Removed clear text passwords from KRA install log.

The ipa-kra-install tool has been modified to use password files instead of clear text passwords when invoking pki tool such that the passwords are no longer visible in ipaserver-kra-install.log. https://fedorahosted.org/freeipa/ticket/5246 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-02-25 18:55:28 -06:00 · 2015-08-22 01:14:16 +02:00
parent d7b096486e
commit 8676364ae8
2 changed files with 10 additions and 8 deletions
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -343,6 +343,8 @@ class BasePathNamespace(object):
    SLAPD_INSTANCE_SOCKET_TEMPLATE = "/var/run/slapd-%s.socket"
    ALL_SLAPD_INSTANCE_SOCKETS = "/var/run/slapd-*.socket"
    ADMIN_CERT_PATH = '/root/.dogtag/pki-tomcat/ca_admin.cert'
+    KRA_NSSDB_PASSWORD_FILE = "/root/.dogtag/pki-tomcat/kra/password.conf"
+    KRA_PKCS12_PASSWORD_FILE = "/root/.dogtag/pki-tomcat/kra/pkcs12_password.conf"
    ENTROPY_AVAIL = '/proc/sys/kernel/random/entropy_avail'
    LDIF2DB = '/usr/sbin/ldif2db'
    DB2LDIF = '/usr/sbin/db2ldif'
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -275,16 +275,16 @@ class KRAInstance(DogtagInstance):
        # import CA certificate into temporary security database
        args = ["/usr/bin/pki",
            "-d", self.agent_db,
-            "-c", self.admin_password,
+            "-C", paths.KRA_NSSDB_PASSWORD_FILE,
            "client-cert-import",
            "--pkcs12", paths.KRACERT_P12,
-            "--pkcs12-password", self.admin_password]
+            "--pkcs12-password-file", paths.KRA_PKCS12_PASSWORD_FILE]
        ipautil.run(args)

        # trust CA certificate
        args = ["/usr/bin/pki",
            "-d", self.agent_db,
-            "-c", self.admin_password,
+            "-C", paths.KRA_NSSDB_PASSWORD_FILE,
            "client-cert-mod", "Certificate Authority - %s" % api.env.realm,
            "--trust", "CT,c,"]
        ipautil.run(args)
@@ -292,16 +292,16 @@ class KRAInstance(DogtagInstance):
        # import Dogtag admin certificate into temporary security database
        args = ["/usr/bin/pki",
            "-d", self.agent_db,
-            "-c", self.admin_password,
+            "-C", paths.KRA_NSSDB_PASSWORD_FILE,
            "client-cert-import",
            "--pkcs12", paths.DOGTAG_ADMIN_P12,
-            "--pkcs12-password", self.admin_password]
+            "--pkcs12-password-file", paths.KRA_PKCS12_PASSWORD_FILE]
        ipautil.run(args)

        # as Dogtag admin, create ipakra user in KRA
        args = ["/usr/bin/pki",
            "-d", self.agent_db,
-            "-c", self.admin_password,
+            "-C", paths.KRA_NSSDB_PASSWORD_FILE,
            "-n", "ipa-ca-agent",
            "kra-user-add", "ipakra",
            "--fullName", "IPA KRA User"]
@@ -310,7 +310,7 @@ class KRAInstance(DogtagInstance):
        # as Dogtag admin, add ipakra into KRA agents group
        args = ["/usr/bin/pki",
            "-d", self.agent_db,
-            "-c", self.admin_password,
+            "-C", paths.KRA_NSSDB_PASSWORD_FILE,
            "-n", "ipa-ca-agent",
            "kra-user-membership-add", "ipakra", "Data Recovery Manager Agents"]
        ipautil.run(args)
@@ -330,7 +330,7 @@ class KRAInstance(DogtagInstance):
            # as Dogtag admin, upload and assign ipaCert to ipakra
            args = ["/usr/bin/pki",
                "-d", self.agent_db,
-                "-c", self.admin_password,
+                "-C", paths.KRA_NSSDB_PASSWORD_FILE,
                "-n", "ipa-ca-agent",
                "kra-user-cert-add", "ipakra",
                "--input", filename]