Enable ephemeral KRA requests

Enabling ephemeral KRA requests will reduce the number of LDAP
write operations and improve overall performance.

Re-order some imports and shorten some lines to make pep8 happy.

Fixes: https://pagure.io/freeipa/issue/6703

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
This commit is contained in:
Rob Crittenden 2017-09-27 17:45:38 -04:00 committed by Christian Heimes
parent 10a847b682
commit a7ae2dbc5f
4 changed files with 58 additions and 29 deletions


@ -396,14 +396,18 @@ class CAInstance(DogtagInstance):
self.__spawn_instance)
self.step("exporting Dogtag certificate store pin",
self.create_certstore_passwdfile)
self.step("stopping certificate server instance to update CS.cfg", self.stop_instance)
self.step("backing up CS.cfg", self.backup_config)
self.step("stopping certificate server instance to update CS.cfg",
self.stop_instance)
self.step("backing up CS.cfg", self.safe_backup_config)
self.step("disabling nonces", self.__disable_nonce)
self.step("set up CRL publishing", self.__enable_crl_publish)
self.step("enable PKIX certificate path discovery and validation", self.enable_pkix)
self.step("enable PKIX certificate path discovery and validation",
self.enable_pkix)
if promote:
self.step("destroying installation admin user", self.teardown_admin)
self.step("starting certificate server instance", self.start_instance)
self.step("destroying installation admin user",
self.teardown_admin)
self.step("starting certificate server instance",
self.start_instance)
# Step 1 of external is getting a CSR so we don't need to do these
# steps until we get a cert back from the external CA.
if self.external != 1:
@ -641,9 +645,16 @@ class CAInstance(DogtagInstance):
logger.debug("completed creating ca instance")
def backup_config(self):
def safe_backup_config(self):
"""
Safely handle exceptions if backup_config fails
The parent class raises an exception if the configuration
cannot be backed up. Catch that and log the message but
don't stop the current installer.
"""
try:
backup_config()
super(CAInstance, self).backup_config()
except Exception as e:
logger.warning("Failed to backup CS.cfg: %s", e)
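Review bot: `except Exception` in safe_backup_config is broader than the failures the parent can actually produce — DogtagInstance.backup_config raises RuntimeError when pki-tomcat is still running and shutil.copy raises OSError — so a programming error in the override would also be downgraded to a warning; `except (RuntimeError, OSError) as e:` keeps the best-effort intent without masking bugs. Because the installer then continues with no CS.cfg backup, the message should say so, e.g. `logger.warning("Failed to backup CS.cfg: %s; continuing without a backup", e)`, so an operator reading the log knows the rollback point is missing. The same broad catch in the third hunk, where `backup_config()` becomes `self.backup_config()` under syslog, is pre-existing but now also swallows the new RuntimeError path; the function it sits in starts outside the hunk.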
@ -1177,7 +1188,7 @@ class CAInstance(DogtagInstance):
'Server-Cert cert-pki-ca': 'ca.sslserver.cert'}
try:
backup_config()
self.backup_config()
except Exception as e:
syslog.syslog(syslog.LOG_ERR, "Failed to backup CS.cfg: %s" % e)
@ -1353,16 +1364,6 @@ def replica_ca_install_check(config, promote):
exit('IPA schema missing on master CA directory server')
def backup_config():
"""
Create a backup copy of CS.cfg
"""
path = paths.CA_CS_CFG_PATH
if services.knownservices['pki_tomcatd'].is_running('pki-tomcat'):
raise RuntimeError(
"Dogtag must be stopped when creating backup of %s" % path)
shutil.copy(path, path + '.ipabkp')
def __update_entry_from_cert(make_filter, make_entry, cert):
"""
Given a certificate and functions to make a filter based on the


@ -463,3 +463,13 @@ class DogtagInstance(service.Service):
config.set(self.subsystem, "pki_ds_secure_connection", "True")
config.set(self.subsystem, "pki_ds_secure_connection_ca_pem_file",
ds_cacert)
def backup_config(self):
"""
Create a backup copy of CS.cfg
"""
path = self.config
if services.knownservices['pki_tomcatd'].is_running('pki-tomcat'):
raise RuntimeError(
"Dogtag must be stopped when creating backup of %s" % path)
shutil.copy(path, path + '.ipabkp')
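Review bot: backup_config silently overwrites any existing `<path>.ipabkp` on every call, so a second run (for example an upgrade re-executed after a partial failure) replaces the pre-change copy with an already-modified one; consider skipping or renaming when the backup already exists, or at least state the overwrite in the docstring. shutil.copy preserves mode bits but not owner/group, so a freshly created backup is owned by the invoking process and sits next to the live config — worth a comment if that is intended. The is_running check and the copy are not atomic, which is probably acceptable for an installer but belongs in the docstring together with the RuntimeError it raises, e.g. `Raises RuntimeError if pki-tomcat is running; the copy is written to <config>.ipabkp and replaces any earlier backup.` I am assuming `shutil` and `services` are already imported in this module, since the hunk adds no imports.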


@ -121,6 +121,7 @@ class KRAInstance(DogtagInstance):
if promote:
self.step("destroying installation admin user",
self.teardown_admin)
self.step("enabling ephemeral requests", self.enable_ephemeral)
self.step("restarting KRA", self.restart_instance)
self.step("configure certmonger for renewals",
self.configure_certmonger_renewal)
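Review bot: the new "enabling ephemeral requests" step runs between teardown_admin and restart_instance with no stop step visible, whereas the CA sequence in this same commit stops the instance before touching CS.cfg and DogtagInstance.backup_config refuses to run while pki-tomcat is running; if enable_ephemeral edits CS.cfg in place, confirm the KRA is already stopped at this point (the step list starts outside the hunk) or that the helper stops it itself. enable_ephemeral's definition is not visible here, so I cannot check whether it takes a backup first. A short comment on the ordering, such as `# CS.cfg edit; restart_instance below makes it effective`, would make the dependency on the following restart explicit.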


@ -11,19 +11,8 @@ import shutil
import pwd
import fileinput
import sys
from augeas import Augeas
import dns.exception
import six
# pylint: disable=import-error
if six.PY3:
# The SafeConfigParser class has been renamed to ConfigParser in Py3
from configparser import ConfigParser as SafeConfigParser
else:
from ConfigParser import SafeConfigParser
# pylint: enable=import-error
from ipalib import api
from ipalib.install import certmonger, sysrestore
import SSSDConfig
@ -44,6 +33,7 @@ from ipaserver.install import ntpinstance
from ipaserver.install import bindinstance
from ipaserver.install import service
from ipaserver.install import cainstance
from ipaserver.install import krainstance
from ipaserver.install import certs
from ipaserver.install import otpdinstance
from ipaserver.install import schemaupdate
@ -56,6 +46,15 @@ from ipaserver.install import adtrustinstance
from ipaserver.install.upgradeinstance import IPAUpgrade
from ipaserver.install.ldapupdate import BadSyntax
import six
# pylint: disable=import-error
if six.PY3:
# The SafeConfigParser class has been renamed to ConfigParser in Py3
from configparser import ConfigParser as SafeConfigParser
else:
from ConfigParser import SafeConfigParser
# pylint: enable=import-error
if six.PY3:
unicode = str
@ -1668,6 +1667,8 @@ def upgrade_configuration():
api.env.realm, host_name=api.env.host)
ca_running = ca.is_running()
kra = krainstance.KRAInstance(api.env.realm)
# create passswd.txt file in PKI_TOMCAT_ALIAS_DIR if it does not exist
# this file will be required on most actions over this NSS DB in FIPS
if ca.is_configured() and not os.path.exists(os.path.join(
@ -1709,11 +1710,27 @@ def upgrade_configuration():
)
upgrade_pki(ca, fstore)
if kra.is_configured():
logger.info('[Ensuring ephemeralRequest is enabled in KRA]')
kra.backup_config()
value = installutils.get_directive(
paths.KRA_CS_CFG_PATH,
'kra.ephemeralRequests',
separator='=')
if value is None or value.lower() != 'true':
logger.info('Enabling ephemeralRequest')
kra.enable_ephemeral()
else:
logger.info('ephemeralRequest is already enabled')
# several upgrade steps require running CA. If CA is configured,
# always run ca.start() because we need to wait until CA is really ready
# by checking status using http
if ca.is_configured():
ca.start('pki-tomcat')
if kra.is_configured() and not kra.is_running():
# This is for future-proofing in case the KRA is ever standalone.
kra.start('pki-tomcat')
certmonger_service = services.knownservices.certmonger
if ca.is_configured() and not certmonger_service.is_running():
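Review bot: `kra.backup_config()` is called before the ephemeralRequests value is even read, so every upgrade run overwrites the KRA CS.cfg.ipabkp, and the RuntimeError it raises while pki-tomcat is running (or an OSError from the copy) propagates out of upgrade_configuration uncaught, unlike the CA installer's safe_backup_config added in this commit. Moving the backup into the branch that actually changes the file limits both: `if value is None or value.lower() != 'true':` / `logger.info('Enabling ephemeralRequest')` / `kra.backup_config()` immediately before `kra.enable_ephemeral()`. Whether pki-tomcat is already stopped at this point is not visible in the hunk — `ca.start('pki-tomcat')` only follows later — so if it can still be running, decide explicitly whether a failed backup should abort the upgrade or only warn. upgrade_configuration starts before the hunk and continues after it.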