+++ /dev/null
-#!/usr/bin/python
-#
-# Bootstraps the PLC database with a default administrator account and
-# a default site. Also generates the MA/SA API certificate.
-#
-# Mark Huang <mlhuang@cs.princeton.edu>
-# Copyright (C) 2006 The Trustees of Princeton University
-#
-# $Id: api-config,v 1.15 2006/07/11 20:57:25 mlhuang Exp $
-#
-
-from plc_config import PLCConfiguration
-import os
-import re
-import xml
-import CertOps, Certificate
-import Certificate
-import commands
-
-
-def main():
- cfg = PLCConfiguration()
- cfg.load()
- variables = cfg.variables()
-
- # Load variables into dictionaries
- for category_id, (category, variablelist) in variables.iteritems():
- globals()[category_id] = dict(zip(variablelist.keys(),
- [variable['value'] for variable in variablelist.values()]))
-
- # Get the issuer e-mail address and public key from the root CA certificate
- root_ca_email = commands.getoutput("openssl x509 -in %s -noout -email" % \
- plc_ma_sa['ca_ssl_crt'])
- root_ca_key_pub = commands.getoutput("openssl x509 -in %s -noout -pubkey" % \
- plc_ma_sa['ca_ssl_crt'])
-
- # Verify API certificate
- if os.path.exists(plc_ma_sa['api_crt']):
- print "Verifying API certificate '%s'" % plc_ma_sa['api_crt']
- try:
- cert_xml = file(plc_ma_sa['api_crt']).read().strip()
- # Verify root CA signature
- CertOps.authenticate_cert(cert_xml, {root_ca_email: root_ca_key_pub})
- # Check if MA/SA e-mail address has changed
- dom = xml.dom.minidom.parseString(cert_xml)
- for subject in dom.getElementsByTagName('subject'):
- if subject.getAttribute('email') != plc_mail['support_address']:
- raise Exception, "E-mail address '%s' in certificate '%s' does not match support address '%s'" % \
- (subject.getAttribute('email'), plc_ma_sa['api_crt'], plc_mail['support_address'])
- except Exception, e:
- # Delete invalid API certificate
- print "Warning: ", e
- os.unlink(plc_ma_sa['api_crt'])
-
- # Generate self-signed API certificate
- if not os.path.exists(plc_ma_sa['api_crt']):
- print "Generating new API certificate"
- try:
- cert = Certificate.Certificate('ticket-cert-0')
- ma_sa_ssl_key_pub = commands.getoutput("openssl x509 -in %s -noout -pubkey" % \
- plc_ma_sa['ssl_crt'])
- cert.add_subject_pubkey(pubkey = ma_sa_ssl_key_pub, email = plc_mail['support_address'])
- root_ca_subject = commands.getoutput("openssl x509 -in %s -noout -subject" % \
- plc_ma_sa['ssl_crt'])
- m = re.search('/CN=([^/]*).*', root_ca_subject)
- if m is None:
- root_ca_cn = plc['name'] + " Management and Slice Authority"
- else:
- root_ca_cn = m.group(1)
- cert.set_issuer(email = root_ca_email, cn = root_ca_cn)
- cert_xml = cert.sign(plc_ma_sa['ssl_key'])
- ma_sa_api_crt = file(plc_ma_sa['api_crt'], "w")
- ma_sa_api_crt.write(cert_xml)
- ma_sa_api_crt.close()
- except Exception, e:
- print "Warning: Could not generate API certificate: ", e
-
-if __name__ == '__main__':
- main()
# Mark Huang <mlhuang@cs.princeton.edu>
# Copyright (C) 2006 The Trustees of Princeton University
#
-# $Id: api,v 1.4 2006/06/23 21:41:31 mlhuang Exp $
+# $Id: api,v 1.5 2006/07/10 21:08:06 mlhuang Exp $
#
# Source function library and configuration
)
plc-config --category=plc_api --variable=maintenance_sources --value="$PLC_API_MAINTENANCE_SOURCES" --save
- # Generate old API configuration file
- api-config
- check
-
result "$MESSAGE"
;;
esac
# Mark Huang <mlhuang@cs.princeton.edu>
# Copyright (C) 2006 The Trustees of Princeton University
#
-# $Id: ssl,v 1.9 2006/07/17 21:28:55 mlhuang Exp $
+# $Id: ssl,v 1.10 2006/07/24 19:30:45 mlhuang Exp $
#
# Source function library and configuration
MESSAGE=$"Generating SSL certificates"
dialog "$MESSAGE"
- # Verify or generate MA/SA certificate if necessary. This
- # self-signed certificate may be overridden later.
- verify_or_generate_certificate \
- $PLC_MA_SA_SSL_CRT $PLC_MA_SA_SSL_KEY $PLC_MA_SA_CA_SSL_CRT \
- "$PLC_NAME Management and Slice Authority" \
- $PLC_MAIL_SUPPORT_ADDRESS
-
- # Make MA/SA key readable by apache so that the API can sign
- # certificates
- chown apache $PLC_MA_SA_SSL_KEY
- chmod 600 $PLC_MA_SA_SSL_KEY
-
- # Extract the public key of the root CA (if any) that signed
- # the MA/SA certificate.
- openssl x509 -in $PLC_MA_SA_CA_SSL_CRT -noout -pubkey >$PLC_MA_SA_CA_SSL_KEY_PUB
- check
- chmod 644 $PLC_MA_SA_CA_SSL_KEY_PUB
-
# Generate HTTPS certificates if necessary. We generate a
# certificate for each enabled server with a different
# hostname. These self-signed certificates may be overridden
Mark Huang <mlhuang@cs.princeton.edu>
Copyright (C) 2006 The Trustees of Princeton University
-$Id: plc_config.xml,v 1.16 2006/10/27 20:26:49 mlhuang Exp $
+$Id: plc_config.xml,v 1.17 2006/11/10 19:03:48 mlhuang Exp $
-->
<!DOCTYPE configuration PUBLIC "-//PlanetLab Central//DTD PLC configuration//EN" "plc_config.dtd">
</variablelist>
</category>
- <category id="plc_ma_sa">
- <name>Management and Slice Authority</name>
- <description>These variables control how your site interacts
- with other PlanetLab sites as a Management Authority (MA) and/or
- Slice Authority (SA).</description>
-
- <variablelist>
- <variable id="namespace" type="ip">
- <name>Namespace</name>
- <value>test</value>
- <description>The namespace of your MA/SA. This should be a
- globally unique value assigned by PlanetLab
- Central.</description>
- </variable>
-
- <variable id="ssl_key" type="file">
- <name>SSL Private Key</name>
- <value>/etc/planetlab/ma_sa_ssl.key</value>
- <description>The SSL private key used for signing documents
- with the signature of your MA/SA. If non-existent, one will
- be generated.</description>
- </variable>
-
- <variable id="ssl_crt" type="file">
- <name>SSL Public Certificate</name>
- <value>/etc/planetlab/ma_sa_ssl.crt</value>
- <description>The corresponding SSL public certificate. By
- default, this certificate is self-signed. You may replace
- the certificate later with one signed by the PLC root
- CA.</description>
- </variable>
-
- <variable id="ca_ssl_crt" type="file">
- <name>Root CA SSL Public Certificate</name>
- <value>/etc/planetlab/ma_sa_ca_ssl.crt</value>
- <description>If applicable, the certificate of the PLC root
- CA. If your MA/SA certificate is self-signed, then this file
- is the same as your MA/SA certificate.</description>
- </variable>
-
- <variable id="ca_ssl_key_pub" type="file">
- <name>Root CA SSL Public Key</name>
- <value>/etc/planetlab/ma_sa_ca_ssl.pub</value>
- <description>If applicable, the public key of the PLC root
- CA. If your MA/SA certificate is self-signed, then this file
- is the same as your MA/SA public key.</description>
- </variable>
-
- <variable id="api_crt" type="file">
- <name>API Certificate</name>
- <value>/etc/planetlab/ma_sa_api.xml</value>
- <description>The API Certificate is your MA/SA public key
- embedded in a digitally signed XML document. By default,
- this document is self-signed. You may replace this
- certificate later with one signed by the PLC root
- CA.</description>
- </variable>
- </variablelist>
- </category>
-
<category id="plc_net">
<name>Network</name>
<description>Network environment.</description>
<!-- API server uses a few non-standard packages -->
<packagereq type="mandatory">PLCAPI</packagereq>
<packagereq type="mandatory">PyXML</packagereq>
- <packagereq type="mandatory">PlanetLabAuth</packagereq>
<!-- API server uses SSL to sign tickets -->
<packagereq type="mandatory">xmlsec1</packagereq>