Use Dogtag 10 only when it is available

Put the changes from Ade's dogtag 10 patch into namespaced constants in dogtag.py, which are then referenced in the code. Make ipaserver.install.CAInstance use the service name specified in the configuration. Uninstallation, where config is removed before CA uninstall, also uses the (previously) configured value. This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
2025-02-25 18:55:28 -06:00 · 2012-08-23 12:38:45 -04:00
parent 3dd31a8756
commit 4f76c143d2
24 changed files with 516 additions and 138 deletions
--- a/install/conf/ipa-pki-proxy.conf
+++ b/install/conf/ipa-pki-proxy.conf
@@ -1,4 +1,4 @@
-# VERSION 1 - DO NOT REMOVE THIS LINE
+# VERSION 2 - DO NOT REMOVE THIS LINE

 ProxyRequests Off

@@ -6,22 +6,22 @@ ProxyRequests Off
 <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient none
-    ProxyPassMatch ajp://localhost:8009
-    ProxyPassReverse ajp://localhost:8009
+    ProxyPassMatch ajp://localhost:$DOGTAG_PORT
+    ProxyPassReverse ajp://localhost:$DOGTAG_PORT
 </LocationMatch>

 # matches for admin port and installer
 <LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient none
-    ProxyPassMatch ajp://localhost:8009
-    ProxyPassReverse ajp://localhost:8009
+    ProxyPassMatch ajp://localhost:$DOGTAG_PORT
+    ProxyPassReverse ajp://localhost:$DOGTAG_PORT
 </LocationMatch>

 # matches for agent port and eeca port
 <LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient require
-    ProxyPassMatch ajp://localhost:8009
-    ProxyPassReverse ajp://localhost:8009
+    ProxyPassMatch ajp://localhost:$DOGTAG_PORT
+    ProxyPassReverse ajp://localhost:$DOGTAG_PORT
 </LocationMatch>
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 #
-# VERSION 7 - DO NOT REMOVE THIS LINE
+# VERSION 8 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
@@ -105,8 +105,8 @@ Alias /ipa/config "/usr/share/ipa/html"


 # For CRL publishing
-Alias /ipa/crl "/var/lib/pki/tomcat-ca/ca/publish"
-<Directory "/var/lib/pki/tomcat-ca/ca/publish">
+Alias /ipa/crl "$CRL_PUBLISH_PATH"
+<Directory "$CRL_PUBLISH_PATH">
  SetHandler None
  AllowOverride None
  Options Indexes FollowSymLinks
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -32,6 +32,7 @@ from ipapython.dn import DN
 from ipalib import errors
 from ipapython import services as ipaservices
 from ipapython import ipautil
+from ipapython import dogtag
 from ipaserver.install import certs
 from ipaserver.plugins.ldap2 import ldap2
 from ipaserver.install.cainstance import update_cert_config
@@ -45,11 +46,9 @@ nickname = sys.argv[1]
 api.bootstrap(context='restart')
 api.finalize()

-alias_dir = '/etc/pki/pki-tomcat/alias'
-dogtag_instance = 'pki-tomcat'
-if 'dogtag_version' not in api.env:
-    alias_dir = '/var/lib/pki-ca/alias'
-    dogtag_instance = 'pki-ca'
+configured_constants = dogtag.configured_constants(api)
+alias_dir = configured_constants.ALIAS_DIR
+dogtag_instance = configured_constants.PKI_INSTANCE_NAME

 # Fetch the new certificate
 db = certs.CertDB(api.env.realm, nssdir=alias_dir)
@@ -112,5 +111,5 @@ time.sleep(pause)
 try:
    ipaservices.knownservices.pki_cad.restart(dogtag_instance)
 except Exception, e:
-    syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" % \
+    syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" %
                  (dogtag_instance, str(e)))
--- a/install/restart_scripts/restart_pkicad
+++ b/install/restart_scripts/restart_pkicad
@@ -22,6 +22,7 @@
 import sys
 import syslog
 from ipapython import services as ipaservices
+from ipapython import dogtag
 from ipaserver.install import certs
 from ipalib import api

@@ -30,18 +31,16 @@ nickname = sys.argv[1]
 api.bootstrap(context='restart')
 api.finalize()

-alias_dir = '/etc/pki/pki-tomcat/alias'
-dogtag_instance = 'pki-tomcat'
-if 'dogtag_version' not in api.env:
-    alias_dir = '/var/lib/pki-ca/alias'
-    dogtag_instance = 'pki-ca'
+configured_constants = dogtag.configured_constants(api)
+alias_dir = configured_constants.ALIAS_DIR
+dogtag_instance = configured_constants.PKI_INSTANCE_NAME

-syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted %sd, nickname '%s'" % \
+syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted %sd, nickname '%s'" %
              (dogtag_instance, nickname))

 # Fix permissions on the audit cert if we're updating it
 if nickname == 'auditSigningCert cert-pki-ca':
-    db = certs.CertDB(api.env.realm, nssdir = alias_dir )
+    db = certs.CertDB(api.env.realm, nssdir=alias_dir)
    args = ['-M',
            '-n', nickname,
            '-t', 'u,u,Pu',
@@ -54,5 +53,5 @@ try:
    ipaservices.knownservices.pki_cad.stop(dogtag_instance)
    ipaservices.knownservices.pki_cad.start(dogtag_instance)
 except Exception, e:
-    syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" % \
+    syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" %
                  (dogtag_instance, str(e)))
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -37,6 +37,7 @@ from ipapython import version
 from ipalib import api, util
 from ipapython.config import IPAOptionParser
 from ipapython import sysrestore
+from ipapython import dogtag
 from ipapython.ipa_log_manager import *

 log_file_name = "/var/log/ipareplica-ca-install.log"
@@ -156,10 +157,11 @@ def main():
    # We need to restart apache as we drop a new config file in there
    ipaservices.knownservices.httpd.restart(capture_output=True)

-    #update dogtag version in config file to denote new instance
+    #update dogtag version in config file
    try:
        fd = open("/etc/ipa/default.conf", "a")
-        fd.write("dogtag_version=10\n")
+        fd.write(
+            "dogtag_version=%s\n" % dogtag.install_constants.DOGTAG_VERSION)
        fd.close()
    except IOError, e:
        print "Failed to update /etc/ipa/default.conf"
--- a/install/tools/ipa-csreplica-manage
+++ b/install/tools/ipa-csreplica-manage
@@ -29,6 +29,7 @@ from ipapython import ipautil
 from ipaserver.install import replication, installutils
 from ipaserver import ipaldap
 from ipapython import version
+from ipapython import dogtag
 from ipalib import api, errors, util
 from ipapython.dn import DN

@@ -80,7 +81,7 @@ class CSReplicationManager(replication.ReplicationManager):
        """
        dn = None
        cn = None
-        instance_name = 'pki-tomcat'
+        instance_name = dogtag.configured_constants(api).PKI_INSTANCE_NAME

        # if master is not None we know what dn to return:
        if master is not None:
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -42,6 +42,7 @@ from ipapython.config import IPAOptionParser
 from ipapython import sysrestore
 from ipapython import services as ipaservices
 from ipapython.ipa_log_manager import *
+from ipapython import dogtag
 from ipapython.dn import DN

 log_file_name = "/var/log/ipareplica-install.log"
@@ -376,7 +377,8 @@ def main():
        if ipautil.file_exists(config.dir + "/cacert.p12"):
            fd.write("enable_ra=True\n")
            fd.write("ra_plugin=dogtag\n")
-            fd.write("dogtag_version=10\n")
+            fd.write("dogtag_version=%s\n" %
+                dogtag.install_constants.DOGTAG_VERSION)
        fd.write("mode=production\n")
        fd.close()
    finally:
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -33,6 +33,7 @@ from ipaserver.install.replication import enable_replication_version_checking
 from ipaserver.install.installutils import resolve_host, BadHostError, HostLookupError
 from ipaserver.plugins.ldap2 import ldap2
 from ipapython import version
+from ipapython import dogtag
 from ipapython.config import IPAOptionParser
 from ipalib import api, errors, util
 from ipapython.dn import DN
@@ -304,7 +305,9 @@ def main():
        if options.reverse_zone and not bindinstance.verify_reverse_zone(options.reverse_zone, options.ip_address):
            sys.exit(1)

-    if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki/pki-tomcat/conf/ca/CS.cfg") and not options.dirsrv_pin:
+    if (not certs.ipa_self_signed() and
+            not ipautil.file_exists(dogtag.configured_constants().CS_CFG_PATH) and
+            not options.dirsrv_pin):
        sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.")

    check_ipa_configuration(api.env.realm)
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -58,6 +58,7 @@ from ipaserver.plugins.ldap2 import ldap2
 from ipapython import sysrestore
 from ipapython.ipautil import *
 from ipapython import ipautil
+from ipapython import dogtag
 from ipalib import api, errors, util
 from ipapython.config import IPAOptionParser
 from ipalib.x509 import load_certificate_from_file, load_certificate_chain_from_file
@@ -465,6 +466,9 @@ def uninstall():
    except Exception, e:
        pass

+    # Need to get dogtag info before /etc/ipa/default.conf is removed
+    dogtag_constants = dogtag.configured_constants()
+
    print "Removing IPA client configuration"
    try:
        (stdout, stderr, rc) = run(["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--uninstall"], raiseonerr=False)
@@ -477,10 +481,13 @@ def uninstall():
        print "ipa-client-install returned: " + str(e)

    ntpinstance.NTPInstance(fstore).uninstall()
-    if cainstance.CADSInstance().is_configured():
-        cainstance.CADSInstance().uninstall()
-    if cainstance.CAInstance(api.env.realm, certs.NSS_DIR).is_configured():
-        cainstance.CAInstance(api.env.realm, certs.NSS_DIR).uninstall()
+    cads_instance = cainstance.CADSInstance(dogtag_constants=dogtag_constants)
+    if cads_instance.is_configured():
+        cads_instance.uninstall()
+    ca_instance = cainstance.CAInstance(
+        api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants)
+    if ca_instance.is_configured():
+        ca_instance.uninstall()
    bindinstance.BindInstance(fstore).uninstall()
    httpinstance.HTTPInstance(fstore).uninstall()
    krbinstance.KrbInstance(fstore).uninstall()
@@ -853,7 +860,8 @@ def main():
    fd.write("enable_ra=True\n")
    if not options.selfsign:
        fd.write("ra_plugin=dogtag\n")
-        fd.write("dogtag_version=10\n")
+        fd.write("dogtag_version=%s\n" %
+            dogtag.install_constants.DOGTAG_VERSION)
    fd.write("mode=production\n")
    fd.close()

@@ -916,7 +924,8 @@ def main():
        cs = cainstance.CADSInstance(host_name, realm_name, domain_name, dm_password)
        if not cs.is_configured():
            cs.create_instance(realm_name, host_name, domain_name, dm_password, subject_base=options.subject)
-        ca = cainstance.CAInstance(realm_name, certs.NSS_DIR)
+        ca = cainstance.CAInstance(realm_name, certs.NSS_DIR,
+            dogtag_constants=dogtag.install_constants)
        if external == 0:
            ca.configure_instance(host_name, dm_password, dm_password,
                                  subject_base=options.subject)
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -29,6 +29,7 @@ try:
    from ipapython.config import IPAOptionParser
    from ipapython.ipa_log_manager import *
    from ipapython import certmonger
+    from ipapython import dogtag
    from ipaserver.install import installutils
    from ipaserver.install import dsinstance
    from ipaserver.install import httpinstance
@@ -458,7 +459,7 @@ def enable_certificate_renewal(realm):
            ca.configure_agent_renewal()
        ca.track_servercert()
        sysupgrade.set_upgrade_state('dogtag', 'renewal_configured', True)
-        ca.restart(cainstance.PKI_INSTANCE_NAME)
+        ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
        root_logger.debug('CA subsystem certificate renewal enabled')

 def main():
@@ -495,7 +496,14 @@ def main():
    check_certs()

    auto_redirect = find_autoredirect(fqdn)
-    sub_dict = { "REALM" : api.env.realm, "FQDN": fqdn, "AUTOREDIR": '' if auto_redirect else '#'}
+    configured_constants = dogtag.configured_constants()
+    sub_dict = dict(
+        REALM=api.env.realm,
+        FQDN=fqdn,
+        AUTOREDIR='' if auto_redirect else '#',
+        CRL_PUBLISH_PATH=configured_constants.CRL_PUBLISH_PATH,
+        DOGTAG_PORT=configured_constants.AJP_PORT,
+    )

    upgrade(sub_dict, "/etc/httpd/conf.d/ipa.conf", ipautil.SHARE_DIR + "ipa.conf")
    upgrade(sub_dict, "/etc/httpd/conf.d/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf")
--- a/install/ui/test/data/ipa_init.json
+++ b/install/ui/test/data/ipa_init.json
@@ -669,12 +669,12 @@
                "result": {
                    "basedn": "dc=dev,dc=example,dc=com",
                    "bin": "/var/www",
-                    "ca_agent_install_port": 8443,
+                    "ca_agent_install_port": 9443,
                    "ca_agent_port": 443,
-                    "ca_ee_install_port": 8443,
+                    "ca_ee_install_port": 9444,
                    "ca_ee_port": 443,
                    "ca_host": "dev.example.com",
-                    "ca_install_port": 8080,
+                    "ca_install_port": 9180,
                    "ca_port": 80,
                    "conf": "/etc/ipa/server.conf",
                    "conf_default": "/etc/ipa/default.conf",