Modifications to install scripts for dogtag 10

Dogtag 10 uses a new installer, new directory layout and new default
ports.  This patch changes the ipa install code to integrate these changes.

https://fedorahosted.org/freeipa/ticket/2846

install/conf/ipa-pki-proxy.conf

@@ -6,22 +6,22 @@ ProxyRequests Off
 <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange">
     NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
     NSSVerifyClient none
-    ProxyPassMatch ajp://localhost:9447/
-    ProxyPassReverse ajp://localhost:9447/
+    ProxyPassMatch ajp://localhost:8009
+    ProxyPassReverse ajp://localhost:8009
 </LocationMatch>
 
-# matches for admin port
-<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML">
+# matches for admin port and installer
+<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken">
     NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
     NSSVerifyClient none
-    ProxyPassMatch ajp://localhost:9447/
-    ProxyPassReverse ajp://localhost:9447/
+    ProxyPassMatch ajp://localhost:8009
+    ProxyPassReverse ajp://localhost:8009
 </LocationMatch>
 
 # matches for agent port and eeca port
 <LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
     NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
     NSSVerifyClient require
-    ProxyPassMatch ajp://localhost:9447/
-    ProxyPassReverse ajp://localhost:9447/
+    ProxyPassMatch ajp://localhost:8009
+    ProxyPassReverse ajp://localhost:8009
 </LocationMatch>

install/conf/ipa.conf

@@ -105,8 +105,8 @@ Alias /ipa/config "/usr/share/ipa/html"
 
 
 # For CRL publishing
-Alias /ipa/crl "/var/lib/pki-ca/publish"
-<Directory "/var/lib/pki-ca/publish">
+Alias /ipa/crl "/var/lib/pki/tomcat-ca/ca/publish"
+<Directory "/var/lib/pki/tomcat-ca/ca/publish">
   SetHandler None
   AllowOverride None
   Options Indexes FollowSymLinks

install/restart_scripts/renew_ca_cert

@@ -45,8 +45,14 @@ nickname = sys.argv[1]
 api.bootstrap(context='restart')
 api.finalize()
 
+alias_dir = '/etc/pki/pki-tomcat/alias'
+dogtag_instance = 'pki-tomcat'
+if 'dogtag_version' not in api.env:
+    alias_dir = '/var/lib/pki-ca/alias'
+    dogtag_instance = 'pki-ca'
+
 # Fetch the new certificate
-db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias')
+db = certs.CertDB(api.env.realm, nssdir=alias_dir)
 cert = db.get_cert_from_db(nickname, pem=False)
 
 if not cert:
@@ -79,7 +85,7 @@ finally:
 
 # Fix permissions on the audit cert if we're updating it
 if nickname == 'auditSigningCert cert-pki-ca':
-    db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias')
+    db = certs.CertDB(api.env.realm, nssdir=alias_dir)
     args = ['-M',
             '-n', nickname,
             '-t', 'u,u,Pu',
@@ -91,7 +97,9 @@ if nickname == 'auditSigningCert cert-pki-ca':
 
 update_cert_config(nickname, cert)
 
-syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted pki-cad instance pki-ca to renew %s' % nickname)
+syslog.syslog(
+    syslog.LOG_NOTICE, 'certmonger restarted %sd instance %s to renew %s' %
+        (dogtag_instance, dogtag_instance, nickname))
 
 # We monitor 3 certs that are all likely to be renewed by certmonger more or
 # less at the same time. Each cert renewal is going to need to restart
@@ -102,6 +110,7 @@ pause = random.randint(10,360)
 syslog.syslog(syslog.LOG_NOTICE, 'Pausing %d seconds to restart pki-ca' % pause)
 time.sleep(pause)
 try:
-    ipaservices.knownservices.pki_cad.restart('pki-ca')
+    ipaservices.knownservices.pki_cad.restart(dogtag_instance)
 except Exception, e:
-    syslog.syslog(syslog.LOG_ERR, "Cannot restart pki-cad: %s" % str(e))
+    syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" % \
+                  (dogtag_instance, str(e)))

install/restart_scripts/restart_pkicad

@@ -30,11 +30,18 @@ nickname = sys.argv[1]
 api.bootstrap(context='restart')
 api.finalize()
 
-syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted pki-cad, nickname '%s'" % nickname)
+alias_dir = '/etc/pki/pki-tomcat/alias'
+dogtag_instance = 'pki-tomcat'
+if 'dogtag_version' not in api.env:
+    alias_dir = '/var/lib/pki-ca/alias'
+    dogtag_instance = 'pki-ca'
+
+syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted %sd, nickname '%s'" % \
+              (dogtag_instance, nickname))
 
 # Fix permissions on the audit cert if we're updating it
 if nickname == 'auditSigningCert cert-pki-ca':
-    db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias')
+    db = certs.CertDB(api.env.realm, nssdir = alias_dir )
     args = ['-M',
             '-n', nickname,
             '-t', 'u,u,Pu',
@@ -44,7 +51,8 @@ if nickname == 'auditSigningCert cert-pki-ca':
 try:
     # I've seen times where systemd restart does not actually restart
     # the process. A full stop/start is required. This works around that
-    ipaservices.knownservices.pki_cad.stop('pki-ca')
-    ipaservices.knownservices.pki_cad.start('pki-ca')
+    ipaservices.knownservices.pki_cad.stop(dogtag_instance)
+    ipaservices.knownservices.pki_cad.start(dogtag_instance)
 except Exception, e:
-    syslog.syslog(syslog.LOG_ERR, "Cannot restart pki-cad: %s" % str(e))
+    syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" % \
+                  (dogtag_instance, str(e)))

install/tools/ipa-ca-install

@@ -156,6 +156,16 @@ def main():
     # We need to restart apache as we drop a new config file in there
     ipaservices.knownservices.httpd.restart(capture_output=True)
 
+    #update dogtag version in config file to denote new instance
+    try:
+        fd = open("/etc/ipa/default.conf", "a")
+        fd.write("dogtag_version=10\n")
+        fd.close()
+    except IOError, e:
+        print "Failed to update /etc/ipa/default.conf"
+        root_logger.error(str(e))
+        sys.exit(1)
+
 fail_message = '''
 Your system may be partly configured.
 Run /usr/sbin/ipa-server-install --uninstall to clean up.

install/tools/ipa-csreplica-manage

@@ -80,7 +80,7 @@ class CSReplicationManager(replication.ReplicationManager):
         """
         dn = None
         cn = None
-        instance_name = 'pki-ca'
+        instance_name = 'pki-tomcat'
 
         # if master is not None we know what dn to return:
         if master is not None:

install/tools/ipa-replica-install

@@ -376,6 +376,7 @@ def main():
         if ipautil.file_exists(config.dir + "/cacert.p12"):
             fd.write("enable_ra=True\n")
             fd.write("ra_plugin=dogtag\n")
+            fd.write("dogtag_version=10\n")
         fd.write("mode=production\n")
         fd.close()
     finally:

install/tools/ipa-replica-prepare

@@ -304,7 +304,7 @@ def main():
         if options.reverse_zone and not bindinstance.verify_reverse_zone(options.reverse_zone, options.ip_address):
             sys.exit(1)
 
-    if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki-ca/conf/CS.cfg") and not options.dirsrv_pin:
+    if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki/pki-tomcat/conf/ca/CS.cfg") and not options.dirsrv_pin:
         sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.")
 
     check_ipa_configuration(api.env.realm)

install/tools/ipa-server-install

@@ -853,6 +853,7 @@ def main():
     fd.write("enable_ra=True\n")
     if not options.selfsign:
         fd.write("ra_plugin=dogtag\n")
+        fd.write("dogtag_version=10\n")
     fd.write("mode=production\n")
     fd.close()
 

install/ui/test/data/ipa_init.json

@@ -669,12 +669,12 @@
                 "result": {
                     "basedn": "dc=dev,dc=example,dc=com",
                     "bin": "/var/www",
-                    "ca_agent_install_port": 9443,
+                    "ca_agent_install_port": 8443,
                     "ca_agent_port": 443,
-                    "ca_ee_install_port": 9444,
+                    "ca_ee_install_port": 8443,
                     "ca_ee_port": 443,
                     "ca_host": "dev.example.com",
-                    "ca_install_port": 9180,
+                    "ca_install_port": 8080,
                     "ca_port": 80,
                     "conf": "/etc/ipa/server.conf",
                     "conf_default": "/etc/ipa/default.conf",