smart-card advises: add steps to store smart card signing CA cert

On master, upload the CA certificate to IPA LDAP and NSS databases. On
both master and client run ipa-certupdate to update client-side CA
certificate bundles used as PKINIT anchors.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Martin Babinsky 2017-06-21 18:52:57 +02:00 committed by Martin Basti
parent 69ba5f9422
commit 584abe5b68


@ -3,6 +3,7 @@
# #
from ipalib.plugable import Registry from ipalib.plugable import Registry
from ipaplatform import services
from ipaplatform.paths import paths from ipaplatform.paths import paths
from ipaserver.advise.base import Advice from ipaserver.advise.base import Advice
from ipaserver.install.httpinstance import NSS_OCSP_ENABLED from ipaserver.install.httpinstance import NSS_OCSP_ENABLED
@ -19,6 +20,16 @@ class common_smart_card_auth_config(Advice):
systemwide_nssdb = paths.NSS_DB_DIR systemwide_nssdb = paths.NSS_DB_DIR
smart_card_ca_cert_variable_name = "SC_CA_CERT" smart_card_ca_cert_variable_name = "SC_CA_CERT"
def check_ccache_not_empty(self):
self.log.comment('Check whether the credential cache is not empty')
self.log.exit_on_failed_command(
'klist',
[
"Credential cache is empty",
'Use kinit as privileged user to obtain Kerberos credentials'
])
def check_and_set_ca_cert_path(self): def check_and_set_ca_cert_path(self):
ca_path_variable = self.smart_card_ca_cert_variable_name ca_path_variable = self.smart_card_ca_cert_variable_name
self.log.command("{}=$1".format(ca_path_variable)) self.log.command("{}=$1".format(ca_path_variable))
@ -40,6 +51,20 @@ class common_smart_card_auth_config(Advice):
) )
) )
def install_smart_card_signing_ca_cert(self):
self.log.exit_on_failed_command(
'ipa-cacert-manage install ${} -t CT,C,C'.format(
self.smart_card_ca_cert_variable_name
),
['Failed to install external CA certificate to IPA']
)
def update_ipa_ca_certificate_store(self):
self.log.exit_on_failed_command(
'ipa-certupdate',
['Failed to update IPA CA certificate database']
)
@register() @register()
class config_server_for_smart_card_auth(common_smart_card_auth_config): class config_server_for_smart_card_auth(common_smart_card_auth_config):
@ -56,6 +81,7 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
nss_conf = paths.HTTPD_NSS_CONF nss_conf = paths.HTTPD_NSS_CONF
nss_ocsp_directive = 'NSSOCSP' nss_ocsp_directive = 'NSSOCSP'
nss_nickname_directive = 'NSSNickname' nss_nickname_directive = 'NSSNickname'
kdc_service_name = services.knownservices.krb5kdc.systemd_name
def get_info(self): def get_info(self):
self.log.exit_on_nonroot_euid() self.log.exit_on_nonroot_euid()
@ -70,15 +96,8 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
self.check_and_enable_pkinit() self.check_and_enable_pkinit()
self.enable_ok_to_auth_as_delegate_on_http_principal() self.enable_ok_to_auth_as_delegate_on_http_principal()
self.upload_smartcard_ca_certificate_to_systemwide_db() self.upload_smartcard_ca_certificate_to_systemwide_db()
self.update_ipa_ca_certificate_store()
def check_ccache_not_empty(self): self.restart_kdc()
self.log.comment('Check whether the credential cache is not empty')
self.log.exit_on_failed_command(
'klist',
[
"Credential cache is empty",
'Use kinit as privileged user to obtain Kerberos credentials'
])
def check_hostname_is_in_masters(self): def check_hostname_is_in_masters(self):
self.log.comment('Check whether the host is IPA master') self.log.comment('Check whether the host is IPA master')
@ -193,6 +212,12 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
["Failed to set OK_AS_AUTH_AS_DELEGATE flag on HTTP principal"] ["Failed to set OK_AS_AUTH_AS_DELEGATE flag on HTTP principal"]
) )
def restart_kdc(self):
self.log.exit_on_failed_command(
'systemctl restart {}'.format(self.kdc_service_name),
['Failed to restart KDC. Please restart the service manually.']
)
@register() @register()
class config_client_for_smart_card_auth(common_smart_card_auth_config): class config_client_for_smart_card_auth(common_smart_card_auth_config):
@ -214,11 +239,14 @@ class config_client_for_smart_card_auth(common_smart_card_auth_config):
def get_info(self): def get_info(self):
self.log.exit_on_nonroot_euid() self.log.exit_on_nonroot_euid()
self.check_and_set_ca_cert_path() self.check_and_set_ca_cert_path()
self.check_ccache_not_empty()
self.check_and_remove_pam_pkcs11() self.check_and_remove_pam_pkcs11()
self.install_opensc_and_dconf_packages() self.install_opensc_and_dconf_packages()
self.start_enable_smartcard_daemon() self.start_enable_smartcard_daemon()
self.add_pkcs11_module_to_systemwide_db() self.add_pkcs11_module_to_systemwide_db()
self.upload_smartcard_ca_certificate_to_systemwide_db() self.upload_smartcard_ca_certificate_to_systemwide_db()
self.install_smart_card_signing_ca_cert()
self.update_ipa_ca_certificate_store()
self.run_authconfig_to_configure_smart_card_auth() self.run_authconfig_to_configure_smart_card_auth()
self.restart_sssd() self.restart_sssd()
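Review bot: In `install_smart_card_signing_ca_cert` (the `-40,6 +51,20` hunk) the generated shell line `ipa-cacert-manage install ${} -t CT,C,C` expands to an unquoted `$SC_CA_CERT`, so a CA path containing whitespace is word-split into several arguments before it reaches the tool; the variable is assigned from `$1` in `check_and_set_ca_cert_path`, which is also unquoted, so the split can happen at either point. The trust string also grants the external smart-card CA trust for e-mail and object signing in every NSS database that `ipa-certupdate` later refreshes, which looks broader than client-certificate (PKINIT) trust needs — `CT,,` would be the narrower choice unless some consumer actually relies on the extra trust bits, which the hunk does not show. A minimal change is `'ipa-cacert-manage install "${}" -t CT,,'.format(` with the rest of the call unchanged. The `get_info` method ending at `self.restart_sssd()` appears to continue past the visible hunk, so any call added after it is not reviewed here.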