Move CA installation code into single module.

https://fedorahosted.org/freeipa/ticket/4468

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
David Kupka
2015-06-08 05:23:56 +00:00
committed by Jan Cholasta
parent a57998f51e
commit 2acedb2d5d
5 changed files with 330 additions and 345 deletions


@@ -21,26 +21,18 @@
import sys
import os
import shutil
from ConfigParser import RawConfigParser
from ipapython import ipautil
from ipaserver.install import installutils
from ipaserver.install import certs
from ipaserver.install.installutils import (HostnameLocalhost, ReplicaConfig,
expand_replica_info, read_replica_info, get_host_name, BadHostError,
private_ccache, read_replica_info_dogtag_port, load_external_cert,
create_replica_config)
from ipaserver.install import dsinstance, cainstance, bindinstance
from ipaserver.install.replication import replica_conn_check
from ipaserver.install.installutils import (private_ccache,
create_replica_config)
from ipaserver.install import dsinstance, ca
from ipapython import version
from ipalib import api, certstore, x509
from ipalib import api
from ipapython.dn import DN
from ipapython.config import IPAOptionParser
from ipapython import sysrestore
from ipapython import dogtag
from ipapython import certdb
from ipapython.ipa_log_manager import *
from ipaplatform import services
from ipaplatform.paths import paths
log_file_name = paths.IPAREPLICA_CA_INSTALL_LOG
@@ -86,6 +78,9 @@ def parse_options():
if len(args) != 1:
parser.error("you must provide a file generated by "
"ipa-replica-prepare")
options.external_ca = None
options.external_cert_files = None
else:
filename = None
@@ -106,31 +101,6 @@ def get_dirman_password():
"Directory Manager (existing master)", confirm=False, validate=False)
def check_ca():
if not cainstance.check_port():
print "IPA requires port 8443 for PKI but it is currently in use."
sys.exit(1)
def install_dns_records(config, options):
if not bindinstance.dns_container_exists(config.master_host_name,
ipautil.realm_to_suffix(config.realm_name),
dm_password=config.dirman_password):
return
bind = bindinstance.BindInstance(dm_password=config.dirman_password)
disconnect = False
try:
if not api.Backend.ldap2.isconnected():
api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
bind_pw=config.dirman_password)
disconnect = True
bind.add_ipa_ca_dns_records(config.host_name, config.domain_name)
finally:
if api.Backend.ldap2.isconnected() and disconnect:
api.Backend.ldap2.disconnect()
def install_replica(safe_options, options, filename):
standard_logging_setup(log_file_name, debug=options.debug)
@@ -141,18 +111,12 @@ def install_replica(safe_options, options, filename):
if not ipautil.file_exists(filename):
sys.exit("Replica file %s does not exist" % filename)
global sstore
sstore = sysrestore.StateFile(paths.SYSRESTORE)
if not dsinstance.DsInstance().is_configured():
sys.exit("IPA server is not configured on this system.\n")
api.bootstrap(in_server=True)
api.finalize()
if api.env.ra_plugin == 'selfsign':
sys.exit('A selfsign CA can not be added')
# get the directory manager password
dirman_password = options.password
if not dirman_password:
@@ -174,48 +138,17 @@ def install_replica(safe_options, options, filename):
REPLICA_INFO_TOP_DIR = config.top_dir
config.setup_ca = True
if not ipautil.file_exists(config.dir + "/cacert.p12"):
print 'CA cannot be installed in CA-less setup.'
sys.exit(1)
api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
bind_pw=dirman_password)
if not options.skip_conncheck:
replica_conn_check(
config.master_host_name, config.host_name, config.realm_name, True,
config.ca_ds_port, options.admin_password)
options.realm_name = config.realm_name
options.domain_name = config.domain_name
options.dm_password = config.dirman_password
options.host_name = config.host_name
options.subject = config.subject_base
if options.skip_schema_check:
root_logger.info("Skipping CA DS schema check")
else:
cainstance.replica_ca_install_check(config)
check_ca()
# Configure the CA if necessary
CA = cainstance.install_replica_ca(config, postinstall=True)
# We need to ldap_enable the CA now that DS is up and running
CA.ldap_enable('CA', config.host_name, config.dirman_password,
ipautil.realm_to_suffix(config.realm_name))
# This is done within stopped_service context, which restarts CA
CA.enable_client_auth_to_db(CA.dogtag_constants.CS_CFG_PATH)
# Install CA DNS records
install_dns_records(config, options)
# We need to restart apache as we drop a new config file in there
services.knownservices.httpd.restart(capture_output=True)
#update dogtag version in config file
try:
fd = open(paths.IPA_DEFAULT_CONF, "a")
fd.write(
"dogtag_version=%s\n" % dogtag.install_constants.DOGTAG_VERSION)
fd.close()
except IOError, e:
print "Failed to update /etc/ipa/default.conf"
root_logger.error(str(e))
sys.exit(1)
ca.install_check(True, config, options)
ca.install(True, config, options)
def install_master(safe_options, options):
@@ -225,9 +158,6 @@ def install_master(safe_options, options):
"%s was invoked with options: %s", sys.argv[0], safe_options)
root_logger.debug("IPA version %s", version.VENDOR_VERSION)
global sstore
sstore = sysrestore.StateFile(paths.SYSRESTORE)
if not dsinstance.DsInstance().is_configured():
sys.exit("IPA server is not configured on this system.\n")
@@ -248,150 +178,17 @@ def install_master(safe_options, options):
api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
bind_pw=dm_password)
if api.Command.ca_is_enabled()['result']:
sys.exit("CA is already installed.\n")
config = api.Command['config_show']()['result']
subject_base = config['ipacertificatesubjectbase'][0]
if options.external_ca:
if cainstance.is_step_one_done():
print ("CA is already installed.\nRun the installer with "
"--external-cert-file.")
sys.exit(1)
elif options.external_cert_files:
if not cainstance.is_step_one_done():
print ("CA is not installed yet. To install with an external CA "
"is a two-stage process.\nFirst run the installer with "
"--external-ca.")
sys.exit(1)
options.realm_name = api.env.realm
options.domain_name = api.env.domain
options.dm_password = dm_password
options.host_name = api.env.host
options.subject = subject_base
external_cert_file, external_ca_file = load_external_cert(
options.external_cert_files, subject_base)
if options.external_cert_files:
external = 2
elif options.external_ca:
external = 1
else:
external = 0
realm_name = api.env.realm
domain_name = api.env.domain
host_name = api.env.host
if external != 2:
check_ca()
dirname = dsinstance.config_dirname(
installutils.realm_to_serverid(realm_name))
cadb = certs.CertDB(realm_name, subject_base=subject_base)
dsdb = certs.CertDB(realm_name, nssdir=dirname, subject_base=subject_base)
for db in (cadb, dsdb):
for nickname, trust_flags in db.list_certs():
if nickname in (certdb.get_ca_nickname(realm_name),
'ipaCert',
'Signing-Cert'):
print ("Certificate with nickname %s is present in %s, "
"cannot continue." % (nickname, db.secdir))
sys.exit(1)
cert = db.get_cert_from_db(nickname)
if not cert:
continue
subject = DN(str(x509.get_subject(cert)))
if subject in (DN('CN=Certificate Authority', subject_base),
DN('CN=IPA RA', subject_base),
DN('CN=Object Signing Cert', subject_base)):
print ("Certificate with subject %s is present in %s, "
"cannot continue." % (subject, db.secdir))
sys.exit(1)
ca = cainstance.CAInstance(
realm_name, certs.NSS_DIR,
dogtag_constants=dogtag.install_constants)
ca.create_ra_agent_db = False
if external == 0:
ca.configure_instance(host_name, domain_name, dm_password,
dm_password, subject_base=subject_base,
ca_signing_algorithm=options.ca_signing_algorithm)
elif external == 1:
ca.configure_instance(host_name, domain_name, dm_password,
dm_password, csr_file=paths.ROOT_IPA_CSR,
subject_base=subject_base,
ca_signing_algorithm=options.ca_signing_algorithm,
ca_type=options.external_ca_type)
else:
ca.configure_instance(host_name, domain_name, dm_password,
dm_password,
cert_file=external_cert_file.name,
cert_chain_file=external_ca_file.name,
subject_base=subject_base,
ca_signing_algorithm=options.ca_signing_algorithm)
ca.stop(ca.dogtag_constants.PKI_INSTANCE_NAME)
ca.ldap_enable('CA', host_name, dm_password,
ipautil.realm_to_suffix(realm_name), ['caRenewalMaster'])
ca.enable_client_auth_to_db(ca.dogtag_constants.CS_CFG_PATH)
# Install CA DNS records
config = ReplicaConfig()
config.realm_name = realm_name
config.domain_name = domain_name
config.host_name = config.master_host_name = host_name
config.dirman_password = dm_password
install_dns_records(config, options)
# We need to restart apache as we drop a new config file in there
services.knownservices.httpd.restart(capture_output=True)
# Update config file
parser = RawConfigParser()
parser.read(paths.IPA_DEFAULT_CONF)
parser.set('global', 'enable_ra', 'True')
parser.set('global', 'ra_plugin', 'dogtag')
parser.set('global', 'dogtag_version',
str(ca.dogtag_constants.DOGTAG_VERSION))
with open(paths.IPA_DEFAULT_CONF, 'w') as f:
parser.write(f)
# Store the new IPA CA cert chain in DS NSS database and LDAP
cadb = certs.CertDB(realm_name, subject_base=subject_base)
dsdb = certs.CertDB(realm_name, nssdir=dirname, subject_base=subject_base)
trust_flags = dict(reversed(cadb.list_certs()))
trust_chain = cadb.find_root_cert('ipaCert')[:-1]
for nickname in trust_chain[:-1]:
cert = cadb.get_cert_from_db(nickname, pem=False)
dsdb.add_cert(cert, nickname, trust_flags[nickname])
certstore.put_ca_cert_nss(api.Backend.ldap2, api.env.basedn,
cert, nickname, trust_flags[nickname])
nickname = trust_chain[-1]
cert = cadb.get_cert_from_db(nickname, pem=False)
dsdb.add_cert(cert, nickname, trust_flags[nickname])
certstore.put_ca_cert_nss(api.Backend.ldap2, api.env.basedn,
cert, nickname, trust_flags[nickname],
config_ipa=True, config_compat=True)
# Restart DS
ds = dsinstance.DsInstance()
ds.init_info(realm_name, host_name, domain_name, dm_password, subject_base,
1101, 1100, None)
ds.restart(ds.serverid)
# Store DS CA cert in Dogtag NSS database
dogtagdb = certs.CertDB(realm_name, nssdir=ca.dogtag_constants.ALIAS_DIR)
trust_flags = dict(reversed(dsdb.list_certs()))
server_certs = dsdb.find_server_certs()
trust_chain = dsdb.find_root_cert(server_certs[0][0])[:-1]
nickname = trust_chain[-1]
cert = dsdb.get_cert_from_db(nickname)
dogtagdb.add_cert(cert, nickname, trust_flags[nickname])
ca.start(ca.dogtag_constants.PKI_INSTANCE_NAME)
ca.install_check(True, None, options)
ca.install(True, None, options)
def main():
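Review bot: The replica path of install_replica no longer verifies that port 8443 is free: the removed `check_ca()` call did that, and the `ca.install_check(True, config, options)` that replaces it leaves ca.install_check's replica branch at the `return` after `cainstance.replica_ca_install_check(replica_config)`, before `cainstance.check_port()` is reached. The same check disappears from ipa-replica-install, where the removed `if options.setup_ca: if not cainstance.check_port()` block is replaced by `ca.install_check(False, config, options)`, which takes the same early exit. A port already bound by another service is then discovered only when the Dogtag instance fails to start, after DS and LDAP state have already been modified. Moving the `check_port()` test in ca.install_check to just after the `if replica_config is None and options.external_cert_files: return` guard, ahead of the replica branch, would restore the previous behaviour for both callers.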


@@ -128,6 +128,9 @@ def parse_options():
elif options.reverse_zones and options.no_reverse:
parser.error("You cannot specify a --reverse-zone option together with --no-reverse")
options.external_ca = None
options.external_cert_files = None
options.zonemgr = None
options.dnssec_master = False

ipaserver/install/ca.py Normal file

@@ -0,0 +1,267 @@
#
# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
#
import sys
import os.path
from ipaserver.install import cainstance, dsinstance, bindinstance
from ipapython import dogtag, ipautil, certdb
from ipaplatform import services
from ipaplatform.paths import paths
from ipaserver.install import installutils, certs
from ipaserver.install.replication import replica_conn_check
from ipalib import api, certstore, x509
from ConfigParser import RawConfigParser
from ipapython.dn import DN
from ipapython.ipa_log_manager import root_logger
def install_check(standalone, replica_config, options):
global external_cert_file
global external_ca_file
realm_name = options.realm_name
host_name = options.host_name
subject_base = options.subject
if replica_config is None and options.external_cert_files:
return
if replica_config is not None:
if standalone and api.env.ra_plugin == 'selfsign':
sys.exit('A selfsign CA can not be added')
if not ipautil.file_exists(replica_config.dir + "/cacert.p12"):
print 'CA cannot be installed in CA-less setup.'
sys.exit(1)
if standalone and not options.skip_conncheck:
replica_conn_check(
replica_config.master_host_name, host_name, realm_name, True,
replica_config.ca_ds_port, options.admin_password)
if options.skip_schema_check:
root_logger.info("Skipping CA DS schema check")
else:
cainstance.replica_ca_install_check(replica_config)
return
if standalone and api.Command.ca_is_enabled()['result']:
sys.exit("CA is already installed.\n")
if options.external_ca:
if cainstance.is_step_one_done():
print("CA is already installed.\nRun the installer with "
"--external-cert-file.")
sys.exit(1)
if ipautil.file_exists(paths.ROOT_IPA_CSR):
print("CA CSR file %s already exists.\nIn order to continue "
"remove the file and run the installer again." %
paths.ROOT_IPA_CSR)
sys.exit(1)
elif options.external_cert_files:
if not cainstance.is_step_one_done():
# This can happen if someone passes external_ca_file without
# already having done the first stage of the CA install.
print("CA is not installed yet. To install with an external CA "
"is a two-stage process.\nFirst run the installer with "
"--external-ca.")
sys.exit(1)
external_cert_file, external_ca_file = installutils.load_external_cert(
options.external_cert_files, options.subject)
if not cainstance.check_port():
print ("IPA requires port 8443 for PKI but it is currently in use.")
sys.exit("Aborting installation")
if standalone:
dirname = dsinstance.config_dirname(
installutils.realm_to_serverid(realm_name))
cadb = certs.CertDB(realm_name, subject_base=subject_base)
dsdb = certs.CertDB(realm_name, nssdir=dirname, subject_base=subject_base)
for db in (cadb, dsdb):
for nickname, trust_flags in db.list_certs():
if nickname in (certdb.get_ca_nickname(realm_name),
'ipaCert',
'Signing-Cert'):
print ("Certificate with nickname %s is present in %s, "
"cannot continue." % (nickname, db.secdir))
sys.exit(1)
cert = db.get_cert_from_db(nickname)
if not cert:
continue
subject = DN(str(x509.get_subject(cert)))
if subject in (DN('CN=Certificate Authority', subject_base),
DN('CN=IPA RA', subject_base),
DN('CN=Object Signing Cert', subject_base)):
print ("Certificate with subject %s is present in %s, "
"cannot continue." % (subject, db.secdir))
sys.exit(1)
def install(standalone, replica_config, options):
install_step_0(standalone, replica_config, options)
install_step_1(standalone, replica_config, options)
def install_step_0(standalone, replica_config, options):
realm_name = options.realm_name
domain_name = options.domain_name
dm_password = options.dm_password
host_name = options.host_name
subject_base = options.subject
dogtag_constants = dogtag.install_constants
if replica_config is not None:
# Configure the CA if necessary
if standalone:
postinstall = True
else:
postinstall = False
ca = cainstance.install_replica_ca(replica_config, postinstall)
if not standalone:
ca.configure_certmonger_renewal()
ca.import_ra_cert(replica_config.dir + "/ra.p12")
ca.fix_ra_perms()
return
if options.external_cert_files:
external = 2
elif options.external_ca:
external = 1
else:
external = 0
ca = cainstance.CAInstance(realm_name, certs.NSS_DIR,
dogtag_constants=dogtag_constants)
if standalone:
ca.create_ra_agent_db = False
if external == 0:
ca.configure_instance(host_name, domain_name, dm_password,
dm_password, subject_base=subject_base,
ca_signing_algorithm=options.ca_signing_algorithm)
elif external == 1:
ca.configure_instance(host_name, domain_name, dm_password,
dm_password, csr_file=paths.ROOT_IPA_CSR,
subject_base=subject_base,
ca_signing_algorithm=options.ca_signing_algorithm,
ca_type=options.external_ca_type)
else:
ca.configure_instance(host_name, domain_name, dm_password,
dm_password,
cert_file=external_cert_file.name,
cert_chain_file=external_ca_file.name,
subject_base=subject_base,
ca_signing_algorithm=options.ca_signing_algorithm)
def install_step_1(standalone, replica_config, options):
realm_name = options.realm_name
domain_name = options.domain_name
dm_password = options.dm_password
host_name = options.host_name
subject_base = options.subject
basedn = ipautil.realm_to_suffix(realm_name)
dogtag_constants = dogtag.install_constants
ca = cainstance.CAInstance(realm_name, certs.NSS_DIR,
dogtag_constants=dogtag_constants)
if standalone:
ca.stop(ca.dogtag_constants.PKI_INSTANCE_NAME)
# We need to ldap_enable the CA now that DS is up and running
ca.ldap_enable('CA', host_name, dm_password, basedn, ['caRenewalMaster'])
# This is done within stopped_service context, which restarts CA
ca.enable_client_auth_to_db(dogtag_constants.CS_CFG_PATH)
if standalone and replica_config is None:
serverid = installutils.realm_to_serverid(realm_name)
dirname = dsinstance.config_dirname(serverid)
# Store the new IPA CA cert chain in DS NSS database and LDAP
cadb = certs.CertDB(realm_name, subject_base=subject_base)
dsdb = certs.CertDB(realm_name, nssdir=dirname, subject_base=subject_base)
trust_flags = dict(reversed(cadb.list_certs()))
trust_chain = cadb.find_root_cert('ipaCert')[:-1]
for nickname in trust_chain[:-1]:
cert = cadb.get_cert_from_db(nickname, pem=False)
dsdb.add_cert(cert, nickname, trust_flags[nickname])
certstore.put_ca_cert_nss(api.Backend.ldap2, api.env.basedn,
cert, nickname, trust_flags[nickname])
nickname = trust_chain[-1]
cert = cadb.get_cert_from_db(nickname, pem=False)
dsdb.add_cert(cert, nickname, trust_flags[nickname])
certstore.put_ca_cert_nss(api.Backend.ldap2, api.env.basedn,
cert, nickname, trust_flags[nickname],
config_ipa=True, config_compat=True)
api.Backend.ldap2.disconnect()
# Restart DS
services.knownservices.dirsrv.restart(serverid)
api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
bind_pw=dm_password)
# Store DS CA cert in Dogtag NSS database
dogtagdb = certs.CertDB(realm_name, nssdir=dogtag_constants.ALIAS_DIR)
trust_flags = dict(reversed(dsdb.list_certs()))
server_certs = dsdb.find_server_certs()
trust_chain = dsdb.find_root_cert(server_certs[0][0])[:-1]
nickname = trust_chain[-1]
cert = dsdb.get_cert_from_db(nickname)
dogtagdb.add_cert(cert, nickname, trust_flags[nickname])
if standalone:
ca.start(ca.dogtag_constants.PKI_INSTANCE_NAME)
# Update config file
try:
parser = RawConfigParser()
parser.read(paths.IPA_DEFAULT_CONF)
parser.set('global', 'enable_ra', 'True')
parser.set('global', 'ra_plugin', 'dogtag')
parser.set('global', 'dogtag_version',
str(dogtag_constants.DOGTAG_VERSION))
with open(paths.IPA_DEFAULT_CONF, 'w') as f:
parser.write(f)
except IOError, e:
print "Failed to update /etc/ipa/default.conf"
root_logger.error(str(e))
sys.exit(1)
# We need to restart apache as we drop a new config file in there
services.knownservices.httpd.restart(capture_output=True)
# Install CA DNS records
if bindinstance.dns_container_exists(host_name, basedn, dm_password):
bind = bindinstance.BindInstance(dm_password=dm_password)
bind.add_ipa_ca_dns_records(host_name, domain_name)
def uninstall(dogtag_constants):
if not dogtag_constants.SHARED_DB:
cads_instance = cainstance.CADSInstance(
dogtag_constants=dogtag_constants)
if cads_instance.is_configured():
cads_instance.uninstall()
ca_instance = cainstance.CAInstance(
api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants)
ca_instance.stop_tracking_certificates()
if ca_instance.is_configured():
ca_instance.uninstall()
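Review bot: `ca.ldap_enable('CA', host_name, dm_password, basedn, ['caRenewalMaster'])` in install_step_1 runs for every caller, so a replica CA (ipa-ca-install's install_replica and ipa-replica-install) now registers itself as caRenewalMaster, whereas the code this replaces passed `['caRenewalMaster']` only in the master paths (ipa-ca-install install_master, ipa-server-install) and omitted it for replicas. Two servers that both believe they are the renewal master will both attempt to renew the shared CA subsystem certificates, so the argument should be `['caRenewalMaster'] if replica_config is None else []`. Separately, install_check returns at `if replica_config is None and options.external_cert_files: return` before `installutils.load_external_cert` assigns the module globals, yet install_step_0 dereferences `external_cert_file.name` and `external_ca_file.name` when `external == 2`; unless those globals are populated elsewhere, the stage-2 master install raises NameError, and if the early return is only meant to skip the port check the files should be loaded first. The module also has no docstrings: install_check, install, install_step_0, install_step_1 and uninstall should state what `standalone` and `replica_config` select and list the attributes read from `options` (realm_name, domain_name, dm_password, host_name, subject, external_ca, external_cert_files, external_ca_type, ca_signing_algorithm, skip_conncheck, skip_schema_check, admin_password), since every caller has to populate them by assignment before the call.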


@@ -23,12 +23,12 @@ from ipalib.constants import CACERT
from ipalib.util import validate_domain_name
import ipaclient.ntpconf
from ipaserver.install import (
bindinstance, cainstance, certs, dns, dsinstance, httpinstance,
bindinstance, ca, cainstance, certs, dns, dsinstance, httpinstance,
installutils, kra, krbinstance, memcacheinstance, ntpinstance,
otpdinstance, replication, service, sysupgrade)
from ipaserver.install.installutils import (
IPA_MODULES, BadHostError, get_fqdn, get_server_ip_address,
is_ipa_configured, load_external_cert, load_pkcs12, private_ccache,
is_ipa_configured, load_pkcs12, private_ccache,
read_password, verify_fqdn)
from ipaserver.plugins.ldap2 import ldap2
try:
@@ -360,25 +360,6 @@ def install_check(options):
global sstore
sstore = sysrestore.StateFile(SYSRESTORE_DIR_PATH)
if options.external_ca:
if cainstance.is_step_one_done():
print("CA is already installed.\nRun the installer with "
"--external-cert-file.")
sys.exit(1)
if ipautil.file_exists(paths.ROOT_IPA_CSR):
print("CA CSR file %s already exists.\nIn order to continue "
"remove the file and run the installer again." %
paths.ROOT_IPA_CSR)
sys.exit(1)
elif options.external_cert_files:
if not cainstance.is_step_one_done():
# This can happen if someone passes external_ca_file without
# already having done the first stage of the CA install.
print("CA is not installed yet. To install with an external CA "
"is a two-stage process.\nFirst run the installer with "
"--external-ca.")
sys.exit(1)
# This will override any settings passed in on the cmdline
if ipautil.file_exists(paths.ROOT_IPA_CACHE):
if options.dm_password is not None:
@@ -392,10 +373,6 @@ def install_check(options):
except Exception, e:
sys.exit("Cannot process the cache file: %s" % str(e))
if options.external_cert_files:
external_cert_file, external_ca_file = load_external_cert(
options.external_cert_files, options.subject)
# We only set up the CA if the PKCS#12 options are not given.
if options.dirsrv_cert_files:
setup_ca = False
@@ -442,11 +419,7 @@ def install_check(options):
# Make sure the 389-ds ports are available
check_dirsrv(options.unattended)
if setup_ca:
if not cainstance.check_port():
print("IPA requires port 8443 for PKI but it is currently in "
"use.")
sys.exit("Aborting installation")
ca.install_check(False, None, options)
if options.conf_ntp:
try:
@@ -684,6 +657,8 @@ def install(options):
global ds
global installation_cleanup
dogtag_constants = dogtag.install_constants
# Installation has started. No IPA sysrestore items are restored in case of
# failure to enable root cause investigation
installation_cleanup = False
@@ -696,15 +671,6 @@ def install(options):
debug=options.debug
)
# Figure out what external CA step we're in. See cainstance.py for more
# info on the 3 states.
if options.external_cert_files:
external = 2
elif options.external_ca:
external = 1
else:
external = 0
# Create the management framework config file and finalize api
target_fname = paths.IPA_DEFAULT_CONF
fd = open(target_fname, "w")
@@ -719,8 +685,7 @@ def install(options):
if setup_ca:
fd.write("enable_ra=True\n")
fd.write("ra_plugin=dogtag\n")
fd.write("dogtag_version=%s\n" %
dogtag.install_constants.DOGTAG_VERSION)
fd.write("dogtag_version=%s\n" % dogtag_constants.DOGTAG_VERSION)
else:
fd.write("enable_ra=False\n")
fd.write("ra_plugin=none\n")
@@ -757,7 +722,7 @@ def install(options):
dsinstance.create_ds_user()
# Create a directory server instance
if external != 2:
if not options.external_cert_files:
# Configure ntpd
if options.conf_ntp:
ipaclient.ntpconf.force_ntpd(sstore)
@@ -789,14 +754,7 @@ def install(options):
options.subject, 1101, 1100, None)
if setup_ca:
ca = cainstance.CAInstance(realm_name, certs.NSS_DIR,
dogtag_constants=dogtag.install_constants)
if external == 0:
ca.configure_instance(
host_name, domain_name, dm_password, dm_password,
subject_base=options.subject,
ca_signing_algorithm=options.ca_signing_algorithm)
elif external == 1:
if options.external_ca:
# stage 1 of external CA installation
options.realm_name = realm_name
options.domain_name = domain_name
@@ -808,23 +766,13 @@ def install(options):
options.forwarders = dns.dns_forwarders
options.reverse_zones = dns.reverse_zones
write_cache(vars(options))
ca.configure_instance(
host_name, domain_name, dm_password, dm_password,
csr_file=paths.ROOT_IPA_CSR,
subject_base=options.subject,
ca_signing_algorithm=options.ca_signing_algorithm,
ca_type=options.external_ca_type)
else:
# stage 2 of external CA installation
ca.configure_instance(
host_name, domain_name, dm_password, dm_password,
cert_file=external_cert_file.name,
cert_chain_file=external_ca_file.name,
subject_base=options.subject,
ca_signing_algorithm=options.ca_signing_algorithm)
ca.install_step_0(False, None, options)
# Now put the CA cert where other instances exepct it
ca.publish_ca_cert(CACERT)
ca_instance = cainstance.CAInstance(realm_name, certs.NSS_DIR,
dogtag_constants=dogtag_constants)
ca_instance.publish_ca_cert(CACERT)
else:
# Put the CA cert where other instances expect it
x509.write_certificate(http_ca_cert, CACERT)
@@ -834,13 +782,7 @@ def install(options):
ds.enable_ssl()
if setup_ca:
# We need to ldap_enable the CA now that DS is up and running
ca.ldap_enable('CA', host_name, dm_password,
ipautil.realm_to_suffix(realm_name),
['caRenewalMaster'])
# This is done within stopped_service context, which restarts CA
ca.enable_client_auth_to_db(ca.dogtag_constants.CS_CFG_PATH)
ca.install_step_1(False, None, options)
krb = krbinstance.KrbInstance(fstore)
if options.pkinit_cert_files:
@@ -903,8 +845,8 @@ def install(options):
krb.restart()
if setup_ca:
service.print_msg("Restarting the certificate server")
ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
dogtag_service = services.knownservices[dogtag_constants.SERVICE_NAME]
dogtag_service.restart(dogtag_constants.PKI_INSTANCE_NAME)
if options.setup_dns:
api.Backend.ldap2.connect(autobind=True)
@@ -1125,19 +1067,10 @@ def uninstall(options):
print "ipa-client-install returned: " + str(e)
ntpinstance.NTPInstance(fstore).uninstall()
if not dogtag_constants.SHARED_DB:
cads_instance = cainstance.CADSInstance(
dogtag_constants=dogtag_constants)
if cads_instance.is_configured():
cads_instance.uninstall()
kra.uninstall()
ca_instance = cainstance.CAInstance(
api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants)
ca_instance.stop_tracking_certificates()
if ca_instance.is_configured():
ca_instance.uninstall()
ca.uninstall(dogtag_constants)
dns.uninstall()
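Review bot: `ca.install_check(False, None, options)` in install_check and `ca.install_step_0(False, None, options)` / `ca.install_step_1(False, None, options)` in install read `options.realm_name`, `options.domain_name`, `options.host_name`, `options.dm_password` and `options.subject`, where the removed code passed the installer's locals `realm_name`, `domain_name`, `host_name` and `dm_password`; within these hunks the `options.*` attributes are visibly assigned only inside the `if options.external_ca:` stage-1 branch before `write_cache(vars(options))`. If an interactive install derives the realm, hostname or Directory Manager password from prompts without writing them back to `options`, the CA would be configured with None or with an unvalidated command-line value. Confirm that install_check assigns `options.realm_name`, `options.domain_name`, `options.dm_password` and `options.host_name` from the validated locals before the `ca.install_check` call, or hoist those assignments out of the stage-1 branch so they precede `ca.install_step_0` unconditionally. Both install_check and install begin and end outside these hunks.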


@@ -20,7 +20,7 @@ from ipaplatform.paths import paths
from ipalib import api, certstore, constants, create_api, errors, x509
import ipaclient.ntpconf
from ipaserver.install import (
bindinstance, cainstance, dns, dsinstance, httpinstance, installutils, kra,
bindinstance, ca, dns, dsinstance, httpinstance, installutils, kra,
krbinstance, memcacheinstance, ntpinstance, otpdinstance, service)
from ipaserver.install.installutils import create_replica_config
from ipaserver.install.replication import (
@@ -326,11 +326,6 @@ def install_check(filename, options):
check_dirsrv()
if options.setup_ca:
if not cainstance.check_port():
print "IPA requires port 8443 for PKI but it is currently in use."
sys.exit("Aborting installation")
if options.conf_ntp:
try:
ipaclient.ntpconf.check_timedate_services()
@@ -356,12 +351,14 @@ def install_check(filename, options):
global REPLICA_INFO_TOP_DIR
REPLICA_INFO_TOP_DIR = config.top_dir
config.setup_ca = options.setup_ca
if config.setup_ca and not ipautil.file_exists(config.dir + "/cacert.p12"):
print 'CA cannot be installed in CA-less setup.'
sys.exit(1)
config.setup_kra = options.setup_kra
if options.setup_ca:
options.realm_name = config.realm_name
options.host_name = config.host_name
options.subject = config.subject_base
ca.install_check(False, config, options)
if config.setup_kra:
try:
kra.install_check(config, options, False,
@@ -398,6 +395,8 @@ def install_check(filename, options):
def install(filename, options):
global config
dogtag_constants = dogtag.install_constants
# Create the management framework config file
# Note: We must do this before bootstraping and finalizing ipalib.api
old_umask = os.umask(022) # must be readable for httpd
@@ -416,8 +415,7 @@ def install(filename, options):
if ipautil.file_exists(config.dir + "/cacert.p12"):
fd.write("enable_ra=True\n")
fd.write("ra_plugin=dogtag\n")
fd.write("dogtag_version=%s\n" %
dogtag.install_constants.DOGTAG_VERSION)
fd.write("dogtag_version=%s\n" % dogtag_constants.DOGTAG_VERSION)
else:
fd.write("enable_ra=False\n")
fd.write("ra_plugin=none\n")
@@ -538,11 +536,6 @@ def install(filename, options):
if replman and replman.conn:
replman.conn.unbind()
if options.skip_schema_check:
root_logger.info("Skipping CA DS schema check")
else:
cainstance.replica_ca_install_check(config)
# Configure ntpd
if options.conf_ntp:
ipaclient.ntpconf.force_ntpd(sstore)
@@ -552,22 +545,19 @@ def install(filename, options):
# Configure dirsrv
ds = install_replica_ds(config)
# Configure the CA if necessary
CA = cainstance.install_replica_ca(config)
# Always try to install DNS records
install_dns_records(config, options, remote_api)
finally:
if conn.isconnected():
conn.disconnect()
# We need to ldap_enable the CA now that DS is up and running
if CA and config.setup_ca:
CA.ldap_enable('CA', config.host_name, config.dirman_password,
ipautil.realm_to_suffix(config.realm_name))
if config.setup_ca:
options.realm_name = config.realm_name
options.domain_name = config.domain_name
options.dm_password = config.dirman_password
options.host_name = config.host_name
# This is done within stopped_service context, which restarts CA
CA.enable_client_auth_to_db(CA.dogtag_constants.CS_CFG_PATH)
ca.install(False, config, options)
krb = install_krb(config, setup_pkinit=options.setup_pkinit)
http = install_http(config, auto_redirect=options.ui_redirect)
@@ -576,11 +566,6 @@ def install(filename, options):
otpd.create_instance('OTPD', config.host_name, config.dirman_password,
ipautil.realm_to_suffix(config.realm_name))
if CA:
CA.configure_certmonger_renewal()
CA.import_ra_cert(config.dir + "/ra.p12")
CA.fix_ra_perms()
# The DS instance is created before the keytab, add the SSL cert we
# generated
ds.add_cert_to_service()
@@ -598,9 +583,9 @@ def install(filename, options):
service.print_msg("Restarting the KDC")
krb.restart()
if CA and config.setup_ca:
service.print_msg("Restarting the certificate server")
CA.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
if config.setup_ca:
dogtag_service = services.knownservices[dogtag_constants.SERVICE_NAME]
dogtag_service.restart(dogtag_constants.PKI_INSTANCE_NAME)
if options.setup_dns:
api.Backend.ldap2.connect(autobind=True)