Modifications to install scripts for dogtag 10

Dogtag 10 uses a new installer, new directory layout and new default
ports.  This patch changes the ipa install code to integrate these changes.

https://fedorahosted.org/freeipa/ticket/2846
This commit is contained in:
Ade Lee 2012-08-15 22:53:51 -04:00 committed by Rob Crittenden
parent 79b89f4196
commit 3dd31a8756
20 changed files with 224 additions and 239 deletions

View File

@ -6,22 +6,22 @@ ProxyRequests Off
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange">
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
NSSVerifyClient none
ProxyPassMatch ajp://localhost:9447/
ProxyPassReverse ajp://localhost:9447/
ProxyPassMatch ajp://localhost:8009
ProxyPassReverse ajp://localhost:8009
</LocationMatch>
# matches for admin port
<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML">
# matches for admin port and installer
<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken">
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
NSSVerifyClient none
ProxyPassMatch ajp://localhost:9447/
ProxyPassReverse ajp://localhost:9447/
ProxyPassMatch ajp://localhost:8009
ProxyPassReverse ajp://localhost:8009
</LocationMatch>
# matches for agent port and eeca port
<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
NSSVerifyClient require
ProxyPassMatch ajp://localhost:9447/
ProxyPassReverse ajp://localhost:9447/
ProxyPassMatch ajp://localhost:8009
ProxyPassReverse ajp://localhost:8009
</LocationMatch>

View File

@ -105,8 +105,8 @@ Alias /ipa/config "/usr/share/ipa/html"
# For CRL publishing
Alias /ipa/crl "/var/lib/pki-ca/publish"
<Directory "/var/lib/pki-ca/publish">
Alias /ipa/crl "/var/lib/pki/tomcat-ca/ca/publish"
<Directory "/var/lib/pki/tomcat-ca/ca/publish">
SetHandler None
AllowOverride None
Options Indexes FollowSymLinks

View File

@ -45,8 +45,14 @@ nickname = sys.argv[1]
api.bootstrap(context='restart')
api.finalize()
alias_dir = '/etc/pki/pki-tomcat/alias'
dogtag_instance = 'pki-tomcat'
if 'dogtag_version' not in api.env:
alias_dir = '/var/lib/pki-ca/alias'
dogtag_instance = 'pki-ca'
# Fetch the new certificate
db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias')
db = certs.CertDB(api.env.realm, nssdir=alias_dir)
cert = db.get_cert_from_db(nickname, pem=False)
if not cert:
@ -79,7 +85,7 @@ finally:
# Fix permissions on the audit cert if we're updating it
if nickname == 'auditSigningCert cert-pki-ca':
db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias')
db = certs.CertDB(api.env.realm, nssdir=alias_dir)
args = ['-M',
'-n', nickname,
'-t', 'u,u,Pu',
@ -91,7 +97,9 @@ if nickname == 'auditSigningCert cert-pki-ca':
update_cert_config(nickname, cert)
syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted pki-cad instance pki-ca to renew %s' % nickname)
syslog.syslog(
syslog.LOG_NOTICE, 'certmonger restarted %sd instance %s to renew %s' %
(dogtag_instance, dogtag_instance, nickname))
# We monitor 3 certs that are all likely to be renewed by certmonger more or
# less at the same time. Each cert renewal is going to need to restart
@ -102,6 +110,7 @@ pause = random.randint(10,360)
syslog.syslog(syslog.LOG_NOTICE, 'Pausing %d seconds to restart pki-ca' % pause)
time.sleep(pause)
try:
ipaservices.knownservices.pki_cad.restart('pki-ca')
ipaservices.knownservices.pki_cad.restart(dogtag_instance)
except Exception, e:
syslog.syslog(syslog.LOG_ERR, "Cannot restart pki-cad: %s" % str(e))
syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" % \
(dogtag_instance, str(e)))

View File

@ -30,11 +30,18 @@ nickname = sys.argv[1]
api.bootstrap(context='restart')
api.finalize()
syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted pki-cad, nickname '%s'" % nickname)
alias_dir = '/etc/pki/pki-tomcat/alias'
dogtag_instance = 'pki-tomcat'
if 'dogtag_version' not in api.env:
alias_dir = '/var/lib/pki-ca/alias'
dogtag_instance = 'pki-ca'
syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted %sd, nickname '%s'" % \
(dogtag_instance, nickname))
# Fix permissions on the audit cert if we're updating it
if nickname == 'auditSigningCert cert-pki-ca':
db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias')
db = certs.CertDB(api.env.realm, nssdir = alias_dir )
args = ['-M',
'-n', nickname,
'-t', 'u,u,Pu',
@ -44,7 +51,8 @@ if nickname == 'auditSigningCert cert-pki-ca':
try:
# I've seen times where systemd restart does not actually restart
# the process. A full stop/start is required. This works around that
ipaservices.knownservices.pki_cad.stop('pki-ca')
ipaservices.knownservices.pki_cad.start('pki-ca')
ipaservices.knownservices.pki_cad.stop(dogtag_instance)
ipaservices.knownservices.pki_cad.start(dogtag_instance)
except Exception, e:
syslog.syslog(syslog.LOG_ERR, "Cannot restart pki-cad: %s" % str(e))
syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" % \
(dogtag_instance, str(e)))

View File

@ -156,6 +156,16 @@ def main():
# We need to restart apache as we drop a new config file in there
ipaservices.knownservices.httpd.restart(capture_output=True)
#update dogtag version in config file to denote new instance
try:
fd = open("/etc/ipa/default.conf", "a")
fd.write("dogtag_version=10\n")
fd.close()
except IOError, e:
print "Failed to update /etc/ipa/default.conf"
root_logger.error(str(e))
sys.exit(1)
fail_message = '''
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

View File

@ -80,7 +80,7 @@ class CSReplicationManager(replication.ReplicationManager):
"""
dn = None
cn = None
instance_name = 'pki-ca'
instance_name = 'pki-tomcat'
# if master is not None we know what dn to return:
if master is not None:

View File

@ -376,6 +376,7 @@ def main():
if ipautil.file_exists(config.dir + "/cacert.p12"):
fd.write("enable_ra=True\n")
fd.write("ra_plugin=dogtag\n")
fd.write("dogtag_version=10\n")
fd.write("mode=production\n")
fd.close()
finally:

View File

@ -304,7 +304,7 @@ def main():
if options.reverse_zone and not bindinstance.verify_reverse_zone(options.reverse_zone, options.ip_address):
sys.exit(1)
if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki-ca/conf/CS.cfg") and not options.dirsrv_pin:
if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki/pki-tomcat/conf/ca/CS.cfg") and not options.dirsrv_pin:
sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.")
check_ipa_configuration(api.env.realm)

View File

@ -853,6 +853,7 @@ def main():
fd.write("enable_ra=True\n")
if not options.selfsign:
fd.write("ra_plugin=dogtag\n")
fd.write("dogtag_version=10\n")
fd.write("mode=production\n")
fd.close()

View File

@ -669,12 +669,12 @@
"result": {
"basedn": "dc=dev,dc=example,dc=com",
"bin": "/var/www",
"ca_agent_install_port": 9443,
"ca_agent_install_port": 8443,
"ca_agent_port": 443,
"ca_ee_install_port": 9444,
"ca_ee_install_port": 8443,
"ca_ee_port": 443,
"ca_host": "dev.example.com",
"ca_install_port": 9180,
"ca_install_port": 8080,
"ca_port": 80,
"conf": "/etc/ipa/server.conf",
"conf_default": "/etc/ipa/default.conf",

View File

@ -66,13 +66,13 @@ The following options are relevant for the server:
Specifies the base DN to use when performing LDAP operations. The base must be in DN format (dc=example,dc=com).
.TP
.B ca_agent_port <port>
Specifies the secure CA agent port. The default is 9443.
Specifies the secure CA agent port. The default is 8443.
.TP
.B ca_ee_port <port>
Specifies the secure CA end user port. The default is 9444.
Specifies the secure CA end user port. The default is 8443.
.TP
.B ca_port <port>
Specifies the insecure CA end user port. The default is 9180.
Specifies the insecure CA end user port. The default is 8080.
.TP
.B ca_host <hostname>
Specifies the hostname of the dogtag CA server. The default is the hostname of the IPA server.

View File

@ -141,9 +141,9 @@ DEFAULT_CONFIG = (
('ca_port', 80),
('ca_agent_port', 443),
('ca_ee_port', 443),
('ca_install_port', 9180),
('ca_agent_install_port', 9443),
('ca_ee_install_port', 9444),
('ca_install_port', 8080),
('ca_agent_install_port', 8443),
('ca_ee_install_port', 8443),
# Special CLI:

View File

@ -337,7 +337,7 @@ def get_pin(token):
The caller is expected to handle any exceptions raised.
"""
filename = '/var/lib/pki-ca/conf/password.conf'
filename = '/var/lib/pki/pki-tomcat/conf/password.conf'
with open(filename, 'r') as f:
for line in f:
(tok, pin) = line.split('=', 1)

View File

@ -25,7 +25,7 @@ from ipalib.plugable import MagicDict
wellknownservices = ['certmonger', 'dirsrv', 'httpd', 'ipa', 'krb5kdc',
'messagebus', 'nslcd', 'nscd', 'ntpd', 'portmap',
'rpcbind', 'kadmin', 'sshd', 'autofs', 'rpcgssd',
'rpcidmapd', 'pki_cad']
'rpcidmapd', 'pki_tomcatd', 'pki-cad']
# The common ports for these services. This is used to wait for the
@ -34,7 +34,10 @@ wellknownports = {
'dirsrv@PKI-IPA.service': [7389],
'PKI-IPA': [7389],
'dirsrv': [389], # this is only used if the incoming instance name is blank
'pki-cad': [9180],
'pki-tomcatd@pki-tomcat.service': [8080],
'pki-tomcat': [8080],
'pki-tomcatd': [8080], # used if the incoming instance name is blank
'pki-cad': [9180]
}
class AuthConfig(object):

View File

@ -46,7 +46,7 @@ system_units = dict(map(lambda x: (x, "%s.service" % (x)), base.wellknownservice
system_units['rpcgssd'] = 'nfs-secure.service'
system_units['rpcidmapd'] = 'nfs-idmap.service'
# Rewrite dirsrv and pki-cad services as they support instances via separate
# Rewrite dirsrv and pki-tomcatd services as they support instances via separate
# service generator. To make this working, one needs to have both foo@.servic
# and foo.target -- the latter is used when request should be coming for
# all instances (like stop). systemd, unfortunately, does not allow one
@ -58,9 +58,12 @@ system_units['rpcidmapd'] = 'nfs-idmap.service'
system_units['dirsrv'] = 'dirsrv@.service'
# Our directory server instance for PKI is dirsrv@PKI-IPA.service
system_units['pkids'] = 'dirsrv@PKI-IPA.service'
# Our PKI instance is pki-cad@pki-ca.service
# Old style PKI instance
system_units['pki-cad'] = 'pki-cad@pki-ca.service'
system_units['pki_cad'] = system_units['pki-cad']
# Our PKI instance is pki-tomcatd@pki-tomcat.service
system_units['pki-tomcatd'] = 'pki-tomcatd@pki-tomcat.service'
system_units['pki_tomcatd'] = system_units['pki-tomcatd']
class Fedora16Service(systemd.SystemdService):
def __init__(self, service_name):

View File

@ -41,10 +41,10 @@ class SystemdService(base.PlatformService):
# Short-cut: if there is already exact service name, return it
if self.lib_path_exists and len(instance_name) == 0:
if len(elements) == 1:
# service name is like pki-cad.target or krb5kdc.service
# service name is like pki-tomcatd.target or krb5kdc.service
return self.service_name
if len(elements) > 1 and elements[1][0] != '.':
# Service name is like pki-cad@pki-ca.service and that file exists
# Service name is like pki-tomcatd@pki-tomcat.service and that file exists
return self.service_name
if len(elements) > 1:

View File

@ -65,15 +65,10 @@ PKI_USER = "pkiuser"
PKI_DS_USER = "pkisrv"
# These values come from /usr/share/pki/ca/setup/postinstall
PKI_INSTANCE_NAME="pki-ca"
AGENT_SECURE_PORT=9443
EE_SECURE_PORT=9444
ADMIN_SECURE_PORT=9445
EE_CLIENT_AUTH_PORT=9446
UNSECURE_PORT=9180
TOMCAT_SERVER_PORT=9701
PKI_INSTANCE_NAME="pki-tomcat"
AGENT_SECURE_PORT=8443
IPA_SERVICE_PROFILE = '/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME
IPA_SERVICE_PROFILE = '/var/lib/pki/%s/ca/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME
# We need to reset the template because the CA uses the regular boot
# information
@ -97,9 +92,9 @@ def check_inst():
"""
# Check for a couple of binaries we need
if not os.path.exists('/usr/bin/pkicreate'):
if not os.path.exists('/bin/pkispawn'):
return False
if not os.path.exists('/usr/bin/pkisilent'):
if not os.path.exists('/bin/pkidestroy'):
return False
# This is the template tomcat file for a CA
@ -108,31 +103,6 @@ def check_inst():
return True
def get_preop_pin(instance_root, instance_name):
preop_pin = None
filename = instance_root + "/" + instance_name + "/conf/CS.cfg"
# read the config file and get the preop pin
try:
f=open(filename)
except IOError, e:
root_logger.error("Cannot open configuration file." + str(e))
raise e
data = f.read()
data = data.split('\n')
pattern = re.compile("preop.pin=(.*)" )
for line in data:
match = re.search(pattern, line)
if (match):
preop_pin=match.group(1)
break
if preop_pin is None:
raise RuntimeError("Unable to find preop.pin in %s. Is your CA already configured?" % filename)
return preop_pin
def import_pkcs12(input_file, input_passwd, cert_database,
cert_passwd):
ipautil.run(["/usr/bin/pk12util", "-d", cert_database,
@ -415,7 +385,7 @@ class CADSInstance(service.Service):
'ocspSigningCert cert-pki-ca',
'subsystemCert cert-pki-ca']:
try:
certmonger.stop_tracking('/var/lib/pki-ca/alias', nickname=nickname)
certmonger.stop_tracking('/etc/pki/pki-tomcat/alias', nickname=nickname)
except (ipautil.CalledProcessError, RuntimeError), e:
root_logger.error("certmonger failed to stop tracking certificate: %s" % str(e))
@ -444,7 +414,7 @@ class CAInstance(service.Service):
"""
def __init__(self, realm, ra_db):
service.Service.__init__(self, "pki-cad")
service.Service.__init__(self, "pki-tomcatd")
self.realm = realm
self.dm_password = None
self.admin_password = None
@ -468,7 +438,7 @@ class CAInstance(service.Service):
self.ra_agent_pwd = self.ra_agent_db + "/pwdfile.txt"
self.ds_port = DEFAULT_DSPORT
self.domain_name = "IPA"
self.server_root = "/var/lib"
self.server_root = "/var/lib/pki"
self.ra_cert = None
self.requestId = None
@ -489,8 +459,7 @@ class CAInstance(service.Service):
pkcs12_info=None, master_host=None, csr_file=None,
cert_file=None, cert_chain_file=None,
subject_base=None):
"""Create a CA instance. This may involve creating the pki-ca instance
dogtag instance.
"""Create a CA instance.
To create a clone, pass in pkcs12_info.
@ -523,15 +492,11 @@ class CAInstance(service.Service):
self.external=2
self.step("creating certificate server user", self.__create_ca_user)
if not ipautil.dir_exists("/var/lib/pki-ca"):
self.step("creating pki-ca instance", self.create_instance)
self.step("configuring certificate server instance", self.__configure_instance)
self.step("configuring certificate server instance", self.__spawn_instance)
self.step("disabling nonces", self.__disable_nonce)
# Step 1 of external is getting a CSR so we don't need to do these
# steps until we get a cert back from the external CA.
if self.external != 1:
if not self.clone:
self.step("creating CA agent PKCS#12 file in /root", self.__create_ca_agent_pkcs12)
if self.create_ra_agent_db:
self.step("creating RA agent certificate database", self.__create_ra_agent_db)
self.step("importing CA chain to RA certificate database", self.__import_ca_chain)
@ -555,26 +520,117 @@ class CAInstance(service.Service):
self.start_creation("Configuring certificate server", 210)
def create_instance(self):
def __spawn_instance(self):
"""
If for some reason the instance doesn't exist, create a new one."
Create and configure a new instance using pkispawn.
pkispawn requires a configuration file with the appropriate
values substituted in.
"""
args = ['/usr/bin/pkicreate',
'-pki_instance_root', '/var/lib',
'-pki_instance_name', PKI_INSTANCE_NAME,
'-subsystem_type', 'ca',
'-agent_secure_port', str(AGENT_SECURE_PORT),
'-ee_secure_port', str(EE_SECURE_PORT),
'-admin_secure_port', str(ADMIN_SECURE_PORT),
'-ee_secure_client_auth_port', str(EE_CLIENT_AUTH_PORT),
'-unsecure_port', str(UNSECURE_PORT),
'-tomcat_server_port', str(TOMCAT_SERVER_PORT),
'-redirect', 'conf=/etc/pki-ca',
'-redirect', 'logs=/var/log/pki-ca',
'-enable_proxy'
]
ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn})
# create a new config file for this installation
(cfg_fd, cfg_file) = tempfile.mkstemp()
os.close(cfg_fd)
shutil.copy("/usr/share/pki/deployment/config/pkideployment.cfg",
cfg_file)
pent = pwd.getpwnam(PKI_USER)
os.chown(cfg_file, pent.pw_uid, pent.pw_gid )
replacevars = {
"pki_enable_proxy": "True",
"pki_restart_configured_instance": "False",
"pki_client_database_dir": self.ca_agent_db,
"pki_client_database_password": self.admin_password,
"pki_client_database_purge": "False",
"pki_client_pkcs12_password": self.admin_password,
"pki_security_domain_name": self.domain_name,
"pki_admin_email": "root@localhost",
"pki_admin_password": self.admin_password,
"pki_admin_nickname": "ipa-ca-agent",
"pki_admin_subject_dn": "CN=ipa-ca-agent,%s" % self.subject_base,
"pki_ds_ldap_port": str(self.ds_port),
"pki_ds_password": self.dm_password,
"pki_ds_base_dn": self.basedn,
"pki_ds_database": "ipaca",
"pki_backup_keys": "True",
"pki_backup_password": self.admin_password,
"pki_subsystem_subject_dn": \
"CN=CA Subsystem,%s" % self.subject_base,
"pki_ocsp_signing_subject_dn": \
"CN=OCSP Subsystem,%s" % self.subject_base,
"pki_ssl_server_subject_dn": \
"CN=%s,%s" % (self.fqdn, self.subject_base),
"pki_audit_signing_subject_dn": \
"CN=CA Audit,%s" % self.subject_base,
"pki_ca_signing_subject_dn": \
"CN=Certificate Authority,%s" % self.subject_base,
"pki_subsystem_nickname": "subsystemCert cert-pki-ca",
"pki_ocsp_signing_nickname": "ocspSigningCert cert-pki-ca",
"pki_ssl_server_nickname": "Server-Cert cert-pki-ca",
"pki_audit_signing_nickname": "auditSigningCert cert-pki-ca",
"pki_ca_signing_nickname": "caSigningCert cert-pki-ca"
}
if (self.clone):
cafile = self.pkcs12_info[0]
shutil.copy(cafile, "/tmp/ca.p12")
pent = pwd.getpwnam(PKI_USER)
os.chown("/tmp/ca.p12", pent.pw_uid, pent.pw_gid )
clone_vars = {
"pki_clone_pkcs12_password": self.dm_password,
"pki_clone": "True",
"pki_clone_pkcs12_path": "/tmp/ca.p12",
"pki_security_domain_hostname": self.master_host,
"pki_security_domain_https_port": "443",
"pki_security_domain_password": self.admin_password,
"pki_clone_replication_security": "SSL",
"pki_clone_uri": \
"https://%s" % ipautil.format_netloc(self.master_host, 443)
}
replacevars.update(clone_vars)
if self.external == 1:
external_vars = {
"pki_external": "True",
"pki_external_csr_path": self.csr_file
}
replacevars.update(external_vars)
elif self.external == 2:
external_vars = {
"pki_external": "True",
"pki_external_ca_cert_path": self.cert_file,
"pki_external_ca_cert_chain_path": self.cert_chain_file,
"pki_external_step_two": "True"
}
replacevars.update(external_vars)
ipautil.config_replace_variables(cfg_file, replacevars=replacevars)
# Define the things we don't want logged
nolog = (self.admin_password, self.dm_password,)
args = ["/bin/pkispawn", "-s", "CA", "-f", cfg_file ]
try:
ipautil.run(args, nolog=nolog)
except ipautil.CalledProcessError, e:
root_logger.critical("failed to configure ca instance %s" % e)
raise RuntimeError('Configuration of CA failed')
finally:
os.remove(cfg_file)
if not self.clone:
shutil.move("/var/lib/pki/pki-tomcat/alias/ca_admin_cert.p12", \
"/root/ca-agent.p12")
shutil.move("/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12", \
"/root/cacert.p12")
if self.external == 1:
print "The next step is to get %s signed by your CA and re-run ipa-server-install as:" % self.csr_file
print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate"
sys.exit(0)
root_logger.debug("completed creating ca instance")
def __enable(self):
self.backup_state("enabled", self.is_enabled())
@ -600,110 +656,6 @@ class CAInstance(service.Service):
except ipautil.CalledProcessError, e:
root_logger.critical("failed to add user %s" % e)
def __configure_instance(self):
preop_pin = get_preop_pin(self.server_root, PKI_INSTANCE_NAME)
try:
args = ["/usr/bin/perl", "/usr/bin/pkisilent", "ConfigureCA",
"-cs_hostname", self.fqdn,
"-cs_port", str(ADMIN_SECURE_PORT),
"-client_certdb_dir", self.ca_agent_db,
"-client_certdb_pwd", self.admin_password,
"-preop_pin" , preop_pin,
"-domain_name", self.domain_name,
"-admin_user", "admin",
"-admin_email", "root@localhost",
"-admin_password", self.admin_password,
"-agent_name", "ipa-ca-agent",
"-agent_key_size", "2048",
"-agent_key_type", "rsa",
"-agent_cert_subject", str(DN(('CN', 'ipa-ca-agent'), self.subject_base)),
"-ldap_host", self.fqdn,
"-ldap_port", str(self.ds_port),
"-bind_dn", "cn=Directory Manager",
"-bind_password", self.dm_password,
"-base_dn", str(self.basedn),
"-db_name", "ipaca",
"-key_size", "2048",
"-key_type", "rsa",
"-key_algorithm", "SHA256withRSA",
"-save_p12", "true",
"-backup_pwd", self.admin_password,
"-subsystem_name", self.service_name,
"-token_name", "internal",
"-ca_subsystem_cert_subject_name", str(DN(('CN', 'CA Subsystem'), self.subject_base)),
"-ca_subsystem_cert_subject_name", str(DN(('CN', 'CA Subsystem'), self.subject_base)),
"-ca_ocsp_cert_subject_name", str(DN(('CN', 'OCSP Subsystem'), self.subject_base)),
"-ca_server_cert_subject_name", str(DN(('CN', self.fqdn), self.subject_base)),
"-ca_audit_signing_cert_subject_name", str(DN(('CN', 'CA Audit'), self.subject_base)),
"-ca_sign_cert_subject_name", str(DN(('CN', 'Certificate Authority'), self.subject_base)) ]
if self.external == 1:
args.append("-external")
args.append("true")
args.append("-ext_csr_file")
args.append(self.csr_file)
elif self.external == 2:
args.append("-external")
args.append("true")
args.append("-ext_ca_cert_file")
args.append(self.cert_file)
args.append("-ext_ca_cert_chain_file")
args.append(self.cert_chain_file)
else:
args.append("-external")
args.append("false")
if (self.clone):
"""sd = security domain --> all CS systems get registered to
a security domain. This is set to the hostname and port of
the master CA.
"""
# The install wizard expects the file to be here.
cafile = self.pkcs12_info[0]
shutil.copy(cafile, "/var/lib/pki-ca/alias/ca.p12")
pent = pwd.getpwnam(PKI_USER)
os.chown("/var/lib/pki-ca/alias/ca.p12", pent.pw_uid, pent.pw_gid )
args.append("-clone")
args.append("true")
args.append("-clone_p12_file")
args.append("ca.p12")
args.append("-clone_p12_password")
args.append(self.dm_password)
args.append("-sd_hostname")
args.append(self.master_host)
args.append("-sd_admin_port")
args.append("443")
args.append("-sd_admin_name")
args.append("admin")
args.append("-sd_admin_password")
args.append(self.admin_password)
args.append("-clone_start_tls")
args.append("true")
args.append("-clone_uri")
args.append("https://%s" % ipautil.format_netloc(self.master_host, 443))
else:
args.append("-clone")
args.append("false")
# Define the things we don't want logged
nolog = (self.admin_password, self.dm_password,)
ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn}, nolog=nolog)
except ipautil.CalledProcessError, e:
root_logger.critical("failed to configure ca instance %s" % e)
raise RuntimeError('Configuration of CA failed')
if self.external == 1:
print "The next step is to get %s signed by your CA and re-run ipa-server-install as:" % self.csr_file
print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate"
sys.exit(0)
# pkisilent makes a copy of the CA PKCS#12 file for us but gives
# it a lousy name.
if ipautil.file_exists("/root/tmp-ca.p12"):
shutil.move("/root/tmp-ca.p12", "/root/cacert.p12")
root_logger.debug("completed creating ca instance")
def __restart_instance(self):
try:
self.restart(PKI_INSTANCE_NAME)
@ -713,10 +665,11 @@ class CAInstance(service.Service):
def __disable_nonce(self):
# Turn off Nonces
if installutils.update_file('/var/lib/pki-ca/conf/CS.cfg', 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
cfg_file = '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg'
if installutils.update_file(cfg_file, 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
raise RuntimeError("Disabling nonces failed")
pent = pwd.getpwnam(PKI_USER)
os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
os.chown(cfg_file, pent.pw_uid, pent.pw_gid )
def __issue_ra_cert(self):
# The CA certificate is in the agent DB but isn't trusted
@ -767,7 +720,7 @@ class CAInstance(service.Service):
]
(stdout, stderr, returncode) = ipautil.run(args, nolog=(self.admin_password,))
data = stdout.split('\r\n')
data = stdout.split('\n')
params = get_defList(data)
params['requestId'] = find_substring(data, "requestId")
params['op'] = 'approve'
@ -788,7 +741,7 @@ class CAInstance(service.Service):
]
(stdout, stderr, returncode) = ipautil.run(args, nolog=(self.admin_password,))
data = stdout.split('\r\n')
data = stdout.split('\n')
outputList = get_outputList(data)
self.ra_cert = outputList['b64_cert']
@ -905,20 +858,6 @@ class CAInstance(service.Service):
except Exception, e:
raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
def __create_ca_agent_pkcs12(self):
(pwd_fd, pwd_name) = tempfile.mkstemp()
os.write(pwd_fd, self.admin_password)
os.close(pwd_fd)
try:
ipautil.run(["/usr/bin/pk12util",
"-n", "ipa-ca-agent",
"-o", "/root/ca-agent.p12",
"-d", self.ca_agent_db,
"-k", pwd_name,
"-w", pwd_name])
finally:
os.remove(pwd_name)
def __import_ca_chain(self):
chain = self.__get_ca_chain()
@ -982,7 +921,7 @@ class CAInstance(service.Service):
csr = pkcs10.strip_header(stdout)
# Send the request to the CA
conn = httplib.HTTPConnection(self.fqdn, 9180)
conn = httplib.HTTPConnection(self.fqdn, 8080)
params = urllib.urlencode({'profileId': 'caServerCert',
'cert_request_type': 'pkcs10',
'requestor_name': 'IPA Installer',
@ -1020,7 +959,7 @@ class CAInstance(service.Service):
def __setup_sign_profile(self):
# Tell the profile to automatically issue certs for RAs
installutils.set_directive('/var/lib/pki-ca/profiles/ca/caJarSigningCert.cfg', 'auth.instance_id', 'raCertAuth', quotes=False, separator='=')
installutils.set_directive('/var/lib/pki/pki-tomcat/ca/profiles/ca/caJarSigningCert.cfg', 'auth.instance_id', 'raCertAuth', quotes=False, separator='=')
def __enable_crl_publish(self):
"""
@ -1028,9 +967,9 @@ class CAInstance(service.Service):
http://www.redhat.com/docs/manuals/cert-system/8.0/admin/html/Setting_up_Publishing.html
"""
caconfig = "/var/lib/pki-ca/conf/CS.cfg"
caconfig = "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
publishdir='/var/lib/pki-ca/publish'
publishdir='/var/lib/pki/pki-tomcat/ca/publish'
os.mkdir(publishdir)
os.chmod(publishdir, 0755)
pent = pwd.getpwnam(PKI_USER)
@ -1089,8 +1028,8 @@ class CAInstance(service.Service):
self.disable()
try:
ipautil.run(["/usr/bin/pkiremove", "-pki_instance_root=/var/lib",
"-pki_instance_name=%s" % PKI_INSTANCE_NAME, "--force"])
ipautil.run(["/bin/pkidestroy", "-i", "pki-tomcat",
"-s", "CA"])
except ipautil.CalledProcessError, e:
root_logger.critical("failed to uninstall CA instance %s" % e)
@ -1118,7 +1057,7 @@ class CAInstance(service.Service):
pin = certmonger.get_pin('internal')
except IOError, e:
raise RuntimeError('Unable to determine PIN for CA instance: %s' % str(e))
certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', 'Server-Cert cert-pki-ca', pin, None, '/var/lib/pki-ca/alias', 'restart_pkicad "Server-Cert cert-pki-ca"')
certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', 'Server-Cert cert-pki-ca', pin, None, '/etc/pki/pki-tomcat/alias', 'restart_pkicad "Server-Cert cert-pki-ca"')
def configure_renewal(self):
cmonger = ipaservices.knownservices.certmonger
@ -1135,7 +1074,7 @@ class CAInstance(service.Service):
for nickname in ['auditSigningCert cert-pki-ca',
'ocspSigningCert cert-pki-ca',
'subsystemCert cert-pki-ca']:
certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', nickname, pin, None, '/var/lib/pki-ca/alias', 'renew_ca_cert "%s"' % nickname)
certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', nickname, pin, None, '/etc/pki/pki-tomcat/alias', 'renew_ca_cert "%s"' % nickname)
# Set up the agent cert for renewal
certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', 'ipaCert', None, '/etc/httpd/alias/pwdfile.txt', '/etc/httpd/alias', 'renew_ra_cert')
@ -1179,7 +1118,7 @@ class CAInstance(service.Service):
for nickname in ['auditSigningCert cert-pki-ca',
'ocspSigningCert cert-pki-ca',
'subsystemCert cert-pki-ca']:
certmonger.dogtag_start_tracking('dogtag-ipa-retrieve-agent-submit', nickname, pin, None, '/var/lib/pki-ca/alias', 'restart_pkicad "%s"' % nickname)
certmonger.dogtag_start_tracking('dogtag-ipa-retrieve-agent-submit', nickname, pin, None, '/etc/pki/pki-tomcat/alias', 'restart_pkicad "%s"' % nickname)
# The agent renewal is configured in import_ra_cert which is called
# after the HTTP instance is created.
@ -1191,7 +1130,7 @@ class CAInstance(service.Service):
setlist = installutils.get_directive(IPA_SERVICE_PROFILE,
'policyset.serverCertSet.list', separator='=')
# this is the default setting from pki-ca. Don't touch it if a user
# this is the default setting from pki-tomcat. Don't touch it if a user
# has manually modified it.
if setlist == '1,2,3,4,5,6,7,8':
installutils.set_directive(IPA_SERVICE_PROFILE,
@ -1234,7 +1173,7 @@ class CAInstance(service.Service):
responsibility to handle changes on upgrades.
"""
master = installutils.get_directive(
'/var/lib/pki-ca/conf/CS.cfg', 'subsystem.select', '=')
'/var/lib/pki/pki-tomcat/conf/ca/CS.cfg', 'subsystem.select', '=')
return master == 'New'
@ -1301,10 +1240,10 @@ def install_replica_ca(config, postinstall=False):
# unix service.
service.print_msg("Restarting the directory and certificate servers")
ca.stop()
ca.stop(PKI_INSTANCE_NAME)
ipaservices.knownservices.dirsrv.stop("PKI-IPA")
ipaservices.knownservices.dirsrv.start("PKI-IPA")
ca.start()
ca.start(PKI_INSTANCE_NAME)
return (ca, cs)
@ -1323,7 +1262,7 @@ def update_cert_config(nickname, cert):
'subsystemCert cert-pki-ca': 'ca.subsystem.cert',
'Server-Cert cert-pki-ca': 'ca.sslserver.cert' }
installutils.set_directive('/var/lib/%s/conf/CS.cfg' % PKI_INSTANCE_NAME,
installutils.set_directive('/var/lib/pki/%s/conf/ca/CS.cfg' % PKI_INSTANCE_NAME,
directives[nickname],
base64.b64encode(cert),
quotes=False, separator='=')

View File

@ -47,7 +47,7 @@ from ipalib import errors
from ipapython.dn import DN
# Used to determine install status
IPA_MODULES = ['httpd', 'kadmin', 'dirsrv', 'pki-cad', 'pkids', 'install', 'krb5kdc', 'ntpd', 'named', 'ipa_memcached']
IPA_MODULES = ['httpd', 'kadmin', 'dirsrv', 'pki-tomcatd', 'pkids', 'install', 'krb5kdc', 'ntpd', 'named', 'ipa_memcached']
class BadHostError(Exception):
pass

View File

@ -41,6 +41,17 @@ AUTO = 1
ENABLED = 2
DISABLED = 3
# Determine if we have an updated dogtag instance (dogtag 10+) or
# an older one.
dogtag_service = 'pki-cad'
try:
for line in open("/etc/ipa/default.conf", "r"):
if "dogtag_version" in line:
dogtag_service = 'pki-tomcatd'
break
except IOError, e:
pass
# The service name as stored in cn=masters,cn=ipa,cn=etc. In the tuple
# the first value is the *nix service name, the second the start order.
SERVICE_LIST = {
@ -49,7 +60,7 @@ SERVICE_LIST = {
'DNS':('named', 30),
'MEMCACHE':('ipa_memcached', 39),
'HTTP':('httpd', 40),
'CA':('pki-cad', 50),
'CA':(dogtag_service, 50),
'ADTRUST':('smb', 60),
'EXTID':('winbind', 70)
}

View File

@ -1 +1 @@
/var/lib/pki-ca/publish(/.*)? gen_context(system_u:object_r:cert_t,s0)
/var/lib/pki/pki-tomcat/ca/publish(/.*)? gen_context(system_u:object_r:cert_t,s0)