Use Realm as certs subject base name

Also use the realm name as nickname for the CA certificate
2025-01-11 00:31:56 -06:00 · 2010-11-01 13:51:14 -04:00 · 2010-11-01 13:51:14 -04:00 · 74ba0cc7c1
commit 74ba0cc7c1
parent 775fc23738
12 changed files with 53 additions and 39 deletions
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@ -48,7 +48,7 @@ class ReplicaConfig:
        self.host_name = ""
        self.repl_password = ""
        self.dir = ""
-        self.subject_base = "O=IPA"
+        self.subject_base = ""

 def parse_options():
    usage = "%prog [options] REPLICA_FILE"
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@ -103,14 +103,14 @@ def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname, subjec
    try:
        self_signed = certs.ipa_self_signed()

-        db = certs.CertDB(dir, subject_base=subject_base)
+        db = certs.CertDB(dir, realm_name, subject_base=subject_base)
        db.create_passwd_file()
 #        if self_signed:
 #            ca_db = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name)))
 #            db.create_from_cacert(ca_db.cacert_fname)
 #        else:
 #            ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host)
-        ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host, subject_base=subject_base)
+        ca_db = certs.CertDB(httpinstance.NSS_DIR, realm_name, host_name=api.env.host, subject_base=subject_base)
        db.create_from_cacert(ca_db.cacert_fname)
        db.create_server_cert("Server-Cert", hostname, ca_db)
    except Exception, e:
@ -148,7 +148,7 @@ def export_ra_pkcs12(dir, dm_password):

    try:
        try:
-            db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host)
+            db = certs.CertDB(httpinstance.NSS_DIR, api.env.realm, host_name=api.env.host)

            if db.has_nickname("ipaCert"):
                pkcs12_fname = "%s/ra.p12" % dir
--- a/install/tools/ipa-server-certinstall
+++ b/install/tools/ipa-server-certinstall
@ -89,7 +89,7 @@ def choose_server_cert(server_certs):
    return server_certs[num - 1]

 def import_cert(dirname, pkcs12_fname, pkcs12_passwd, db_password):
-    cdb = certs.CertDB(dirname)
+    cdb = certs.CertDB(dirname, api.env.realm)
    cdb.create_passwd_file(db_password)
    cdb.create_certdbs()
    [pw_fd, pw_name] = tempfile.mkstemp()
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@ -122,8 +122,8 @@ def parse_options():
                      help="The starting uid value (default random)")
    parser.add_option("--gidstart", dest="gidstart", default=namespace, type=int,
                      help="The starting gid value (default random)")
-    parser.add_option("--subject", dest="subject", default="O=IPA",
-                      help="The certificate subject base (default O=IPA)")
+    parser.add_option("--subject", dest="subject",
+                      help="The certificate subject base (default O=<realm-name>)")
    parser.add_option("--no_hbac_allow", dest="hbac_allow", default=False,
                      action="store_true",
                      help="Don't install allow_all HBAC rule")
@ -402,8 +402,8 @@ def uninstall():
    ntpinstance.NTPInstance(fstore).uninstall()
    if cainstance.CADSInstance().is_configured():
        cainstance.CADSInstance().uninstall()
-    if cainstance.CAInstance().is_configured():
-        cainstance.CAInstance().uninstall()
+    if cainstance.CAInstance(api.env.realm).is_configured():
+        cainstance.CAInstance(api.env.realm).uninstall()
    bindinstance.BindInstance(fstore).uninstall()
    httpinstance.HTTPInstance(fstore).uninstall()
    krbinstance.KrbInstance(fstore).uninstall()
@ -465,7 +465,6 @@ def main():
    global fstore
    fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')

-
    # Configuration for ipalib, we will bootstrap and finalize later, after
    # we are sure we have the configuration file ready.
    cfg = dict(
@ -610,6 +609,9 @@ def main():
    else:
        realm_name = options.realm_name.upper()

+    if not options.subject:
+        options.subject = "O=%s" % realm_name
+
    if not options.dm_password:
        dm_password = read_dm_password()
    else:
@ -689,7 +691,7 @@ def main():
        if options.external_cert_file is None:
            cs = cainstance.CADSInstance()
            cs.create_instance("pkisrv", realm_name, host_name, domain_name, dm_password)
-        ca = cainstance.CAInstance()
+        ca = cainstance.CAInstance(realm_name)
        if external == 0:
            ca.configure_instance("pkiuser", host_name, dm_password, dm_password, subject_base=options.subject)
        elif external == 1:
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@ -102,7 +102,7 @@ The starting user id number (default random)
 The starting group id number (default random)
 .TP
 \fB\-\-subject\fR=\fISUBJECT\fR
- The certificate subject base (default O=IPA)
+ The certificate subject base (default O=REALM.NAME)
 .TP
 \fB\-\-no_hbac_allow\fR
 Don't install allow_all HBAC rule. This rule lets any user from any host access any service on any other host. It is expected that users will remove this rule before moving to production.
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@ -521,8 +521,7 @@ def main():
    cli_server = None
    cli_realm = None
    cli_basedn = None
-
-    subject_base = "O=IPA"
+    subject_base = None

    if options.unattended and (options.password is None and options.principal is None and options.prompt_password is False) and not options.on_master:
        print "One of password and principal are required."
@ -597,6 +596,7 @@ def main():

    cli_realm = ds.getRealmName()
    cli_basedn = ds.getBaseDN()
+    subject_base = "O=%s" % ds.getRealmName()

    print "Realm: "+cli_realm
    print "DNS Domain: "+cli_domain
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@ -25,7 +25,9 @@ from ipalib.compat import sha1
 import shutil
 import os

-CA_NICKNAME = "IPA CA"
+CA_NICKNAME_FMT = "%s IPA CA"
+def get_ca_nickname(realm, format=CA_NICKNAME_FMT):
+    return format % realm

 class CertDB(object):
    """
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@ -36,7 +36,7 @@ import urllib
 import xml.dom.minidom
 import stat
 from ipapython import dogtag
-from ipapython.certdb import CA_NICKNAME
+from ipapython.certdb import get_ca_nickname
 from ipalib import pkcs10
 import subprocess

@ -365,8 +365,9 @@ class CAInstance(service.Service):
       2 = have signed cert, continue installation
    """

-    def __init__(self):
+    def __init__(self, realm):
        service.Service.__init__(self, "pki-cad")
+        self.realm = realm
        self.pki_user = "pkiuser"
        self.dm_password = None
        self.admin_password = None
@ -382,7 +383,7 @@ class CAInstance(service.Service):
        # The same database is used for mod_nss because the NSS context
        # will already have been initialized by Apache by the time
        # mod_python wants to do things.
-        self.canickname = CA_NICKNAME
+        self.canickname = get_ca_nickname(realm)
        self.basedn = "o=ipaca"
        self.ca_agent_db = tempfile.mkdtemp(prefix = "tmp-")
        self.ra_agent_db = "/etc/httpd/alias"
@ -400,7 +401,7 @@ class CAInstance(service.Service):
                           admin_password, ds_port=DEFAULT_DSPORT,
                           pkcs12_info=None, master_host=None, csr_file=None,
                           cert_file=None, cert_chain_file=None,
-                           subject_base="O=IPA"):
+                           subject_base=None):
        """Create a CA instance. This may involve creating the pki-ca instance
           dogtag instance.

@ -420,7 +421,10 @@ class CAInstance(service.Service):
        if self.pkcs12_info is not None:
            self.clone = True
        self.master_host = master_host
-        self.subject_base = subject_base
+        if subject_base is None:
+            self.subject_base = "O=%s" % self.realm
+        else:
+            self.subject_base = subject_base

        # Determine if we are installing as an externally-signed CA and
        # what stage we're in.
@ -1000,5 +1004,5 @@ if __name__ == "__main__":
    installutils.standard_logging_setup("install.log", False)
    cs = CADSInstance()
    cs.create_instance("dirsrv", "EXAMPLE.COM", "catest.example.com", "example.com", "password")
-    ca = CAInstance()
+    ca = CAInstance("EXAMPLE.COM")
    ca.configure_instance("pkiuser", "catest.example.com", "password", "password")
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@ -33,7 +33,7 @@ from ipapython import dogtag
 from ipapython import sysrestore
 from ipapython import ipautil
 from ipapython import certmonger
-from ipapython.certdb import CA_NICKNAME
+from ipapython.certdb import get_ca_nickname
 from ipalib import pkcs10
 from ConfigParser import RawConfigParser, MissingSectionHeaderError
 import service
@ -163,8 +163,9 @@ def next_replica(serial_file=CA_SERIALNO):
    return str(serial)

 class CertDB(object):
-    def __init__(self, nssdir, fstore=None, host_name=None, subject_base=None):
+    def __init__(self, nssdir, realm, fstore=None, host_name=None, subject_base=None):
        self.secdir = nssdir
+        self.realm = realm

        self.noise_fname = self.secdir + "/noise.txt"
        self.passwd_fname = self.secdir + "/pwdfile.txt"
@ -191,7 +192,7 @@ class CertDB(object):
        else:
            self.subject_format = "CN=%s,O=IPA"

-        self.cacert_name = CA_NICKNAME
+        self.cacert_name = get_ca_nickname(self.realm)
        self.valid_months = "120"
        self.keysize = "1024"

@ -345,10 +346,11 @@ class CertDB(object):

    def create_ca_cert(self):
        os.chdir(self.secdir)
+        subject = "cn=%s Certificate Authority" % self.realm
        p = subprocess.Popen(["/usr/bin/certutil",
                              "-d", self.secdir,
                              "-S", "-n", self.cacert_name,
-                              "-s", "cn=IPA Test Certificate Authority",
+                              "-s", subject,
                              "-x",
                              "-t", "CT,,C",
                              "-1",
@ -853,7 +855,10 @@ class CertDB(object):
            else:
                raise RuntimeError("unknown error import pkcs#12 file")

-    def export_pkcs12(self, pkcs12_fname, pkcs12_pwd_fname, nickname=CA_NICKNAME):
+    def export_pkcs12(self, pkcs12_fname, pkcs12_pwd_fname, nickname=None):
+        if nickname is None:
+            nickname = get_ca_nickname(api.env.realm)
+
        ipautil.run(["/usr/bin/pk12util", "-d", self.secdir,
                     "-o", pkcs12_fname,
                     "-n", nickname,
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@ -404,7 +404,7 @@ class DsInstance(service.Service):

    def __enable_ssl(self):
        dirname = config_dirname(self.serverid)
-        dsdb = certs.CertDB(dirname, subject_base=self.subject_base)
+        dsdb = certs.CertDB(dirname, self.realm_name, subject_base=self.subject_base)
        if self.pkcs12_info:
            dsdb.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1])
            server_certs = dsdb.find_server_certs()
@ -416,7 +416,7 @@ class DsInstance(service.Service):
            self.dercert = dsdb.get_cert_from_db(nickname)
        else:
            nickname = "Server-Cert"
-            cadb = certs.CertDB(httpinstance.NSS_DIR, host_name=self.fqdn, subject_base=self.subject_base)
+            cadb = certs.CertDB(httpinstance.NSS_DIR, self.realm_name, host_name=self.fqdn, subject_base=self.subject_base)
            if self.self_signed_ca:
                cadb.create_self_signed()
                dsdb.create_from_cacert(cadb.cacert_fname, passwd=None)
@ -529,7 +529,7 @@ class DsInstance(service.Service):
            # drop the trailing / off the config_dirname so the directory
            # will match what is in certmonger
            dirname = config_dirname(serverid)[:-1]
-            dsdb = certs.CertDB(dirname)
+            dsdb = certs.CertDB(dirname, self.realm_name)
            dsdb.untrack_server_cert("Server-Cert")
            erase_ds_instance_data(serverid)

@ -571,7 +571,7 @@ class DsInstance(service.Service):
        self.stop()

        dirname = config_dirname(realm_to_serverid(self.realm_name))
-        certdb = certs.CertDB(dirname, subject_base=self.subject_base)
+        certdb = certs.CertDB(dirname, self.realm_name, subject_base=self.subject_base)
        if not cacert_name or len(cacert_name) == 0:
            cacert_name = "Imported CA"
        # we can't pass in the nickname, so we set the instance variable
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@ -30,7 +30,7 @@ import dsinstance
 import installutils
 from ipapython import sysrestore
 from ipapython import ipautil
-from ipalib import util
+from ipalib import util, api

 HTTPD_DIR = "/etc/httpd"
 SSL_CONF = HTTPD_DIR + "/conf.d/ssl.conf"
@ -164,10 +164,10 @@ class HTTPInstance(service.Service):

    def __setup_ssl(self):
        if self.self_signed_ca:
-            ca_db = certs.CertDB(NSS_DIR, subject_base=self.subject_base)
+            ca_db = certs.CertDB(NSS_DIR, self.realm, subject_base=self.subject_base)
        else:
-            ca_db = certs.CertDB(NSS_DIR, host_name=self.fqdn, subject_base=self.subject_base)
-        db = certs.CertDB(NSS_DIR, subject_base=self.subject_base)
+            ca_db = certs.CertDB(NSS_DIR, self.realm, host_name=self.fqdn, subject_base=self.subject_base)
+        db = certs.CertDB(NSS_DIR, self.realm, subject_base=self.subject_base)
        if self.pkcs12_info:
            db.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1], passwd="")
            server_certs = db.find_server_certs()
@ -223,7 +223,7 @@ class HTTPInstance(service.Service):
        prefs_fd.close()

        # The signing cert is generated in __setup_ssl
-        db = certs.CertDB(NSS_DIR, subject_base=self.subject_base)
+        db = certs.CertDB(NSS_DIR, self.realm, subject_base=self.subject_base)

        pwdfile = open(db.passwd_fname)
        pwd = pwdfile.read()
@ -238,7 +238,7 @@ class HTTPInstance(service.Service):
        shutil.rmtree(tmpdir)

    def __publish_ca_cert(self):
-        ca_db = certs.CertDB(NSS_DIR)
+        ca_db = certs.CertDB(NSS_DIR, self.realm)
        shutil.copy(ca_db.cacert_fname, "/usr/share/ipa/html/ca.crt")
        os.chmod("/usr/share/ipa/html/ca.crt", 0444)

@ -252,7 +252,7 @@ class HTTPInstance(service.Service):
        if not running is None:
            self.stop()

-        db = certs.CertDB(NSS_DIR)
+        db = certs.CertDB(NSS_DIR, api.env.realm)
        db.untrack_server_cert("Server-Cert")
        if not enabled is None and not enabled:
            self.chkconfig_off()
--- a/ipaserver/plugins/selfsign.py
+++ b/ipaserver/plugins/selfsign.py
@ -39,7 +39,7 @@ from ipalib import Backend
 from ipalib import errors
 from ipalib import x509
 from ipalib import pkcs10
-from ipapython.certdb import CA_NICKNAME
+from ipapython.certdb import get_ca_nickname
 import subprocess
 import os
 import re
@ -47,6 +47,7 @@ from ipaserver.plugins import rabase
 from ipaserver.install import certs
 import tempfile
 from ipalib import  _
+from ipalib import  api
 from ipalib.plugins.cert import get_csr_hostname
 from nss.error import NSPRError

@ -157,7 +158,7 @@ class ra(rabase.rabase):
                "/usr/bin/certutil",
                "-C",
                "-d", self.sec_dir,
-                "-c", CA_NICKNAME,
+                "-c", get_ca_nickname(api.env.realm),
                "-i", csr_name,
                "-o", cert_name,
                "-m", str(serialno),