Move RA agent certificate file export to a different location

HTTPS connection to certificate server requires client authentication so we need a file with client certificate and private key prior to its first occurence which happens during migration of certificate profiles to LDAP. https://fedorahosted.org/freeipa/ticket/5695 https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2025-02-25 18:55:28 -06:00 · 2017-01-02 17:00:00 +01:00
parent dfd560a190
commit 2a1494c9ae
8 changed files with 17 additions and 19 deletions
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -64,7 +64,8 @@ from ipaserver.install import installutils
 from ipaserver.install import ldapupdate
 from ipaserver.install import replication
 from ipaserver.install import sysupgrade
-from ipaserver.install.dogtaginstance import DogtagInstance
+from ipaserver.install.dogtaginstance import (
+    DogtagInstance, export_ra_agent_pem)
 from ipaserver.plugins import ldap2

 # We need to reset the template because the CA uses the regular boot
@@ -414,6 +415,8 @@ class CAInstance(DogtagInstance):
                else:
                    self.step("importing RA certificate from PKCS #12 file",
                              lambda: self.import_ra_cert(ra_p12))
+                self.step("exporting RA agent cert", export_ra_agent_pem)
+
            if not ra_only:
                self.step("importing CA chain to RA certificate database", self.__import_ca_chain)
                self.step("setting up signing cert profile", self.__setup_sign_profile)
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -72,7 +72,7 @@ def is_installing_replica(sys_type):
        return False


-def export_kra_agent_pem():
+def export_ra_agent_pem():
    """
    Export ipaCert with private key for client authentication.
    """
@@ -90,7 +90,7 @@ def export_kra_agent_pem():
    os.chown(filename, 0, pent.pw_gid)
    os.chmod(filename, 0o440)

-    os.rename(filename, paths.KRA_AGENT_PEM)
+    os.rename(filename, paths.RA_AGENT_PEM)


 class DogtagInstance(service.Service):
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -158,7 +158,7 @@ class Backup(admintool.AdminTool):
        paths.SMB_CONF,
        paths.SAMBA_KEYTAB,
        paths.DOGTAG_ADMIN_P12,
-        paths.KRA_AGENT_PEM,
+        paths.RA_AGENT_PEM,
        paths.CACERT_P12,
        paths.KRACERT_P12,
        paths.KRB5KDC_KDC_CONF,
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -36,8 +36,7 @@ from ipapython.dn import DN
 from ipaserver.install import cainstance
 from ipaserver.install import installutils
 from ipaserver.install import ldapupdate
-from ipaserver.install.dogtaginstance import (export_kra_agent_pem,
-                                              DogtagInstance)
+from ipaserver.install.dogtaginstance import DogtagInstance
 from ipaserver.plugins import ldap2
 from ipapython.ipa_log_manager import log_mgr

@@ -118,7 +117,6 @@ class KRAInstance(DogtagInstance):
            if not self.clone:
                self.step("create KRA agent",
                          self.__create_kra_agent)
-        self.step("exporting KRA agent cert", export_kra_agent_pem)
        if not ra_only:
            if promote:
                self.step("destroying installation admin user", self.teardown_admin)
@@ -285,9 +283,6 @@ class KRAInstance(DogtagInstance):
            os.remove(cfg_file)

        shutil.move(paths.KRA_BACKUP_KEYS_P12, paths.KRACERT_P12)
-
-        export_kra_agent_pem()
-
        self.log.debug("completed creating KRA instance")

    def __create_kra_agent(self):
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -44,7 +44,6 @@ from ipaserver.install import schemaupdate
 from ipaserver.install import custodiainstance
 from ipaserver.install import sysupgrade
 from ipaserver.install import dnskeysyncinstance
-from ipaserver.install import krainstance
 from ipaserver.install import dogtaginstance
 from ipaserver.install import krbinstance
 from ipaserver.install import adtrustinstance
@@ -1403,12 +1402,13 @@ def fix_trust_flags():
    sysupgrade.set_upgrade_state('http', 'fix_trust_flags', True)


-def export_kra_agent_pem():
+def export_ra_agent_pem():
    root_logger.info('[Exporting KRA agent PEM file]')

+    # export_kra_agent_pem is the original name of this function
    sysupgrade.remove_upgrade_state('http', 'export_kra_agent_pem')

-    if os.path.exists(paths.KRA_AGENT_PEM):
+    if os.path.exists(paths.RA_AGENT_PEM):
        root_logger.info("KRA agent PEM file already exported")
        return

@@ -1416,7 +1416,7 @@ def export_kra_agent_pem():
        root_logger.info("KRA is not enabled")
        return

-    krainstance.export_kra_agent_pem()
+    dogtaginstance.export_ra_agent_pem()
    installutils.remove_file(paths.OLD_KRA_AGENT_PEM)


@@ -1663,7 +1663,7 @@ def upgrade_configuration():
    update_mod_nss_protocol(http)
    update_mod_nss_cipher_suite(http)
    fix_trust_flags()
-    export_kra_agent_pem()
+    export_ra_agent_pem()
    update_http_keytab(http)
    http.configure_gssproxy()
    http.start()
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -2026,7 +2026,7 @@ class kra(Backend):
            str(self.kra_port),
            'kra')

-        connection.set_authentication_cert(paths.KRA_AGENT_PEM)
+        connection.set_authentication_cert(paths.RA_AGENT_PEM)

        return KRAClient(connection, crypto)