Modifications to install scripts for dogtag 10

Dogtag 10 uses a new installer, new directory layout and new default
ports.  This patch changes the ipa install code to integrate these changes.

https://fedorahosted.org/freeipa/ticket/2846

install/conf/ipa-pki-proxy.conf

@@ -6,22 +6,22 @@ ProxyRequests Off
 <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange">
     NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
     NSSVerifyClient none
-    ProxyPassMatch ajp://localhost:9447/
+    ProxyPassMatch ajp://localhost:8009
-    ProxyPassReverse ajp://localhost:9447/
+    ProxyPassReverse ajp://localhost:8009
 </LocationMatch>
 
-# matches for admin port
+# matches for admin port and installer
-<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML">
+<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken">
     NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
     NSSVerifyClient none
-    ProxyPassMatch ajp://localhost:9447/
+    ProxyPassMatch ajp://localhost:8009
-    ProxyPassReverse ajp://localhost:9447/
+    ProxyPassReverse ajp://localhost:8009
 </LocationMatch>
 
 # matches for agent port and eeca port
 <LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
     NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
     NSSVerifyClient require
-    ProxyPassMatch ajp://localhost:9447/
+    ProxyPassMatch ajp://localhost:8009
-    ProxyPassReverse ajp://localhost:9447/
+    ProxyPassReverse ajp://localhost:8009
 </LocationMatch>

install/conf/ipa.conf

@@ -105,8 +105,8 @@ Alias /ipa/config "/usr/share/ipa/html"
 
 
 # For CRL publishing
-Alias /ipa/crl "/var/lib/pki-ca/publish"
+Alias /ipa/crl "/var/lib/pki/tomcat-ca/ca/publish"
-<Directory "/var/lib/pki-ca/publish">
+<Directory "/var/lib/pki/tomcat-ca/ca/publish">
   SetHandler None
   AllowOverride None
   Options Indexes FollowSymLinks

install/restart_scripts/renew_ca_cert

@@ -45,8 +45,14 @@ nickname = sys.argv[1]
 api.bootstrap(context='restart')
 api.finalize()
 
+alias_dir = '/etc/pki/pki-tomcat/alias'
+dogtag_instance = 'pki-tomcat'
+if 'dogtag_version' not in api.env:
+    alias_dir = '/var/lib/pki-ca/alias'
+    dogtag_instance = 'pki-ca'
+
 # Fetch the new certificate
-db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias')
+db = certs.CertDB(api.env.realm, nssdir=alias_dir)
 cert = db.get_cert_from_db(nickname, pem=False)
 
 if not cert:
@@ -79,7 +85,7 @@ finally:
 
 # Fix permissions on the audit cert if we're updating it
 if nickname == 'auditSigningCert cert-pki-ca':
-    db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias')
+    db = certs.CertDB(api.env.realm, nssdir=alias_dir)
     args = ['-M',
             '-n', nickname,
             '-t', 'u,u,Pu',
@@ -91,7 +97,9 @@ if nickname == 'auditSigningCert cert-pki-ca':
 
 update_cert_config(nickname, cert)
 
-syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted pki-cad instance pki-ca to renew %s' % nickname)
+syslog.syslog(
+    syslog.LOG_NOTICE, 'certmonger restarted %sd instance %s to renew %s' %
+        (dogtag_instance, dogtag_instance, nickname))
 
 # We monitor 3 certs that are all likely to be renewed by certmonger more or
 # less at the same time. Each cert renewal is going to need to restart
@@ -102,6 +110,7 @@ pause = random.randint(10,360)
 syslog.syslog(syslog.LOG_NOTICE, 'Pausing %d seconds to restart pki-ca' % pause)
 time.sleep(pause)
 try:
-    ipaservices.knownservices.pki_cad.restart('pki-ca')
+    ipaservices.knownservices.pki_cad.restart(dogtag_instance)
 except Exception, e:
-    syslog.syslog(syslog.LOG_ERR, "Cannot restart pki-cad: %s" % str(e))
+    syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" % \
+                  (dogtag_instance, str(e)))

install/restart_scripts/restart_pkicad

@@ -30,11 +30,18 @@ nickname = sys.argv[1]
 api.bootstrap(context='restart')
 api.finalize()
 
-syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted pki-cad, nickname '%s'" % nickname)
+alias_dir = '/etc/pki/pki-tomcat/alias'
+dogtag_instance = 'pki-tomcat'
+if 'dogtag_version' not in api.env:
+    alias_dir = '/var/lib/pki-ca/alias'
+    dogtag_instance = 'pki-ca'
+
+syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted %sd, nickname '%s'" % \
+              (dogtag_instance, nickname))
 
 # Fix permissions on the audit cert if we're updating it
 if nickname == 'auditSigningCert cert-pki-ca':
-    db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias')
+    db = certs.CertDB(api.env.realm, nssdir = alias_dir )
     args = ['-M',
             '-n', nickname,
             '-t', 'u,u,Pu',
@@ -44,7 +51,8 @@ if nickname == 'auditSigningCert cert-pki-ca':
 try:
     # I've seen times where systemd restart does not actually restart
     # the process. A full stop/start is required. This works around that
-    ipaservices.knownservices.pki_cad.stop('pki-ca')
+    ipaservices.knownservices.pki_cad.stop(dogtag_instance)
-    ipaservices.knownservices.pki_cad.start('pki-ca')
+    ipaservices.knownservices.pki_cad.start(dogtag_instance)
 except Exception, e:
-    syslog.syslog(syslog.LOG_ERR, "Cannot restart pki-cad: %s" % str(e))
+    syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" % \
+                  (dogtag_instance, str(e)))

install/tools/ipa-ca-install

@@ -156,6 +156,16 @@ def main():
     # We need to restart apache as we drop a new config file in there
     ipaservices.knownservices.httpd.restart(capture_output=True)
 
+    #update dogtag version in config file to denote new instance
+    try:
+        fd = open("/etc/ipa/default.conf", "a")
+        fd.write("dogtag_version=10\n")
+        fd.close()
+    except IOError, e:
+        print "Failed to update /etc/ipa/default.conf"
+        root_logger.error(str(e))
+        sys.exit(1)
+
 fail_message = '''
 Your system may be partly configured.
 Run /usr/sbin/ipa-server-install --uninstall to clean up.

install/tools/ipa-csreplica-manage

@@ -80,7 +80,7 @@ class CSReplicationManager(replication.ReplicationManager):
         """
         dn = None
         cn = None
-        instance_name = 'pki-ca'
+        instance_name = 'pki-tomcat'
 
         # if master is not None we know what dn to return:
         if master is not None:

install/tools/ipa-replica-install

@@ -376,6 +376,7 @@ def main():
         if ipautil.file_exists(config.dir + "/cacert.p12"):
             fd.write("enable_ra=True\n")
             fd.write("ra_plugin=dogtag\n")
+            fd.write("dogtag_version=10\n")
         fd.write("mode=production\n")
         fd.close()
     finally:

install/tools/ipa-replica-prepare

@@ -304,7 +304,7 @@ def main():
         if options.reverse_zone and not bindinstance.verify_reverse_zone(options.reverse_zone, options.ip_address):
             sys.exit(1)
 
-    if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki-ca/conf/CS.cfg") and not options.dirsrv_pin:
+    if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki/pki-tomcat/conf/ca/CS.cfg") and not options.dirsrv_pin:
         sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.")
 
     check_ipa_configuration(api.env.realm)

install/tools/ipa-server-install

@@ -853,6 +853,7 @@ def main():
     fd.write("enable_ra=True\n")
     if not options.selfsign:
         fd.write("ra_plugin=dogtag\n")
+        fd.write("dogtag_version=10\n")
     fd.write("mode=production\n")
     fd.close()
 

install/ui/test/data/ipa_init.json

@@ -669,12 +669,12 @@
                 "result": {
                     "basedn": "dc=dev,dc=example,dc=com",
                     "bin": "/var/www",
-                    "ca_agent_install_port": 9443,
+                    "ca_agent_install_port": 8443,
                     "ca_agent_port": 443,
-                    "ca_ee_install_port": 9444,
+                    "ca_ee_install_port": 8443,
                     "ca_ee_port": 443,
                     "ca_host": "dev.example.com",
-                    "ca_install_port": 9180,
+                    "ca_install_port": 8080,
                     "ca_port": 80,
                     "conf": "/etc/ipa/server.conf",
                     "conf_default": "/etc/ipa/default.conf",

ipa-client/man/default.conf.5

@@ -66,13 +66,13 @@ The following options are relevant for the server:
 Specifies the base DN to use when performing LDAP operations. The base must be in DN format (dc=example,dc=com).
 .TP
 .B ca_agent_port <port>
-Specifies the secure CA agent port. The default is 9443.
+Specifies the secure CA agent port. The default is 8443.
 .TP
 .B ca_ee_port <port>
-Specifies the secure CA end user port. The default is 9444.
+Specifies the secure CA end user port. The default is 8443.
 .TP
 .B ca_port <port>
-Specifies the insecure CA end user port. The default is 9180.
+Specifies the insecure CA end user port. The default is 8080.
 .TP
 .B ca_host <hostname>
 Specifies the hostname of the dogtag CA server. The default is the hostname of the IPA server.

ipalib/constants.py

@@ -141,9 +141,9 @@ DEFAULT_CONFIG = (
     ('ca_port', 80),
     ('ca_agent_port', 443),
     ('ca_ee_port', 443),
-    ('ca_install_port', 9180),
+    ('ca_install_port', 8080),
-    ('ca_agent_install_port', 9443),
+    ('ca_agent_install_port', 8443),
-    ('ca_ee_install_port', 9444),
+    ('ca_ee_install_port', 8443),
 
 
     # Special CLI:

ipapython/certmonger.py

@@ -337,7 +337,7 @@ def get_pin(token):
 
     The caller is expected to handle any exceptions raised.
     """
-    filename = '/var/lib/pki-ca/conf/password.conf'
+    filename = '/var/lib/pki/pki-tomcat/conf/password.conf'
     with open(filename, 'r') as f:
         for line in f:
             (tok, pin) = line.split('=', 1)

ipapython/platform/base.py

@@ -25,7 +25,7 @@ from ipalib.plugable import MagicDict
 wellknownservices = ['certmonger', 'dirsrv', 'httpd', 'ipa', 'krb5kdc',
                      'messagebus', 'nslcd', 'nscd', 'ntpd', 'portmap',
                      'rpcbind', 'kadmin', 'sshd', 'autofs', 'rpcgssd',
-                     'rpcidmapd', 'pki_cad']
+                     'rpcidmapd', 'pki_tomcatd', 'pki-cad']
 
 
 # The common ports for these services. This is used to wait for the
@@ -34,7 +34,10 @@ wellknownports = {
     'dirsrv@PKI-IPA.service': [7389],
     'PKI-IPA': [7389],
     'dirsrv': [389], # this is only used if the incoming instance name is blank
-    'pki-cad': [9180],
+    'pki-tomcatd@pki-tomcat.service': [8080],
+    'pki-tomcat': [8080],
+    'pki-tomcatd': [8080], # used if the incoming instance name is blank
+    'pki-cad': [9180]
 }
 
 class AuthConfig(object):

ipapython/platform/fedora16.py

@@ -46,7 +46,7 @@ system_units = dict(map(lambda x: (x, "%s.service" % (x)), base.wellknownservice
 system_units['rpcgssd'] = 'nfs-secure.service'
 system_units['rpcidmapd'] = 'nfs-idmap.service'
 
-# Rewrite dirsrv and pki-cad services as they support instances via separate
+# Rewrite dirsrv and pki-tomcatd services as they support instances via separate
 # service generator. To make this working, one needs to have both foo@.servic
 # and foo.target -- the latter is used when request should be coming for
 # all instances (like stop). systemd, unfortunately, does not allow one
@@ -58,9 +58,12 @@ system_units['rpcidmapd'] = 'nfs-idmap.service'
 system_units['dirsrv'] = 'dirsrv@.service'
 # Our directory server instance for PKI is dirsrv@PKI-IPA.service
 system_units['pkids'] = 'dirsrv@PKI-IPA.service'
-# Our PKI instance is pki-cad@pki-ca.service
+# Old style PKI instance
 system_units['pki-cad'] = 'pki-cad@pki-ca.service'
 system_units['pki_cad'] = system_units['pki-cad']
+# Our PKI instance is pki-tomcatd@pki-tomcat.service
+system_units['pki-tomcatd'] = 'pki-tomcatd@pki-tomcat.service'
+system_units['pki_tomcatd'] = system_units['pki-tomcatd']
 
 class Fedora16Service(systemd.SystemdService):
     def __init__(self, service_name):

ipapython/platform/systemd.py

@@ -41,10 +41,10 @@ class SystemdService(base.PlatformService):
         # Short-cut: if there is already exact service name, return it
         if self.lib_path_exists and len(instance_name) == 0:
             if len(elements) == 1:
-                # service name is like pki-cad.target or krb5kdc.service
+                # service name is like pki-tomcatd.target or krb5kdc.service
                 return self.service_name
             if len(elements) > 1 and elements[1][0] != '.':
-                # Service name is like pki-cad@pki-ca.service and that file exists
+                # Service name is like pki-tomcatd@pki-tomcat.service and that file exists
                 return self.service_name
 
         if len(elements) > 1:

ipaserver/install/cainstance.py

@@ -65,15 +65,10 @@ PKI_USER = "pkiuser"
 PKI_DS_USER = "pkisrv"
 
 # These values come from /usr/share/pki/ca/setup/postinstall
-PKI_INSTANCE_NAME="pki-ca"
+PKI_INSTANCE_NAME="pki-tomcat"
-AGENT_SECURE_PORT=9443
+AGENT_SECURE_PORT=8443
-EE_SECURE_PORT=9444
-ADMIN_SECURE_PORT=9445
-EE_CLIENT_AUTH_PORT=9446
-UNSECURE_PORT=9180
-TOMCAT_SERVER_PORT=9701
 
-IPA_SERVICE_PROFILE = '/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME
+IPA_SERVICE_PROFILE = '/var/lib/pki/%s/ca/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME
 
 # We need to reset the template because the CA uses the regular boot
 # information
@@ -97,9 +92,9 @@ def check_inst():
     """
 
     # Check for a couple of binaries we need
-    if not os.path.exists('/usr/bin/pkicreate'):
+    if not os.path.exists('/bin/pkispawn'):
         return False
-    if not os.path.exists('/usr/bin/pkisilent'):
+    if not os.path.exists('/bin/pkidestroy'):
         return False
 
     # This is the template tomcat file for a CA
@@ -108,31 +103,6 @@ def check_inst():
 
     return True
 
-def get_preop_pin(instance_root, instance_name):
-    preop_pin = None
-
-    filename = instance_root + "/" + instance_name + "/conf/CS.cfg"
-
-    # read the config file and get the preop pin
-    try:
-        f=open(filename)
-    except IOError, e:
-        root_logger.error("Cannot open configuration file." + str(e))
-        raise e
-    data = f.read()
-    data = data.split('\n')
-    pattern = re.compile("preop.pin=(.*)" )
-    for line in data:
-        match = re.search(pattern, line)
-        if (match):
-            preop_pin=match.group(1)
-            break
-
-    if preop_pin is None:
-        raise RuntimeError("Unable to find preop.pin in %s. Is your CA already configured?" % filename)
-
-    return preop_pin
-
 def import_pkcs12(input_file, input_passwd, cert_database,
                   cert_passwd):
     ipautil.run(["/usr/bin/pk12util", "-d", cert_database,
@@ -415,7 +385,7 @@ class CADSInstance(service.Service):
                          'ocspSigningCert cert-pki-ca',
                          'subsystemCert cert-pki-ca']:
             try:
-                certmonger.stop_tracking('/var/lib/pki-ca/alias', nickname=nickname)
+                certmonger.stop_tracking('/etc/pki/pki-tomcat/alias', nickname=nickname)
             except (ipautil.CalledProcessError, RuntimeError), e:
                 root_logger.error("certmonger failed to stop tracking certificate: %s" % str(e))
 
@@ -444,7 +414,7 @@ class CAInstance(service.Service):
     """
 
     def __init__(self, realm, ra_db):
-        service.Service.__init__(self, "pki-cad")
+        service.Service.__init__(self, "pki-tomcatd")
         self.realm = realm
         self.dm_password = None
         self.admin_password = None
@@ -468,7 +438,7 @@ class CAInstance(service.Service):
         self.ra_agent_pwd = self.ra_agent_db + "/pwdfile.txt"
         self.ds_port = DEFAULT_DSPORT
         self.domain_name = "IPA"
-        self.server_root = "/var/lib"
+        self.server_root = "/var/lib/pki"
         self.ra_cert = None
         self.requestId = None
 
@@ -489,8 +459,7 @@ class CAInstance(service.Service):
                            pkcs12_info=None, master_host=None, csr_file=None,
                            cert_file=None, cert_chain_file=None,
                            subject_base=None):
-        """Create a CA instance. This may involve creating the pki-ca instance
+        """Create a CA instance.
-           dogtag instance.
 
            To create a clone, pass in pkcs12_info.
 
@@ -523,15 +492,11 @@ class CAInstance(service.Service):
             self.external=2
 
         self.step("creating certificate server user", self.__create_ca_user)
-        if not ipautil.dir_exists("/var/lib/pki-ca"):
+        self.step("configuring certificate server instance", self.__spawn_instance)
-            self.step("creating pki-ca instance", self.create_instance)
-        self.step("configuring certificate server instance", self.__configure_instance)
         self.step("disabling nonces", self.__disable_nonce)
         # Step 1 of external is getting a CSR so we don't need to do these
         # steps until we get a cert back from the external CA.
         if self.external != 1:
-            if not self.clone:
-                self.step("creating CA agent PKCS#12 file in /root", self.__create_ca_agent_pkcs12)
             if self.create_ra_agent_db:
                 self.step("creating RA agent certificate database", self.__create_ra_agent_db)
             self.step("importing CA chain to RA certificate database", self.__import_ca_chain)
@@ -555,26 +520,117 @@ class CAInstance(service.Service):
 
         self.start_creation("Configuring certificate server", 210)
 
-    def create_instance(self):
+    def __spawn_instance(self):
         """
-        If for some reason the instance doesn't exist, create a new one."
+        Create and configure a new instance using pkispawn.
+        pkispawn requires a configuration file with the appropriate
+        values substituted in.
         """
 
-        args = ['/usr/bin/pkicreate',
+        # create a new config file for this installation
-                '-pki_instance_root', '/var/lib',
+        (cfg_fd, cfg_file) = tempfile.mkstemp()
-                '-pki_instance_name', PKI_INSTANCE_NAME,
+        os.close(cfg_fd)
-                '-subsystem_type', 'ca',
+        shutil.copy("/usr/share/pki/deployment/config/pkideployment.cfg",
-                '-agent_secure_port', str(AGENT_SECURE_PORT),
+                    cfg_file)
-                '-ee_secure_port', str(EE_SECURE_PORT),
+        pent = pwd.getpwnam(PKI_USER)
-                '-admin_secure_port', str(ADMIN_SECURE_PORT),
+        os.chown(cfg_file, pent.pw_uid, pent.pw_gid )
-                '-ee_secure_client_auth_port', str(EE_CLIENT_AUTH_PORT),
+        replacevars = {
-                '-unsecure_port', str(UNSECURE_PORT),
+            "pki_enable_proxy": "True",
-                '-tomcat_server_port', str(TOMCAT_SERVER_PORT),
+            "pki_restart_configured_instance": "False",
-                '-redirect', 'conf=/etc/pki-ca',
+            "pki_client_database_dir": self.ca_agent_db,
-                '-redirect', 'logs=/var/log/pki-ca',
+            "pki_client_database_password": self.admin_password,
-                '-enable_proxy'
+            "pki_client_database_purge": "False",
-        ]
+            "pki_client_pkcs12_password": self.admin_password,
-        ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn})
+            "pki_security_domain_name": self.domain_name,
+            "pki_admin_email":  "root@localhost",
+            "pki_admin_password": self.admin_password,
+            "pki_admin_nickname": "ipa-ca-agent",
+            "pki_admin_subject_dn": "CN=ipa-ca-agent,%s" % self.subject_base,
+            "pki_ds_ldap_port": str(self.ds_port),
+            "pki_ds_password": self.dm_password,
+            "pki_ds_base_dn": self.basedn,
+            "pki_ds_database": "ipaca",
+            "pki_backup_keys": "True",
+            "pki_backup_password": self.admin_password,
+            "pki_subsystem_subject_dn": \
+                "CN=CA Subsystem,%s" % self.subject_base,
+            "pki_ocsp_signing_subject_dn": \
+                "CN=OCSP Subsystem,%s" % self.subject_base,
+            "pki_ssl_server_subject_dn": \
+                "CN=%s,%s" % (self.fqdn, self.subject_base),
+            "pki_audit_signing_subject_dn": \
+                "CN=CA Audit,%s" % self.subject_base,
+            "pki_ca_signing_subject_dn": \
+                 "CN=Certificate Authority,%s" % self.subject_base,
+            "pki_subsystem_nickname": "subsystemCert cert-pki-ca",
+            "pki_ocsp_signing_nickname": "ocspSigningCert cert-pki-ca",
+            "pki_ssl_server_nickname": "Server-Cert cert-pki-ca",
+            "pki_audit_signing_nickname": "auditSigningCert cert-pki-ca",
+            "pki_ca_signing_nickname": "caSigningCert cert-pki-ca"
+        }
+
+        if (self.clone):
+            cafile = self.pkcs12_info[0]
+            shutil.copy(cafile, "/tmp/ca.p12")
+            pent = pwd.getpwnam(PKI_USER)
+            os.chown("/tmp/ca.p12", pent.pw_uid, pent.pw_gid )
+
+            clone_vars = {
+                "pki_clone_pkcs12_password": self.dm_password,
+                "pki_clone": "True",
+                "pki_clone_pkcs12_path": "/tmp/ca.p12",
+                "pki_security_domain_hostname": self.master_host,
+                "pki_security_domain_https_port": "443",
+                "pki_security_domain_password": self.admin_password,
+                "pki_clone_replication_security": "SSL",
+                "pki_clone_uri": \
+                    "https://%s" % ipautil.format_netloc(self.master_host, 443)
+            }
+            replacevars.update(clone_vars)
+
+        if self.external == 1:
+            external_vars = {
+                "pki_external": "True",
+                "pki_external_csr_path": self.csr_file
+            }
+            replacevars.update(external_vars)
+        elif self.external == 2:
+            external_vars = {
+                "pki_external": "True",
+                "pki_external_ca_cert_path": self.cert_file,
+                "pki_external_ca_cert_chain_path": self.cert_chain_file,
+                "pki_external_step_two": "True"
+            }
+            replacevars.update(external_vars)
+
+        ipautil.config_replace_variables(cfg_file, replacevars=replacevars)
+
+        # Define the things we don't want logged
+        nolog = (self.admin_password, self.dm_password,)
+
+        args = ["/bin/pkispawn", "-s", "CA", "-f", cfg_file ]
+
+        try:
+            ipautil.run(args, nolog=nolog)
+        except ipautil.CalledProcessError, e:
+            root_logger.critical("failed to configure ca instance %s" % e)
+            raise RuntimeError('Configuration of CA failed')
+        finally:
+            os.remove(cfg_file)
+
+        if not self.clone:
+            shutil.move("/var/lib/pki/pki-tomcat/alias/ca_admin_cert.p12", \
+                        "/root/ca-agent.p12")
+        shutil.move("/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12", \
+                    "/root/cacert.p12")
+
+        if self.external == 1:
+            print "The next step is to get %s signed by your CA and re-run ipa-server-install as:" % self.csr_file
+            print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate"
+            sys.exit(0)
+
+        root_logger.debug("completed creating ca instance")
+
 
     def __enable(self):
         self.backup_state("enabled", self.is_enabled())
@@ -600,110 +656,6 @@ class CAInstance(service.Service):
             except ipautil.CalledProcessError, e:
                 root_logger.critical("failed to add user %s" % e)
 
-    def __configure_instance(self):
-        preop_pin = get_preop_pin(self.server_root, PKI_INSTANCE_NAME)
-
-        try:
-            args = ["/usr/bin/perl", "/usr/bin/pkisilent",  "ConfigureCA",
-                    "-cs_hostname", self.fqdn,
-                    "-cs_port", str(ADMIN_SECURE_PORT),
-                    "-client_certdb_dir", self.ca_agent_db,
-                    "-client_certdb_pwd", self.admin_password,
-                    "-preop_pin" , preop_pin,
-                    "-domain_name", self.domain_name,
-                    "-admin_user", "admin",
-                    "-admin_email",  "root@localhost",
-                    "-admin_password", self.admin_password,
-                    "-agent_name", "ipa-ca-agent",
-                    "-agent_key_size", "2048",
-                    "-agent_key_type", "rsa",
-                    "-agent_cert_subject", str(DN(('CN', 'ipa-ca-agent'), self.subject_base)),
-                    "-ldap_host", self.fqdn,
-                    "-ldap_port", str(self.ds_port),
-                    "-bind_dn", "cn=Directory Manager",
-                    "-bind_password", self.dm_password,
-                    "-base_dn", str(self.basedn),
-                    "-db_name", "ipaca",
-                    "-key_size", "2048",
-                    "-key_type", "rsa",
-                    "-key_algorithm", "SHA256withRSA",
-                    "-save_p12", "true",
-                    "-backup_pwd", self.admin_password,
-                    "-subsystem_name", self.service_name,
-                    "-token_name", "internal",
-                    "-ca_subsystem_cert_subject_name", str(DN(('CN', 'CA Subsystem'), self.subject_base)),
-                    "-ca_subsystem_cert_subject_name", str(DN(('CN', 'CA Subsystem'), self.subject_base)),
-                    "-ca_ocsp_cert_subject_name", str(DN(('CN', 'OCSP Subsystem'), self.subject_base)),
-                    "-ca_server_cert_subject_name", str(DN(('CN', self.fqdn), self.subject_base)),
-                    "-ca_audit_signing_cert_subject_name", str(DN(('CN', 'CA Audit'), self.subject_base)),
-                    "-ca_sign_cert_subject_name", str(DN(('CN', 'Certificate Authority'), self.subject_base)) ]
-            if self.external == 1:
-                args.append("-external")
-                args.append("true")
-                args.append("-ext_csr_file")
-                args.append(self.csr_file)
-            elif self.external == 2:
-                args.append("-external")
-                args.append("true")
-                args.append("-ext_ca_cert_file")
-                args.append(self.cert_file)
-                args.append("-ext_ca_cert_chain_file")
-                args.append(self.cert_chain_file)
-            else:
-                args.append("-external")
-                args.append("false")
-            if (self.clone):
-                """sd = security domain -->  all CS systems get registered to
-                   a security domain. This is set to the hostname and port of
-                   the master CA.
-                """
-                # The install wizard expects the file to be here.
-                cafile = self.pkcs12_info[0]
-                shutil.copy(cafile, "/var/lib/pki-ca/alias/ca.p12")
-                pent = pwd.getpwnam(PKI_USER)
-                os.chown("/var/lib/pki-ca/alias/ca.p12", pent.pw_uid, pent.pw_gid )
-                args.append("-clone")
-                args.append("true")
-                args.append("-clone_p12_file")
-                args.append("ca.p12")
-                args.append("-clone_p12_password")
-                args.append(self.dm_password)
-                args.append("-sd_hostname")
-                args.append(self.master_host)
-                args.append("-sd_admin_port")
-                args.append("443")
-                args.append("-sd_admin_name")
-                args.append("admin")
-                args.append("-sd_admin_password")
-                args.append(self.admin_password)
-                args.append("-clone_start_tls")
-                args.append("true")
-                args.append("-clone_uri")
-                args.append("https://%s" % ipautil.format_netloc(self.master_host, 443))
-            else:
-                args.append("-clone")
-                args.append("false")
-
-            # Define the things we don't want logged
-            nolog = (self.admin_password, self.dm_password,)
-
-            ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn}, nolog=nolog)
-        except ipautil.CalledProcessError, e:
-            root_logger.critical("failed to configure ca instance %s" % e)
-            raise RuntimeError('Configuration of CA failed')
-
-        if self.external == 1:
-            print "The next step is to get %s signed by your CA and re-run ipa-server-install as:" % self.csr_file
-            print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate"
-            sys.exit(0)
-
-        # pkisilent makes a copy of the CA PKCS#12 file for us but gives
-        # it a lousy name.
-        if ipautil.file_exists("/root/tmp-ca.p12"):
-            shutil.move("/root/tmp-ca.p12", "/root/cacert.p12")
-
-        root_logger.debug("completed creating ca instance")
-
     def __restart_instance(self):
         try:
             self.restart(PKI_INSTANCE_NAME)
@@ -713,10 +665,11 @@ class CAInstance(service.Service):
 
     def __disable_nonce(self):
         # Turn off Nonces
-        if installutils.update_file('/var/lib/pki-ca/conf/CS.cfg', 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
+        cfg_file = '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg'
+        if installutils.update_file(cfg_file, 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
             raise RuntimeError("Disabling nonces failed")
         pent = pwd.getpwnam(PKI_USER)
-        os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
+        os.chown(cfg_file, pent.pw_uid, pent.pw_gid )
 
     def __issue_ra_cert(self):
         # The CA certificate is in the agent DB but isn't trusted
@@ -767,7 +720,7 @@ class CAInstance(service.Service):
         ]
         (stdout, stderr, returncode) = ipautil.run(args, nolog=(self.admin_password,))
 
-        data = stdout.split('\r\n')
+        data = stdout.split('\n')
         params = get_defList(data)
         params['requestId'] = find_substring(data, "requestId")
         params['op'] = 'approve'
@@ -788,7 +741,7 @@ class CAInstance(service.Service):
         ]
         (stdout, stderr, returncode) = ipautil.run(args, nolog=(self.admin_password,))
 
-        data = stdout.split('\r\n')
+        data = stdout.split('\n')
         outputList = get_outputList(data)
 
         self.ra_cert = outputList['b64_cert']
@@ -905,20 +858,6 @@ class CAInstance(service.Service):
         except Exception, e:
             raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
 
-    def __create_ca_agent_pkcs12(self):
-        (pwd_fd, pwd_name) = tempfile.mkstemp()
-        os.write(pwd_fd, self.admin_password)
-        os.close(pwd_fd)
-        try:
-            ipautil.run(["/usr/bin/pk12util",
-                         "-n", "ipa-ca-agent",
-                         "-o", "/root/ca-agent.p12",
-                         "-d", self.ca_agent_db,
-                         "-k", pwd_name,
-                         "-w", pwd_name])
-        finally:
-            os.remove(pwd_name)
-
     def __import_ca_chain(self):
         chain = self.__get_ca_chain()
 
@@ -982,7 +921,7 @@ class CAInstance(service.Service):
         csr = pkcs10.strip_header(stdout)
 
         # Send the request to the CA
-        conn = httplib.HTTPConnection(self.fqdn, 9180)
+        conn = httplib.HTTPConnection(self.fqdn, 8080)
         params = urllib.urlencode({'profileId': 'caServerCert',
                 'cert_request_type': 'pkcs10',
                 'requestor_name': 'IPA Installer',
@@ -1020,7 +959,7 @@ class CAInstance(service.Service):
 
     def __setup_sign_profile(self):
         # Tell the profile to automatically issue certs for RAs
-        installutils.set_directive('/var/lib/pki-ca/profiles/ca/caJarSigningCert.cfg', 'auth.instance_id', 'raCertAuth', quotes=False, separator='=')
+        installutils.set_directive('/var/lib/pki/pki-tomcat/ca/profiles/ca/caJarSigningCert.cfg', 'auth.instance_id', 'raCertAuth', quotes=False, separator='=')
 
     def __enable_crl_publish(self):
         """
@@ -1028,9 +967,9 @@ class CAInstance(service.Service):
 
         http://www.redhat.com/docs/manuals/cert-system/8.0/admin/html/Setting_up_Publishing.html
         """
-        caconfig = "/var/lib/pki-ca/conf/CS.cfg"
+        caconfig = "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
 
-        publishdir='/var/lib/pki-ca/publish'
+        publishdir='/var/lib/pki/pki-tomcat/ca/publish'
         os.mkdir(publishdir)
         os.chmod(publishdir, 0755)
         pent = pwd.getpwnam(PKI_USER)
@@ -1089,8 +1028,8 @@ class CAInstance(service.Service):
             self.disable()
 
         try:
-            ipautil.run(["/usr/bin/pkiremove", "-pki_instance_root=/var/lib",
+            ipautil.run(["/bin/pkidestroy", "-i", "pki-tomcat",
-                         "-pki_instance_name=%s" % PKI_INSTANCE_NAME, "--force"])
+                         "-s", "CA"])
         except ipautil.CalledProcessError, e:
             root_logger.critical("failed to uninstall CA instance %s" % e)
 
@@ -1118,7 +1057,7 @@ class CAInstance(service.Service):
             pin = certmonger.get_pin('internal')
         except IOError, e:
             raise RuntimeError('Unable to determine PIN for CA instance: %s' % str(e))
-        certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', 'Server-Cert cert-pki-ca', pin, None, '/var/lib/pki-ca/alias', 'restart_pkicad "Server-Cert cert-pki-ca"')
+        certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', 'Server-Cert cert-pki-ca', pin, None, '/etc/pki/pki-tomcat/alias', 'restart_pkicad "Server-Cert cert-pki-ca"')
 
     def configure_renewal(self):
         cmonger = ipaservices.knownservices.certmonger
@@ -1135,7 +1074,7 @@ class CAInstance(service.Service):
         for nickname in ['auditSigningCert cert-pki-ca',
                          'ocspSigningCert cert-pki-ca',
                          'subsystemCert cert-pki-ca']:
-            certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', nickname, pin, None, '/var/lib/pki-ca/alias', 'renew_ca_cert "%s"' % nickname)
+            certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', nickname, pin, None, '/etc/pki/pki-tomcat/alias', 'renew_ca_cert "%s"' % nickname)
 
         # Set up the agent cert for renewal
         certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', 'ipaCert', None, '/etc/httpd/alias/pwdfile.txt', '/etc/httpd/alias', 'renew_ra_cert')
@@ -1179,7 +1118,7 @@ class CAInstance(service.Service):
         for nickname in ['auditSigningCert cert-pki-ca',
                          'ocspSigningCert cert-pki-ca',
                          'subsystemCert cert-pki-ca']:
-            certmonger.dogtag_start_tracking('dogtag-ipa-retrieve-agent-submit', nickname, pin, None, '/var/lib/pki-ca/alias', 'restart_pkicad "%s"' % nickname)
+            certmonger.dogtag_start_tracking('dogtag-ipa-retrieve-agent-submit', nickname, pin, None, '/etc/pki/pki-tomcat/alias', 'restart_pkicad "%s"' % nickname)
 
         # The agent renewal is configured in import_ra_cert which is called
         # after the HTTP instance is created.
@@ -1191,7 +1130,7 @@ class CAInstance(service.Service):
         setlist = installutils.get_directive(IPA_SERVICE_PROFILE,
             'policyset.serverCertSet.list', separator='=')
 
-        # this is the default setting from pki-ca. Don't touch it if a user
+        # this is the default setting from pki-tomcat. Don't touch it if a user
         # has manually modified it.
         if setlist == '1,2,3,4,5,6,7,8':
             installutils.set_directive(IPA_SERVICE_PROFILE,
@@ -1234,7 +1173,7 @@ class CAInstance(service.Service):
         responsibility to handle changes on upgrades.
         """
         master = installutils.get_directive(
-            '/var/lib/pki-ca/conf/CS.cfg', 'subsystem.select', '=')
+            '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg', 'subsystem.select', '=')
 
         return master == 'New'
 
@@ -1301,10 +1240,10 @@ def install_replica_ca(config, postinstall=False):
     # unix service.
 
     service.print_msg("Restarting the directory and certificate servers")
-    ca.stop()
+    ca.stop(PKI_INSTANCE_NAME)
     ipaservices.knownservices.dirsrv.stop("PKI-IPA")
     ipaservices.knownservices.dirsrv.start("PKI-IPA")
-    ca.start()
+    ca.start(PKI_INSTANCE_NAME)
 
     return (ca, cs)
 
@@ -1323,7 +1262,7 @@ def update_cert_config(nickname, cert):
                   'subsystemCert cert-pki-ca': 'ca.subsystem.cert',
                   'Server-Cert cert-pki-ca': 'ca.sslserver.cert' }
 
-    installutils.set_directive('/var/lib/%s/conf/CS.cfg' % PKI_INSTANCE_NAME,
+    installutils.set_directive('/var/lib/pki/%s/conf/ca/CS.cfg' % PKI_INSTANCE_NAME,
                                 directives[nickname],
                                 base64.b64encode(cert),
                                 quotes=False, separator='=')

ipaserver/install/installutils.py

@@ -47,7 +47,7 @@ from ipalib import errors
 from ipapython.dn import DN
 
 # Used to determine install status
-IPA_MODULES = ['httpd', 'kadmin', 'dirsrv', 'pki-cad', 'pkids', 'install', 'krb5kdc', 'ntpd', 'named', 'ipa_memcached']
+IPA_MODULES = ['httpd', 'kadmin', 'dirsrv', 'pki-tomcatd', 'pkids', 'install', 'krb5kdc', 'ntpd', 'named', 'ipa_memcached']
 
 class BadHostError(Exception):
     pass

ipaserver/install/service.py

@@ -41,6 +41,17 @@ AUTO = 1
 ENABLED = 2
 DISABLED = 3
 
+# Determine if we have an updated dogtag instance (dogtag 10+) or
+# an older one.
+dogtag_service = 'pki-cad'
+try:
+    for line in open("/etc/ipa/default.conf", "r"):
+        if "dogtag_version" in line:
+            dogtag_service = 'pki-tomcatd'
+            break
+except IOError, e:
+    pass
+
 # The service name as stored in cn=masters,cn=ipa,cn=etc. In the tuple
 # the first value is the *nix service name, the second the start order.
 SERVICE_LIST = {
@@ -49,7 +60,7 @@ SERVICE_LIST = {
     'DNS':('named', 30),
     'MEMCACHE':('ipa_memcached', 39),
     'HTTP':('httpd', 40),
-    'CA':('pki-cad', 50),
+    'CA':(dogtag_service, 50),
     'ADTRUST':('smb', 60),
     'EXTID':('winbind', 70)
 }

selinux/ipa_dogtag/ipa_dogtag.fc

@@ -1 +1 @@
-/var/lib/pki-ca/publish(/.*)?	gen_context(system_u:object_r:cert_t,s0)
+/var/lib/pki/pki-tomcat/ca/publish(/.*)?	gen_context(system_u:object_r:cert_t,s0)