeObject if (ldae.getLDAPResultCode() != 68) { throw new EBaseException("Impossible access object in ranges: " + ldae.getMessage(), ldae); } - logger.debug("SubsystemRangeGeneratorUpdateCLI: entry {} already exist", baseRangesDN); + logger.debug("SubsystemRangeGeneratorUpdateCLI: entry {} already exist", baseRangesDN); } return newRangeEntry; } diff --git a/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemRangeUpdateCLI.java b/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemRangeUpdateCLI.java index 0a3f5c05e2e..23e8cb668c5 100644 --- a/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemRangeUpdateCLI.java +++ b/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemRangeUpdateCLI.java @@ -16,6 +16,7 @@ import com.netscape.cmscore.apps.CMS; import com.netscape.cmscore.apps.DatabaseConfig; import com.netscape.cmscore.apps.EngineConfig; +import com.netscape.cmscore.dbs.DBSubsystem; import com.netscape.cmscore.dbs.Repository.IDGenerator; import com.netscape.cmscore.ldapconn.LDAPConfig; import com.netscape.cmscore.ldapconn.LDAPConnectionConfig; 
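Review bot: `createRangesEntry` now creates the `ou=<object>,ou=<ranges>` entry with object class `repository` instead of `organizationalUnit`, but an entry created by an earlier version is kept as-is because result code 68 is tolerated, and nothing converts its object class. If, as the comments in SubsystemDBInitCLI state, only `repository` permits the nextRange attribute, the later `conn.modify(newRangeDN, ...)` in `updateRequestRanges`/`updateSerialRanges` would fail on such a pre-existing entry; either replace the object class on the 68 path or state the upgrade constraint in a comment above `attrs.add(new LDAPAttribute("objectClass", "repository"));`. The method starts before this hunk.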
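Review bot: The debug line rewritten in this hunk, `logger.debug("SubsystemRangeGeneratorUpdateCLI: entry {} already exist", baseRangesDN);`, sits in the catch for adding `newRangeEntryDN`, so on result code 68 it reports the parent DN rather than the entry that already existed. Change the argument to `newRangeEntryDN`. The `SubsystemRangeGeneratorUpdateCLI` prefix also does not match the class name `SubsystemIdGeneratorUpdateCLI`, which makes these messages hard to find in logs.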
@@ -65,6 +66,32 @@ public void init(DatabaseConfig dbConfig) throws Exception { requestIDGenerator = IDGenerator.fromString(value); } + public String getRequestNextRangeDN( + LDAPConfig ldapConfig, + DatabaseConfig dbConfig) throws Exception { + + if (requestIDGenerator == IDGenerator.LEGACY_2) { + // the request nextRange is stored in request repository's range DN + return dbConfig.getRequestRangeDN() + "," + ldapConfig.getBaseDN(); + } + + // the request nextRange is stored in request repository's base DN + return dbConfig.getRequestDN() + "," + ldapConfig.getBaseDN(); + } + + public String getSerialNextRangeDN( + LDAPConfig ldapConfig, + DatabaseConfig dbConfig) throws Exception { + + if (serialIDGenerator == IDGenerator.LEGACY_2) { + // the cert/key nextRange is stored in cert/key repository's range DN + return dbConfig.getSerialRangeDN() + "," + ldapConfig.getBaseDN(); + } + + // the cert/key nextRange is stored in cert/key repository's base DN + return dbConfig.getSerialDN() + "," + ldapConfig.getBaseDN(); + } + @Override public void execute(CommandLine cmd) throws Exception { @@ -100,6 +127,7 @@ public void execute(CommandLine cmd) throws Exception { socketFactory, connInfo, authInfo, + ldapConfig, dbConfig, baseDN); @@ -107,6 +135,7 @@ public void execute(CommandLine cmd) throws Exception { socketFactory, connInfo, authInfo, + ldapConfig, dbConfig, baseDN); } @@ -115,6 +144,7 @@ public void updateSerialNumberRange( PKISocketFactory socketFactory, LdapConnInfo connInfo, LdapAuthInfo authInfo, + LDAPConfig ldapConfig, DatabaseConfig dbConfig, String baseDN) throws Exception { 
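Review bot: `getRequestNextRangeDN` and `getSerialNextRangeDN` duplicate the decision that Repository.getNextRangeDN() and its overrides make in this same commit, so the location of nextRange now has two independent sources of truth; a mismatch would make the server read nextRange from one entry while this CLI writes it to another. A comment on each cross-referencing the Repository method, e.g. `// must agree with RequestRepository.getNextRangeDN()`, is the minimum; sharing the logic would be better. Both methods also ignore the `baseDN` their callers still hold and recompute it from `ldapConfig.getBaseDN()`; passing `baseDN` instead would avoid threading the new `ldapConfig` parameter through the CA and KRA subclasses, assuming `baseDN` is derived from the same config. They declare `throws Exception` though they only call configuration getters; narrow it to whatever those getters actually throw.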
@@ -126,6 +156,9 @@ public void updateSerialNumberRange( LdapBoundConnection conn = new LdapBoundConnection(socketFactory, connInfo, authInfo); try { + String nextRangeDN = getSerialNextRangeDN(ldapConfig, dbConfig); + logger.info("Updating serial next range in " + nextRangeDN); + BigInteger endSerialNumber; if (serialIDGenerator == IDGenerator.LEGACY_2) { endSerialNumber = dbConfig.getBigInteger(DatabaseConfig.MAX_SERIAL_NUMBER); @@ -136,14 +169,13 @@ public void updateSerialNumberRange( } BigInteger nextSerialNumber = endSerialNumber.add(BigInteger.ONE); - String serialDN = dbConfig.getSerialDN() + "," + baseDN; - // store nextRange as decimal - LDAPAttribute attrSerialNextRange = new LDAPAttribute("nextRange", nextSerialNumber.toString()); + logger.info("- next range: " + nextSerialNumber.toString() + " (0x" + nextSerialNumber.toString(16) + ")"); + LDAPAttribute attrSerialNextRange = new LDAPAttribute(DBSubsystem.PROP_NEXT_RANGE, nextSerialNumber.toString()); LDAPModification serialmod = new LDAPModification(LDAPModification.REPLACE, attrSerialNextRange); - conn.modify(serialDN, serialmod); + conn.modify(nextRangeDN, serialmod); } finally { conn.disconnect(); @@ -154,6 +186,7 @@ public void updateRequestNumberRange( PKISocketFactory socketFactory, LdapConnInfo connInfo, LdapAuthInfo authInfo, + LDAPConfig ldapConfig, DatabaseConfig dbConfig, String baseDN) throws Exception { @@ -165,7 +198,8 @@ public void updateRequestNumberRange( LdapBoundConnection conn = new LdapBoundConnection(socketFactory, connInfo, authInfo); try { - logger.info("Updating request ID range"); + String nextRangeDN = getRequestNextRangeDN(ldapConfig, dbConfig); + logger.info("Updating request ID next range in " + nextRangeDN); BigInteger endRequestNumber; if (requestIDGenerator == IDGenerator.LEGACY_2) { 
@@ -176,14 +210,12 @@ public void updateRequestNumberRange( } BigInteger nextRequestNumber = endRequestNumber.add(BigInteger.ONE); - String requestDN = dbConfig.getRequestDN() + "," + baseDN; - // store nextRange as decimal - LDAPAttribute attrRequestNextRange = new LDAPAttribute("nextRange", nextRequestNumber.toString()); + LDAPAttribute attrRequestNextRange = new LDAPAttribute(DBSubsystem.PROP_NEXT_RANGE, nextRequestNumber.toString()); LDAPModification requestmod = new LDAPModification(LDAPModification.REPLACE, attrRequestNextRange); - conn.modify(requestDN, requestmod); + conn.modify(nextRangeDN, requestmod); } finally { conn.disconnect();
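Review bot: `updateRequestNumberRange` no longer logs the value it writes, while its serial twin in the previous hunk adds a `logger.info("- next range: " + ...)` line after its "Updating ... next range in" message; add `logger.info("- next range: " + nextRequestNumber);` before the `LDAPAttribute` construction so both paths leave the same audit trail. Otherwise the hunk is consistent with the serial path.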