Use Dogtag 10 only when it is available
Put the changes from Ade's dogtag 10 patch into namespaced constants in dogtag.py, which are then referenced in the code. Make ipaserver.install.CAInstance use the service name specified in the configuration. Uninstallation, where config is removed before CA uninstall, also uses the (previously) configured value. This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
This commit is contained in:
parent
3dd31a8756
commit
4f76c143d2
@ -250,7 +250,7 @@ Requires: xmlrpc-c
|
||||
%endif
|
||||
%endif
|
||||
Requires: sssd >= 1.8.0
|
||||
Requires: certmonger >= 0.58
|
||||
Requires: certmonger >= 0.60
|
||||
Requires: nss-tools
|
||||
Requires: bind-utils
|
||||
Requires: oddjob-mkhomedir
|
||||
@ -748,6 +748,9 @@ fi
|
||||
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
|
||||
|
||||
%changelog
|
||||
* Tue Sep 18 2012 Petr Viktorin <pviktori@redhat.com> - 2.99.0-46
|
||||
- Set certmonger minimum version to 0.60 for Dogtag 10 support.
|
||||
|
||||
* Mon Sep 17 2012 Rob Crittenden <rcritten@redhat.com> - 2.99.0-45
|
||||
- Set min for 389-ds-base to 1.2.11.14-1 on F17+ to pull in updated
|
||||
RUV code and nsslapd-readonly schema.
|
||||
|
@ -1,4 +1,4 @@
|
||||
# VERSION 1 - DO NOT REMOVE THIS LINE
|
||||
# VERSION 2 - DO NOT REMOVE THIS LINE
|
||||
|
||||
ProxyRequests Off
|
||||
|
||||
@ -6,22 +6,22 @@ ProxyRequests Off
|
||||
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange">
|
||||
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
|
||||
NSSVerifyClient none
|
||||
ProxyPassMatch ajp://localhost:8009
|
||||
ProxyPassReverse ajp://localhost:8009
|
||||
ProxyPassMatch ajp://localhost:$DOGTAG_PORT
|
||||
ProxyPassReverse ajp://localhost:$DOGTAG_PORT
|
||||
</LocationMatch>
|
||||
|
||||
# matches for admin port and installer
|
||||
<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken">
|
||||
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
|
||||
NSSVerifyClient none
|
||||
ProxyPassMatch ajp://localhost:8009
|
||||
ProxyPassReverse ajp://localhost:8009
|
||||
ProxyPassMatch ajp://localhost:$DOGTAG_PORT
|
||||
ProxyPassReverse ajp://localhost:$DOGTAG_PORT
|
||||
</LocationMatch>
|
||||
|
||||
# matches for agent port and eeca port
|
||||
<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
|
||||
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
|
||||
NSSVerifyClient require
|
||||
ProxyPassMatch ajp://localhost:8009
|
||||
ProxyPassReverse ajp://localhost:8009
|
||||
ProxyPassMatch ajp://localhost:$DOGTAG_PORT
|
||||
ProxyPassReverse ajp://localhost:$DOGTAG_PORT
|
||||
</LocationMatch>
|
||||
|
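Review bot: The AJP targets at lines 101/104, 130/133 and 159/162 now carry the template variable `$DOGTAG_PORT`, so this file is only valid after substitution; ipa-upgradeconfig later in this diff puts DOGTAG_PORT (and CRL_PUBLISH_PATH, which the ipa.conf hunk below relies on) into its sub_dict, but the fresh-install code that writes these files is not in the diff, so it is worth confirming it substitutes the same keys, since Apache would otherwise be handed the literal `ajp://localhost:$DOGTAG_PORT`. A header comment such as `# DOGTAG_PORT (and CRL_PUBLISH_PATH in ipa.conf) are substituted from ipapython.dogtag constants at install/upgrade time` would make that dependency visible to anyone editing the file by hand.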
@ -1,5 +1,5 @@
|
||||
#
|
||||
# VERSION 7 - DO NOT REMOVE THIS LINE
|
||||
# VERSION 8 - DO NOT REMOVE THIS LINE
|
||||
#
|
||||
# This file may be overwritten on upgrades.
|
||||
#
|
||||
@ -105,8 +105,8 @@ Alias /ipa/config "/usr/share/ipa/html"
|
||||
|
||||
|
||||
# For CRL publishing
|
||||
Alias /ipa/crl "/var/lib/pki/tomcat-ca/ca/publish"
|
||||
<Directory "/var/lib/pki/tomcat-ca/ca/publish">
|
||||
Alias /ipa/crl "$CRL_PUBLISH_PATH"
|
||||
<Directory "$CRL_PUBLISH_PATH">
|
||||
SetHandler None
|
||||
AllowOverride None
|
||||
Options Indexes FollowSymLinks
|
||||
|
@ -32,6 +32,7 @@ from ipapython.dn import DN
|
||||
from ipalib import errors
|
||||
from ipapython import services as ipaservices
|
||||
from ipapython import ipautil
|
||||
from ipapython import dogtag
|
||||
from ipaserver.install import certs
|
||||
from ipaserver.plugins.ldap2 import ldap2
|
||||
from ipaserver.install.cainstance import update_cert_config
|
||||
@ -45,11 +46,9 @@ nickname = sys.argv[1]
|
||||
api.bootstrap(context='restart')
|
||||
api.finalize()
|
||||
|
||||
alias_dir = '/etc/pki/pki-tomcat/alias'
|
||||
dogtag_instance = 'pki-tomcat'
|
||||
if 'dogtag_version' not in api.env:
|
||||
alias_dir = '/var/lib/pki-ca/alias'
|
||||
dogtag_instance = 'pki-ca'
|
||||
configured_constants = dogtag.configured_constants(api)
|
||||
alias_dir = configured_constants.ALIAS_DIR
|
||||
dogtag_instance = configured_constants.PKI_INSTANCE_NAME
|
||||
|
||||
# Fetch the new certificate
|
||||
db = certs.CertDB(api.env.realm, nssdir=alias_dir)
|
||||
@ -112,5 +111,5 @@ time.sleep(pause)
|
||||
try:
|
||||
ipaservices.knownservices.pki_cad.restart(dogtag_instance)
|
||||
except Exception, e:
|
||||
syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" % \
|
||||
syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" %
|
||||
(dogtag_instance, str(e)))
|
||||
|
@ -22,6 +22,7 @@
|
||||
import sys
|
||||
import syslog
|
||||
from ipapython import services as ipaservices
|
||||
from ipapython import dogtag
|
||||
from ipaserver.install import certs
|
||||
from ipalib import api
|
||||
|
||||
@ -30,18 +31,16 @@ nickname = sys.argv[1]
|
||||
api.bootstrap(context='restart')
|
||||
api.finalize()
|
||||
|
||||
alias_dir = '/etc/pki/pki-tomcat/alias'
|
||||
dogtag_instance = 'pki-tomcat'
|
||||
if 'dogtag_version' not in api.env:
|
||||
alias_dir = '/var/lib/pki-ca/alias'
|
||||
dogtag_instance = 'pki-ca'
|
||||
configured_constants = dogtag.configured_constants(api)
|
||||
alias_dir = configured_constants.ALIAS_DIR
|
||||
dogtag_instance = configured_constants.PKI_INSTANCE_NAME
|
||||
|
||||
syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted %sd, nickname '%s'" % \
|
||||
syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted %sd, nickname '%s'" %
|
||||
(dogtag_instance, nickname))
|
||||
|
||||
# Fix permissions on the audit cert if we're updating it
|
||||
if nickname == 'auditSigningCert cert-pki-ca':
|
||||
db = certs.CertDB(api.env.realm, nssdir = alias_dir )
|
||||
db = certs.CertDB(api.env.realm, nssdir=alias_dir)
|
||||
args = ['-M',
|
||||
'-n', nickname,
|
||||
'-t', 'u,u,Pu',
|
||||
@ -54,5 +53,5 @@ try:
|
||||
ipaservices.knownservices.pki_cad.stop(dogtag_instance)
|
||||
ipaservices.knownservices.pki_cad.start(dogtag_instance)
|
||||
except Exception, e:
|
||||
syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" % \
|
||||
syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" %
|
||||
(dogtag_instance, str(e)))
|
||||
|
@ -37,6 +37,7 @@ from ipapython import version
|
||||
from ipalib import api, util
|
||||
from ipapython.config import IPAOptionParser
|
||||
from ipapython import sysrestore
|
||||
from ipapython import dogtag
|
||||
from ipapython.ipa_log_manager import *
|
||||
|
||||
log_file_name = "/var/log/ipareplica-ca-install.log"
|
||||
@ -156,10 +157,11 @@ def main():
|
||||
# We need to restart apache as we drop a new config file in there
|
||||
ipaservices.knownservices.httpd.restart(capture_output=True)
|
||||
|
||||
#update dogtag version in config file to denote new instance
|
||||
#update dogtag version in config file
|
||||
try:
|
||||
fd = open("/etc/ipa/default.conf", "a")
|
||||
fd.write("dogtag_version=10\n")
|
||||
fd.write(
|
||||
"dogtag_version=%s\n" % dogtag.install_constants.DOGTAG_VERSION)
|
||||
fd.close()
|
||||
except IOError, e:
|
||||
print "Failed to update /etc/ipa/default.conf"
|
||||
|
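Review bot: A failed write of `dogtag_version` at lines 474-477 is only printed and then ignored, yet `dogtag.configured_constants()` later in this diff reports Dogtag 9 whenever the option is missing, so on a Dogtag 10 replica every later lookup (alias dir, CS.cfg, service name) would silently point at the pki-ca layout. Either treat the IOError as fatal here or log it through root_logger so the mismatch can be diagnosed; the `open()`/`close()` pair also leaks the descriptor when `write` fails, and `with open("/etc/ipa/default.conf", "a") as fd: fd.write(...)` avoids that. Appending assumes `[global]` is the last section of default.conf, which deserves a one-line comment. main() starts and ends outside the hunk.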
@ -29,6 +29,7 @@ from ipapython import ipautil
|
||||
from ipaserver.install import replication, installutils
|
||||
from ipaserver import ipaldap
|
||||
from ipapython import version
|
||||
from ipapython import dogtag
|
||||
from ipalib import api, errors, util
|
||||
from ipapython.dn import DN
|
||||
|
||||
@ -80,7 +81,7 @@ class CSReplicationManager(replication.ReplicationManager):
|
||||
"""
|
||||
dn = None
|
||||
cn = None
|
||||
instance_name = 'pki-tomcat'
|
||||
instance_name = dogtag.configured_constants(api).PKI_INSTANCE_NAME
|
||||
|
||||
# if master is not None we know what dn to return:
|
||||
if master is not None:
|
||||
|
@ -42,6 +42,7 @@ from ipapython.config import IPAOptionParser
|
||||
from ipapython import sysrestore
|
||||
from ipapython import services as ipaservices
|
||||
from ipapython.ipa_log_manager import *
|
||||
from ipapython import dogtag
|
||||
from ipapython.dn import DN
|
||||
|
||||
log_file_name = "/var/log/ipareplica-install.log"
|
||||
@ -376,7 +377,8 @@ def main():
|
||||
if ipautil.file_exists(config.dir + "/cacert.p12"):
|
||||
fd.write("enable_ra=True\n")
|
||||
fd.write("ra_plugin=dogtag\n")
|
||||
fd.write("dogtag_version=10\n")
|
||||
fd.write("dogtag_version=%s\n" %
|
||||
dogtag.install_constants.DOGTAG_VERSION)
|
||||
fd.write("mode=production\n")
|
||||
fd.close()
|
||||
finally:
|
||||
|
@ -33,6 +33,7 @@ from ipaserver.install.replication import enable_replication_version_checking
|
||||
from ipaserver.install.installutils import resolve_host, BadHostError, HostLookupError
|
||||
from ipaserver.plugins.ldap2 import ldap2
|
||||
from ipapython import version
|
||||
from ipapython import dogtag
|
||||
from ipapython.config import IPAOptionParser
|
||||
from ipalib import api, errors, util
|
||||
from ipapython.dn import DN
|
||||
@ -304,7 +305,9 @@ def main():
|
||||
if options.reverse_zone and not bindinstance.verify_reverse_zone(options.reverse_zone, options.ip_address):
|
||||
sys.exit(1)
|
||||
|
||||
if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki/pki-tomcat/conf/ca/CS.cfg") and not options.dirsrv_pin:
|
||||
if (not certs.ipa_self_signed() and
|
||||
not ipautil.file_exists(dogtag.configured_constants().CS_CFG_PATH) and
|
||||
not options.dirsrv_pin):
|
||||
sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.")
|
||||
|
||||
check_ipa_configuration(api.env.realm)
|
||||
|
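Review bot: `dogtag.configured_constants()` at line 635 is called without `api`, so it re-parses /etc/ipa/default.conf with ConfigParser, although this script appears to have a bootstrapped `api` in scope (line 646 reads `api.env.realm`) and `api.env.dogtag_version` is the value the new DEFAULT_CONFIG entry is there for. Passing it keeps one source of truth: `not ipautil.file_exists(dogtag.configured_constants(api).CS_CFG_PATH) and`. main() starts and ends outside the hunk.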
@ -58,6 +58,7 @@ from ipaserver.plugins.ldap2 import ldap2
|
||||
from ipapython import sysrestore
|
||||
from ipapython.ipautil import *
|
||||
from ipapython import ipautil
|
||||
from ipapython import dogtag
|
||||
from ipalib import api, errors, util
|
||||
from ipapython.config import IPAOptionParser
|
||||
from ipalib.x509 import load_certificate_from_file, load_certificate_chain_from_file
|
||||
@ -465,6 +466,9 @@ def uninstall():
|
||||
except Exception, e:
|
||||
pass
|
||||
|
||||
# Need to get dogtag info before /etc/ipa/default.conf is removed
|
||||
dogtag_constants = dogtag.configured_constants()
|
||||
|
||||
print "Removing IPA client configuration"
|
||||
try:
|
||||
(stdout, stderr, rc) = run(["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--uninstall"], raiseonerr=False)
|
||||
@ -477,10 +481,13 @@ def uninstall():
|
||||
print "ipa-client-install returned: " + str(e)
|
||||
|
||||
ntpinstance.NTPInstance(fstore).uninstall()
|
||||
if cainstance.CADSInstance().is_configured():
|
||||
cainstance.CADSInstance().uninstall()
|
||||
if cainstance.CAInstance(api.env.realm, certs.NSS_DIR).is_configured():
|
||||
cainstance.CAInstance(api.env.realm, certs.NSS_DIR).uninstall()
|
||||
cads_instance = cainstance.CADSInstance(dogtag_constants=dogtag_constants)
|
||||
if cads_instance.is_configured():
|
||||
cads_instance.uninstall()
|
||||
ca_instance = cainstance.CAInstance(
|
||||
api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants)
|
||||
if ca_instance.is_configured():
|
||||
ca_instance.uninstall()
|
||||
bindinstance.BindInstance(fstore).uninstall()
|
||||
httpinstance.HTTPInstance(fstore).uninstall()
|
||||
krbinstance.KrbInstance(fstore).uninstall()
|
||||
@ -853,7 +860,8 @@ def main():
|
||||
fd.write("enable_ra=True\n")
|
||||
if not options.selfsign:
|
||||
fd.write("ra_plugin=dogtag\n")
|
||||
fd.write("dogtag_version=10\n")
|
||||
fd.write("dogtag_version=%s\n" %
|
||||
dogtag.install_constants.DOGTAG_VERSION)
|
||||
fd.write("mode=production\n")
|
||||
fd.close()
|
||||
|
||||
@ -916,7 +924,8 @@ def main():
|
||||
cs = cainstance.CADSInstance(host_name, realm_name, domain_name, dm_password)
|
||||
if not cs.is_configured():
|
||||
cs.create_instance(realm_name, host_name, domain_name, dm_password, subject_base=options.subject)
|
||||
ca = cainstance.CAInstance(realm_name, certs.NSS_DIR)
|
||||
ca = cainstance.CAInstance(realm_name, certs.NSS_DIR,
|
||||
dogtag_constants=dogtag.install_constants)
|
||||
if external == 0:
|
||||
ca.configure_instance(host_name, dm_password, dm_password,
|
||||
subject_base=options.subject)
|
||||
|
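Review bot: `CADSInstance` at line 787 is still constructed without `dogtag_constants`, so it resolves them through `dogtag.configured_constants()` (a fresh read of /etc/ipa/default.conf), while the `CAInstance` a few lines later is given `dogtag.install_constants` explicitly; the two objects can disagree if default.conf does not yet record the version, and the CADSInstance stop_tracking loop later in this diff uses its constants' ALIAS_DIR. Pass the same constants: `cs = cainstance.CADSInstance(host_name, realm_name, domain_name, dm_password, dogtag_constants=dogtag.install_constants)`. main() starts and ends outside the hunk.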
@ -29,6 +29,7 @@ try:
|
||||
from ipapython.config import IPAOptionParser
|
||||
from ipapython.ipa_log_manager import *
|
||||
from ipapython import certmonger
|
||||
from ipapython import dogtag
|
||||
from ipaserver.install import installutils
|
||||
from ipaserver.install import dsinstance
|
||||
from ipaserver.install import httpinstance
|
||||
@ -458,7 +459,7 @@ def enable_certificate_renewal(realm):
|
||||
ca.configure_agent_renewal()
|
||||
ca.track_servercert()
|
||||
sysupgrade.set_upgrade_state('dogtag', 'renewal_configured', True)
|
||||
ca.restart(cainstance.PKI_INSTANCE_NAME)
|
||||
ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
|
||||
root_logger.debug('CA subsystem certificate renewal enabled')
|
||||
|
||||
def main():
|
||||
@ -495,7 +496,14 @@ def main():
|
||||
check_certs()
|
||||
|
||||
auto_redirect = find_autoredirect(fqdn)
|
||||
sub_dict = { "REALM" : api.env.realm, "FQDN": fqdn, "AUTOREDIR": '' if auto_redirect else '#'}
|
||||
configured_constants = dogtag.configured_constants()
|
||||
sub_dict = dict(
|
||||
REALM=api.env.realm,
|
||||
FQDN=fqdn,
|
||||
AUTOREDIR='' if auto_redirect else '#',
|
||||
CRL_PUBLISH_PATH=configured_constants.CRL_PUBLISH_PATH,
|
||||
DOGTAG_PORT=configured_constants.AJP_PORT,
|
||||
)
|
||||
|
||||
upgrade(sub_dict, "/etc/httpd/conf.d/ipa.conf", ipautil.SHARE_DIR + "ipa.conf")
|
||||
upgrade(sub_dict, "/etc/httpd/conf.d/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf")
|
||||
|
@ -669,12 +669,12 @@
|
||||
"result": {
|
||||
"basedn": "dc=dev,dc=example,dc=com",
|
||||
"bin": "/var/www",
|
||||
"ca_agent_install_port": 8443,
|
||||
"ca_agent_install_port": 9443,
|
||||
"ca_agent_port": 443,
|
||||
"ca_ee_install_port": 8443,
|
||||
"ca_ee_install_port": 9444,
|
||||
"ca_ee_port": 443,
|
||||
"ca_host": "dev.example.com",
|
||||
"ca_install_port": 8080,
|
||||
"ca_install_port": 9180,
|
||||
"ca_port": 80,
|
||||
"conf": "/etc/ipa/server.conf",
|
||||
"conf_default": "/etc/ipa/default.conf",
|
||||
|
@ -66,13 +66,13 @@ The following options are relevant for the server:
|
||||
Specifies the base DN to use when performing LDAP operations. The base must be in DN format (dc=example,dc=com).
|
||||
.TP
|
||||
.B ca_agent_port <port>
|
||||
Specifies the secure CA agent port. The default is 8443.
|
||||
Specifies the secure CA agent port. The default is 9443 for Dogtag 9, and 8443 for Dogtag 10.
|
||||
.TP
|
||||
.B ca_ee_port <port>
|
||||
Specifies the secure CA end user port. The default is 8443.
|
||||
Specifies the secure CA end user port. The default is 9444 for Dogtag 9, and 8443 for Dogtag 10.
|
||||
.TP
|
||||
.B ca_port <port>
|
||||
Specifies the insecure CA end user port. The default is 8080.
|
||||
Specifies the insecure CA end user port. The default is 9180 for Dogtag 9, and 8080 for Dogtag 10.
|
||||
.TP
|
||||
.B ca_host <hostname>
|
||||
Specifies the hostname of the dogtag CA server. The default is the hostname of the IPA server.
|
||||
|
@ -141,9 +141,11 @@ DEFAULT_CONFIG = (
|
||||
('ca_port', 80),
|
||||
('ca_agent_port', 443),
|
||||
('ca_ee_port', 443),
|
||||
('ca_install_port', 8080),
|
||||
('ca_agent_install_port', 8443),
|
||||
('ca_ee_install_port', 8443),
|
||||
# For the following ports, None means a default specific to the installed
|
||||
# Dogtag version.
|
||||
('ca_install_port', None),
|
||||
('ca_agent_install_port', None),
|
||||
('ca_ee_install_port', None),
|
||||
|
||||
|
||||
# Special CLI:
|
||||
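Review bot: The comment at lines 1034-1037 says None means a default specific to the *installed* Dogtag version, but the only resolver visible in this diff, `get_ca_certchain`, substitutes `configured_constants().UNSECURE_PORT`, i.e. the *configured* version; the two differ on a host where Dogtag 10 is installed but `dogtag_version` is absent or 9. Suggest `# None means: use the default for the configured Dogtag version` and `# (see ipapython.dogtag.configured_constants).` Only `ca_install_port` is shown being resolved; any caller that reads `ca_agent_install_port` or `ca_ee_install_port` straight from api.env now receives None instead of a port, which is worth checking outside this diff.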
@ -156,6 +158,7 @@ DEFAULT_CONFIG = (
|
||||
('enable_ra', False),
|
||||
('ra_plugin', 'selfsign'),
|
||||
('wait_for_attr', False),
|
||||
('dogtag_version', 9),
|
||||
|
||||
# Used when verifying that the API hasn't changed. Not for production.
|
||||
('validate_api', False),
|
||||
|
@ -26,6 +26,7 @@ import sys
|
||||
import re
|
||||
import time
|
||||
from ipapython import ipautil
|
||||
from ipapython import dogtag
|
||||
|
||||
REQUEST_DIR='/var/lib/certmonger/requests/'
|
||||
CA_DIR='/var/lib/certmonger/cas/'
|
||||
@ -337,8 +338,7 @@ def get_pin(token):
|
||||
|
||||
The caller is expected to handle any exceptions raised.
|
||||
"""
|
||||
filename = '/var/lib/pki/pki-tomcat/conf/password.conf'
|
||||
with open(filename, 'r') as f:
|
||||
with open(dogtag.configured_constants().PASSWORD_CONF_PATH, 'r') as f:
|
||||
for line in f:
|
||||
(tok, pin) = line.split('=', 1)
|
||||
if token == tok:
|
||||
|
@ -17,17 +17,118 @@
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
#
|
||||
|
||||
import os
|
||||
import httplib
|
||||
import xml.dom.minidom
|
||||
import nss.nss as nss
|
||||
from nss.error import NSPRError
|
||||
import ConfigParser
|
||||
from urllib import urlencode
|
||||
|
||||
import nss.nss as nss
|
||||
from nss.error import NSPRError
|
||||
|
||||
from ipalib import api, errors
|
||||
from ipapython import nsslib, ipautil
|
||||
from ipalib.errors import NetworkError, CertificateOperationError
|
||||
from ipapython.ipa_log_manager import *
|
||||
from ipalib.text import _
|
||||
from ipapython import nsslib, ipautil
|
||||
from ipapython.ipa_log_manager import *
|
||||
|
||||
# IPA can use either Dogtag version 9 or 10.
|
||||
#
|
||||
# Install tools should use the constants from install_constants, so that they
|
||||
# install with version 10 if it is available, and with 9 if not.
|
||||
# After IPA installation, the Dogtag version used is stored in the
|
||||
# "dogtag_version" config option. (If that is missing, version 9 is assumed.)
|
||||
# The configured_constants() function below provides constants relevant to
|
||||
# the configured version.
|
||||
|
||||
class Dogtag10Constants(object):
|
||||
DOGTAG_VERSION = 10
|
||||
UNSECURE_PORT = 8080
|
||||
AGENT_SECURE_PORT = 8443
|
||||
EE_SECURE_PORT = 8443
|
||||
AJP_PORT = 8009
|
||||
|
||||
SPAWN_BINARY = '/usr/sbin/pkispawn'
|
||||
DESTROY_BINARY = '/usr/sbin/pkidestroy'
|
||||
|
||||
SERVER_ROOT = '/var/lib/pki'
|
||||
PKI_INSTANCE_NAME = 'pki-tomcat'
|
||||
PKI_ROOT = '%s/%s' % (SERVER_ROOT, PKI_INSTANCE_NAME)
|
||||
CRL_PUBLISH_PATH = '%s/ca/publish' % PKI_ROOT
|
||||
CS_CFG_PATH = '%s/conf/ca/CS.cfg' % PKI_ROOT
|
||||
PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT
|
||||
SERVICE_PROFILE_DIR = '%s/ca/profiles/ca' % PKI_ROOT
|
||||
ALIAS_DIR = '/etc/pki/pki-tomcat/alias'
|
||||
|
||||
RACERT_LINE_SEP = '\n'
|
||||
|
||||
IPA_SERVICE_PROFILE = '%s/caIPAserviceCert.cfg' % SERVICE_PROFILE_DIR
|
||||
SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR
|
||||
|
||||
class Dogtag9Constants(object):
|
||||
DOGTAG_VERSION = 9
|
||||
UNSECURE_PORT = 9180
|
||||
AGENT_SECURE_PORT = 9443
|
||||
EE_SECURE_PORT = 9444
|
||||
AJP_PORT = 9447
|
||||
|
||||
SPAWN_BINARY = '/bin/pkicreate'
|
||||
DESTROY_BINARY = '/bin/pkisilent'
|
||||
|
||||
SERVER_ROOT = '/var/lib'
|
||||
PKI_INSTANCE_NAME = 'pki-ca'
|
||||
PKI_ROOT = '%s/%s' % (SERVER_ROOT, PKI_INSTANCE_NAME)
|
||||
CRL_PUBLISH_PATH = '%s/publish' % PKI_ROOT
|
||||
CS_CFG_PATH = '%s/conf/CS.cfg' % PKI_ROOT
|
||||
PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT
|
||||
SERVICE_PROFILE_DIR = '%s/profiles/ca' % PKI_ROOT
|
||||
ALIAS_DIR = '%s/alias' % PKI_ROOT
|
||||
|
||||
RACERT_LINE_SEP = '\r\n'
|
||||
|
||||
ADMIN_SECURE_PORT = 9445
|
||||
EE_CLIENT_AUTH_PORT = 9446
|
||||
TOMCAT_SERVER_PORT = 9701
|
||||
|
||||
IPA_SERVICE_PROFILE = '%s/caIPAserviceCert.cfg' % SERVICE_PROFILE_DIR
|
||||
SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR
|
||||
|
||||
|
||||
if os.path.exists('/usr/sbin/pkispawn'):
|
||||
install_constants = Dogtag10Constants
|
||||
else:
|
||||
install_constants = Dogtag9Constants
|
||||
|
||||
|
||||
def _get_configured_version(api):
|
||||
"""Get the version of Dogtag IPA is configured to use
|
||||
|
||||
If an API is given, use information in its environment.
|
||||
Otherwise, use information from the global config file.
|
||||
"""
|
||||
if api:
|
||||
return int(api.env.dogtag_version)
|
||||
else:
|
||||
p = ConfigParser.SafeConfigParser()
|
||||
p.read("/etc/ipa/default.conf")
|
||||
try:
|
||||
version = p.get('global', 'dogtag_version')
|
||||
except (ConfigParser.NoOptionError, ConfigParser.NoSectionError):
|
||||
return 9
|
||||
else:
|
||||
return int(version)
|
||||
|
||||
|
||||
def configured_constants(api=None):
|
||||
"""Get the name of the Dogtag CA instance
|
||||
|
||||
See get_configured_version
|
||||
"""
|
||||
if _get_configured_version(api) >= 10:
|
||||
return Dogtag10Constants
|
||||
else:
|
||||
return Dogtag9Constants
|
||||
|
||||
|
||||
def get_ca_certchain(ca_host=None):
|
||||
"""
|
||||
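Review bot: The docstring of `configured_constants` at lines 1444-1452 says it gets the name of the CA instance and refers to `get_configured_version`, but the function returns the whole constants class and the helper is `_get_configured_version`; it should read along the lines of `Return the constants class for the configured Dogtag version` and name `_get_configured_version`. In `_get_configured_version`, `p.read("/etc/ipa/default.conf")` at line 1416 returns an empty list when the file is missing or unreadable and the code then answers 9, so a permissions problem on a Dogtag 10 host quietly turns every path into the pki-ca layout; checking the return value, e.g. `if not p.read("/etc/ipa/default.conf"): root_logger.debug("...")` (root_logger appears to come from the ipa_log_manager star import), makes that diagnosable. `Dogtag9Constants` also carries ADMIN_SECURE_PORT, EE_CLIENT_AUTH_PORT and TOMCAT_SERVER_PORT that `Dogtag10Constants` lacks, so a comment marking them Dogtag-9-only would warn readers that they must stay behind the DOGTAG_VERSION < 10 checks. Finally, line 1371 duplicates the binary path; `if os.path.exists(Dogtag10Constants.SPAWN_BINARY):` keeps one definition.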
@ -36,7 +137,8 @@ def get_ca_certchain(ca_host=None):
|
||||
if ca_host is None:
|
||||
ca_host = api.env.ca_host
|
||||
chain = None
|
||||
conn = httplib.HTTPConnection(ca_host, api.env.ca_install_port)
|
||||
conn = httplib.HTTPConnection(ca_host,
|
||||
api.env.ca_install_port or configured_constants().UNSECURE_PORT)
|
||||
conn.request("GET", "/ca/ee/ca/getCertChain")
|
||||
res = conn.getresponse()
|
||||
doc = None
|
||||
|
@ -293,19 +293,12 @@ def run(args, stdin=None, raiseonerr=True,
|
||||
raise
|
||||
|
||||
# The command and its output may include passwords that we don't want
|
||||
# to log. Run through the nolog items.
|
||||
# to log. Replace those.
|
||||
args = ' '.join(args)
|
||||
for value in nolog:
|
||||
if not isinstance(value, basestring):
|
||||
continue
|
||||
|
||||
quoted = urllib2.quote(value)
|
||||
shquoted = shell_quote(value)
|
||||
for nolog_value in (shquoted, value, quoted):
|
||||
if capture_output:
|
||||
stdout = stdout.replace(nolog_value, 'XXXXXXXX')
|
||||
stderr = stderr.replace(nolog_value, 'XXXXXXXX')
|
||||
args = args.replace(nolog_value, 'XXXXXXXX')
|
||||
if capture_output:
|
||||
stdout = nolog_replace(stdout, nolog)
|
||||
stderr = nolog_replace(stderr, nolog)
|
||||
args = nolog_replace(args, nolog)
|
||||
|
||||
root_logger.debug('args=%s' % args)
|
||||
if capture_output:
|
||||
@ -317,6 +310,20 @@ def run(args, stdin=None, raiseonerr=True,
|
||||
|
||||
return (stdout, stderr, p.returncode)
|
||||
|
||||
|
||||
def nolog_replace(string, nolog):
|
||||
"""Replace occurences of strings given in `nolog` with XXXXXXXX"""
|
||||
for value in nolog:
|
||||
if not isinstance(value, basestring):
|
||||
continue
|
||||
|
||||
quoted = urllib2.quote(value)
|
||||
shquoted = shell_quote(value)
|
||||
for nolog_value in (shquoted, value, quoted):
|
||||
string = string.replace(nolog_value, 'XXXXXXXX')
|
||||
return string
|
||||
|
||||
|
||||
def file_exists(filename):
|
||||
try:
|
||||
mode = os.stat(filename)[stat.ST_MODE]
|
||||
|
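Review bot: `nolog_replace` at lines 1592-1621 skips non-string entries but not empty strings, and `str.replace('', 'XXXXXXXX')` inserts the mask between every character, so an empty credential passed through `nolog` would turn the whole log line into noise rather than mask anything; add `or not value` to the `continue` condition. This matches the loop it was extracted from in `run` (lines 1528-1557), so it is not a regression, but the helper is now also used to log the contents of a whole pkispawn configuration file. Minor: 'occurences' in the docstring should be 'occurrences'.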
@ -34,10 +34,10 @@ wellknownports = {
|
||||
'dirsrv@PKI-IPA.service': [7389],
|
||||
'PKI-IPA': [7389],
|
||||
'dirsrv': [389], # this is only used if the incoming instance name is blank
|
||||
'pki-cad': [9180],
|
||||
'pki-tomcatd@pki-tomcat.service': [8080],
|
||||
'pki-tomcat': [8080],
|
||||
'pki-tomcatd': [8080], # used if the incoming instance name is blank
|
||||
'pki-cad': [9180]
|
||||
}
|
||||
|
||||
class AuthConfig(object):
|
||||
|
@ -48,6 +48,7 @@ import nss.nss as nss
|
||||
from ipapython import ipautil
|
||||
from ipapython import nsslib
|
||||
from ipapython import services as ipaservices
|
||||
from ipapython import dogtag
|
||||
|
||||
from ipaserver import ipaldap
|
||||
from ipaserver.install import service
|
||||
@ -64,11 +65,6 @@ DEFAULT_DSPORT=7389
|
||||
PKI_USER = "pkiuser"
|
||||
PKI_DS_USER = "pkisrv"
|
||||
|
||||
# These values come from /usr/share/pki/ca/setup/postinstall
|
||||
PKI_INSTANCE_NAME="pki-tomcat"
|
||||
AGENT_SECURE_PORT=8443
|
||||
|
||||
IPA_SERVICE_PROFILE = '/var/lib/pki/%s/ca/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME
|
||||
|
||||
# We need to reset the template because the CA uses the regular boot
|
||||
# information
|
||||
@ -92,9 +88,9 @@ def check_inst():
|
||||
"""
|
||||
|
||||
# Check for a couple of binaries we need
|
||||
if not os.path.exists('/bin/pkispawn'):
|
||||
if not os.path.exists(dogtag.install_constants.SPAWN_BINARY):
|
||||
return False
|
||||
if not os.path.exists('/bin/pkidestroy'):
|
||||
if not os.path.exists(dogtag.install_constants.DESTROY_BINARY):
|
||||
return False
|
||||
|
||||
# This is the template tomcat file for a CA
|
||||
@ -103,6 +99,32 @@ def check_inst():
|
||||
|
||||
return True
|
||||
|
||||
def get_preop_pin(instance_root, instance_name):
|
||||
# Only used for Dogtag 9
|
||||
preop_pin = None
|
||||
|
||||
filename = instance_root + "/" + instance_name + "/conf/CS.cfg"
|
||||
|
||||
# read the config file and get the preop pin
|
||||
try:
|
||||
f=open(filename)
|
||||
except IOError, e:
|
||||
root_logger.error("Cannot open configuration file." + str(e))
|
||||
raise e
|
||||
data = f.read()
|
||||
data = data.split('\n')
|
||||
pattern = re.compile("preop.pin=(.*)" )
|
||||
for line in data:
|
||||
match = re.search(pattern, line)
|
||||
if (match):
|
||||
preop_pin=match.group(1)
|
||||
break
|
||||
|
||||
if preop_pin is None:
|
||||
raise RuntimeError("Unable to find preop.pin in %s. Is your CA already configured?" % filename)
|
||||
|
||||
return preop_pin
|
||||
|
||||
def import_pkcs12(input_file, input_passwd, cert_database,
|
||||
cert_passwd):
|
||||
ipautil.run(["/usr/bin/pk12util", "-d", cert_database,
|
||||
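Review bot: `get_preop_pin` at lines 1774-1842 opens CS.cfg with `f=open(filename)` and never closes it, and `raise e` in the IOError handler discards the original traceback under Python 2 (a bare `raise` keeps it); the unescaped `.` in `preop.pin=(.*)` also matches any character. A `with` block that returns on the first match gives the same result and fixes the leak. get_preop_pin is complete within the hunk.
```python
def get_preop_pin(instance_root, instance_name):
    # Only used for Dogtag 9
    filename = instance_root + "/" + instance_name + "/conf/CS.cfg"
    pattern = re.compile(r"preop\.pin=(.*)")

    # read the config file and get the preop pin
    try:
        with open(filename) as f:
            for line in f:
                match = pattern.search(line)
                if match:
                    return match.group(1)
    except IOError, e:
        root_logger.error("Cannot open configuration file." + str(e))
        raise

    raise RuntimeError("Unable to find preop.pin in %s. Is your CA already configured?" % filename)
```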
@ -194,7 +216,7 @@ def get_outputList(data):
|
||||
return outputdict
|
||||
|
||||
class CADSInstance(service.Service):
|
||||
def __init__(self, host_name=None, realm_name=None, domain_name=None, dm_password=None):
|
||||
def __init__(self, host_name=None, realm_name=None, domain_name=None, dm_password=None, dogtag_constants=None):
|
||||
service.Service.__init__(self, "pkids", dm_password=dm_password, ldapi=False, autobind=service.DISABLED)
|
||||
self.serverid = "PKI-IPA"
|
||||
self.realm_name = realm_name
|
||||
@ -215,6 +237,10 @@ class CADSInstance(service.Service):
|
||||
else:
|
||||
self.suffix = DN()
|
||||
|
||||
if dogtag_constants is None:
|
||||
dogtag_constants = dogtag.configured_constants()
|
||||
self.dogtag_constants = dogtag_constants
|
||||
|
||||
subject_base = ipautil.dn_attribute_property('_subject_base')
|
||||
|
||||
def create_instance(self, realm_name, host_name, domain_name,
|
||||
@ -385,7 +411,8 @@ class CADSInstance(service.Service):
|
||||
'ocspSigningCert cert-pki-ca',
|
||||
'subsystemCert cert-pki-ca']:
|
||||
try:
|
||||
certmonger.stop_tracking('/etc/pki/pki-tomcat/alias', nickname=nickname)
|
||||
certmonger.stop_tracking(
|
||||
self.dogtag_constants.ALIAS_DIR, nickname=nickname)
|
||||
except (ipautil.CalledProcessError, RuntimeError), e:
|
||||
root_logger.error("certmonger failed to stop tracking certificate: %s" % str(e))
|
||||
|
||||
@ -413,8 +440,12 @@ class CAInstance(service.Service):
|
||||
2 = have signed cert, continue installation
|
||||
"""
|
||||
|
||||
def __init__(self, realm, ra_db):
|
||||
service.Service.__init__(self, "pki-tomcatd")
|
||||
def __init__(self, realm, ra_db, dogtag_constants=None):
|
||||
if dogtag_constants is None:
|
||||
dogtag_constants = dogtag.configured_constants()
|
||||
service.Service.__init__(self,
|
||||
'%sd' % dogtag_constants.PKI_INSTANCE_NAME)
|
||||
self.dogtag_constants = dogtag_constants
|
||||
self.realm = realm
|
||||
self.dm_password = None
|
||||
self.admin_password = None
|
||||
@ -438,7 +469,7 @@ class CAInstance(service.Service):
|
||||
self.ra_agent_pwd = self.ra_agent_db + "/pwdfile.txt"
|
||||
self.ds_port = DEFAULT_DSPORT
|
||||
self.domain_name = "IPA"
|
||||
self.server_root = "/var/lib/pki"
|
||||
self.server_root = dogtag_constants.SERVER_ROOT
|
||||
self.ra_cert = None
|
||||
self.requestId = None
|
||||
|
||||
@ -452,7 +483,8 @@ class CAInstance(service.Service):
|
||||
|
||||
Returns True/False
|
||||
"""
|
||||
return os.path.exists(self.server_root + '/' + PKI_INSTANCE_NAME)
|
||||
return os.path.exists(os.path.join(
|
||||
self.server_root, self.dogtag_constants.PKI_INSTANCE_NAME))
|
||||
|
||||
def configure_instance(self, host_name, dm_password,
|
||||
admin_password, ds_port=DEFAULT_DSPORT,
|
||||
@ -461,6 +493,8 @@ class CAInstance(service.Service):
|
||||
subject_base=None):
|
||||
"""Create a CA instance.
|
||||
|
||||
For Dogtag 9, this may involve creating the pki-ca instance.
|
||||
|
||||
To create a clone, pass in pkcs12_info.
|
||||
|
||||
Creating a CA with an external signer is a 2-step process. In
|
||||
@ -492,11 +526,18 @@ class CAInstance(service.Service):
|
||||
self.external=2
|
||||
|
||||
self.step("creating certificate server user", self.__create_ca_user)
|
||||
self.step("configuring certificate server instance", self.__spawn_instance)
|
||||
if self.dogtag_constants.DOGTAG_VERSION >= 10:
|
||||
self.step("configuring certificate server instance", self.__spawn_instance)
|
||||
else:
|
||||
if not ipautil.dir_exists("/var/lib/pki-ca"):
|
||||
self.step("creating pki-ca instance", self.create_instance)
|
||||
self.step("configuring certificate server instance", self.__configure_instance)
|
||||
self.step("disabling nonces", self.__disable_nonce)
|
||||
# Step 1 of external is getting a CSR so we don't need to do these
|
||||
# steps until we get a cert back from the external CA.
|
||||
if self.external != 1:
|
||||
if self.dogtag_constants.DOGTAG_VERSION < 10 and not self.clone:
|
||||
self.step("creating CA agent PKCS#12 file in /root", self.__create_ca_agent_pkcs12)
|
||||
if self.create_ra_agent_db:
|
||||
self.step("creating RA agent certificate database", self.__create_ra_agent_db)
|
||||
self.step("importing CA chain to RA certificate database", self.__import_ca_chain)
|
||||
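Review bot: Line 2086 tests the literal `"/var/lib/pki-ca"` although this commit routes every other Dogtag path through `self.dogtag_constants`, and the same value is available as `self.dogtag_constants.PKI_ROOT`; `if not ipautil.dir_exists(self.dogtag_constants.PKI_ROOT):` keeps the check in step with the constants. The same literal pattern appears in `create_instance` later in this diff (`'-pki_instance_root', '/var/lib'` where `self.dogtag_constants.SERVER_ROOT` exists). configure_instance starts and ends outside the hunk.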
@ -608,7 +649,12 @@ class CAInstance(service.Service):
|
||||
# Define the things we don't want logged
|
||||
nolog = (self.admin_password, self.dm_password,)
|
||||
|
||||
args = ["/bin/pkispawn", "-s", "CA", "-f", cfg_file ]
|
||||
args = ["/usr/sbin/pkispawn", "-s", "CA", "-f", cfg_file ]
|
||||
|
||||
with open(cfg_file) as f:
|
||||
root_logger.debug(
|
||||
'Contents of pkispawn configuration file (%s):\n%s' %
|
||||
(cfg_file, ipautil.nolog_replace(f.read(), nolog)))
|
||||
|
||||
try:
|
||||
ipautil.run(args, nolog=nolog)
|
||||
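Review bot: Lines 2141-2150 log the entire pkispawn configuration file at debug level, and the masking only covers the values in `nolog` (the admin and Directory Manager passwords); any other credential written into `cfg_file` — how it is built is outside the hunk — would reach the log in clear, so confirm that every secret placed in that file is also in `nolog`, or log only the non-secret keys. Line 2136 hard-codes `/usr/sbin/pkispawn` while `check_inst` earlier in this diff tests `dogtag.install_constants.SPAWN_BINARY`; `args = [self.dogtag_constants.SPAWN_BINARY, "-s", "CA", "-f", cfg_file]` keeps the check and the call consistent. The enclosing method starts and ends outside the hunk.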
@ -631,6 +677,33 @@ class CAInstance(service.Service):
|
||||
|
||||
root_logger.debug("completed creating ca instance")
|
||||
|
||||
def create_instance(self):
|
||||
"""
|
||||
If for some reason the instance doesn't exist, create a new one."
|
||||
"""
|
||||
# Only used for Dogtag 9
|
||||
|
||||
args = ['/usr/bin/pkicreate',
|
||||
'-pki_instance_root', '/var/lib',
|
||||
'-pki_instance_name',
|
||||
self.dogtag_constants.PKI_INSTANCE_NAME,
|
||||
'-subsystem_type', 'ca',
|
||||
'-agent_secure_port',
|
||||
str(self.dogtag_constants.AGENT_SECURE_PORT),
|
||||
'-ee_secure_port',
|
||||
str(self.dogtag_constants.EE_SECURE_PORT),
|
||||
'-admin_secure_port',
|
||||
str(self.dogtag_constants.ADMIN_SECURE_PORT),
|
||||
'-ee_secure_client_auth_port',
|
||||
str(self.dogtag_constants.EE_CLIENT_AUTH_PORT),
|
||||
'-unsecure_port', str(self.dogtag_constants.UNSECURE_PORT),
|
||||
'-tomcat_server_port',
|
||||
str(self.dogtag_constants.TOMCAT_SERVER_PORT),
|
||||
'-redirect', 'conf=/etc/pki-ca',
|
||||
'-redirect', 'logs=/var/log/pki-ca',
|
||||
'-enable_proxy'
|
||||
]
|
||||
ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn})
|
||||
|
||||
def __enable(self):
|
||||
self.backup_state("enabled", self.is_enabled())
|
||||
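Review bot: In `create_instance` the `-redirect` targets `conf=/etc/pki-ca` and `logs=/var/log/pki-ca` stay hard-coded while the instance name comes from `self.dogtag_constants.PKI_INSTANCE_NAME`, so the two can silently disagree; either state in the `# Only used for Dogtag 9` comment that the constant is always `pki-ca` on this path, or derive them, e.g. `'conf=/etc/%s' % self.dogtag_constants.PKI_INSTANCE_NAME`. The same fixed `/var/lib` root appears in the `pkiremove` call in the `uninstall` hunk. The docstring `If for some reason the instance doesn't exist, create a new one."` carries a stray `"` and describes a check the method does not make — it runs pkicreate unconditionally; `"""Create the Dogtag 9 CA instance by running pkicreate (no existence check)."""` is what the code does.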
@ -656,20 +729,128 @@ class CAInstance(service.Service):
|
||||
except ipautil.CalledProcessError, e:
|
||||
root_logger.critical("failed to add user %s" % e)
|
||||
|
||||
def __configure_instance(self):
|
||||
# Only used for Dogtag 9
|
||||
preop_pin = get_preop_pin(
|
||||
self.server_root, self.dogtag_constants.PKI_INSTANCE_NAME)
|
||||
|
||||
try:
|
||||
args = ["/usr/bin/perl", "/usr/bin/pkisilent", "ConfigureCA",
|
||||
"-cs_hostname", self.fqdn,
|
||||
"-cs_port", str(self.dogtag_constants.ADMIN_SECURE_PORT),
|
||||
"-client_certdb_dir", self.ca_agent_db,
|
||||
"-client_certdb_pwd", self.admin_password,
|
||||
"-preop_pin" , preop_pin,
|
||||
"-domain_name", self.domain_name,
|
||||
"-admin_user", "admin",
|
||||
"-admin_email", "root@localhost",
|
||||
"-admin_password", self.admin_password,
|
||||
"-agent_name", "ipa-ca-agent",
|
||||
"-agent_key_size", "2048",
|
||||
"-agent_key_type", "rsa",
|
||||
"-agent_cert_subject", str(DN(('CN', 'ipa-ca-agent'), self.subject_base)),
|
||||
"-ldap_host", self.fqdn,
|
||||
"-ldap_port", str(self.ds_port),
|
||||
"-bind_dn", "cn=Directory Manager",
|
||||
"-bind_password", self.dm_password,
|
||||
"-base_dn", str(self.basedn),
|
||||
"-db_name", "ipaca",
|
||||
"-key_size", "2048",
|
||||
"-key_type", "rsa",
|
||||
"-key_algorithm", "SHA256withRSA",
|
||||
"-save_p12", "true",
|
||||
"-backup_pwd", self.admin_password,
|
||||
"-subsystem_name", self.service_name,
|
||||
"-token_name", "internal",
|
||||
"-ca_subsystem_cert_subject_name", str(DN(('CN', 'CA Subsystem'), self.subject_base)),
|
||||
"-ca_subsystem_cert_subject_name", str(DN(('CN', 'CA Subsystem'), self.subject_base)),
|
||||
"-ca_ocsp_cert_subject_name", str(DN(('CN', 'OCSP Subsystem'), self.subject_base)),
|
||||
"-ca_server_cert_subject_name", str(DN(('CN', self.fqdn), self.subject_base)),
|
||||
"-ca_audit_signing_cert_subject_name", str(DN(('CN', 'CA Audit'), self.subject_base)),
|
||||
"-ca_sign_cert_subject_name", str(DN(('CN', 'Certificate Authority'), self.subject_base)) ]
|
||||
if self.external == 1:
|
||||
args.append("-external")
|
||||
args.append("true")
|
||||
args.append("-ext_csr_file")
|
||||
args.append(self.csr_file)
|
||||
elif self.external == 2:
|
||||
args.append("-external")
|
||||
args.append("true")
|
||||
args.append("-ext_ca_cert_file")
|
||||
args.append(self.cert_file)
|
||||
args.append("-ext_ca_cert_chain_file")
|
||||
args.append(self.cert_chain_file)
|
||||
else:
|
||||
args.append("-external")
|
||||
args.append("false")
|
||||
if (self.clone):
|
||||
"""sd = security domain --> all CS systems get registered to
|
||||
a security domain. This is set to the hostname and port of
|
||||
the master CA.
|
||||
"""
|
||||
# The install wizard expects the file to be here.
|
||||
cafile = self.pkcs12_info[0]
|
||||
shutil.copy(cafile, "/var/lib/pki-ca/alias/ca.p12")
|
||||
pent = pwd.getpwnam(PKI_USER)
|
||||
os.chown("/var/lib/pki-ca/alias/ca.p12", pent.pw_uid, pent.pw_gid )
|
||||
args.append("-clone")
|
||||
args.append("true")
|
||||
args.append("-clone_p12_file")
|
||||
args.append("ca.p12")
|
||||
args.append("-clone_p12_password")
|
||||
args.append(self.dm_password)
|
||||
args.append("-sd_hostname")
|
||||
args.append(self.master_host)
|
||||
args.append("-sd_admin_port")
|
||||
args.append("443")
|
||||
args.append("-sd_admin_name")
|
||||
args.append("admin")
|
||||
args.append("-sd_admin_password")
|
||||
args.append(self.admin_password)
|
||||
args.append("-clone_start_tls")
|
||||
args.append("true")
|
||||
args.append("-clone_uri")
|
||||
args.append("https://%s" % ipautil.format_netloc(self.master_host, 443))
|
||||
else:
|
||||
args.append("-clone")
|
||||
args.append("false")
|
||||
|
||||
# Define the things we don't want logged
|
||||
nolog = (self.admin_password, self.dm_password,)
|
||||
|
||||
ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn}, nolog=nolog)
|
||||
except ipautil.CalledProcessError, e:
|
||||
root_logger.critical("failed to configure ca instance %s" % e)
|
||||
raise RuntimeError('Configuration of CA failed')
|
||||
|
||||
if self.external == 1:
|
||||
print "The next step is to get %s signed by your CA and re-run ipa-server-install as:" % self.csr_file
|
||||
print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate"
|
||||
sys.exit(0)
|
||||
|
||||
# pkisilent makes a copy of the CA PKCS#12 file for us but gives
|
||||
# it a lousy name.
|
||||
if ipautil.file_exists("/root/tmp-ca.p12"):
|
||||
shutil.move("/root/tmp-ca.p12", "/root/cacert.p12")
|
||||
|
||||
root_logger.debug("completed creating ca instance")
|
||||
|
||||
def __restart_instance(self):
|
||||
try:
|
||||
self.restart(PKI_INSTANCE_NAME)
|
||||
self.restart(self.dogtag_constants.PKI_INSTANCE_NAME)
|
||||
except Exception:
|
||||
# TODO: roll back here?
|
||||
root_logger.critical("Failed to restart the certificate server. See the installation log for details.")
|
||||
|
||||
def __disable_nonce(self):
|
||||
# Turn off Nonces
|
||||
cfg_file = '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg'
|
||||
if installutils.update_file(cfg_file, 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
|
||||
update_result = installutils.update_file(
|
||||
self.dogtag_constants.CS_CFG_PATH, 'ca.enableNonces=true',
|
||||
'ca.enableNonces=false')
|
||||
if update_result != 0:
|
||||
raise RuntimeError("Disabling nonces failed")
|
||||
pent = pwd.getpwnam(PKI_USER)
|
||||
os.chown(cfg_file, pent.pw_uid, pent.pw_gid )
|
||||
os.chown(self.dogtag_constants.CS_CFG_PATH, pent.pw_uid, pent.pw_gid)
|
||||
|
||||
def __issue_ra_cert(self):
|
||||
# The CA certificate is in the agent DB but isn't trusted
|
||||
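Review bot: `__configure_instance` passes the Directory Manager and admin passwords on the pkisilent command line (`-bind_password`, `-admin_password`, `-client_certdb_pwd`, `-backup_pwd`, and on clones `-clone_p12_password` and `-sd_admin_password`), where they are visible in the process table to other local users for as long as pkisilent runs; `nolog` only keeps them out of the install log. If pkisilent offers no file-based way to supply them, that should be recorded at the top of the method: `# NOTE: pkisilent only accepts passwords as argv; nolog scrubs the log but the arguments are visible to local users while it runs.` The `-ca_subsystem_cert_subject_name` argument appears twice in the args list; if that is not a rendering artifact one copy should go. The clone branch also hard-codes `/var/lib/pki-ca/alias/ca.p12` while the instance name comes from `self.dogtag_constants.PKI_INSTANCE_NAME`, the same mismatch as in `create_instance`.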
@ -716,11 +897,12 @@ class CAInstance(service.Service):
|
||||
'-p', self.admin_password,
|
||||
'-d', self.ca_agent_db,
|
||||
'-r', '/ca/agent/ca/profileReview?requestId=%s' % self.requestId,
|
||||
'%s' % ipautil.format_netloc(self.fqdn, AGENT_SECURE_PORT),
|
||||
'%s' % ipautil.format_netloc(
|
||||
self.fqdn, self.dogtag_constants.AGENT_SECURE_PORT),
|
||||
]
|
||||
(stdout, stderr, returncode) = ipautil.run(args, nolog=(self.admin_password,))
|
||||
|
||||
data = stdout.split('\n')
|
||||
data = stdout.split(self.dogtag_constants.RACERT_LINE_SEP)
|
||||
params = get_defList(data)
|
||||
params['requestId'] = find_substring(data, "requestId")
|
||||
params['op'] = 'approve'
|
||||
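Review bot: The rewritten netloc argument `'%s' % ipautil.format_netloc(self.fqdn, self.dogtag_constants.AGENT_SECURE_PORT)` formats a string through `'%s'` for no effect; the argument is simply `ipautil.format_netloc(self.fqdn, self.dogtag_constants.AGENT_SECURE_PORT),`. The same pattern is in the profileProcess call in the next hunk. `__issue_ra_cert` starts and ends outside this hunk.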
@ -737,11 +919,12 @@ class CAInstance(service.Service):
|
||||
'-d', self.ca_agent_db,
|
||||
'-e', params,
|
||||
'-r', '/ca/agent/ca/profileProcess',
|
||||
'%s' % ipautil.format_netloc(self.fqdn, AGENT_SECURE_PORT),
|
||||
'%s' % ipautil.format_netloc(
|
||||
self.fqdn, self.dogtag_constants.AGENT_SECURE_PORT),
|
||||
]
|
||||
(stdout, stderr, returncode) = ipautil.run(args, nolog=(self.admin_password,))
|
||||
|
||||
data = stdout.split('\n')
|
||||
data = stdout.split(self.dogtag_constants.RACERT_LINE_SEP)
|
||||
outputList = get_outputList(data)
|
||||
|
||||
self.ra_cert = outputList['b64_cert']
|
||||
@ -858,6 +1041,21 @@ class CAInstance(service.Service):
|
||||
except Exception, e:
|
||||
raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
|
||||
|
||||
def __create_ca_agent_pkcs12(self):
|
||||
# Only used for Dogtag 9
|
||||
(pwd_fd, pwd_name) = tempfile.mkstemp()
|
||||
os.write(pwd_fd, self.admin_password)
|
||||
os.close(pwd_fd)
|
||||
try:
|
||||
ipautil.run(["/usr/bin/pk12util",
|
||||
"-n", "ipa-ca-agent",
|
||||
"-o", "/root/ca-agent.p12",
|
||||
"-d", self.ca_agent_db,
|
||||
"-k", pwd_name,
|
||||
"-w", pwd_name])
|
||||
finally:
|
||||
os.remove(pwd_name)
|
||||
|
||||
def __import_ca_chain(self):
|
||||
chain = self.__get_ca_chain()
|
||||
|
||||
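Review bot: In `__create_ca_agent_pkcs12` the `os.write(pwd_fd, self.admin_password)` and `os.close(pwd_fd)` run before the `try:`, so if either raises, the temp file that now holds the admin password is never removed; move `try:` directly under the `mkstemp()` line so the `finally: os.remove(pwd_name)` covers them. A one-line purpose comment would also help, e.g. `# Export the CA agent cert+key to /root/ca-agent.p12, protected with the admin password (Dogtag 9 only).`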
@ -921,7 +1119,8 @@ class CAInstance(service.Service):
|
||||
csr = pkcs10.strip_header(stdout)
|
||||
|
||||
# Send the request to the CA
|
||||
conn = httplib.HTTPConnection(self.fqdn, 8080)
|
||||
conn = httplib.HTTPConnection(
|
||||
self.fqdn, self.dogtag_constants.UNSECURE_PORT)
|
||||
params = urllib.urlencode({'profileId': 'caServerCert',
|
||||
'cert_request_type': 'pkcs10',
|
||||
'requestor_name': 'IPA Installer',
|
||||
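Review bot: The certificate request is submitted over plain HTTP on `self.dogtag_constants.UNSECURE_PORT`, and nothing on the new line says why that is acceptable; a comment should record the reasoning, e.g. `# Plain HTTP: the CA runs on this host and the request carries no secret; the issued cert is verified against the CA chain.` if that is in fact the case — I cannot see the response handling from here. The enclosing method starts and ends outside the hunk.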
@ -959,7 +1158,8 @@ class CAInstance(service.Service):
|
||||
|
||||
def __setup_sign_profile(self):
|
||||
# Tell the profile to automatically issue certs for RAs
|
||||
installutils.set_directive('/var/lib/pki/pki-tomcat/ca/profiles/ca/caJarSigningCert.cfg', 'auth.instance_id', 'raCertAuth', quotes=False, separator='=')
|
||||
installutils.set_directive(self.dogtag_constants.SIGN_PROFILE,
|
||||
'auth.instance_id', 'raCertAuth', quotes=False, separator='=')
|
||||
|
||||
def __enable_crl_publish(self):
|
||||
"""
|
||||
@ -967,9 +1167,9 @@ class CAInstance(service.Service):
|
||||
|
||||
http://www.redhat.com/docs/manuals/cert-system/8.0/admin/html/Setting_up_Publishing.html
|
||||
"""
|
||||
caconfig = "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
|
||||
caconfig = self.dogtag_constants.CS_CFG_PATH
|
||||
|
||||
publishdir='/var/lib/pki/pki-tomcat/ca/publish'
|
||||
publishdir = self.dogtag_constants.CRL_PUBLISH_PATH
|
||||
os.mkdir(publishdir)
|
||||
os.chmod(publishdir, 0755)
|
||||
pent = pwd.getpwnam(PKI_USER)
|
||||
@ -1006,7 +1206,7 @@ class CAInstance(service.Service):
|
||||
installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapXCertRule.enable', 'false', quotes=False, separator='=')
|
||||
|
||||
# Fix the CRL URI in the profile
|
||||
installutils.set_directive(IPA_SERVICE_PROFILE,
|
||||
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
|
||||
'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0',
|
||||
'https://%s/ipa/crl/MasterCRL.bin' % ipautil.format_netloc(self.fqdn),
|
||||
quotes=False, separator='=')
|
||||
@ -1016,7 +1216,8 @@ class CAInstance(service.Service):
|
||||
def __set_subject_in_config(self):
|
||||
# dogtag ships with an IPA-specific profile that forces a subject
|
||||
# format. We need to update that template with our base subject
|
||||
if installutils.update_file(IPA_SERVICE_PROFILE, 'OU=pki-ipa, O=IPA', str(self.subject_base)):
|
||||
if installutils.update_file(self.dogtag_constants.IPA_SERVICE_PROFILE,
|
||||
'OU=pki-ipa, O=IPA', str(self.subject_base)):
|
||||
print "Updating subject_base in CA template failed"
|
||||
|
||||
def uninstall(self):
|
||||
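Review bot: In `__set_subject_in_config` a failed `installutils.update_file(...)` is only reported with `print`, whereas the same call in `__disable_nonce` in this commit raises `RuntimeError`; a CA template that still carries `OU=pki-ipa, O=IPA` will issue certificates with the wrong subject base, so this should at least go through `root_logger` and arguably raise as well, e.g. `raise RuntimeError("Updating subject_base in CA template failed")`.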
@ -1028,8 +1229,16 @@ class CAInstance(service.Service):
|
||||
self.disable()
|
||||
|
||||
try:
|
||||
ipautil.run(["/bin/pkidestroy", "-i", "pki-tomcat",
|
||||
"-s", "CA"])
|
||||
if self.dogtag_constants.DOGTAG_VERSION >= 10:
|
||||
ipautil.run(["/usr/sbin/pkidestroy", "-i",
|
||||
self.dogtag_constants.PKI_INSTANCE_NAME,
|
||||
"-s", "CA"])
|
||||
else:
|
||||
ipautil.run(["/usr/bin/pkiremove",
|
||||
"-pki_instance_root=/var/lib",
|
||||
"-pki_instance_name=%s" %
|
||||
self.dogtag_constants.PKI_INSTANCE_NAME,
|
||||
"--force"])
|
||||
except ipautil.CalledProcessError, e:
|
||||
root_logger.critical("failed to uninstall CA instance %s" % e)
|
||||
|
||||
@ -1049,15 +1258,21 @@ class CAInstance(service.Service):
|
||||
os.chmod(location, 0444)
|
||||
|
||||
def __http_proxy(self):
|
||||
shutil.copy(ipautil.SHARE_DIR + "ipa-pki-proxy.conf",
|
||||
HTTPD_CONFD + "ipa-pki-proxy.conf")
|
||||
template_filename = ipautil.SHARE_DIR + "ipa-pki-proxy.conf"
|
||||
sub_dict = dict(DOGTAG_PORT=self.dogtag_constants.AJP_PORT)
|
||||
template = ipautil.template_file(template_filename, sub_dict)
|
||||
with open(HTTPD_CONFD + "ipa-pki-proxy.conf", "w") as fd:
|
||||
fd.write(template)
|
||||
|
||||
def track_servercert(self):
|
||||
try:
|
||||
pin = certmonger.get_pin('internal')
|
||||
except IOError, e:
|
||||
raise RuntimeError('Unable to determine PIN for CA instance: %s' % str(e))
|
||||
certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', 'Server-Cert cert-pki-ca', pin, None, '/etc/pki/pki-tomcat/alias', 'restart_pkicad "Server-Cert cert-pki-ca"')
|
||||
certmonger.dogtag_start_tracking(
|
||||
'dogtag-ipa-renew-agent', 'Server-Cert cert-pki-ca', pin, None,
|
||||
self.dogtag_constants.ALIAS_DIR,
|
||||
'restart_pkicad "Server-Cert cert-pki-ca"')
|
||||
|
||||
def configure_renewal(self):
|
||||
cmonger = ipaservices.knownservices.certmonger
|
||||
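Review bot: `__http_proxy` now creates `ipa-pki-proxy.conf` with `open(..., "w")`, which takes its mode from the process umask, whereas the `shutil.copy` it replaces carried over the mode of the shipped template; if a particular mode is relied on for the httpd config, set it explicitly after the write, e.g. `os.chmod(HTTPD_CONFD + "ipa-pki-proxy.conf", 0644)` (value to be confirmed against what the old copy produced). A short comment naming the substitution would also help: `# $DOGTAG_PORT in the template is the AJP port of the configured Dogtag instance.`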
@ -1074,7 +1289,9 @@ class CAInstance(service.Service):
|
||||
for nickname in ['auditSigningCert cert-pki-ca',
|
||||
'ocspSigningCert cert-pki-ca',
|
||||
'subsystemCert cert-pki-ca']:
|
||||
certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', nickname, pin, None, '/etc/pki/pki-tomcat/alias', 'renew_ca_cert "%s"' % nickname)
|
||||
certmonger.dogtag_start_tracking(
|
||||
'dogtag-ipa-renew-agent', nickname, pin, None,
|
||||
self.dogtag_constants.ALIAS_DIR, 'renew_ca_cert "%s"' % nickname)
|
||||
|
||||
# Set up the agent cert for renewal
|
||||
certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', 'ipaCert', None, '/etc/httpd/alias/pwdfile.txt', '/etc/httpd/alias', 'renew_ra_cert')
|
||||
@ -1118,7 +1335,10 @@ class CAInstance(service.Service):
|
||||
for nickname in ['auditSigningCert cert-pki-ca',
|
||||
'ocspSigningCert cert-pki-ca',
|
||||
'subsystemCert cert-pki-ca']:
|
||||
certmonger.dogtag_start_tracking('dogtag-ipa-retrieve-agent-submit', nickname, pin, None, '/etc/pki/pki-tomcat/alias', 'restart_pkicad "%s"' % nickname)
|
||||
certmonger.dogtag_start_tracking(
|
||||
'dogtag-ipa-retrieve-agent-submit', nickname, pin, None,
|
||||
self.dogtag_constants.ALIAS_DIR,
|
||||
'restart_pkicad "%s"' % nickname)
|
||||
|
||||
# The agent renewal is configured in import_ra_cert which is called
|
||||
# after the HTTP instance is created.
|
||||
@ -1127,33 +1347,40 @@ class CAInstance(service.Service):
|
||||
"""
|
||||
See if Subject Key Identifier is set in the profile and if not, add it.
|
||||
"""
|
||||
setlist = installutils.get_directive(IPA_SERVICE_PROFILE,
|
||||
setlist = installutils.get_directive(
|
||||
self.dogtag_constants.IPA_SERVICE_PROFILE,
|
||||
'policyset.serverCertSet.list', separator='=')
|
||||
|
||||
# this is the default setting from pki-tomcat. Don't touch it if a user
|
||||
# has manually modified it.
|
||||
# this is the default setting from pki-ca/pki-tomcat. Don't touch it
|
||||
# if a user has manually modified it.
|
||||
if setlist == '1,2,3,4,5,6,7,8':
|
||||
installutils.set_directive(IPA_SERVICE_PROFILE,
|
||||
installutils.set_directive(
|
||||
self.dogtag_constants.IPA_SERVICE_PROFILE,
|
||||
'policyset.serverCertSet.list',
|
||||
'1,2,3,4,5,6,7,8,10',
|
||||
quotes=False, separator='=')
|
||||
installutils.set_directive(IPA_SERVICE_PROFILE,
|
||||
installutils.set_directive(
|
||||
self.dogtag_constants.IPA_SERVICE_PROFILE,
|
||||
'policyset.serverCertSet.10.constraint.class_id',
|
||||
'noConstraintImpl',
|
||||
quotes=False, separator='=')
|
||||
installutils.set_directive(IPA_SERVICE_PROFILE,
|
||||
installutils.set_directive(
|
||||
self.dogtag_constants.IPA_SERVICE_PROFILE,
|
||||
'policyset.serverCertSet.10.constraint.name',
|
||||
'No Constraint',
|
||||
quotes=False, separator='=')
|
||||
installutils.set_directive(IPA_SERVICE_PROFILE,
|
||||
installutils.set_directive(
|
||||
self.dogtag_constants.IPA_SERVICE_PROFILE,
|
||||
'policyset.serverCertSet.10.default.class_id',
|
||||
'subjectKeyIdentifierExtDefaultImpl',
|
||||
quotes=False, separator='=')
|
||||
installutils.set_directive(IPA_SERVICE_PROFILE,
|
||||
installutils.set_directive(
|
||||
self.dogtag_constants.IPA_SERVICE_PROFILE,
|
||||
'policyset.serverCertSet.10.default.name',
|
||||
'Subject Key Identifier Extension Default',
|
||||
quotes=False, separator='=')
|
||||
installutils.set_directive(IPA_SERVICE_PROFILE,
|
||||
installutils.set_directive(
|
||||
self.dogtag_constants.IPA_SERVICE_PROFILE,
|
||||
'policyset.serverCertSet.10.default.params.critical',
|
||||
'false',
|
||||
quotes=False, separator='=')
|
||||
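Review bot: The six `installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, ..., quotes=False, separator='=')` calls repeat the profile path and the keyword arguments each time; binding the path once and iterating over (directive, value) pairs makes the intent — add policy 10, the Subject Key Identifier extension — visible in one place. The rest of the method, if there is more, is outside the hunk.
```python
profile = self.dogtag_constants.IPA_SERVICE_PROFILE
setlist = installutils.get_directive(
    profile, 'policyset.serverCertSet.list', separator='=')

# … unchanged: comment about the pki-ca/pki-tomcat default …
if setlist == '1,2,3,4,5,6,7,8':
    # Add policy 10: the Subject Key Identifier extension default.
    for directive, value in (
        ('policyset.serverCertSet.list', '1,2,3,4,5,6,7,8,10'),
        ('policyset.serverCertSet.10.constraint.class_id',
         'noConstraintImpl'),
        ('policyset.serverCertSet.10.constraint.name', 'No Constraint'),
        ('policyset.serverCertSet.10.default.class_id',
         'subjectKeyIdentifierExtDefaultImpl'),
        ('policyset.serverCertSet.10.default.name',
         'Subject Key Identifier Extension Default'),
        ('policyset.serverCertSet.10.default.params.critical', 'false'),
    ):
        installutils.set_directive(profile, directive, value,
                                   quotes=False, separator='=')
```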
@ -1173,7 +1400,7 @@ class CAInstance(service.Service):
|
||||
responsibility to handle changes on upgrades.
|
||||
"""
|
||||
master = installutils.get_directive(
|
||||
'/var/lib/pki/pki-tomcat/conf/ca/CS.cfg', 'subsystem.select', '=')
|
||||
self.dogtag_constants.CS_CFG_PATH, 'subsystem.select', '=')
|
||||
|
||||
return master == 'New'
|
||||
|
||||
@ -1198,12 +1425,14 @@ def install_replica_ca(config, postinstall=False):
|
||||
if not config.setup_ca:
|
||||
# We aren't configuring the CA in this step but we still need
|
||||
# a minimum amount of information on the CA for this IPA install.
|
||||
ca = CAInstance(config.realm_name, certs.NSS_DIR)
|
||||
ca = CAInstance(config.realm_name, certs.NSS_DIR,
|
||||
dogtag_constants=dogtag.install_constants)
|
||||
ca.dm_password = config.dirman_password
|
||||
ca.subject_base = config.subject_base
|
||||
return (ca, None)
|
||||
|
||||
ca = CAInstance(config.realm_name, certs.NSS_DIR)
|
||||
ca = CAInstance(config.realm_name, certs.NSS_DIR,
|
||||
dogtag_constants=dogtag.install_constants)
|
||||
ca.dm_password = config.dirman_password
|
||||
ca.subject_base = config.subject_base
|
||||
if ca.is_installed():
|
||||
@ -1213,14 +1442,15 @@ def install_replica_ca(config, postinstall=False):
|
||||
if ipautil.file_exists(config.dir + "/dogtagcert.p12"):
|
||||
pkcs12_info = (config.dir + "/dogtagcert.p12",
|
||||
config.dir + "/dirsrv_pin.txt")
|
||||
cs = CADSInstance()
|
||||
cs = CADSInstance(dogtag_constants=dogtag.install_constants)
|
||||
cs.create_instance(config.realm_name, config.host_name,
|
||||
config.domain_name, config.dirman_password,
|
||||
pkcs12_info)
|
||||
cs.load_pkcs12()
|
||||
cs.enable_ssl()
|
||||
cs.restart_instance()
|
||||
ca = CAInstance(config.realm_name, certs.NSS_DIR)
|
||||
ca = CAInstance(config.realm_name, certs.NSS_DIR,
|
||||
dogtag_constants=dogtag.install_constants)
|
||||
if postinstall:
|
||||
# If installing this afterward the Apache NSS database already
|
||||
# exists, don't remove it.
|
||||
@ -1240,10 +1470,10 @@ def install_replica_ca(config, postinstall=False):
|
||||
# unix service.
|
||||
|
||||
service.print_msg("Restarting the directory and certificate servers")
|
||||
ca.stop(PKI_INSTANCE_NAME)
|
||||
ca.stop(dogtag.install_constants.PKI_INSTANCE_NAME)
|
||||
ipaservices.knownservices.dirsrv.stop("PKI-IPA")
|
||||
ipaservices.knownservices.dirsrv.start("PKI-IPA")
|
||||
ca.start(PKI_INSTANCE_NAME)
|
||||
ca.start(dogtag.install_constants.PKI_INSTANCE_NAME)
|
||||
|
||||
return (ca, cs)
|
||||
|
||||
@ -1262,7 +1492,7 @@ def update_cert_config(nickname, cert):
|
||||
'subsystemCert cert-pki-ca': 'ca.subsystem.cert',
|
||||
'Server-Cert cert-pki-ca': 'ca.sslserver.cert' }
|
||||
|
||||
installutils.set_directive('/var/lib/pki/%s/conf/ca/CS.cfg' % PKI_INSTANCE_NAME,
|
||||
installutils.set_directive(dogtag.configured_constants().CS_CFG_PATH,
|
||||
directives[nickname],
|
||||
base64.b64encode(cert),
|
||||
quotes=False, separator='=')
|
||||
|
@ -660,8 +660,13 @@ class CertDB(object):
|
||||
f = open(self.passwd_fname, "r")
|
||||
password = f.readline()
|
||||
f.close()
|
||||
http_status, http_reason_phrase, http_headers, http_body = \
|
||||
dogtag.https_request(self.host_name, api.env.ca_ee_install_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
|
||||
result = dogtag.https_request(
|
||||
self.host_name,
|
||||
api.env.ca_ee_install_port or
|
||||
dogtag.install_constants.EE_SECURE_PORT,
|
||||
"/ca/ee/ca/profileSubmitSSLClient",
|
||||
self.secdir, password, "ipaCert", **params)
|
||||
http_status, http_reason_phrase, http_headers, http_body = result
|
||||
|
||||
if http_status != 200:
|
||||
raise CertificateOperationError(
|
||||
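Review bot: The rewritten `dogtag.https_request(...)` call, including the `api.env.ca_ee_install_port or dogtag.install_constants.EE_SECURE_PORT` fallback, is now duplicated verbatim in this hunk and the next one (`@ -743,8 +748,13 @@`); a private helper keeps the port-selection logic in one place so a later change cannot update one copy and miss the other. Both enclosing methods start and end outside their hunks.
```python
def _submit_ssl_client_request(self, password, **params):
    """Submit *params* to the CA's profileSubmitSSLClient endpoint.

    Uses the configured EE install port, falling back to the Dogtag
    install constants when none is configured. Returns the
    (status, reason_phrase, headers, body) tuple from dogtag.https_request.
    """
    return dogtag.https_request(
        self.host_name,
        api.env.ca_ee_install_port or
        dogtag.install_constants.EE_SECURE_PORT,
        "/ca/ee/ca/profileSubmitSSLClient",
        self.secdir, password, "ipaCert", **params)

# … at each call site, unchanged: password read from self.passwd_fname …
http_status, http_reason_phrase, http_headers, http_body = \
    self._submit_ssl_client_request(password, **params)
```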
@ -743,8 +748,13 @@ class CertDB(object):
|
||||
f = open(self.passwd_fname, "r")
|
||||
password = f.readline()
|
||||
f.close()
|
||||
http_status, http_reason_phrase, http_headers, http_body = \
|
||||
dogtag.https_request(self.host_name, api.env.ca_ee_install_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
|
||||
result = dogtag.https_request(
|
||||
self.host_name,
|
||||
api.env.ca_ee_install_port or
|
||||
dogtag.install_constants.EE_SECURE_PORT,
|
||||
"/ca/ee/ca/profileSubmitSSLClient",
|
||||
self.secdir, password, "ipaCert", **params)
|
||||
http_status, http_reason_phrase, http_headers, http_body = result
|
||||
if http_status != 200:
|
||||
raise RuntimeError("Unable to submit cert request")
|
||||
|
||||
|
@ -31,6 +31,7 @@ import installutils
|
||||
from ipapython import sysrestore
|
||||
from ipapython import ipautil
|
||||
from ipapython import services as ipaservices
|
||||
from ipapython import dogtag
|
||||
from ipalib import util, api
|
||||
|
||||
HTTPD_DIR = "/etc/httpd"
|
||||
@ -70,7 +71,13 @@ class HTTPInstance(service.Service):
|
||||
self.principal = "HTTP/%s@%s" % (self.fqdn, self.realm)
|
||||
self.dercert = None
|
||||
self.subject_base = subject_base
|
||||
self.sub_dict = {"REALM": realm, "FQDN": fqdn, "DOMAIN": self.domain, "AUTOREDIR": '' if auto_redirect else '#'}
|
||||
self.sub_dict = dict(
|
||||
REALM=realm,
|
||||
FQDN=fqdn,
|
||||
DOMAIN=self.domain,
|
||||
AUTOREDIR='' if auto_redirect else '#',
|
||||
CRL_PUBLISH_PATH=dogtag.install_constants.CRL_PUBLISH_PATH,
|
||||
)
|
||||
|
||||
# get a connection to the DS
|
||||
self.ldap_connect()
|
||||
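Review bot: `CRL_PUBLISH_PATH=dogtag.install_constants.CRL_PUBLISH_PATH` in `HTTPInstance.__init__` has to name the same directory that `CAInstance.__enable_crl_publish` creates from its own `self.dogtag_constants.CRL_PUBLISH_PATH`, but HTTPInstance always takes the install constants while CAInstance takes whatever it is constructed with, and nothing checks they agree. Add a comment on the new key, e.g. `# Must match the publish directory created by CAInstance.__enable_crl_publish.`; if HTTPInstance is ever built outside a fresh install, `dogtag.configured_constants()` may be the right source here — I cannot tell from this hunk.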
|
@ -47,7 +47,9 @@ from ipalib import errors
|
||||
from ipapython.dn import DN
|
||||
|
||||
# Used to determine install status
|
||||
IPA_MODULES = ['httpd', 'kadmin', 'dirsrv', 'pki-tomcatd', 'pkids', 'install', 'krb5kdc', 'ntpd', 'named', 'ipa_memcached']
|
||||
IPA_MODULES = [
|
||||
'httpd', 'kadmin', 'dirsrv', 'pki-cad', 'pki-tomcatd', 'pkids', 'install',
|
||||
'krb5kdc', 'ntpd', 'named', 'ipa_memcached']
|
||||
|
||||
class BadHostError(Exception):
|
||||
pass
|
||||
|
@ -23,6 +23,7 @@ import tempfile
|
||||
import pwd
|
||||
from ipapython import sysrestore
|
||||
from ipapython import ipautil
|
||||
from ipapython import dogtag
|
||||
from ipapython import services as ipaservices
|
||||
from ipalib import errors
|
||||
from ipapython.dn import DN
|
||||
@ -41,17 +42,6 @@ AUTO = 1
|
||||
ENABLED = 2
|
||||
DISABLED = 3
|
||||
|
||||
# Determine if we have an updated dogtag instance (dogtag 10+) or
|
||||
# an older one.
|
||||
dogtag_service = 'pki-cad'
|
||||
try:
|
||||
for line in open("/etc/ipa/default.conf", "r"):
|
||||
if "dogtag_version" in line:
|
||||
dogtag_service = 'pki-tomcatd'
|
||||
break
|
||||
except IOError, e:
|
||||
pass
|
||||
|
||||
# The service name as stored in cn=masters,cn=ipa,cn=etc. In the tuple
|
||||
# the first value is the *nix service name, the second the start order.
|
||||
SERVICE_LIST = {
|
||||
@ -60,7 +50,7 @@ SERVICE_LIST = {
|
||||
'DNS':('named', 30),
|
||||
'MEMCACHE':('ipa_memcached', 39),
|
||||
'HTTP':('httpd', 40),
|
||||
'CA':(dogtag_service, 50),
|
||||
'CA':('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 50),
|
||||
'ADTRUST':('smb', 60),
|
||||
'EXTID':('winbind', 70)
|
||||
}
|
||||
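Review bot: `'CA':('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 50)` in `SERVICE_LIST` calls `configured_constants()` at import time of the module, so the service name is frozen when `service` is first imported, and it encodes the "instance name plus `d`" convention (`pki-cad`, `pki-tomcatd`) as string formatting rather than as a value the constants object provides. A comment should state both, e.g. `# Evaluated once at import: the CA service name is derived from the Dogtag instance name configured in default.conf (pki-ca -> pki-cad, pki-tomcat -> pki-tomcatd).`; exposing the service name directly from the dogtag constants would remove the formatting assumption.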
|
@ -1 +1,2 @@
|
||||
/var/lib/pki-ca/publish(/.*)? gen_context(system_u:object_r:cert_t,s0)
|
||||
/var/lib/pki/pki-tomcat/ca/publish(/.*)? gen_context(system_u:object_r:cert_t,s0)
|
||||
|