Enable ephemeral KRA requests
Enabling ephemeral KRA requests will reduce the amount of LDAP write operations and improve overall performance. Re-order some imports and shorten some lines to make pep8 happy. Fixes: https://pagure.io/freeipa/issue/6703 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
This commit is contained in:
parent
10a847b682
commit
a7ae2dbc5f
@ -396,14 +396,18 @@ class CAInstance(DogtagInstance):
|
||||
self.__spawn_instance)
|
||||
self.step("exporting Dogtag certificate store pin",
|
||||
self.create_certstore_passwdfile)
|
||||
self.step("stopping certificate server instance to update CS.cfg", self.stop_instance)
|
||||
self.step("backing up CS.cfg", self.backup_config)
|
||||
self.step("stopping certificate server instance to update CS.cfg",
|
||||
self.stop_instance)
|
||||
self.step("backing up CS.cfg", self.safe_backup_config)
|
||||
self.step("disabling nonces", self.__disable_nonce)
|
||||
self.step("set up CRL publishing", self.__enable_crl_publish)
|
||||
self.step("enable PKIX certificate path discovery and validation", self.enable_pkix)
|
||||
self.step("enable PKIX certificate path discovery and validation",
|
||||
self.enable_pkix)
|
||||
if promote:
|
||||
self.step("destroying installation admin user", self.teardown_admin)
|
||||
self.step("starting certificate server instance", self.start_instance)
|
||||
self.step("destroying installation admin user",
|
||||
self.teardown_admin)
|
||||
self.step("starting certificate server instance",
|
||||
self.start_instance)
|
||||
# Step 1 of external is getting a CSR so we don't need to do these
|
||||
# steps until we get a cert back from the external CA.
|
||||
if self.external != 1:
|
||||
@ -641,9 +645,16 @@ class CAInstance(DogtagInstance):
|
||||
|
||||
logger.debug("completed creating ca instance")
|
||||
|
||||
def backup_config(self):
|
||||
def safe_backup_config(self):
|
||||
"""
|
||||
Safely handle exceptions if backup_config fails
|
||||
|
||||
The parent class raises an exception if the configuration
|
||||
cannot be backed up. Catch that and log the message but
|
||||
don't stop the current installer.
|
||||
"""
|
||||
try:
|
||||
backup_config()
|
||||
super(CAInstance, self).backup_config()
|
||||
except Exception as e:
|
||||
logger.warning("Failed to backup CS.cfg: %s", e)
|
||||
|
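Review bot: `except Exception as e:` in the new `safe_backup_config` swallows every failure, including programming errors, while the only failure modes the parent `backup_config` shows are the `RuntimeError` it raises when pki-tomcat is running and file-copy errors from `shutil.copy`; narrowing to `except (RuntimeError, EnvironmentError) as e:` keeps the best-effort intent (EnvironmentError covers IOError and OSError on both Python 2 and 3) without hiding anything else. The same broad catch surrounds `self.backup_config()` in the hunk at line 1177. The docstring should also say what the caller gives up, since the steps that follow rewrite CS.cfg: `If the backup fails a warning is logged and the installer continues with no restore point for CS.cfg.`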
||||
@ -1177,7 +1188,7 @@ class CAInstance(DogtagInstance):
|
||||
'Server-Cert cert-pki-ca': 'ca.sslserver.cert'}
|
||||
|
||||
try:
|
||||
backup_config()
|
||||
self.backup_config()
|
||||
except Exception as e:
|
||||
syslog.syslog(syslog.LOG_ERR, "Failed to backup CS.cfg: %s" % e)
|
||||
|
||||
@ -1353,16 +1364,6 @@ def replica_ca_install_check(config, promote):
|
||||
exit('IPA schema missing on master CA directory server')
|
||||
|
||||
|
||||
def backup_config():
|
||||
"""
|
||||
Create a backup copy of CS.cfg
|
||||
"""
|
||||
path = paths.CA_CS_CFG_PATH
|
||||
if services.knownservices['pki_tomcatd'].is_running('pki-tomcat'):
|
||||
raise RuntimeError(
|
||||
"Dogtag must be stopped when creating backup of %s" % path)
|
||||
shutil.copy(path, path + '.ipabkp')
|
||||
|
||||
def __update_entry_from_cert(make_filter, make_entry, cert):
|
||||
"""
|
||||
Given a certificate and functions to make a filter based on the
|
||||
|
@ -463,3 +463,13 @@ class DogtagInstance(service.Service):
|
||||
config.set(self.subsystem, "pki_ds_secure_connection", "True")
|
||||
config.set(self.subsystem, "pki_ds_secure_connection_ca_pem_file",
|
||||
ds_cacert)
|
||||
|
||||
def backup_config(self):
|
||||
"""
|
||||
Create a backup copy of CS.cfg
|
||||
"""
|
||||
path = self.config
|
||||
if services.knownservices['pki_tomcatd'].is_running('pki-tomcat'):
|
||||
raise RuntimeError(
|
||||
"Dogtag must be stopped when creating backup of %s" % path)
|
||||
shutil.copy(path, path + '.ipabkp')
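Review bot: The new `backup_config` silently replaces any existing `CS.cfg.ipabkp`, so a caller that runs it on every invocation (the upgrade path in this commit does so for the KRA) loses the earlier backup; the docstring should state that, e.g. `Overwrites any previous backup; raises RuntimeError if pki-tomcat is running.` `shutil.copy` carries over the mode bits of CS.cfg but the copy is owned by whichever user runs this code, so ownership of the backup may differ from the original — worth confirming that is acceptable for the restore use case. The running-instance check is a point-in-time test, so an instance started between the check and the copy is not detected; presumably acceptable because the install and upgrade code control the service themselves.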
|
||||
|
@ -121,6 +121,7 @@ class KRAInstance(DogtagInstance):
|
||||
if promote:
|
||||
self.step("destroying installation admin user",
|
||||
self.teardown_admin)
|
||||
self.step("enabling ephemeral requests", self.enable_ephemeral)
|
||||
self.step("restarting KRA", self.restart_instance)
|
||||
self.step("configure certmonger for renewals",
|
||||
self.configure_certmonger_renewal)
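Review bot: `enable_ephemeral` is added as an install step but its definition is not part of this diff, so it is not visible whether the KRA's CS.cfg is backed up before it is edited; the CA path in this commit adds an explicit `backing up CS.cfg` step before its CS.cfg edits, and the KRA steps here have no equivalent. If `enable_ephemeral` edits the file in place (the `restarting KRA` step that follows suggests it does), consider a preceding `self.step("backing up CS.cfg", self.backup_config)` taken while the instance is stopped, or a comment saying why the KRA needs none. Indentation is lost in this rendering, so whether the new step sits inside the `if promote:` block cannot be confirmed from the page.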
|
||||
|
@ -11,19 +11,8 @@ import shutil
|
||||
import pwd
|
||||
import fileinput
|
||||
import sys
|
||||
|
||||
from augeas import Augeas
|
||||
import dns.exception
|
||||
|
||||
import six
|
||||
# pylint: disable=import-error
|
||||
if six.PY3:
|
||||
# The SafeConfigParser class has been renamed to ConfigParser in Py3
|
||||
from configparser import ConfigParser as SafeConfigParser
|
||||
else:
|
||||
from ConfigParser import SafeConfigParser
|
||||
# pylint: enable=import-error
|
||||
|
||||
from ipalib import api
|
||||
from ipalib.install import certmonger, sysrestore
|
||||
import SSSDConfig
|
||||
@ -44,6 +33,7 @@ from ipaserver.install import ntpinstance
|
||||
from ipaserver.install import bindinstance
|
||||
from ipaserver.install import service
|
||||
from ipaserver.install import cainstance
|
||||
from ipaserver.install import krainstance
|
||||
from ipaserver.install import certs
|
||||
from ipaserver.install import otpdinstance
|
||||
from ipaserver.install import schemaupdate
|
||||
@ -56,6 +46,15 @@ from ipaserver.install import adtrustinstance
|
||||
from ipaserver.install.upgradeinstance import IPAUpgrade
|
||||
from ipaserver.install.ldapupdate import BadSyntax
|
||||
|
||||
import six
|
||||
# pylint: disable=import-error
|
||||
if six.PY3:
|
||||
# The SafeConfigParser class has been renamed to ConfigParser in Py3
|
||||
from configparser import ConfigParser as SafeConfigParser
|
||||
else:
|
||||
from ConfigParser import SafeConfigParser
|
||||
# pylint: enable=import-error
|
||||
|
||||
if six.PY3:
|
||||
unicode = str
|
||||
|
||||
@ -1668,6 +1667,8 @@ def upgrade_configuration():
|
||||
api.env.realm, host_name=api.env.host)
|
||||
ca_running = ca.is_running()
|
||||
|
||||
kra = krainstance.KRAInstance(api.env.realm)
|
||||
|
||||
# create passswd.txt file in PKI_TOMCAT_ALIAS_DIR if it does not exist
|
||||
# this file will be required on most actions over this NSS DB in FIPS
|
||||
if ca.is_configured() and not os.path.exists(os.path.join(
|
||||
@ -1709,11 +1710,27 @@ def upgrade_configuration():
|
||||
)
|
||||
upgrade_pki(ca, fstore)
|
||||
|
||||
if kra.is_configured():
|
||||
logger.info('[Ensuring ephemeralRequest is enabled in KRA]')
|
||||
kra.backup_config()
|
||||
value = installutils.get_directive(
|
||||
paths.KRA_CS_CFG_PATH,
|
||||
'kra.ephemeralRequests',
|
||||
separator='=')
|
||||
if value is None or value.lower() != 'true':
|
||||
logger.info('Enabling ephemeralRequest')
|
||||
kra.enable_ephemeral()
|
||||
else:
|
||||
logger.info('ephemeralRequest is already enabled')
|
||||
|
||||
# several upgrade steps require running CA. If CA is configured,
|
||||
# always run ca.start() because we need to wait until CA is really ready
|
||||
# by checking status using http
|
||||
if ca.is_configured():
|
||||
ca.start('pki-tomcat')
|
||||
if kra.is_configured() and not kra.is_running():
|
||||
# This is for future-proofing in case the KRA is ever standalone.
|
||||
kra.start('pki-tomcat')
|
||||
|
||||
certmonger_service = services.knownservices.certmonger
|
||||
if ca.is_configured() and not certmonger_service.is_running():
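Review bot: `kra.backup_config()` runs on every upgrade whenever the KRA is configured, including the `ephemeralRequest is already enabled` branch where nothing is written, so each upgrade overwrites `CS.cfg.ipabkp` with the current file and the pre-change backup is lost; move it under the `if value is None or value.lower() != 'true':` branch, directly before `kra.enable_ephemeral()`. `backup_config` raises `RuntimeError` when pki-tomcat is running and there is no try/except here (unlike the installer's `safe_backup_config`), so if the instance can still be running at this point the whole upgrade aborts — presumably it is stopped earlier, but that is not visible in this hunk. `upgrade_configuration` begins and ends outside the hunk.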
|
||||
|