mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
Modifications to install scripts for dogtag 10
Dogtag 10 uses a new installer, new directory layout and new default ports. This patch changes the ipa install code to integrate these changes. https://fedorahosted.org/freeipa/ticket/2846
This commit is contained in:
parent
79b89f4196
commit
3dd31a8756
@ -6,22 +6,22 @@ ProxyRequests Off
|
||||
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange">
|
||||
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
|
||||
NSSVerifyClient none
|
||||
ProxyPassMatch ajp://localhost:9447/
|
||||
ProxyPassReverse ajp://localhost:9447/
|
||||
ProxyPassMatch ajp://localhost:8009
|
||||
ProxyPassReverse ajp://localhost:8009
|
||||
</LocationMatch>
|
||||
|
||||
# matches for admin port
|
||||
<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML">
|
||||
# matches for admin port and installer
|
||||
<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken">
|
||||
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
|
||||
NSSVerifyClient none
|
||||
ProxyPassMatch ajp://localhost:9447/
|
||||
ProxyPassReverse ajp://localhost:9447/
|
||||
ProxyPassMatch ajp://localhost:8009
|
||||
ProxyPassReverse ajp://localhost:8009
|
||||
</LocationMatch>
|
||||
|
||||
# matches for agent port and eeca port
|
||||
<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
|
||||
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
|
||||
NSSVerifyClient require
|
||||
ProxyPassMatch ajp://localhost:9447/
|
||||
ProxyPassReverse ajp://localhost:9447/
|
||||
ProxyPassMatch ajp://localhost:8009
|
||||
ProxyPassReverse ajp://localhost:8009
|
||||
</LocationMatch>
|
||||
|
@ -105,8 +105,8 @@ Alias /ipa/config "/usr/share/ipa/html"
|
||||
|
||||
|
||||
# For CRL publishing
|
||||
Alias /ipa/crl "/var/lib/pki-ca/publish"
|
||||
<Directory "/var/lib/pki-ca/publish">
|
||||
Alias /ipa/crl "/var/lib/pki/tomcat-ca/ca/publish"
|
||||
<Directory "/var/lib/pki/tomcat-ca/ca/publish">
|
||||
SetHandler None
|
||||
AllowOverride None
|
||||
Options Indexes FollowSymLinks
|
||||
|
@ -45,8 +45,14 @@ nickname = sys.argv[1]
|
||||
api.bootstrap(context='restart')
|
||||
api.finalize()
|
||||
|
||||
alias_dir = '/etc/pki/pki-tomcat/alias'
|
||||
dogtag_instance = 'pki-tomcat'
|
||||
if 'dogtag_version' not in api.env:
|
||||
alias_dir = '/var/lib/pki-ca/alias'
|
||||
dogtag_instance = 'pki-ca'
|
||||
|
||||
# Fetch the new certificate
|
||||
db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias')
|
||||
db = certs.CertDB(api.env.realm, nssdir=alias_dir)
|
||||
cert = db.get_cert_from_db(nickname, pem=False)
|
||||
|
||||
if not cert:
|
||||
@ -79,7 +85,7 @@ finally:
|
||||
|
||||
# Fix permissions on the audit cert if we're updating it
|
||||
if nickname == 'auditSigningCert cert-pki-ca':
|
||||
db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias')
|
||||
db = certs.CertDB(api.env.realm, nssdir=alias_dir)
|
||||
args = ['-M',
|
||||
'-n', nickname,
|
||||
'-t', 'u,u,Pu',
|
||||
@ -91,7 +97,9 @@ if nickname == 'auditSigningCert cert-pki-ca':
|
||||
|
||||
update_cert_config(nickname, cert)
|
||||
|
||||
syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted pki-cad instance pki-ca to renew %s' % nickname)
|
||||
syslog.syslog(
|
||||
syslog.LOG_NOTICE, 'certmonger restarted %sd instance %s to renew %s' %
|
||||
(dogtag_instance, dogtag_instance, nickname))
|
||||
|
||||
# We monitor 3 certs that are all likely to be renewed by certmonger more or
|
||||
# less at the same time. Each cert renewal is going to need to restart
|
||||
@ -102,6 +110,7 @@ pause = random.randint(10,360)
|
||||
syslog.syslog(syslog.LOG_NOTICE, 'Pausing %d seconds to restart pki-ca' % pause)
|
||||
time.sleep(pause)
|
||||
try:
|
||||
ipaservices.knownservices.pki_cad.restart('pki-ca')
|
||||
ipaservices.knownservices.pki_cad.restart(dogtag_instance)
|
||||
except Exception, e:
|
||||
syslog.syslog(syslog.LOG_ERR, "Cannot restart pki-cad: %s" % str(e))
|
||||
syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" % \
|
||||
(dogtag_instance, str(e)))
|
||||
|
@ -30,11 +30,18 @@ nickname = sys.argv[1]
|
||||
api.bootstrap(context='restart')
|
||||
api.finalize()
|
||||
|
||||
syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted pki-cad, nickname '%s'" % nickname)
|
||||
alias_dir = '/etc/pki/pki-tomcat/alias'
|
||||
dogtag_instance = 'pki-tomcat'
|
||||
if 'dogtag_version' not in api.env:
|
||||
alias_dir = '/var/lib/pki-ca/alias'
|
||||
dogtag_instance = 'pki-ca'
|
||||
|
||||
syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted %sd, nickname '%s'" % \
|
||||
(dogtag_instance, nickname))
|
||||
|
||||
# Fix permissions on the audit cert if we're updating it
|
||||
if nickname == 'auditSigningCert cert-pki-ca':
|
||||
db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias')
|
||||
db = certs.CertDB(api.env.realm, nssdir = alias_dir )
|
||||
args = ['-M',
|
||||
'-n', nickname,
|
||||
'-t', 'u,u,Pu',
|
||||
@ -44,7 +51,8 @@ if nickname == 'auditSigningCert cert-pki-ca':
|
||||
try:
|
||||
# I've seen times where systemd restart does not actually restart
|
||||
# the process. A full stop/start is required. This works around that
|
||||
ipaservices.knownservices.pki_cad.stop('pki-ca')
|
||||
ipaservices.knownservices.pki_cad.start('pki-ca')
|
||||
ipaservices.knownservices.pki_cad.stop(dogtag_instance)
|
||||
ipaservices.knownservices.pki_cad.start(dogtag_instance)
|
||||
except Exception, e:
|
||||
syslog.syslog(syslog.LOG_ERR, "Cannot restart pki-cad: %s" % str(e))
|
||||
syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" % \
|
||||
(dogtag_instance, str(e)))
|
||||
|
@ -156,6 +156,16 @@ def main():
|
||||
# We need to restart apache as we drop a new config file in there
|
||||
ipaservices.knownservices.httpd.restart(capture_output=True)
|
||||
|
||||
#update dogtag version in config file to denote new instance
|
||||
try:
|
||||
fd = open("/etc/ipa/default.conf", "a")
|
||||
fd.write("dogtag_version=10\n")
|
||||
fd.close()
|
||||
except IOError, e:
|
||||
print "Failed to update /etc/ipa/default.conf"
|
||||
root_logger.error(str(e))
|
||||
sys.exit(1)
|
||||
|
||||
fail_message = '''
|
||||
Your system may be partly configured.
|
||||
Run /usr/sbin/ipa-server-install --uninstall to clean up.
|
||||
|
@ -80,7 +80,7 @@ class CSReplicationManager(replication.ReplicationManager):
|
||||
"""
|
||||
dn = None
|
||||
cn = None
|
||||
instance_name = 'pki-ca'
|
||||
instance_name = 'pki-tomcat'
|
||||
|
||||
# if master is not None we know what dn to return:
|
||||
if master is not None:
|
||||
|
@ -376,6 +376,7 @@ def main():
|
||||
if ipautil.file_exists(config.dir + "/cacert.p12"):
|
||||
fd.write("enable_ra=True\n")
|
||||
fd.write("ra_plugin=dogtag\n")
|
||||
fd.write("dogtag_version=10\n")
|
||||
fd.write("mode=production\n")
|
||||
fd.close()
|
||||
finally:
|
||||
|
@ -304,7 +304,7 @@ def main():
|
||||
if options.reverse_zone and not bindinstance.verify_reverse_zone(options.reverse_zone, options.ip_address):
|
||||
sys.exit(1)
|
||||
|
||||
if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki-ca/conf/CS.cfg") and not options.dirsrv_pin:
|
||||
if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki/pki-tomcat/conf/ca/CS.cfg") and not options.dirsrv_pin:
|
||||
sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.")
|
||||
|
||||
check_ipa_configuration(api.env.realm)
|
||||
|
@ -853,6 +853,7 @@ def main():
|
||||
fd.write("enable_ra=True\n")
|
||||
if not options.selfsign:
|
||||
fd.write("ra_plugin=dogtag\n")
|
||||
fd.write("dogtag_version=10\n")
|
||||
fd.write("mode=production\n")
|
||||
fd.close()
|
||||
|
||||
|
@ -669,12 +669,12 @@
|
||||
"result": {
|
||||
"basedn": "dc=dev,dc=example,dc=com",
|
||||
"bin": "/var/www",
|
||||
"ca_agent_install_port": 9443,
|
||||
"ca_agent_install_port": 8443,
|
||||
"ca_agent_port": 443,
|
||||
"ca_ee_install_port": 9444,
|
||||
"ca_ee_install_port": 8443,
|
||||
"ca_ee_port": 443,
|
||||
"ca_host": "dev.example.com",
|
||||
"ca_install_port": 9180,
|
||||
"ca_install_port": 8080,
|
||||
"ca_port": 80,
|
||||
"conf": "/etc/ipa/server.conf",
|
||||
"conf_default": "/etc/ipa/default.conf",
|
||||
|
@ -66,13 +66,13 @@ The following options are relevant for the server:
|
||||
Specifies the base DN to use when performing LDAP operations. The base must be in DN format (dc=example,dc=com).
|
||||
.TP
|
||||
.B ca_agent_port <port>
|
||||
Specifies the secure CA agent port. The default is 9443.
|
||||
Specifies the secure CA agent port. The default is 8443.
|
||||
.TP
|
||||
.B ca_ee_port <port>
|
||||
Specifies the secure CA end user port. The default is 9444.
|
||||
Specifies the secure CA end user port. The default is 8443.
|
||||
.TP
|
||||
.B ca_port <port>
|
||||
Specifies the insecure CA end user port. The default is 9180.
|
||||
Specifies the insecure CA end user port. The default is 8080.
|
||||
.TP
|
||||
.B ca_host <hostname>
|
||||
Specifies the hostname of the dogtag CA server. The default is the hostname of the IPA server.
|
||||
|
@ -141,9 +141,9 @@ DEFAULT_CONFIG = (
|
||||
('ca_port', 80),
|
||||
('ca_agent_port', 443),
|
||||
('ca_ee_port', 443),
|
||||
('ca_install_port', 9180),
|
||||
('ca_agent_install_port', 9443),
|
||||
('ca_ee_install_port', 9444),
|
||||
('ca_install_port', 8080),
|
||||
('ca_agent_install_port', 8443),
|
||||
('ca_ee_install_port', 8443),
|
||||
|
||||
|
||||
# Special CLI:
|
||||
|
@ -337,7 +337,7 @@ def get_pin(token):
|
||||
|
||||
The caller is expected to handle any exceptions raised.
|
||||
"""
|
||||
filename = '/var/lib/pki-ca/conf/password.conf'
|
||||
filename = '/var/lib/pki/pki-tomcat/conf/password.conf'
|
||||
with open(filename, 'r') as f:
|
||||
for line in f:
|
||||
(tok, pin) = line.split('=', 1)
|
||||
|
@ -25,7 +25,7 @@ from ipalib.plugable import MagicDict
|
||||
wellknownservices = ['certmonger', 'dirsrv', 'httpd', 'ipa', 'krb5kdc',
|
||||
'messagebus', 'nslcd', 'nscd', 'ntpd', 'portmap',
|
||||
'rpcbind', 'kadmin', 'sshd', 'autofs', 'rpcgssd',
|
||||
'rpcidmapd', 'pki_cad']
|
||||
'rpcidmapd', 'pki_tomcatd', 'pki-cad']
|
||||
|
||||
|
||||
# The common ports for these services. This is used to wait for the
|
||||
@ -34,7 +34,10 @@ wellknownports = {
|
||||
'dirsrv@PKI-IPA.service': [7389],
|
||||
'PKI-IPA': [7389],
|
||||
'dirsrv': [389], # this is only used if the incoming instance name is blank
|
||||
'pki-cad': [9180],
|
||||
'pki-tomcatd@pki-tomcat.service': [8080],
|
||||
'pki-tomcat': [8080],
|
||||
'pki-tomcatd': [8080], # used if the incoming instance name is blank
|
||||
'pki-cad': [9180]
|
||||
}
|
||||
|
||||
class AuthConfig(object):
|
||||
|
@ -46,7 +46,7 @@ system_units = dict(map(lambda x: (x, "%s.service" % (x)), base.wellknownservice
|
||||
system_units['rpcgssd'] = 'nfs-secure.service'
|
||||
system_units['rpcidmapd'] = 'nfs-idmap.service'
|
||||
|
||||
# Rewrite dirsrv and pki-cad services as they support instances via separate
|
||||
# Rewrite dirsrv and pki-tomcatd services as they support instances via separate
|
||||
# service generator. To make this working, one needs to have both foo@.servic
|
||||
# and foo.target -- the latter is used when request should be coming for
|
||||
# all instances (like stop). systemd, unfortunately, does not allow one
|
||||
@ -58,9 +58,12 @@ system_units['rpcidmapd'] = 'nfs-idmap.service'
|
||||
system_units['dirsrv'] = 'dirsrv@.service'
|
||||
# Our directory server instance for PKI is dirsrv@PKI-IPA.service
|
||||
system_units['pkids'] = 'dirsrv@PKI-IPA.service'
|
||||
# Our PKI instance is pki-cad@pki-ca.service
|
||||
# Old style PKI instance
|
||||
system_units['pki-cad'] = 'pki-cad@pki-ca.service'
|
||||
system_units['pki_cad'] = system_units['pki-cad']
|
||||
# Our PKI instance is pki-tomcatd@pki-tomcat.service
|
||||
system_units['pki-tomcatd'] = 'pki-tomcatd@pki-tomcat.service'
|
||||
system_units['pki_tomcatd'] = system_units['pki-tomcatd']
|
||||
|
||||
class Fedora16Service(systemd.SystemdService):
|
||||
def __init__(self, service_name):
|
||||
|
@ -41,10 +41,10 @@ class SystemdService(base.PlatformService):
|
||||
# Short-cut: if there is already exact service name, return it
|
||||
if self.lib_path_exists and len(instance_name) == 0:
|
||||
if len(elements) == 1:
|
||||
# service name is like pki-cad.target or krb5kdc.service
|
||||
# service name is like pki-tomcatd.target or krb5kdc.service
|
||||
return self.service_name
|
||||
if len(elements) > 1 and elements[1][0] != '.':
|
||||
# Service name is like pki-cad@pki-ca.service and that file exists
|
||||
# Service name is like pki-tomcatd@pki-tomcat.service and that file exists
|
||||
return self.service_name
|
||||
|
||||
if len(elements) > 1:
|
||||
|
@ -65,15 +65,10 @@ PKI_USER = "pkiuser"
|
||||
PKI_DS_USER = "pkisrv"
|
||||
|
||||
# These values come from /usr/share/pki/ca/setup/postinstall
|
||||
PKI_INSTANCE_NAME="pki-ca"
|
||||
AGENT_SECURE_PORT=9443
|
||||
EE_SECURE_PORT=9444
|
||||
ADMIN_SECURE_PORT=9445
|
||||
EE_CLIENT_AUTH_PORT=9446
|
||||
UNSECURE_PORT=9180
|
||||
TOMCAT_SERVER_PORT=9701
|
||||
PKI_INSTANCE_NAME="pki-tomcat"
|
||||
AGENT_SECURE_PORT=8443
|
||||
|
||||
IPA_SERVICE_PROFILE = '/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME
|
||||
IPA_SERVICE_PROFILE = '/var/lib/pki/%s/ca/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME
|
||||
|
||||
# We need to reset the template because the CA uses the regular boot
|
||||
# information
|
||||
@ -97,9 +92,9 @@ def check_inst():
|
||||
"""
|
||||
|
||||
# Check for a couple of binaries we need
|
||||
if not os.path.exists('/usr/bin/pkicreate'):
|
||||
if not os.path.exists('/bin/pkispawn'):
|
||||
return False
|
||||
if not os.path.exists('/usr/bin/pkisilent'):
|
||||
if not os.path.exists('/bin/pkidestroy'):
|
||||
return False
|
||||
|
||||
# This is the template tomcat file for a CA
|
||||
@ -108,31 +103,6 @@ def check_inst():
|
||||
|
||||
return True
|
||||
|
||||
def get_preop_pin(instance_root, instance_name):
|
||||
preop_pin = None
|
||||
|
||||
filename = instance_root + "/" + instance_name + "/conf/CS.cfg"
|
||||
|
||||
# read the config file and get the preop pin
|
||||
try:
|
||||
f=open(filename)
|
||||
except IOError, e:
|
||||
root_logger.error("Cannot open configuration file." + str(e))
|
||||
raise e
|
||||
data = f.read()
|
||||
data = data.split('\n')
|
||||
pattern = re.compile("preop.pin=(.*)" )
|
||||
for line in data:
|
||||
match = re.search(pattern, line)
|
||||
if (match):
|
||||
preop_pin=match.group(1)
|
||||
break
|
||||
|
||||
if preop_pin is None:
|
||||
raise RuntimeError("Unable to find preop.pin in %s. Is your CA already configured?" % filename)
|
||||
|
||||
return preop_pin
|
||||
|
||||
def import_pkcs12(input_file, input_passwd, cert_database,
|
||||
cert_passwd):
|
||||
ipautil.run(["/usr/bin/pk12util", "-d", cert_database,
|
||||
@ -415,7 +385,7 @@ class CADSInstance(service.Service):
|
||||
'ocspSigningCert cert-pki-ca',
|
||||
'subsystemCert cert-pki-ca']:
|
||||
try:
|
||||
certmonger.stop_tracking('/var/lib/pki-ca/alias', nickname=nickname)
|
||||
certmonger.stop_tracking('/etc/pki/pki-tomcat/alias', nickname=nickname)
|
||||
except (ipautil.CalledProcessError, RuntimeError), e:
|
||||
root_logger.error("certmonger failed to stop tracking certificate: %s" % str(e))
|
||||
|
||||
@ -444,7 +414,7 @@ class CAInstance(service.Service):
|
||||
"""
|
||||
|
||||
def __init__(self, realm, ra_db):
|
||||
service.Service.__init__(self, "pki-cad")
|
||||
service.Service.__init__(self, "pki-tomcatd")
|
||||
self.realm = realm
|
||||
self.dm_password = None
|
||||
self.admin_password = None
|
||||
@ -468,7 +438,7 @@ class CAInstance(service.Service):
|
||||
self.ra_agent_pwd = self.ra_agent_db + "/pwdfile.txt"
|
||||
self.ds_port = DEFAULT_DSPORT
|
||||
self.domain_name = "IPA"
|
||||
self.server_root = "/var/lib"
|
||||
self.server_root = "/var/lib/pki"
|
||||
self.ra_cert = None
|
||||
self.requestId = None
|
||||
|
||||
@ -489,8 +459,7 @@ class CAInstance(service.Service):
|
||||
pkcs12_info=None, master_host=None, csr_file=None,
|
||||
cert_file=None, cert_chain_file=None,
|
||||
subject_base=None):
|
||||
"""Create a CA instance. This may involve creating the pki-ca instance
|
||||
dogtag instance.
|
||||
"""Create a CA instance.
|
||||
|
||||
To create a clone, pass in pkcs12_info.
|
||||
|
||||
@ -523,15 +492,11 @@ class CAInstance(service.Service):
|
||||
self.external=2
|
||||
|
||||
self.step("creating certificate server user", self.__create_ca_user)
|
||||
if not ipautil.dir_exists("/var/lib/pki-ca"):
|
||||
self.step("creating pki-ca instance", self.create_instance)
|
||||
self.step("configuring certificate server instance", self.__configure_instance)
|
||||
self.step("configuring certificate server instance", self.__spawn_instance)
|
||||
self.step("disabling nonces", self.__disable_nonce)
|
||||
# Step 1 of external is getting a CSR so we don't need to do these
|
||||
# steps until we get a cert back from the external CA.
|
||||
if self.external != 1:
|
||||
if not self.clone:
|
||||
self.step("creating CA agent PKCS#12 file in /root", self.__create_ca_agent_pkcs12)
|
||||
if self.create_ra_agent_db:
|
||||
self.step("creating RA agent certificate database", self.__create_ra_agent_db)
|
||||
self.step("importing CA chain to RA certificate database", self.__import_ca_chain)
|
||||
@ -555,26 +520,117 @@ class CAInstance(service.Service):
|
||||
|
||||
self.start_creation("Configuring certificate server", 210)
|
||||
|
||||
def create_instance(self):
|
||||
def __spawn_instance(self):
|
||||
"""
|
||||
If for some reason the instance doesn't exist, create a new one."
|
||||
Create and configure a new instance using pkispawn.
|
||||
pkispawn requires a configuration file with the appropriate
|
||||
values substituted in.
|
||||
"""
|
||||
|
||||
args = ['/usr/bin/pkicreate',
|
||||
'-pki_instance_root', '/var/lib',
|
||||
'-pki_instance_name', PKI_INSTANCE_NAME,
|
||||
'-subsystem_type', 'ca',
|
||||
'-agent_secure_port', str(AGENT_SECURE_PORT),
|
||||
'-ee_secure_port', str(EE_SECURE_PORT),
|
||||
'-admin_secure_port', str(ADMIN_SECURE_PORT),
|
||||
'-ee_secure_client_auth_port', str(EE_CLIENT_AUTH_PORT),
|
||||
'-unsecure_port', str(UNSECURE_PORT),
|
||||
'-tomcat_server_port', str(TOMCAT_SERVER_PORT),
|
||||
'-redirect', 'conf=/etc/pki-ca',
|
||||
'-redirect', 'logs=/var/log/pki-ca',
|
||||
'-enable_proxy'
|
||||
]
|
||||
ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn})
|
||||
# create a new config file for this installation
|
||||
(cfg_fd, cfg_file) = tempfile.mkstemp()
|
||||
os.close(cfg_fd)
|
||||
shutil.copy("/usr/share/pki/deployment/config/pkideployment.cfg",
|
||||
cfg_file)
|
||||
pent = pwd.getpwnam(PKI_USER)
|
||||
os.chown(cfg_file, pent.pw_uid, pent.pw_gid )
|
||||
replacevars = {
|
||||
"pki_enable_proxy": "True",
|
||||
"pki_restart_configured_instance": "False",
|
||||
"pki_client_database_dir": self.ca_agent_db,
|
||||
"pki_client_database_password": self.admin_password,
|
||||
"pki_client_database_purge": "False",
|
||||
"pki_client_pkcs12_password": self.admin_password,
|
||||
"pki_security_domain_name": self.domain_name,
|
||||
"pki_admin_email": "root@localhost",
|
||||
"pki_admin_password": self.admin_password,
|
||||
"pki_admin_nickname": "ipa-ca-agent",
|
||||
"pki_admin_subject_dn": "CN=ipa-ca-agent,%s" % self.subject_base,
|
||||
"pki_ds_ldap_port": str(self.ds_port),
|
||||
"pki_ds_password": self.dm_password,
|
||||
"pki_ds_base_dn": self.basedn,
|
||||
"pki_ds_database": "ipaca",
|
||||
"pki_backup_keys": "True",
|
||||
"pki_backup_password": self.admin_password,
|
||||
"pki_subsystem_subject_dn": \
|
||||
"CN=CA Subsystem,%s" % self.subject_base,
|
||||
"pki_ocsp_signing_subject_dn": \
|
||||
"CN=OCSP Subsystem,%s" % self.subject_base,
|
||||
"pki_ssl_server_subject_dn": \
|
||||
"CN=%s,%s" % (self.fqdn, self.subject_base),
|
||||
"pki_audit_signing_subject_dn": \
|
||||
"CN=CA Audit,%s" % self.subject_base,
|
||||
"pki_ca_signing_subject_dn": \
|
||||
"CN=Certificate Authority,%s" % self.subject_base,
|
||||
"pki_subsystem_nickname": "subsystemCert cert-pki-ca",
|
||||
"pki_ocsp_signing_nickname": "ocspSigningCert cert-pki-ca",
|
||||
"pki_ssl_server_nickname": "Server-Cert cert-pki-ca",
|
||||
"pki_audit_signing_nickname": "auditSigningCert cert-pki-ca",
|
||||
"pki_ca_signing_nickname": "caSigningCert cert-pki-ca"
|
||||
}
|
||||
|
||||
if (self.clone):
|
||||
cafile = self.pkcs12_info[0]
|
||||
shutil.copy(cafile, "/tmp/ca.p12")
|
||||
pent = pwd.getpwnam(PKI_USER)
|
||||
os.chown("/tmp/ca.p12", pent.pw_uid, pent.pw_gid )
|
||||
|
||||
clone_vars = {
|
||||
"pki_clone_pkcs12_password": self.dm_password,
|
||||
"pki_clone": "True",
|
||||
"pki_clone_pkcs12_path": "/tmp/ca.p12",
|
||||
"pki_security_domain_hostname": self.master_host,
|
||||
"pki_security_domain_https_port": "443",
|
||||
"pki_security_domain_password": self.admin_password,
|
||||
"pki_clone_replication_security": "SSL",
|
||||
"pki_clone_uri": \
|
||||
"https://%s" % ipautil.format_netloc(self.master_host, 443)
|
||||
}
|
||||
replacevars.update(clone_vars)
|
||||
|
||||
if self.external == 1:
|
||||
external_vars = {
|
||||
"pki_external": "True",
|
||||
"pki_external_csr_path": self.csr_file
|
||||
}
|
||||
replacevars.update(external_vars)
|
||||
elif self.external == 2:
|
||||
external_vars = {
|
||||
"pki_external": "True",
|
||||
"pki_external_ca_cert_path": self.cert_file,
|
||||
"pki_external_ca_cert_chain_path": self.cert_chain_file,
|
||||
"pki_external_step_two": "True"
|
||||
}
|
||||
replacevars.update(external_vars)
|
||||
|
||||
ipautil.config_replace_variables(cfg_file, replacevars=replacevars)
|
||||
|
||||
# Define the things we don't want logged
|
||||
nolog = (self.admin_password, self.dm_password,)
|
||||
|
||||
args = ["/bin/pkispawn", "-s", "CA", "-f", cfg_file ]
|
||||
|
||||
try:
|
||||
ipautil.run(args, nolog=nolog)
|
||||
except ipautil.CalledProcessError, e:
|
||||
root_logger.critical("failed to configure ca instance %s" % e)
|
||||
raise RuntimeError('Configuration of CA failed')
|
||||
finally:
|
||||
os.remove(cfg_file)
|
||||
|
||||
if not self.clone:
|
||||
shutil.move("/var/lib/pki/pki-tomcat/alias/ca_admin_cert.p12", \
|
||||
"/root/ca-agent.p12")
|
||||
shutil.move("/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12", \
|
||||
"/root/cacert.p12")
|
||||
|
||||
if self.external == 1:
|
||||
print "The next step is to get %s signed by your CA and re-run ipa-server-install as:" % self.csr_file
|
||||
print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate"
|
||||
sys.exit(0)
|
||||
|
||||
root_logger.debug("completed creating ca instance")
|
||||
|
||||
|
||||
def __enable(self):
|
||||
self.backup_state("enabled", self.is_enabled())
|
||||
@ -600,110 +656,6 @@ class CAInstance(service.Service):
|
||||
except ipautil.CalledProcessError, e:
|
||||
root_logger.critical("failed to add user %s" % e)
|
||||
|
||||
def __configure_instance(self):
|
||||
preop_pin = get_preop_pin(self.server_root, PKI_INSTANCE_NAME)
|
||||
|
||||
try:
|
||||
args = ["/usr/bin/perl", "/usr/bin/pkisilent", "ConfigureCA",
|
||||
"-cs_hostname", self.fqdn,
|
||||
"-cs_port", str(ADMIN_SECURE_PORT),
|
||||
"-client_certdb_dir", self.ca_agent_db,
|
||||
"-client_certdb_pwd", self.admin_password,
|
||||
"-preop_pin" , preop_pin,
|
||||
"-domain_name", self.domain_name,
|
||||
"-admin_user", "admin",
|
||||
"-admin_email", "root@localhost",
|
||||
"-admin_password", self.admin_password,
|
||||
"-agent_name", "ipa-ca-agent",
|
||||
"-agent_key_size", "2048",
|
||||
"-agent_key_type", "rsa",
|
||||
"-agent_cert_subject", str(DN(('CN', 'ipa-ca-agent'), self.subject_base)),
|
||||
"-ldap_host", self.fqdn,
|
||||
"-ldap_port", str(self.ds_port),
|
||||
"-bind_dn", "cn=Directory Manager",
|
||||
"-bind_password", self.dm_password,
|
||||
"-base_dn", str(self.basedn),
|
||||
"-db_name", "ipaca",
|
||||
"-key_size", "2048",
|
||||
"-key_type", "rsa",
|
||||
"-key_algorithm", "SHA256withRSA",
|
||||
"-save_p12", "true",
|
||||
"-backup_pwd", self.admin_password,
|
||||
"-subsystem_name", self.service_name,
|
||||
"-token_name", "internal",
|
||||
"-ca_subsystem_cert_subject_name", str(DN(('CN', 'CA Subsystem'), self.subject_base)),
|
||||
"-ca_subsystem_cert_subject_name", str(DN(('CN', 'CA Subsystem'), self.subject_base)),
|
||||
"-ca_ocsp_cert_subject_name", str(DN(('CN', 'OCSP Subsystem'), self.subject_base)),
|
||||
"-ca_server_cert_subject_name", str(DN(('CN', self.fqdn), self.subject_base)),
|
||||
"-ca_audit_signing_cert_subject_name", str(DN(('CN', 'CA Audit'), self.subject_base)),
|
||||
"-ca_sign_cert_subject_name", str(DN(('CN', 'Certificate Authority'), self.subject_base)) ]
|
||||
if self.external == 1:
|
||||
args.append("-external")
|
||||
args.append("true")
|
||||
args.append("-ext_csr_file")
|
||||
args.append(self.csr_file)
|
||||
elif self.external == 2:
|
||||
args.append("-external")
|
||||
args.append("true")
|
||||
args.append("-ext_ca_cert_file")
|
||||
args.append(self.cert_file)
|
||||
args.append("-ext_ca_cert_chain_file")
|
||||
args.append(self.cert_chain_file)
|
||||
else:
|
||||
args.append("-external")
|
||||
args.append("false")
|
||||
if (self.clone):
|
||||
"""sd = security domain --> all CS systems get registered to
|
||||
a security domain. This is set to the hostname and port of
|
||||
the master CA.
|
||||
"""
|
||||
# The install wizard expects the file to be here.
|
||||
cafile = self.pkcs12_info[0]
|
||||
shutil.copy(cafile, "/var/lib/pki-ca/alias/ca.p12")
|
||||
pent = pwd.getpwnam(PKI_USER)
|
||||
os.chown("/var/lib/pki-ca/alias/ca.p12", pent.pw_uid, pent.pw_gid )
|
||||
args.append("-clone")
|
||||
args.append("true")
|
||||
args.append("-clone_p12_file")
|
||||
args.append("ca.p12")
|
||||
args.append("-clone_p12_password")
|
||||
args.append(self.dm_password)
|
||||
args.append("-sd_hostname")
|
||||
args.append(self.master_host)
|
||||
args.append("-sd_admin_port")
|
||||
args.append("443")
|
||||
args.append("-sd_admin_name")
|
||||
args.append("admin")
|
||||
args.append("-sd_admin_password")
|
||||
args.append(self.admin_password)
|
||||
args.append("-clone_start_tls")
|
||||
args.append("true")
|
||||
args.append("-clone_uri")
|
||||
args.append("https://%s" % ipautil.format_netloc(self.master_host, 443))
|
||||
else:
|
||||
args.append("-clone")
|
||||
args.append("false")
|
||||
|
||||
# Define the things we don't want logged
|
||||
nolog = (self.admin_password, self.dm_password,)
|
||||
|
||||
ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn}, nolog=nolog)
|
||||
except ipautil.CalledProcessError, e:
|
||||
root_logger.critical("failed to configure ca instance %s" % e)
|
||||
raise RuntimeError('Configuration of CA failed')
|
||||
|
||||
if self.external == 1:
|
||||
print "The next step is to get %s signed by your CA and re-run ipa-server-install as:" % self.csr_file
|
||||
print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate"
|
||||
sys.exit(0)
|
||||
|
||||
# pkisilent makes a copy of the CA PKCS#12 file for us but gives
|
||||
# it a lousy name.
|
||||
if ipautil.file_exists("/root/tmp-ca.p12"):
|
||||
shutil.move("/root/tmp-ca.p12", "/root/cacert.p12")
|
||||
|
||||
root_logger.debug("completed creating ca instance")
|
||||
|
||||
def __restart_instance(self):
|
||||
try:
|
||||
self.restart(PKI_INSTANCE_NAME)
|
||||
@ -713,10 +665,11 @@ class CAInstance(service.Service):
|
||||
|
||||
def __disable_nonce(self):
|
||||
# Turn off Nonces
|
||||
if installutils.update_file('/var/lib/pki-ca/conf/CS.cfg', 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
|
||||
cfg_file = '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg'
|
||||
if installutils.update_file(cfg_file, 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
|
||||
raise RuntimeError("Disabling nonces failed")
|
||||
pent = pwd.getpwnam(PKI_USER)
|
||||
os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
|
||||
os.chown(cfg_file, pent.pw_uid, pent.pw_gid )
|
||||
|
||||
def __issue_ra_cert(self):
|
||||
# The CA certificate is in the agent DB but isn't trusted
|
||||
@ -767,7 +720,7 @@ class CAInstance(service.Service):
|
||||
]
|
||||
(stdout, stderr, returncode) = ipautil.run(args, nolog=(self.admin_password,))
|
||||
|
||||
data = stdout.split('\r\n')
|
||||
data = stdout.split('\n')
|
||||
params = get_defList(data)
|
||||
params['requestId'] = find_substring(data, "requestId")
|
||||
params['op'] = 'approve'
|
||||
@ -788,7 +741,7 @@ class CAInstance(service.Service):
|
||||
]
|
||||
(stdout, stderr, returncode) = ipautil.run(args, nolog=(self.admin_password,))
|
||||
|
||||
data = stdout.split('\r\n')
|
||||
data = stdout.split('\n')
|
||||
outputList = get_outputList(data)
|
||||
|
||||
self.ra_cert = outputList['b64_cert']
|
||||
@ -905,20 +858,6 @@ class CAInstance(service.Service):
|
||||
except Exception, e:
|
||||
raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
|
||||
|
||||
def __create_ca_agent_pkcs12(self):
|
||||
(pwd_fd, pwd_name) = tempfile.mkstemp()
|
||||
os.write(pwd_fd, self.admin_password)
|
||||
os.close(pwd_fd)
|
||||
try:
|
||||
ipautil.run(["/usr/bin/pk12util",
|
||||
"-n", "ipa-ca-agent",
|
||||
"-o", "/root/ca-agent.p12",
|
||||
"-d", self.ca_agent_db,
|
||||
"-k", pwd_name,
|
||||
"-w", pwd_name])
|
||||
finally:
|
||||
os.remove(pwd_name)
|
||||
|
||||
def __import_ca_chain(self):
|
||||
chain = self.__get_ca_chain()
|
||||
|
||||
@ -982,7 +921,7 @@ class CAInstance(service.Service):
|
||||
csr = pkcs10.strip_header(stdout)
|
||||
|
||||
# Send the request to the CA
|
||||
conn = httplib.HTTPConnection(self.fqdn, 9180)
|
||||
conn = httplib.HTTPConnection(self.fqdn, 8080)
|
||||
params = urllib.urlencode({'profileId': 'caServerCert',
|
||||
'cert_request_type': 'pkcs10',
|
||||
'requestor_name': 'IPA Installer',
|
||||
@ -1020,7 +959,7 @@ class CAInstance(service.Service):
|
||||
|
||||
def __setup_sign_profile(self):
|
||||
# Tell the profile to automatically issue certs for RAs
|
||||
installutils.set_directive('/var/lib/pki-ca/profiles/ca/caJarSigningCert.cfg', 'auth.instance_id', 'raCertAuth', quotes=False, separator='=')
|
||||
installutils.set_directive('/var/lib/pki/pki-tomcat/ca/profiles/ca/caJarSigningCert.cfg', 'auth.instance_id', 'raCertAuth', quotes=False, separator='=')
|
||||
|
||||
def __enable_crl_publish(self):
|
||||
"""
|
||||
@ -1028,9 +967,9 @@ class CAInstance(service.Service):
|
||||
|
||||
http://www.redhat.com/docs/manuals/cert-system/8.0/admin/html/Setting_up_Publishing.html
|
||||
"""
|
||||
caconfig = "/var/lib/pki-ca/conf/CS.cfg"
|
||||
caconfig = "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
|
||||
|
||||
publishdir='/var/lib/pki-ca/publish'
|
||||
publishdir='/var/lib/pki/pki-tomcat/ca/publish'
|
||||
os.mkdir(publishdir)
|
||||
os.chmod(publishdir, 0755)
|
||||
pent = pwd.getpwnam(PKI_USER)
|
||||
@ -1089,8 +1028,8 @@ class CAInstance(service.Service):
|
||||
self.disable()
|
||||
|
||||
try:
|
||||
ipautil.run(["/usr/bin/pkiremove", "-pki_instance_root=/var/lib",
|
||||
"-pki_instance_name=%s" % PKI_INSTANCE_NAME, "--force"])
|
||||
ipautil.run(["/bin/pkidestroy", "-i", "pki-tomcat",
|
||||
"-s", "CA"])
|
||||
except ipautil.CalledProcessError, e:
|
||||
root_logger.critical("failed to uninstall CA instance %s" % e)
|
||||
|
||||
@ -1118,7 +1057,7 @@ class CAInstance(service.Service):
|
||||
pin = certmonger.get_pin('internal')
|
||||
except IOError, e:
|
||||
raise RuntimeError('Unable to determine PIN for CA instance: %s' % str(e))
|
||||
certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', 'Server-Cert cert-pki-ca', pin, None, '/var/lib/pki-ca/alias', 'restart_pkicad "Server-Cert cert-pki-ca"')
|
||||
certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', 'Server-Cert cert-pki-ca', pin, None, '/etc/pki/pki-tomcat/alias', 'restart_pkicad "Server-Cert cert-pki-ca"')
|
||||
|
||||
def configure_renewal(self):
|
||||
cmonger = ipaservices.knownservices.certmonger
|
||||
@ -1135,7 +1074,7 @@ class CAInstance(service.Service):
|
||||
for nickname in ['auditSigningCert cert-pki-ca',
|
||||
'ocspSigningCert cert-pki-ca',
|
||||
'subsystemCert cert-pki-ca']:
|
||||
certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', nickname, pin, None, '/var/lib/pki-ca/alias', 'renew_ca_cert "%s"' % nickname)
|
||||
certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', nickname, pin, None, '/etc/pki/pki-tomcat/alias', 'renew_ca_cert "%s"' % nickname)
|
||||
|
||||
# Set up the agent cert for renewal
|
||||
certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', 'ipaCert', None, '/etc/httpd/alias/pwdfile.txt', '/etc/httpd/alias', 'renew_ra_cert')
|
||||
@ -1179,7 +1118,7 @@ class CAInstance(service.Service):
|
||||
for nickname in ['auditSigningCert cert-pki-ca',
|
||||
'ocspSigningCert cert-pki-ca',
|
||||
'subsystemCert cert-pki-ca']:
|
||||
certmonger.dogtag_start_tracking('dogtag-ipa-retrieve-agent-submit', nickname, pin, None, '/var/lib/pki-ca/alias', 'restart_pkicad "%s"' % nickname)
|
||||
certmonger.dogtag_start_tracking('dogtag-ipa-retrieve-agent-submit', nickname, pin, None, '/etc/pki/pki-tomcat/alias', 'restart_pkicad "%s"' % nickname)
|
||||
|
||||
# The agent renewal is configured in import_ra_cert which is called
|
||||
# after the HTTP instance is created.
|
||||
@ -1191,7 +1130,7 @@ class CAInstance(service.Service):
|
||||
setlist = installutils.get_directive(IPA_SERVICE_PROFILE,
|
||||
'policyset.serverCertSet.list', separator='=')
|
||||
|
||||
# this is the default setting from pki-ca. Don't touch it if a user
|
||||
# this is the default setting from pki-tomcat. Don't touch it if a user
|
||||
# has manually modified it.
|
||||
if setlist == '1,2,3,4,5,6,7,8':
|
||||
installutils.set_directive(IPA_SERVICE_PROFILE,
|
||||
@ -1234,7 +1173,7 @@ class CAInstance(service.Service):
|
||||
responsibility to handle changes on upgrades.
|
||||
"""
|
||||
master = installutils.get_directive(
|
||||
'/var/lib/pki-ca/conf/CS.cfg', 'subsystem.select', '=')
|
||||
'/var/lib/pki/pki-tomcat/conf/ca/CS.cfg', 'subsystem.select', '=')
|
||||
|
||||
return master == 'New'
|
||||
|
||||
@ -1301,10 +1240,10 @@ def install_replica_ca(config, postinstall=False):
|
||||
# unix service.
|
||||
|
||||
service.print_msg("Restarting the directory and certificate servers")
|
||||
ca.stop()
|
||||
ca.stop(PKI_INSTANCE_NAME)
|
||||
ipaservices.knownservices.dirsrv.stop("PKI-IPA")
|
||||
ipaservices.knownservices.dirsrv.start("PKI-IPA")
|
||||
ca.start()
|
||||
ca.start(PKI_INSTANCE_NAME)
|
||||
|
||||
return (ca, cs)
|
||||
|
||||
@ -1323,7 +1262,7 @@ def update_cert_config(nickname, cert):
|
||||
'subsystemCert cert-pki-ca': 'ca.subsystem.cert',
|
||||
'Server-Cert cert-pki-ca': 'ca.sslserver.cert' }
|
||||
|
||||
installutils.set_directive('/var/lib/%s/conf/CS.cfg' % PKI_INSTANCE_NAME,
|
||||
installutils.set_directive('/var/lib/pki/%s/conf/ca/CS.cfg' % PKI_INSTANCE_NAME,
|
||||
directives[nickname],
|
||||
base64.b64encode(cert),
|
||||
quotes=False, separator='=')
|
||||
|
@ -47,7 +47,7 @@ from ipalib import errors
|
||||
from ipapython.dn import DN
|
||||
|
||||
# Used to determine install status
|
||||
IPA_MODULES = ['httpd', 'kadmin', 'dirsrv', 'pki-cad', 'pkids', 'install', 'krb5kdc', 'ntpd', 'named', 'ipa_memcached']
|
||||
IPA_MODULES = ['httpd', 'kadmin', 'dirsrv', 'pki-tomcatd', 'pkids', 'install', 'krb5kdc', 'ntpd', 'named', 'ipa_memcached']
|
||||
|
||||
class BadHostError(Exception):
|
||||
pass
|
||||
|
@ -41,6 +41,17 @@ AUTO = 1
|
||||
ENABLED = 2
|
||||
DISABLED = 3
|
||||
|
||||
# Determine if we have an updated dogtag instance (dogtag 10+) or
|
||||
# an older one.
|
||||
dogtag_service = 'pki-cad'
|
||||
try:
|
||||
for line in open("/etc/ipa/default.conf", "r"):
|
||||
if "dogtag_version" in line:
|
||||
dogtag_service = 'pki-tomcatd'
|
||||
break
|
||||
except IOError, e:
|
||||
pass
|
||||
|
||||
# The service name as stored in cn=masters,cn=ipa,cn=etc. In the tuple
|
||||
# the first value is the *nix service name, the second the start order.
|
||||
SERVICE_LIST = {
|
||||
@ -49,7 +60,7 @@ SERVICE_LIST = {
|
||||
'DNS':('named', 30),
|
||||
'MEMCACHE':('ipa_memcached', 39),
|
||||
'HTTP':('httpd', 40),
|
||||
'CA':('pki-cad', 50),
|
||||
'CA':(dogtag_service, 50),
|
||||
'ADTRUST':('smb', 60),
|
||||
'EXTID':('winbind', 70)
|
||||
}
|
||||
|
@ -1 +1 @@
|
||||
/var/lib/pki-ca/publish(/.*)? gen_context(system_u:object_r:cert_t,s0)
|
||||
/var/lib/pki/pki-tomcat/ca/publish(/.*)? gen_context(system_u:object_r:cert_t,s0)
|
||||
|
Loading…
Reference in New Issue
Block a user