IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Modifications to install scripts for dogtag 10

Browse Source 
Dogtag 10 uses a new installer, new directory layout and new default
ports.  This patch changes the ipa install code to integrate these changes.

https://fedorahosted.org/freeipa/ticket/2846
This commit is contained in:
Ade Lee 2012-08-15 22:53:51 -04:00 committed by Rob Crittenden
parent 79b89f4196
commit 3dd31a8756
20 changed files with 224 additions and 239 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
install/conf/ipa-pki-proxy.conf
View File

@ -6,22 +6,22 @@ ProxyRequests Off
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange">
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
NSSVerifyClient none
ProxyPassMatch ajp://localhost:9447/
ProxyPassReverse ajp://localhost:9447/
ProxyPassMatch ajp://localhost:8009
ProxyPassReverse ajp://localhost:8009
</LocationMatch>
# matches for admin port
<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML">
# matches for admin port and installer
<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken">
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
NSSVerifyClient none
ProxyPassMatch ajp://localhost:9447/
ProxyPassReverse ajp://localhost:9447/
ProxyPassMatch ajp://localhost:8009
ProxyPassReverse ajp://localhost:8009
</LocationMatch>
# matches for agent port and eeca port
<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
NSSVerifyClient require
ProxyPassMatch ajp://localhost:9447/
ProxyPassReverse ajp://localhost:9447/
ProxyPassMatch ajp://localhost:8009
ProxyPassReverse ajp://localhost:8009
</LocationMatch>

4
install/conf/ipa.conf
View File

@ -105,8 +105,8 @@ Alias /ipa/config "/usr/share/ipa/html"
# For CRL publishing
Alias /ipa/crl "/var/lib/pki-ca/publish"
<Directory "/var/lib/pki-ca/publish">
Alias /ipa/crl "/var/lib/pki/tomcat-ca/ca/publish"
<Directory "/var/lib/pki/tomcat-ca/ca/publish">
SetHandler None
AllowOverride None
Options Indexes FollowSymLinks

19
install/restart_scripts/renew_ca_cert
View File

@ -45,8 +45,14 @@ nickname = sys.argv[1]
api.bootstrap(context='restart')
api.finalize()
alias_dir = '/etc/pki/pki-tomcat/alias'
dogtag_instance = 'pki-tomcat'
if 'dogtag_version' not in api.env:
alias_dir = '/var/lib/pki-ca/alias'
dogtag_instance = 'pki-ca'
# Fetch the new certificate
db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias')
db = certs.CertDB(api.env.realm, nssdir=alias_dir)
cert = db.get_cert_from_db(nickname, pem=False)
if not cert:
@ -79,7 +85,7 @@ finally:
# Fix permissions on the audit cert if we're updating it
if nickname == 'auditSigningCert cert-pki-ca':
db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias')
db = certs.CertDB(api.env.realm, nssdir=alias_dir)
args = ['-M',
'-n', nickname,
'-t', 'u,u,Pu',
@ -91,7 +97,9 @@ if nickname == 'auditSigningCert cert-pki-ca':
update_cert_config(nickname, cert)
syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted pki-cad instance pki-ca to renew %s' % nickname)
syslog.syslog(
syslog.LOG_NOTICE, 'certmonger restarted %sd instance %s to renew %s' %
(dogtag_instance, dogtag_instance, nickname))
# We monitor 3 certs that are all likely to be renewed by certmonger more or
# less at the same time. Each cert renewal is going to need to restart
@ -102,6 +110,7 @@ pause = random.randint(10,360)
syslog.syslog(syslog.LOG_NOTICE, 'Pausing %d seconds to restart pki-ca' % pause)
time.sleep(pause)
try:
ipaservices.knownservices.pki_cad.restart('pki-ca')
ipaservices.knownservices.pki_cad.restart(dogtag_instance)
except Exception, e:
syslog.syslog(syslog.LOG_ERR, "Cannot restart pki-cad: %s" % str(e))
syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" % \
(dogtag_instance, str(e)))

18
install/restart_scripts/restart_pkicad
View File

@ -30,11 +30,18 @@ nickname = sys.argv[1]
api.bootstrap(context='restart')
api.finalize()
syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted pki-cad, nickname '%s'" % nickname)
alias_dir = '/etc/pki/pki-tomcat/alias'
dogtag_instance = 'pki-tomcat'
if 'dogtag_version' not in api.env:
alias_dir = '/var/lib/pki-ca/alias'
dogtag_instance = 'pki-ca'
syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted %sd, nickname '%s'" % \
(dogtag_instance, nickname))
# Fix permissions on the audit cert if we're updating it
if nickname == 'auditSigningCert cert-pki-ca':
db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias')
db = certs.CertDB(api.env.realm, nssdir = alias_dir )
args = ['-M',
'-n', nickname,
'-t', 'u,u,Pu',
@ -44,7 +51,8 @@ if nickname == 'auditSigningCert cert-pki-ca':
try:
# I've seen times where systemd restart does not actually restart
# the process. A full stop/start is required. This works around that
ipaservices.knownservices.pki_cad.stop('pki-ca')
ipaservices.knownservices.pki_cad.start('pki-ca')
ipaservices.knownservices.pki_cad.stop(dogtag_instance)
ipaservices.knownservices.pki_cad.start(dogtag_instance)
except Exception, e:
syslog.syslog(syslog.LOG_ERR, "Cannot restart pki-cad: %s" % str(e))
syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" % \
(dogtag_instance, str(e)))

10
install/tools/ipa-ca-install
View File

@ -156,6 +156,16 @@ def main():
# We need to restart apache as we drop a new config file in there
ipaservices.knownservices.httpd.restart(capture_output=True)
#update dogtag version in config file to denote new instance
try:
fd = open("/etc/ipa/default.conf", "a")
fd.write("dogtag_version=10\n")
fd.close()
except IOError, e:
print "Failed to update /etc/ipa/default.conf"
root_logger.error(str(e))
sys.exit(1)
fail_message = '''
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

2
install/tools/ipa-csreplica-manage
View File

@ -80,7 +80,7 @@ class CSReplicationManager(replication.ReplicationManager):
"""
dn = None
cn = None
instance_name = 'pki-ca'
instance_name = 'pki-tomcat'
# if master is not None we know what dn to return:
if master is not None:

1
install/tools/ipa-replica-install
View File

@ -376,6 +376,7 @@ def main():
if ipautil.file_exists(config.dir + "/cacert.p12"):
fd.write("enable_ra=True\n")
fd.write("ra_plugin=dogtag\n")
fd.write("dogtag_version=10\n")
fd.write("mode=production\n")
fd.close()
finally:

2
install/tools/ipa-replica-prepare
View File

@ -304,7 +304,7 @@ def main():
if options.reverse_zone and not bindinstance.verify_reverse_zone(options.reverse_zone, options.ip_address):
sys.exit(1)
if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki-ca/conf/CS.cfg") and not options.dirsrv_pin:
if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki/pki-tomcat/conf/ca/CS.cfg") and not options.dirsrv_pin:
sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.")
check_ipa_configuration(api.env.realm)

1
install/tools/ipa-server-install
View File

@ -853,6 +853,7 @@ def main():
fd.write("enable_ra=True\n")
if not options.selfsign:
fd.write("ra_plugin=dogtag\n")
fd.write("dogtag_version=10\n")
fd.write("mode=production\n")
fd.close()

6
install/ui/test/data/ipa_init.json
View File

@ -669,12 +669,12 @@
"result": {
"basedn": "dc=dev,dc=example,dc=com",
"bin": "/var/www",
"ca_agent_install_port": 9443,
"ca_agent_install_port": 8443,
"ca_agent_port": 443,
"ca_ee_install_port": 9444,
"ca_ee_install_port": 8443,
"ca_ee_port": 443,
"ca_host": "dev.example.com",
"ca_install_port": 9180,
"ca_install_port": 8080,
"ca_port": 80,
"conf": "/etc/ipa/server.conf",
"conf_default": "/etc/ipa/default.conf",

6
ipa-client/man/default.conf.5
View File

@ -66,13 +66,13 @@ The following options are relevant for the server:
Specifies the base DN to use when performing LDAP operations. The base must be in DN format (dc=example,dc=com).
.TP
.B ca_agent_port <port>
Specifies the secure CA agent port. The default is 9443.
Specifies the secure CA agent port. The default is 8443.
.TP
.B ca_ee_port <port>
Specifies the secure CA end user port. The default is 9444.
Specifies the secure CA end user port. The default is 8443.
.TP
.B ca_port <port>
Specifies the insecure CA end user port. The default is 9180.
Specifies the insecure CA end user port. The default is 8080.
.TP
.B ca_host <hostname>
Specifies the hostname of the dogtag CA server. The default is the hostname of the IPA server.

6
ipalib/constants.py
View File

@ -141,9 +141,9 @@ DEFAULT_CONFIG = (
('ca_port', 80),
('ca_agent_port', 443),
('ca_ee_port', 443),
('ca_install_port', 9180),
('ca_agent_install_port', 9443),
('ca_ee_install_port', 9444),
('ca_install_port', 8080),
('ca_agent_install_port', 8443),
('ca_ee_install_port', 8443),
# Special CLI:

2
ipapython/certmonger.py
View File

@ -337,7 +337,7 @@ def get_pin(token):
The caller is expected to handle any exceptions raised.
"""
filename = '/var/lib/pki-ca/conf/password.conf'
filename = '/var/lib/pki/pki-tomcat/conf/password.conf'
with open(filename, 'r') as f:
for line in f:
(tok, pin) = line.split('=', 1)

7
ipapython/platform/base.py
View File

@ -25,7 +25,7 @@ from ipalib.plugable import MagicDict
wellknownservices = ['certmonger', 'dirsrv', 'httpd', 'ipa', 'krb5kdc',
'messagebus', 'nslcd', 'nscd', 'ntpd', 'portmap',
'rpcbind', 'kadmin', 'sshd', 'autofs', 'rpcgssd',
'rpcidmapd', 'pki_cad']
'rpcidmapd', 'pki_tomcatd', 'pki-cad']
# The common ports for these services. This is used to wait for the
@ -34,7 +34,10 @@ wellknownports = {
'dirsrv@PKI-IPA.service': [7389],
'PKI-IPA': [7389],
'dirsrv': [389], # this is only used if the incoming instance name is blank
'pki-cad': [9180],
'pki-tomcatd@pki-tomcat.service': [8080],
'pki-tomcat': [8080],
'pki-tomcatd': [8080], # used if the incoming instance name is blank
'pki-cad': [9180]
}
class AuthConfig(object):

7
ipapython/platform/fedora16.py
View File

@ -46,7 +46,7 @@ system_units = dict(map(lambda x: (x, "%s.service" % (x)), base.wellknownservice
system_units['rpcgssd'] = 'nfs-secure.service'
system_units['rpcidmapd'] = 'nfs-idmap.service'
# Rewrite dirsrv and pki-cad services as they support instances via separate
# Rewrite dirsrv and pki-tomcatd services as they support instances via separate
# service generator. To make this working, one needs to have both foo@.servic
# and foo.target -- the latter is used when request should be coming for
# all instances (like stop). systemd, unfortunately, does not allow one
@ -58,9 +58,12 @@ system_units['rpcidmapd'] = 'nfs-idmap.service'
system_units['dirsrv'] = 'dirsrv@.service'
# Our directory server instance for PKI is dirsrv@PKI-IPA.service
system_units['pkids'] = 'dirsrv@PKI-IPA.service'
# Our PKI instance is pki-cad@pki-ca.service
# Old style PKI instance
system_units['pki-cad'] = 'pki-cad@pki-ca.service'
system_units['pki_cad'] = system_units['pki-cad']
# Our PKI instance is pki-tomcatd@pki-tomcat.service
system_units['pki-tomcatd'] = 'pki-tomcatd@pki-tomcat.service'
system_units['pki_tomcatd'] = system_units['pki-tomcatd']
class Fedora16Service(systemd.SystemdService):
def __init__(self, service_name):

4
ipapython/platform/systemd.py
View File

@ -41,10 +41,10 @@ class SystemdService(base.PlatformService):
# Short-cut: if there is already exact service name, return it
if self.lib_path_exists and len(instance_name) == 0:
if len(elements) == 1:
# service name is like pki-cad.target or krb5kdc.service
# service name is like pki-tomcatd.target or krb5kdc.service
return self.service_name
if len(elements) > 1 and elements[1][0] != '.':
# Service name is like pki-cad@pki-ca.service and that file exists
# Service name is like pki-tomcatd@pki-tomcat.service and that file exists
return self.service_name
if len(elements) > 1:

335
ipaserver/install/cainstance.py
View File

@ -65,15 +65,10 @@ PKI_USER = "pkiuser"
PKI_DS_USER = "pkisrv"
# These values come from /usr/share/pki/ca/setup/postinstall
PKI_INSTANCE_NAME="pki-ca"
AGENT_SECURE_PORT=9443
EE_SECURE_PORT=9444
ADMIN_SECURE_PORT=9445
EE_CLIENT_AUTH_PORT=9446
UNSECURE_PORT=9180
TOMCAT_SERVER_PORT=9701
PKI_INSTANCE_NAME="pki-tomcat"
AGENT_SECURE_PORT=8443
IPA_SERVICE_PROFILE = '/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME
IPA_SERVICE_PROFILE = '/var/lib/pki/%s/ca/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME
# We need to reset the template because the CA uses the regular boot
# information
@ -97,9 +92,9 @@ def check_inst():
"""
# Check for a couple of binaries we need
if not os.path.exists('/usr/bin/pkicreate'):
if not os.path.exists('/bin/pkispawn'):
return False
if not os.path.exists('/usr/bin/pkisilent'):
if not os.path.exists('/bin/pkidestroy'):
return False
# This is the template tomcat file for a CA
@ -108,31 +103,6 @@ def check_inst():
return True
def get_preop_pin(instance_root, instance_name):
preop_pin = None
filename = instance_root + "/" + instance_name + "/conf/CS.cfg"
# read the config file and get the preop pin
try:
f=open(filename)
except IOError, e:
root_logger.error("Cannot open configuration file." + str(e))
raise e
data = f.read()
data = data.split('\n')
pattern = re.compile("preop.pin=(.*)" )
for line in data:
match = re.search(pattern, line)
if (match):
preop_pin=match.group(1)
break
if preop_pin is None:
raise RuntimeError("Unable to find preop.pin in %s. Is your CA already configured?" % filename)
return preop_pin
def import_pkcs12(input_file, input_passwd, cert_database,
cert_passwd):
ipautil.run(["/usr/bin/pk12util", "-d", cert_database,
@ -415,7 +385,7 @@ class CADSInstance(service.Service):
'ocspSigningCert cert-pki-ca',
'subsystemCert cert-pki-ca']:
try:
certmonger.stop_tracking('/var/lib/pki-ca/alias', nickname=nickname)
certmonger.stop_tracking('/etc/pki/pki-tomcat/alias', nickname=nickname)
except (ipautil.CalledProcessError, RuntimeError), e:
root_logger.error("certmonger failed to stop tracking certificate: %s" % str(e))
@ -444,7 +414,7 @@ class CAInstance(service.Service):
"""
def __init__(self, realm, ra_db):
service.Service.__init__(self, "pki-cad")
service.Service.__init__(self, "pki-tomcatd")
self.realm = realm
self.dm_password = None
self.admin_password = None
@ -468,7 +438,7 @@ class CAInstance(service.Service):
self.ra_agent_pwd = self.ra_agent_db + "/pwdfile.txt"
self.ds_port = DEFAULT_DSPORT
self.domain_name = "IPA"
self.server_root = "/var/lib"
self.server_root = "/var/lib/pki"
self.ra_cert = None
self.requestId = None
@ -489,8 +459,7 @@ class CAInstance(service.Service):
pkcs12_info=None, master_host=None, csr_file=None,
cert_file=None, cert_chain_file=None,
subject_base=None):
"""Create a CA instance. This may involve creating the pki-ca instance
dogtag instance.
"""Create a CA instance.
To create a clone, pass in pkcs12_info.
@ -523,15 +492,11 @@ class CAInstance(service.Service):
self.external=2
self.step("creating certificate server user", self.__create_ca_user)
if not ipautil.dir_exists("/var/lib/pki-ca"):
self.step("creating pki-ca instance", self.create_instance)
self.step("configuring certificate server instance", self.__configure_instance)
self.step("configuring certificate server instance", self.__spawn_instance)
self.step("disabling nonces", self.__disable_nonce)
# Step 1 of external is getting a CSR so we don't need to do these
# steps until we get a cert back from the external CA.
if self.external != 1:
if not self.clone:
self.step("creating CA agent PKCS#12 file in /root", self.__create_ca_agent_pkcs12)
if self.create_ra_agent_db:
self.step("creating RA agent certificate database", self.__create_ra_agent_db)
self.step("importing CA chain to RA certificate database", self.__import_ca_chain)
@ -555,26 +520,117 @@ class CAInstance(service.Service):
self.start_creation("Configuring certificate server", 210)
def create_instance(self):
def __spawn_instance(self):
"""
If for some reason the instance doesn't exist, create a new one."
Create and configure a new instance using pkispawn.
pkispawn requires a configuration file with the appropriate
values substituted in.
"""
args = ['/usr/bin/pkicreate',
'-pki_instance_root', '/var/lib',
'-pki_instance_name', PKI_INSTANCE_NAME,
'-subsystem_type', 'ca',
'-agent_secure_port', str(AGENT_SECURE_PORT),
'-ee_secure_port', str(EE_SECURE_PORT),
'-admin_secure_port', str(ADMIN_SECURE_PORT),
'-ee_secure_client_auth_port', str(EE_CLIENT_AUTH_PORT),
'-unsecure_port', str(UNSECURE_PORT),
'-tomcat_server_port', str(TOMCAT_SERVER_PORT),
'-redirect', 'conf=/etc/pki-ca',
'-redirect', 'logs=/var/log/pki-ca',
'-enable_proxy'
]
ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn})
# create a new config file for this installation
(cfg_fd, cfg_file) = tempfile.mkstemp()
os.close(cfg_fd)
shutil.copy("/usr/share/pki/deployment/config/pkideployment.cfg",
cfg_file)
pent = pwd.getpwnam(PKI_USER)
os.chown(cfg_file, pent.pw_uid, pent.pw_gid )
replacevars = {
"pki_enable_proxy": "True",
"pki_restart_configured_instance": "False",
"pki_client_database_dir": self.ca_agent_db,
"pki_client_database_password": self.admin_password,
"pki_client_database_purge": "False",
"pki_client_pkcs12_password": self.admin_password,
"pki_security_domain_name": self.domain_name,
"pki_admin_email": "root@localhost",
"pki_admin_password": self.admin_password,
"pki_admin_nickname": "ipa-ca-agent",
"pki_admin_subject_dn": "CN=ipa-ca-agent,%s" % self.subject_base,
"pki_ds_ldap_port": str(self.ds_port),
"pki_ds_password": self.dm_password,
"pki_ds_base_dn": self.basedn,
"pki_ds_database": "ipaca",
"pki_backup_keys": "True",
"pki_backup_password": self.admin_password,
"pki_subsystem_subject_dn": \
"CN=CA Subsystem,%s" % self.subject_base,
"pki_ocsp_signing_subject_dn": \
"CN=OCSP Subsystem,%s" % self.subject_base,
"pki_ssl_server_subject_dn": \
"CN=%s,%s" % (self.fqdn, self.subject_base),
"pki_audit_signing_subject_dn": \
"CN=CA Audit,%s" % self.subject_base,
"pki_ca_signing_subject_dn": \
"CN=Certificate Authority,%s" % self.subject_base,
"pki_subsystem_nickname": "subsystemCert cert-pki-ca",
"pki_ocsp_signing_nickname": "ocspSigningCert cert-pki-ca",
"pki_ssl_server_nickname": "Server-Cert cert-pki-ca",
"pki_audit_signing_nickname": "auditSigningCert cert-pki-ca",
"pki_ca_signing_nickname": "caSigningCert cert-pki-ca"
}
if (self.clone):
cafile = self.pkcs12_info[0]
shutil.copy(cafile, "/tmp/ca.p12")
pent = pwd.getpwnam(PKI_USER)
os.chown("/tmp/ca.p12", pent.pw_uid, pent.pw_gid )
clone_vars = {
"pki_clone_pkcs12_password": self.dm_password,
"pki_clone": "True",
"pki_clone_pkcs12_path": "/tmp/ca.p12",
"pki_security_domain_hostname": self.master_host,
"pki_security_domain_https_port": "443",
"pki_security_domain_password": self.admin_password,
"pki_clone_replication_security": "SSL",
"pki_clone_uri": \
"https://%s" % ipautil.format_netloc(self.master_host, 443)
}
replacevars.update(clone_vars)
if self.external == 1:
external_vars = {
"pki_external": "True",
"pki_external_csr_path": self.csr_file
}
replacevars.update(external_vars)
elif self.external == 2:
external_vars = {
"pki_external": "True",
"pki_external_ca_cert_path": self.cert_file,
"pki_external_ca_cert_chain_path": self.cert_chain_file,
"pki_external_step_two": "True"
}
replacevars.update(external_vars)
ipautil.config_replace_variables(cfg_file, replacevars=replacevars)
# Define the things we don't want logged
nolog = (self.admin_password, self.dm_password,)
args = ["/bin/pkispawn", "-s", "CA", "-f", cfg_file ]
try:
ipautil.run(args, nolog=nolog)
except ipautil.CalledProcessError, e:
root_logger.critical("failed to configure ca instance %s" % e)
raise RuntimeError('Configuration of CA failed')
finally:
os.remove(cfg_file)
if not self.clone:
shutil.move("/var/lib/pki/pki-tomcat/alias/ca_admin_cert.p12", \
"/root/ca-agent.p12")
shutil.move("/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12", \
"/root/cacert.p12")
if self.external == 1:
print "The next step is to get %s signed by your CA and re-run ipa-server-install as:" % self.csr_file
print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate"
sys.exit(0)
root_logger.debug("completed creating ca instance")
def __enable(self):
self.backup_state("enabled", self.is_enabled())
@ -600,110 +656,6 @@ class CAInstance(service.Service):
except ipautil.CalledProcessError, e:
root_logger.critical("failed to add user %s" % e)
def __configure_instance(self):
preop_pin = get_preop_pin(self.server_root, PKI_INSTANCE_NAME)
try:
args = ["/usr/bin/perl", "/usr/bin/pkisilent", "ConfigureCA",
"-cs_hostname", self.fqdn,
"-cs_port", str(ADMIN_SECURE_PORT),
"-client_certdb_dir", self.ca_agent_db,
"-client_certdb_pwd", self.admin_password,
"-preop_pin" , preop_pin,
"-domain_name", self.domain_name,
"-admin_user", "admin",
"-admin_email", "root@localhost",
"-admin_password", self.admin_password,
"-agent_name", "ipa-ca-agent",
"-agent_key_size", "2048",
"-agent_key_type", "rsa",
"-agent_cert_subject", str(DN(('CN', 'ipa-ca-agent'), self.subject_base)),
"-ldap_host", self.fqdn,
"-ldap_port", str(self.ds_port),
"-bind_dn", "cn=Directory Manager",
"-bind_password", self.dm_password,
"-base_dn", str(self.basedn),
"-db_name", "ipaca",
"-key_size", "2048",
"-key_type", "rsa",
"-key_algorithm", "SHA256withRSA",
"-save_p12", "true",
"-backup_pwd", self.admin_password,
"-subsystem_name", self.service_name,
"-token_name", "internal",
"-ca_subsystem_cert_subject_name", str(DN(('CN', 'CA Subsystem'), self.subject_base)),
"-ca_subsystem_cert_subject_name", str(DN(('CN', 'CA Subsystem'), self.subject_base)),
"-ca_ocsp_cert_subject_name", str(DN(('CN', 'OCSP Subsystem'), self.subject_base)),
"-ca_server_cert_subject_name", str(DN(('CN', self.fqdn), self.subject_base)),
"-ca_audit_signing_cert_subject_name", str(DN(('CN', 'CA Audit'), self.subject_base)),
"-ca_sign_cert_subject_name", str(DN(('CN', 'Certificate Authority'), self.subject_base)) ]
if self.external == 1:
args.append("-external")
args.append("true")
args.append("-ext_csr_file")
args.append(self.csr_file)
elif self.external == 2:
args.append("-external")
args.append("true")
args.append("-ext_ca_cert_file")
args.append(self.cert_file)
args.append("-ext_ca_cert_chain_file")
args.append(self.cert_chain_file)
else:
args.append("-external")
args.append("false")
if (self.clone):
"""sd = security domain --> all CS systems get registered to
a security domain. This is set to the hostname and port of
the master CA.
"""
# The install wizard expects the file to be here.
cafile = self.pkcs12_info[0]
shutil.copy(cafile, "/var/lib/pki-ca/alias/ca.p12")
pent = pwd.getpwnam(PKI_USER)
os.chown("/var/lib/pki-ca/alias/ca.p12", pent.pw_uid, pent.pw_gid )
args.append("-clone")
args.append("true")
args.append("-clone_p12_file")
args.append("ca.p12")
args.append("-clone_p12_password")
args.append(self.dm_password)
args.append("-sd_hostname")
args.append(self.master_host)
args.append("-sd_admin_port")
args.append("443")
args.append("-sd_admin_name")
args.append("admin")
args.append("-sd_admin_password")
args.append(self.admin_password)
args.append("-clone_start_tls")
args.append("true")
args.append("-clone_uri")
args.append("https://%s" % ipautil.format_netloc(self.master_host, 443))
else:
args.append("-clone")
args.append("false")
# Define the things we don't want logged
nolog = (self.admin_password, self.dm_password,)
ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn}, nolog=nolog)
except ipautil.CalledProcessError, e:
root_logger.critical("failed to configure ca instance %s" % e)
raise RuntimeError('Configuration of CA failed')
if self.external == 1:
print "The next step is to get %s signed by your CA and re-run ipa-server-install as:" % self.csr_file
print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate"
sys.exit(0)
# pkisilent makes a copy of the CA PKCS#12 file for us but gives
# it a lousy name.
if ipautil.file_exists("/root/tmp-ca.p12"):
shutil.move("/root/tmp-ca.p12", "/root/cacert.p12")
root_logger.debug("completed creating ca instance")
def __restart_instance(self):
try:
self.restart(PKI_INSTANCE_NAME)
@ -713,10 +665,11 @@ class CAInstance(service.Service):
def __disable_nonce(self):
# Turn off Nonces
if installutils.update_file('/var/lib/pki-ca/conf/CS.cfg', 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
cfg_file = '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg'
if installutils.update_file(cfg_file, 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
raise RuntimeError("Disabling nonces failed")
pent = pwd.getpwnam(PKI_USER)
os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
os.chown(cfg_file, pent.pw_uid, pent.pw_gid )
def __issue_ra_cert(self):
# The CA certificate is in the agent DB but isn't trusted
@ -767,7 +720,7 @@ class CAInstance(service.Service):
]
(stdout, stderr, returncode) = ipautil.run(args, nolog=(self.admin_password,))
data = stdout.split('\r\n')
data = stdout.split('\n')
params = get_defList(data)
params['requestId'] = find_substring(data, "requestId")
params['op'] = 'approve'
@ -788,7 +741,7 @@ class CAInstance(service.Service):
]
(stdout, stderr, returncode) = ipautil.run(args, nolog=(self.admin_password,))
data = stdout.split('\r\n')
data = stdout.split('\n')
outputList = get_outputList(data)
self.ra_cert = outputList['b64_cert']
@ -905,20 +858,6 @@ class CAInstance(service.Service):
except Exception, e:
raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
def __create_ca_agent_pkcs12(self):
(pwd_fd, pwd_name) = tempfile.mkstemp()
os.write(pwd_fd, self.admin_password)
os.close(pwd_fd)
try:
ipautil.run(["/usr/bin/pk12util",
"-n", "ipa-ca-agent",
"-o", "/root/ca-agent.p12",
"-d", self.ca_agent_db,
"-k", pwd_name,
"-w", pwd_name])
finally:
os.remove(pwd_name)
def __import_ca_chain(self):
chain = self.__get_ca_chain()
@ -982,7 +921,7 @@ class CAInstance(service.Service):
csr = pkcs10.strip_header(stdout)
# Send the request to the CA
conn = httplib.HTTPConnection(self.fqdn, 9180)
conn = httplib.HTTPConnection(self.fqdn, 8080)
params = urllib.urlencode({'profileId': 'caServerCert',
'cert_request_type': 'pkcs10',
'requestor_name': 'IPA Installer',
@ -1020,7 +959,7 @@ class CAInstance(service.Service):
def __setup_sign_profile(self):
# Tell the profile to automatically issue certs for RAs
installutils.set_directive('/var/lib/pki-ca/profiles/ca/caJarSigningCert.cfg', 'auth.instance_id', 'raCertAuth', quotes=False, separator='=')
installutils.set_directive('/var/lib/pki/pki-tomcat/ca/profiles/ca/caJarSigningCert.cfg', 'auth.instance_id', 'raCertAuth', quotes=False, separator='=')
def __enable_crl_publish(self):
"""
@ -1028,9 +967,9 @@ class CAInstance(service.Service):
http://www.redhat.com/docs/manuals/cert-system/8.0/admin/html/Setting_up_Publishing.html
"""
caconfig = "/var/lib/pki-ca/conf/CS.cfg"
caconfig = "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
publishdir='/var/lib/pki-ca/publish'
publishdir='/var/lib/pki/pki-tomcat/ca/publish'
os.mkdir(publishdir)
os.chmod(publishdir, 0755)
pent = pwd.getpwnam(PKI_USER)
@ -1089,8 +1028,8 @@ class CAInstance(service.Service):
self.disable()
try:
ipautil.run(["/usr/bin/pkiremove", "-pki_instance_root=/var/lib",
"-pki_instance_name=%s" % PKI_INSTANCE_NAME, "--force"])
ipautil.run(["/bin/pkidestroy", "-i", "pki-tomcat",
"-s", "CA"])
except ipautil.CalledProcessError, e:
root_logger.critical("failed to uninstall CA instance %s" % e)
@ -1118,7 +1057,7 @@ class CAInstance(service.Service):
pin = certmonger.get_pin('internal')
except IOError, e:
raise RuntimeError('Unable to determine PIN for CA instance: %s' % str(e))
certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', 'Server-Cert cert-pki-ca', pin, None, '/var/lib/pki-ca/alias', 'restart_pkicad "Server-Cert cert-pki-ca"')
certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', 'Server-Cert cert-pki-ca', pin, None, '/etc/pki/pki-tomcat/alias', 'restart_pkicad "Server-Cert cert-pki-ca"')
def configure_renewal(self):
cmonger = ipaservices.knownservices.certmonger
@ -1135,7 +1074,7 @@ class CAInstance(service.Service):
for nickname in ['auditSigningCert cert-pki-ca',
'ocspSigningCert cert-pki-ca',
'subsystemCert cert-pki-ca']:
certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', nickname, pin, None, '/var/lib/pki-ca/alias', 'renew_ca_cert "%s"' % nickname)
certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', nickname, pin, None, '/etc/pki/pki-tomcat/alias', 'renew_ca_cert "%s"' % nickname)
# Set up the agent cert for renewal
certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', 'ipaCert', None, '/etc/httpd/alias/pwdfile.txt', '/etc/httpd/alias', 'renew_ra_cert')
@ -1179,7 +1118,7 @@ class CAInstance(service.Service):
for nickname in ['auditSigningCert cert-pki-ca',
'ocspSigningCert cert-pki-ca',
'subsystemCert cert-pki-ca']:
certmonger.dogtag_start_tracking('dogtag-ipa-retrieve-agent-submit', nickname, pin, None, '/var/lib/pki-ca/alias', 'restart_pkicad "%s"' % nickname)
certmonger.dogtag_start_tracking('dogtag-ipa-retrieve-agent-submit', nickname, pin, None, '/etc/pki/pki-tomcat/alias', 'restart_pkicad "%s"' % nickname)
# The agent renewal is configured in import_ra_cert which is called
# after the HTTP instance is created.
@ -1191,7 +1130,7 @@ class CAInstance(service.Service):
setlist = installutils.get_directive(IPA_SERVICE_PROFILE,
'policyset.serverCertSet.list', separator='=')
# this is the default setting from pki-ca. Don't touch it if a user
# this is the default setting from pki-tomcat. Don't touch it if a user
# has manually modified it.
if setlist == '1,2,3,4,5,6,7,8':
installutils.set_directive(IPA_SERVICE_PROFILE,
@ -1234,7 +1173,7 @@ class CAInstance(service.Service):
responsibility to handle changes on upgrades.
"""
master = installutils.get_directive(
'/var/lib/pki-ca/conf/CS.cfg', 'subsystem.select', '=')
'/var/lib/pki/pki-tomcat/conf/ca/CS.cfg', 'subsystem.select', '=')
return master == 'New'
@ -1301,10 +1240,10 @@ def install_replica_ca(config, postinstall=False):
# unix service.
service.print_msg("Restarting the directory and certificate servers")
ca.stop()
ca.stop(PKI_INSTANCE_NAME)
ipaservices.knownservices.dirsrv.stop("PKI-IPA")
ipaservices.knownservices.dirsrv.start("PKI-IPA")
ca.start()
ca.start(PKI_INSTANCE_NAME)
return (ca, cs)
@ -1323,7 +1262,7 @@ def update_cert_config(nickname, cert):
'subsystemCert cert-pki-ca': 'ca.subsystem.cert',
'Server-Cert cert-pki-ca': 'ca.sslserver.cert' }
installutils.set_directive('/var/lib/%s/conf/CS.cfg' % PKI_INSTANCE_NAME,
installutils.set_directive('/var/lib/pki/%s/conf/ca/CS.cfg' % PKI_INSTANCE_NAME,
directives[nickname],
base64.b64encode(cert),
quotes=False, separator='=')

2
ipaserver/install/installutils.py
View File

@ -47,7 +47,7 @@ from ipalib import errors
from ipapython.dn import DN
# Used to determine install status
IPA_MODULES = ['httpd', 'kadmin', 'dirsrv', 'pki-cad', 'pkids', 'install', 'krb5kdc', 'ntpd', 'named', 'ipa_memcached']
IPA_MODULES = ['httpd', 'kadmin', 'dirsrv', 'pki-tomcatd', 'pkids', 'install', 'krb5kdc', 'ntpd', 'named', 'ipa_memcached']
class BadHostError(Exception):
pass

13
ipaserver/install/service.py
View File

@ -41,6 +41,17 @@ AUTO = 1
ENABLED = 2
DISABLED = 3
# Determine if we have an updated dogtag instance (dogtag 10+) or
# an older one.
dogtag_service = 'pki-cad'
try:
for line in open("/etc/ipa/default.conf", "r"):
if "dogtag_version" in line:
dogtag_service = 'pki-tomcatd'
break
except IOError, e:
pass
# The service name as stored in cn=masters,cn=ipa,cn=etc. In the tuple
# the first value is the *nix service name, the second the start order.
SERVICE_LIST = {
@ -49,7 +60,7 @@ SERVICE_LIST = {
'DNS':('named', 30),
'MEMCACHE':('ipa_memcached', 39),
'HTTP':('httpd', 40),
'CA':('pki-cad', 50),
'CA':(dogtag_service, 50),
'ADTRUST':('smb', 60),
'EXTID':('winbind', 70)
}

2
selinux/ipa_dogtag/ipa_dogtag.fc
View File

@ -1 +1 @@
/var/lib/pki-ca/publish(/.*)? gen_context(system_u:object_r:cert_t,s0)
/var/lib/pki/pki-tomcat/ca/publish(/.*)? gen_context(system_u:object_r:cert_t,s0)