Use TLS for dogtag replication agreements.

Configure the dogtag 389-ds instance with SSL so we can enable TLS for the dogtag replication agreements. The NSS database we use is a symbolic link to the IPA 389-ds instance. ticket 1060
2025-02-25 18:55:28 -06:00 · 2011-03-10 00:06:15 -05:00
parent ed5cffd026
commit 9dfb0f05b0
3 changed files with 91 additions and 7 deletions
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -167,9 +167,22 @@ def install_ca(config):
        print "Please install dogtag and restart the setup program"
        sys.exit(1)

+    # We replicate to the master using TLS. In order for this to work we
+    # need an SSL server cert. To make things easier we'll re-use the
+    # IPA 389-ds instance certificate loaded directly into the
+    # dogtag 389-ds instance. Later we will replace the NSS databases with
+    # symbolic links.
+    pkcs12_info = None
+    if ipautil.file_exists(config.dir + "/dscert.p12"):
+        pkcs12_info = (config.dir + "/dscert.p12",
+                       config.dir + "/dirsrv_pin.txt")
    cs = cainstance.CADSInstance()
    cs.create_instance(config.realm_name, config.host_name,
-                       config.domain_name, config.dirman_password)
+                       config.domain_name, config.dirman_password,
+                       pkcs12_info)
+    cs.load_pkcs12()
+    cs.enable_ssl()
+    cs.restart_instance()
    ca = cainstance.CAInstance(config.realm_name, certs.NSS_DIR)
    ca.configure_instance(config.host_name, config.dirman_password,
                          config.dirman_password, pkcs12_info=(cafile,),
@@ -187,8 +200,8 @@ def install_ca(config):
    service_name = cs.service_name
    service.print_msg("Restarting the directory and certificate servers")
    cs.service_name = "dirsrv"
-    cs.stop("PKI-IPA")
    ca.stop()
+    cs.stop("PKI-IPA")
    cs.start("PKI-IPA")
    ca.start()
    cs.service_name = service_name
@@ -487,6 +500,15 @@ def main():
        CA.ldap_enable('CA', config.host_name, config.dirman_password,
                       util.realm_to_suffix(config.realm_name))

+        # Now we will replace the existing dogtag 389-ds instance NSS
+        # database with a symbolic link to the IPA 389-ds NSS database.
+        caconfigdir = dsinstance.config_dirname(dsinstance.realm_to_serverid('PKI-IPA'))
+        for filename in ['cert8.db', 'key3.db', 'secmod.db', 'pin.txt']:
+            os.unlink('%s%s' % (caconfigdir, filename))
+        dsconfigdir = dsinstance.config_dirname(dsinstance.realm_to_serverid(config.realm_name))
+        for filename in ['cert8.db', 'key3.db', 'secmod.db', 'pin.txt']:
+            os.symlink('%s%s' % (dsconfigdir, filename), '%s%s' % (caconfigdir, filename))
+
    install_krb(config, setup_pkinit=options.setup_pkinit)
    install_http(config)
    if CA:
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -760,6 +760,7 @@ def main():
            ca.configure_instance(host_name, dm_password, dm_password,
                                  subject_base=options.subject)
        elif external == 1:
+            # stage 2 of external CA installation
            options.realm_name = realm_name
            options.domain_name = domain_name
            options.master_password = master_password
@@ -776,6 +777,7 @@ def main():
                # This can happen if someone passes external_ca_file without
                # already having done the first stage of the CA install.
                sys.exit('CA is not installed yet. To install with an external CA is a two-stage process.\nFirst run the installer with --external-ca.')
+            cs = cainstance.CADSInstance(dm_password=dm_password)
            ca.configure_instance(host_name, dm_password, dm_password,
                                  cert_file=options.external_cert_file,
                                  cert_chain_file=options.external_ca_file,
@@ -810,11 +812,23 @@ def main():
                           subject_base=options.subject,
                           hbac_allow=not options.hbac_allow)

-    # We ned to ldap_enable the CA now that DS is up and running
+    # We need to ldap_enable the CA now that DS is up and running
    if not options.selfsign:
        ca.ldap_enable('CA', host_name, dm_password,
                       util.realm_to_suffix(realm_name))

+        # Symlink the IPA LDAP server NSS database to this one.
+        caconfigdir = dsinstance.config_dirname(dsinstance.realm_to_serverid('PKI-IPA'))
+        for filename in ['cert8.db', 'key3.db', 'secmod.db']:
+            os.unlink('%s%s' % (caconfigdir, filename))
+        dsconfigdir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
+        for filename in ['cert8.db', 'key3.db', 'secmod.db', 'pin.txt']:
+            os.symlink('%s%s' % (dsconfigdir, filename), '%s%s' % (caconfigdir, filename))
+
+        # Turn on SSL in the dogtag LDAP instance. This will get restarted
+        # later, we don't need SSL now.
+        cs.enable_ssl()
+
    # Create a kerberos instance
    if options.pkinit_pin:
        [pw_fd, pw_name] = tempfile.mkstemp()