IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

install: drop support for Dogtag 9

Browse Source 
Dogtag 9 CA and CA DS install and uninstall code was removed. Existing
Dogtag 9 CA and CA DS instances are disabled on upgrade.

Creating a replica of a Dogtag 9 IPA master is still supported.

https://fedorahosted.org/freeipa/ticket/5197

Reviewed-By: David Kupka <dkupka@redhat.com>
This commit is contained in:
Jan Cholasta 2015-11-09 18:28:47 +01:00
parent 5427e7a8c7
commit aeffe2da42
31 changed files with 297 additions and 820 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
install/restart_scripts/renew_ca_cert
View File

@ -27,7 +27,7 @@ import tempfile
import shutil
import traceback
from ipapython import dogtag, ipautil
from ipapython import ipautil
from ipapython.dn import DN
from ipalib import api, errors, x509, certstore
from ipaserver.install import certs, cainstance, installutils
@ -42,20 +42,17 @@ def _main():
api.bootstrap(context='restart')
api.finalize()
configured_constants = dogtag.configured_constants(api)
alias_dir = configured_constants.ALIAS_DIR
dogtag_service = services.knownservices[configured_constants.SERVICE_NAME]
dogtag_instance = configured_constants.PKI_INSTANCE_NAME
dogtag_service = services.knownservices['pki_tomcatd']
# dogtag opens its NSS database in read/write mode so we need it
# shut down so certmonger can open it read/write mode. This avoids
# database corruption. It should already be stopped by the pre-command
# but lets be sure.
if dogtag_service.is_running(dogtag_instance):
if dogtag_service.is_running('pki-tomcat'):
syslog.syslog(
syslog.LOG_NOTICE, "Stopping %s" % dogtag_service.service_name)
try:
dogtag_service.stop(dogtag_instance)
dogtag_service.stop('pki-tomcat')
except Exception as e:
syslog.syslog(
syslog.LOG_ERR,
@ -65,7 +62,7 @@ def _main():
syslog.LOG_NOTICE, "Stopped %s" % dogtag_service.service_name)
# Fetch the new certificate
db = certs.CertDB(api.env.realm, nssdir=alias_dir)
db = certs.CertDB(api.env.realm, nssdir=paths.PKI_TOMCAT_ALIAS_DIR)
cert = db.get_cert_from_db(nickname, pem=False)
if not cert:
syslog.syslog(syslog.LOG_ERR, 'No certificate %s found.' % nickname)
@ -79,7 +76,7 @@ def _main():
os.environ['KRB5CCNAME'] = ccache_filename
ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False)
ca.update_cert_config(nickname, cert, configured_constants)
ca.update_cert_config(nickname, cert)
if ca.is_renewal_master():
cainstance.update_people_entry(cert)
@ -100,7 +97,7 @@ def _main():
(nickname, db.secdir))
elif nickname == 'caSigningCert cert-pki-ca':
# Update CS.cfg
cfg_path = configured_constants.CS_CFG_PATH
cfg_path = paths.CA_CS_CFG_PATH
config = installutils.get_directive(
cfg_path, 'subsystem.select', '=')
if config == 'New':
@ -203,7 +200,7 @@ def _main():
syslog.LOG_NOTICE,
'Starting %s' % dogtag_service.service_name)
try:
dogtag_service.start(dogtag_instance)
dogtag_service.start('pki-tomcat')
except Exception as e:
syslog.syslog(
syslog.LOG_ERR,

7
install/restart_scripts/stop_pkicad
View File

@ -22,7 +22,6 @@
import sys
import syslog
import traceback
from ipapython import dogtag
from ipalib import api
from ipaplatform import services
from ipaserver.install import certs
@ -32,15 +31,13 @@ def main():
api.bootstrap(context='restart')
api.finalize()
configured_constants = dogtag.configured_constants(api)
dogtag_service = services.knownservices[configured_constants.SERVICE_NAME]
dogtag_instance = configured_constants.PKI_INSTANCE_NAME
dogtag_service = services.knownservices['pki_tomcatd']
certs.renewal_lock.acquire('renew_ca_cert')
syslog.syslog(syslog.LOG_NOTICE, "Stopping %s" % dogtag_service.service_name)
try:
dogtag_service.stop(dogtag_instance)
dogtag_service.stop('pki-tomcat')
except Exception as e:
syslog.syslog(
syslog.LOG_ERR, "Cannot stop %s: %s" % (dogtag_service.service_name, e))

4
install/tools/ipa-ca-install
View File

@ -30,7 +30,6 @@ from ipaserver.install.installutils import create_replica_config
from ipaserver.install.installutils import check_creds, ReplicaConfig
from ipaserver.install import dsinstance, ca
from ipaserver.install import cainstance, custodiainstance, service
from ipapython import dogtag
from ipapython import version
from ipalib import api
from ipalib.constants import DOMAIN_LEVEL_0
@ -144,7 +143,7 @@ def install_replica(safe_options, options, filename):
config.host_name = api.env.host
config.domain_name = api.env.domain
config.dirman_password = dirman_password
config.ca_ds_port = dogtag.install_constants.DS_PORT
config.ca_ds_port = 389
config.top_dir = tempfile.mkdtemp("ipa")
config.dir = config.top_dir
else:
@ -184,7 +183,6 @@ def install_replica(safe_options, options, filename):
custodia.get_ca_keys(config.ca_host_name, ca_data[0], ca_data[1])
CA = cainstance.CAInstance(config.realm_name, certs.NSS_DIR,
dogtag_constants=dogtag.install_constants,
host_name=config.host_name,
dm_password=config.dirman_password)
CA.configure_replica(config.ca_host_name,

5
install/tools/ipa-replica-conncheck
View File

@ -23,7 +23,6 @@ from __future__ import print_function
from ipapython.config import IPAOptionParser
from ipapython import version
from ipapython import ipautil
from ipapython import dogtag
from ipapython.ipautil import CalledProcessError
from ipaserver.install import installutils
import ipaclient.ipachangeconf
@ -325,8 +324,8 @@ def main():
if options.check_ca:
# Check old Dogtag CA replication port
# New installs with unified databases use main DS port (checked above)
required_ports.append(CheckedPort(dogtag.Dogtag9Constants.DS_PORT,
SOCK_STREAM, "PKI-CA: Directory Service port"))
required_ports.append(CheckedPort(7389, SOCK_STREAM,
"PKI-CA: Directory Service port"))
if options.replica:
print_info("Check connection from master to remote replica '%s':" % options.replica)

7
ipa-client/ipaclient/ipa_certupdate.py
View File

@ -23,8 +23,8 @@ import shutil
from six.moves.urllib.parse import urlsplit
from ipapython import (admintool, ipautil, ipaldap, sysrestore, dogtag,
certmonger, certdb)
from ipapython import (admintool, ipautil, ipaldap, sysrestore, certmonger,
certdb)
from ipaplatform import services
from ipaplatform.paths import paths
from ipaplatform.tasks import tasks
@ -134,10 +134,9 @@ class CertUpdate(admintool.AdminTool):
if services.knownservices.httpd.is_running():
services.knownservices.httpd.restart()
dogtag_constants = dogtag.configured_constants()
nickname = 'caSigningCert cert-pki-ca'
criteria = {
'cert-database': dogtag_constants.ALIAS_DIR,
'cert-database': paths.PKI_TOMCAT_ALIAS_DIR,
'cert-nickname': nickname,
'ca-name': 'dogtag-ipa-ca-renew-agent',
}

6
ipa-client/man/default.conf.5
View File

@ -66,16 +66,16 @@ The following options are relevant for the server:
Specifies the base DN to use when performing LDAP operations. The base must be in DN format (dc=example,dc=com).
.TP
.B ca_agent_port <port>
Specifies the secure CA agent port. The default is 9443 for Dogtag 9, and 8443 for Dogtag 10.
Specifies the secure CA agent port. The default is 8443.
.TP
.B ca_ee_port <port>
Specifies the secure CA end user port. The default is 9444 for Dogtag 9, and 8443 for Dogtag 10.
Specifies the secure CA end user port. The default is 8443.
.TP
.B ca_host <hostname>
Specifies the hostname of the dogtag CA server. The default is the hostname of the IPA server.
.TP
.B ca_port <port>
Specifies the insecure CA end user port. The default is 9180 for Dogtag 9, and 8080 for Dogtag 10.
Specifies the insecure CA end user port. The default is 8080.
.TP
.B context <context>
Specifies the context that IPA is being executed in. IPA may operate differently depending on the context. The current defined contexts are cli and server. Additionally this value is used to load /etc/ipa/\fBcontext\fR.conf to provide context\-specific configuration. For example, if you want to always perform client requests in verbose mode but do not want to have verbose enabled on the server, add the verbose option to \fI/etc/ipa/cli.conf\fR.

31
ipaplatform/base/paths.py
View File

@ -27,8 +27,6 @@ class BasePathNamespace(object):
BIN_FALSE = "/bin/false"
BIN_HOSTNAME = "/bin/hostname"
LS = "/bin/ls"
PKICREATE = "/bin/pkicreate"
PKISILENT = "/bin/pkisilent"
SH = "/bin/sh"
SYSTEMCTL = "/bin/systemctl"
TAR = "/bin/tar"
@ -39,7 +37,6 @@ class BasePathNamespace(object):
ETC_DIRSRV = "/etc/dirsrv"
DS_KEYTAB = "/etc/dirsrv/ds.keytab"
ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE = "/etc/dirsrv/slapd-%s"
ETC_SLAPD_PKI_IPA_DIR = "/etc/dirsrv/slapd-PKI-IPA"
ETC_FEDORA_RELEASE = "/etc/fedora-release"
GROUP = "/etc/group"
ETC_HOSTNAME = "/etc/hostname"
@ -94,12 +91,11 @@ class BasePathNamespace(object):
OPENLDAP_LDAP_CONF = "/etc/openldap/ldap.conf"
PAM_LDAP_CONF = "/etc/pam_ldap.conf"
PASSWD = "/etc/passwd"
ETC_PKI_CA_DIR = "/etc/pki-ca"
SYSTEMWIDE_IPA_CA_CRT = "/etc/pki/ca-trust/source/anchors/ipa-ca.crt"
IPA_P11_KIT = "/etc/pki/ca-trust/source/ipa.p11-kit"
NSS_DB_DIR = "/etc/pki/nssdb"
PKI_TOMCAT = "/etc/pki/pki-tomcat"
PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/"
PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias"
PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf"
ETC_REDHAT_RELEASE = "/etc/redhat-release"
RESOLV_CONF = "/etc/resolv.conf"
@ -116,7 +112,6 @@ class BasePathNamespace(object):
SYSCONFIG_AUTOFS = "/etc/sysconfig/autofs"
SYSCONFIG_DIRSRV = "/etc/sysconfig/dirsrv"
SYSCONFIG_DIRSRV_INSTANCE = "/etc/sysconfig/dirsrv-%s"
SYSCONFIG_DIRSRV_PKI_IPA_DIR = "/etc/sysconfig/dirsrv-PKI-IPA"
SYSCONFIG_DIRSRV_SYSTEMD = "/etc/sysconfig/dirsrv.systemd"
SYSCONFIG_IPA_DNSKEYSYNCD = "/etc/sysconfig/ipa-dnskeysyncd"
SYSCONFIG_IPA_ODS_EXPORTER = "/etc/sysconfig/ipa-ods-exporter"
@ -129,9 +124,7 @@ class BasePathNamespace(object):
SYSCONFIG_NTPD = "/etc/sysconfig/ntpd"
SYSCONFIG_ODS = "/etc/sysconfig/ods"
SYSCONFIG_PKI = "/etc/sysconfig/pki"
SYSCONFIG_PKI_CA_DIR = "/etc/sysconfig/pki-ca"
SYSCONFIG_PKI_TOMCAT = "/etc/sysconfig/pki-tomcat"
SYSCONFIG_PKI_CA_PKI_CA_DIR = "/etc/sysconfig/pki/ca/pki-ca"
SYSCONFIG_PKI_TOMCAT_PKI_TOMCAT_DIR = "/etc/sysconfig/pki/tomcat/pki-tomcat"
ETC_SYSTEMD_SYSTEM_DIR = "/etc/systemd/system/"
SYSTEMD_CERTMONGER_SERVICE = "/etc/systemd/system/multi-user.target.wants/certmonger.service"
@ -146,7 +139,6 @@ class BasePathNamespace(object):
KRA_AGENT_PEM = "/etc/httpd/alias/kra-agent.pem"
CACERT_P12 = "/root/cacert.p12"
ROOT_IPA_CSR = "/root/ipa.csr"
ROOT_TMP_CA_P12 = "/root/tmp-ca.p12"
NAMED_PID = "/run/named/named.pid"
IP = "/sbin/ip"
NOLOGIN = "/sbin/nologin"
@ -178,12 +170,7 @@ class BasePathNamespace(object):
ODS_KSMUTIL = "/usr/bin/ods-ksmutil"
ODS_SIGNER = "/usr/sbin/ods-signer"
OPENSSL = "/usr/bin/openssl"
PERL = "/usr/bin/perl"
PK12UTIL = "/usr/bin/pk12util"
PKI_SETUP_PROXY = "/usr/bin/pki-setup-proxy"
PKICREATE = "/usr/bin/pkicreate"
PKIREMOVE = "/usr/bin/pkiremove"
PKISILENT = "/usr/bin/pkisilent"
SETPASSWD = "/usr/bin/setpasswd"
SIGNTOOL = "/usr/bin/signtool"
SOFTHSM2_UTIL = "/usr/bin/softhsm2-util"
@ -198,13 +185,11 @@ class BasePathNamespace(object):
BIND_LDAP_DNS_IPA_WORKDIR = "/var/named/dyndb-ldap/ipa/"
BIND_LDAP_DNS_ZONE_WORKDIR = "/var/named/dyndb-ldap/ipa/master/"
USR_LIB_DIRSRV = "/usr/lib/dirsrv"
USR_LIB_SLAPD_PKI_IPA_DIR = "/usr/lib/dirsrv/slapd-PKI-IPA"
LIB_FIREFOX = "/usr/lib/firefox"
LIBSOFTHSM2_SO = "/usr/lib/pkcs11/libsofthsm2.so"
LIB_SYSTEMD_SYSTEMD_DIR = "/usr/lib/systemd/system/"
BIND_LDAP_SO_64 = "/usr/lib64/bind/ldap.so"
USR_LIB_DIRSRV_64 = "/usr/lib64/dirsrv"
SLAPD_PKI_IPA = "/usr/lib64/dirsrv/slapd-PKI-IPA"
LIB64_FIREFOX = "/usr/lib64/firefox"
LIBSOFTHSM2_SO_64 = "/usr/lib64/pkcs11/libsofthsm2.so"
DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT = "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit"
@ -271,7 +256,6 @@ class BasePathNamespace(object):
SLAPD_INSTANCE_BACKUP_DIR_TEMPLATE = "/var/lib/dirsrv/slapd-%s/bak/%s"
SLAPD_INSTANCE_DB_DIR_TEMPLATE = "/var/lib/dirsrv/slapd-%s/db/%s"
SLAPD_INSTANCE_LDIF_DIR_TEMPLATE = "/var/lib/dirsrv/slapd-%s/ldif"
VAR_LIB_SLAPD_PKI_IPA_DIR_TEMPLATE = "/var/lib/dirsrv/slapd-PKI-IPA"
VAR_LIB_IPA = "/var/lib/ipa"
IPA_CLIENT_SYSRESTORE = "/var/lib/ipa-client/sysrestore"
SYSRESTORE_INDEX = "/var/lib/ipa-client/sysrestore/sysrestore.index"
@ -288,11 +272,16 @@ class BasePathNamespace(object):
STATEFILE_DIR = "/var/lib/ipa/sysupgrade"
VAR_LIB_KDCPROXY = "/var/lib/kdcproxy"
VAR_LIB_PKI_DIR = "/var/lib/pki"
VAR_LIB_PKI_CA_DIR = "/var/lib/pki-ca"
PKI_ALIAS_CA_P12 = "/var/lib/pki-ca/alias/ca.p12"
VAR_LIB_PKI_CA_ALIAS_DIR = "/var/lib/pki-ca/alias"
VAR_LIB_PKI_TOMCAT_DIR = "/var/lib/pki/pki-tomcat"
CA_BACKUP_KEYS_P12 = "/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12"
KRA_BACKUP_KEYS_P12 = "/var/lib/pki/pki-tomcat/alias/kra_backup_keys.p12"
CA_CS_CFG_PATH = "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
CAJARSIGNINGCERT_CFG = (
"/var/lib/pki/pki-tomcat/ca/profiles/ca/caJarSigningCert.cfg")
CASIGNEDLOGCERT_CFG = (
"/var/lib/pki/pki-tomcat/ca/profiles/ca/caSignedLogCert.cfg")
KRA_CS_CFG_PATH = "/var/lib/pki/pki-tomcat/conf/kra/CS.cfg"
KRACERT_P12 = "/root/kracert.p12"
SAMBA_DIR = "/var/lib/samba/"
SSSD_DB = "/var/lib/sss/db"
@ -304,7 +293,6 @@ class BasePathNamespace(object):
VAR_LOG_DIRSRV_INSTANCE_TEMPLATE = "/var/log/dirsrv/slapd-%s"
SLAPD_INSTANCE_ACCESS_LOG_TEMPLATE = "/var/log/dirsrv/slapd-%s/access"
SLAPD_INSTANCE_ERROR_LOG_TEMPLATE = "/var/log/dirsrv/slapd-%s/errors"
VAR_LOG_SLAPD_PKI_IPA_DIR = "/var/log/dirsrv/slapd-PKI-IPA"
VAR_LOG_HTTPD_DIR = "/var/log/httpd"
IPABACKUP_LOG = "/var/log/ipabackup.log"
IPACLIENT_INSTALL_LOG = "/var/log/ipaclient-install.log"
@ -321,9 +309,6 @@ class BasePathNamespace(object):
IPAUPGRADE_LOG = "/var/log/ipaupgrade.log"
KADMIND_LOG = "/var/log/kadmind.log"
MESSAGES = "/var/log/messages"
PKI_CA_LOG_DIR = "/var/log/pki-ca"
PKI_CA_INSTALL_LOG = "/var/log/pki-ca-install.log"
PKI_CA_UNINSTALL_LOG = "/var/log/pki-ca-uninstall.log"
VAR_LOG_PKI_DIR = "/var/log/pki/"
TOMCAT_TOPLEVEL_DIR = "/var/log/pki/pki-tomcat"
TOMCAT_CA_DIR = "/var/log/pki/pki-tomcat/ca"

7
ipaplatform/base/services.py
View File

@ -41,16 +41,13 @@ from ipaplatform.paths import paths
wellknownservices = ['certmonger', 'dirsrv', 'httpd', 'ipa', 'krb5kdc',
'messagebus', 'nslcd', 'nscd', 'ntpd', 'portmap',
'rpcbind', 'kadmin', 'sshd', 'autofs', 'rpcgssd',
'rpcidmapd', 'pki_tomcatd', 'pki_cad', 'chronyd',
'domainname', 'named', 'ods_enforcerd', 'ods_signerd']
'rpcidmapd', 'pki_tomcatd', 'chronyd', 'domainname',
'named', 'ods_enforcerd', 'ods_signerd']
# The common ports for these services. This is used to wait for the
# service to become available.
wellknownports = {
'dirsrv@PKI-IPA.service': [7389],
'PKI-IPA': [7389],
'dirsrv': [389], # only used if the incoming instance name is blank
'pki-cad': [9180, 9443, 9444],
'pki-tomcatd@pki-tomcat.service': [8080, 8443],
'pki-tomcat': [8080, 8443],
'pki-tomcatd': [8080, 8443], # used if the incoming instance name is blank

7
ipaplatform/redhat/services.py
View File

@ -58,11 +58,6 @@ redhat_system_units['rpcidmapd'] = 'nfs-idmap.service'
# code).
redhat_system_units['dirsrv'] = 'dirsrv@.service'
# Our directory server instance for PKI is dirsrv@PKI-IPA.service
redhat_system_units['pkids'] = 'dirsrv@PKI-IPA.service'
# Old style PKI instance
redhat_system_units['pki-cad'] = 'pki-cad@pki-ca.service'
redhat_system_units['pki_cad'] = redhat_system_units['pki-cad']
# Our PKI instance is pki-tomcatd@pki-tomcat.service
redhat_system_units['pki-tomcatd'] = 'pki-tomcatd@pki-tomcat.service'
redhat_system_units['pki_tomcatd'] = redhat_system_units['pki-tomcatd']
@ -284,7 +279,7 @@ def redhat_service_class_factory(name):
return RedHatIPAService(name)
if name == 'sshd':
return RedHatSSHService(name)
if name in ('pki-cad', 'pki_cad', 'pki-tomcatd', 'pki_tomcatd'):
if name in ('pki-tomcatd', 'pki_tomcatd'):
return RedHatCAService(name)
if name == 'named':
return RedHatNamedService(name)

7
ipapython/certmonger.py
View File

@ -32,7 +32,6 @@ import shlex
import subprocess
import tempfile
from ipapython import ipautil
from ipapython import dogtag
from ipapython.ipa_log_manager import *
from ipaplatform.paths import paths
from ipaplatform import services
@ -444,15 +443,13 @@ def remove_principal_from_cas():
ca.prop_if.Set(DBUS_CM_CA_IF, 'external-helper', ext_helper)
def get_pin(token, dogtag_constants=None):
def get_pin(token):
"""
Dogtag stores its NSS pin in a file formatted as token:PIN.
The caller is expected to handle any exceptions raised.
"""
if dogtag_constants is None:
dogtag_constants = dogtag.configured_constants()
with open(dogtag_constants.PASSWORD_CONF_PATH, 'r') as f:
with open(paths.PKI_TOMCAT_PASSWORD_CONF, 'r') as f:
for line in f:
(tok, pin) = line.split('=', 1)
if token == tok:

126
ipapython/dogtag.py
View File

@ -18,19 +18,16 @@
#
import collections
import os
import xml.dom.minidom
import nss.nss as nss
import six
from six.moves import configparser
from six.moves.urllib.parse import urlencode
from ipalib import api, errors
from ipalib.errors import NetworkError
from ipalib.text import _
from ipapython import nsslib, ipautil
from ipaplatform.paths import paths
from ipapython.ipa_log_manager import *
# Python 3 rename. The package is available in "six.moves.http_client", but
@ -43,16 +40,6 @@ except ImportError:
if six.PY3:
unicode = str
# IPA can use either Dogtag version 9 or 10.
#
# Install tools should use the constants from install_constants, so that they
# install with version 10 if it is available, and with 9 if not.
# After IPA installation, the Dogtag version used is stored in the
# "dogtag_version" config option. (If that is missing, version 9 is assumed.)
# The configured_constants() function below provides constants relevant to
# the configured version.
Profile = collections.namedtuple('Profile', ['profile_id', 'description', 'store_issued'])
INCLUDED_PROFILES = {
@ -62,113 +49,6 @@ INCLUDED_PROFILES = {
DEFAULT_PROFILE = u'caIPAserviceCert'
class Dogtag10Constants(object):
DOGTAG_VERSION = 10
UNSECURE_PORT = 8080
AGENT_SECURE_PORT = 8443
EE_SECURE_PORT = 8443
AJP_PORT = 8009
DS_PORT = 389
DS_SECURE_PORT = 636
SPAWN_BINARY = paths.PKISPAWN
DESTROY_BINARY = paths.PKIDESTROY
SERVER_ROOT = paths.VAR_LIB_PKI_DIR
PKI_INSTALL_LOG = paths.PKI_CA_INSTALL_LOG
PKI_INSTANCE_NAME = 'pki-tomcat'
PKI_LOG_TOP_LEVEL = os.path.join(paths.VAR_LOG_PKI_DIR, PKI_INSTANCE_NAME)
PKI_ROOT = '%s/%s' % (SERVER_ROOT, PKI_INSTANCE_NAME)
CRL_PUBLISH_PATH = paths.PKI_CA_PUBLISH_DIR
CS_CFG_PATH = '%s/conf/ca/CS.cfg' % PKI_ROOT
PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT
SERVICE_PROFILE_DIR = '%s/ca/profiles/ca' % PKI_ROOT
ALIAS_DIR = paths.PKI_TOMCAT_ALIAS_DIR.rstrip('/')
SYSCONFIG_FILE_PATH = '%s/%s' % (paths.ETC_SYSCONFIG_DIR, PKI_INSTANCE_NAME)
KRA_CS_CFG_PATH = '%s/conf/kra/CS.cfg' % PKI_ROOT
SERVICE_NAME = 'pki_tomcatd'
RACERT_LINE_SEP = '\n'
SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR
SHARED_DB = True
DS_USER = "dirsrv"
DS_NAME = "dirsrv"
class Dogtag9Constants(object):
DOGTAG_VERSION = 9
UNSECURE_PORT = 9180
AGENT_SECURE_PORT = 9443
EE_SECURE_PORT = 9444
AJP_PORT = 9447
DS_PORT = 7389
DS_SECURE_PORT = 7636
SPAWN_BINARY = paths.PKICREATE
DESTROY_BINARY = paths.PKISILENT
SERVER_ROOT = paths.VAR_LIB
PKI_INSTALL_LOG = paths.PKI_CA_INSTALL_LOG
PKI_INSTANCE_NAME = 'pki-ca'
PKI_LOG_TOP_LEVEL = paths.PKI_CA_LOG_DIR
PKI_ROOT = '%s/%s' % (SERVER_ROOT, PKI_INSTANCE_NAME)
CRL_PUBLISH_PATH = paths.PKI_CA_PUBLISH_DIR
CS_CFG_PATH = '%s/conf/CS.cfg' % PKI_ROOT
PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT
SERVICE_PROFILE_DIR = '%s/profiles/ca' % PKI_ROOT
ALIAS_DIR = '%s/alias' % PKI_ROOT
SYSCONFIG_FILE_PATH = '%s/%s' % (paths.ETC_SYSCONFIG_DIR, PKI_INSTANCE_NAME)
SERVICE_NAME = 'pki-cad'
RACERT_LINE_SEP = '\r\n'
ADMIN_SECURE_PORT = 9445
EE_CLIENT_AUTH_PORT = 9446
TOMCAT_SERVER_PORT = 9701
SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR
SHARED_DB = False
DS_USER = "pkisrv"
DS_NAME = "PKI-IPA"
if os.path.exists(paths.PKISPAWN):
install_constants = Dogtag10Constants
else:
install_constants = Dogtag9Constants
def _get_configured_version(api):
"""Get the version of Dogtag IPA is configured to use
If an API is given, use information in its environment.
Otherwise, use information from the global config file.
"""
if api:
return int(api.env.dogtag_version)
else:
p = configparser.SafeConfigParser()
p.read(paths.IPA_DEFAULT_CONF)
try:
version = p.get('global', 'dogtag_version')
except (configparser.NoOptionError, configparser.NoSectionError):
return 9
else:
return int(version)
def configured_constants(api=None):
"""Get the name of the Dogtag CA instance
See get_configured_version
"""
if _get_configured_version(api) >= 10:
return Dogtag10Constants
else:
return Dogtag9Constants
def error_from_xml(doc, message_template):
try:
@ -179,18 +59,16 @@ def error_from_xml(doc, message_template):
return errors.RemoteRetrieveError(reason=message_template % e)
def get_ca_certchain(ca_host=None, dogtag_constants=None):
def get_ca_certchain(ca_host=None):
"""
Retrieve the CA Certificate chain from the configured Dogtag server.
"""
if ca_host is None:
ca_host = api.env.ca_host
if dogtag_constants is None:
dogtag_constants = configured_constants()
chain = None
conn = httplib.HTTPConnection(
ca_host,
api.env.ca_install_port or dogtag_constants.UNSECURE_PORT)
api.env.ca_install_port or 8080)
conn.request("GET", "/ca/ee/ca/getCertChain")
res = conn.getresponse()
doc = None

33
ipaserver/install/ca.py
View File

@ -10,7 +10,7 @@ import os.path
from six.moves.configparser import RawConfigParser
from ipaserver.install import cainstance, dsinstance, bindinstance
from ipapython import dogtag, ipautil, certdb
from ipapython import ipautil, certdb
from ipaplatform import services
from ipaplatform.paths import paths
from ipaserver.install import installutils, certs
@ -126,8 +126,6 @@ def install_step_0(standalone, replica_config, options):
host_name = options.host_name
subject_base = options.subject
dogtag_constants = dogtag.install_constants
if replica_config is not None:
# Configure the CA if necessary
if standalone:
@ -154,8 +152,7 @@ def install_step_0(standalone, replica_config, options):
else:
external = 0
ca = cainstance.CAInstance(realm_name, certs.NSS_DIR,
dogtag_constants=dogtag_constants)
ca = cainstance.CAInstance(realm_name, certs.NSS_DIR)
if standalone:
ca.create_ra_agent_db = False
if external == 0:
@ -185,19 +182,16 @@ def install_step_1(standalone, replica_config, options):
basedn = ipautil.realm_to_suffix(realm_name)
dogtag_constants = dogtag.install_constants
ca = cainstance.CAInstance(realm_name, certs.NSS_DIR,
dogtag_constants=dogtag_constants)
ca = cainstance.CAInstance(realm_name, certs.NSS_DIR)
if standalone:
ca.stop(ca.dogtag_constants.PKI_INSTANCE_NAME)
ca.stop('pki-tomcat')
# We need to ldap_enable the CA now that DS is up and running
ca.ldap_enable('CA', host_name, dm_password, basedn, ['caRenewalMaster'])
# This is done within stopped_service context, which restarts CA
ca.enable_client_auth_to_db(dogtag_constants.CS_CFG_PATH)
ca.enable_client_auth_to_db(paths.CA_CS_CFG_PATH)
if standalone and replica_config is None:
serverid = installutils.realm_to_serverid(realm_name)
@ -231,7 +225,7 @@ def install_step_1(standalone, replica_config, options):
bind_pw=dm_password)
# Store DS CA cert in Dogtag NSS database
dogtagdb = certs.CertDB(realm_name, nssdir=dogtag_constants.ALIAS_DIR)
dogtagdb = certs.CertDB(realm_name, nssdir=paths.PKI_TOMCAT_ALIAS_DIR)
trust_flags = dict(reversed(dsdb.list_certs()))
server_certs = dsdb.find_server_certs()
trust_chain = dsdb.find_root_cert(server_certs[0][0])[:-1]
@ -240,7 +234,7 @@ def install_step_1(standalone, replica_config, options):
dogtagdb.add_cert(cert, nickname, trust_flags[nickname])
if standalone:
ca.start(ca.dogtag_constants.PKI_INSTANCE_NAME)
ca.start('pki-tomcat')
# Update config file
try:
@ -248,8 +242,7 @@ def install_step_1(standalone, replica_config, options):
parser.read(paths.IPA_DEFAULT_CONF)
parser.set('global', 'enable_ra', 'True')
parser.set('global', 'ra_plugin', 'dogtag')
parser.set('global', 'dogtag_version',
str(dogtag_constants.DOGTAG_VERSION))
parser.set('global', 'dogtag_version', '10')
with open(paths.IPA_DEFAULT_CONF, 'w') as f:
parser.write(f)
except IOError as e:
@ -266,15 +259,9 @@ def install_step_1(standalone, replica_config, options):
bind.add_ipa_ca_dns_records(host_name, domain_name)
def uninstall(dogtag_constants):
if not dogtag_constants.SHARED_DB:
cads_instance = cainstance.CADSInstance(
dogtag_constants=dogtag_constants)
if cads_instance.is_configured():
cads_instance.uninstall()
def uninstall():
ca_instance = cainstance.CAInstance(
api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants)
api.env.realm, certs.NSS_DIR)
ca_instance.stop_tracking_certificates()
if ca_instance.is_configured():
ca_instance.uninstall()

361
ipaserver/install/cainstance.py
View File

@ -68,7 +68,7 @@ from ipaserver.install import ldapupdate
from ipaserver.install import replication
from ipaserver.install import service
from ipaserver.install.dogtaginstance import (
DEFAULT_DSPORT, PKI_USER, export_kra_agent_pem, DogtagInstance)
PKI_USER, export_kra_agent_pem, DogtagInstance)
from ipaserver.plugins import ldap2
# Python 3 rename. The package is available in "six.moves.http_client", but
@ -248,7 +248,7 @@ def get_crl_files(path=None):
@param path Custom target directory
"""
if path is None:
path = dogtag.configured_constants().CRL_PUBLISH_PATH
path = paths.PKI_CA_PUBLISH_DIR
files = os.listdir(path)
for f in files:
@ -261,7 +261,7 @@ def get_crl_files(path=None):
def is_step_one_done():
"""Read CS.cfg and determine if step one of an external CA install is done
"""
path = dogtag.install_constants.CS_CFG_PATH
path = paths.CA_CS_CFG_PATH
if not os.path.exists(path):
return False
test = installutils.get_directive(path, 'preop.ca.type', '=')
@ -274,8 +274,7 @@ def is_ca_installed_locally():
"""Check if CA is installed locally by checking for existence of CS.cfg
:return:True/False
"""
path = dogtag.install_constants.CS_CFG_PATH
return os.path.exists(path)
return os.path.exists(paths.CA_CS_CFG_PATH)
def create_ca_user():
@ -288,63 +287,6 @@ def create_ca_user():
)
class CADSInstance(service.Service):
"""Certificate Authority DS instance
The CA DS was used with Dogtag 9. Only upgraded installations still use it.
Thus this class only does uninstallation.
"""
def __init__(self, host_name=None, realm_name=None, dm_password=None, dogtag_constants=None):
service.Service.__init__(
self, "pkids",
service_desc="directory server for the CA",
dm_password=dm_password,
ldapi=False,
autobind=ipaldap.AUTOBIND_DISABLED)
self.serverid = "PKI-IPA"
self.realm = realm_name
self.sub_dict = None
self.fqdn = host_name
self.dercert = None
self.pkcs12_info = None
self.ds_port = None
self.master_host = None
self.nickname = 'Server-Cert'
self.subject_base = None
def uninstall(self):
if self.is_configured():
self.print_msg("Unconfiguring CA directory server")
enabled = self.restore_state("enabled")
serverid = self.restore_state("serverid")
# Just eat this state if it exists
self.restore_state("running")
if not enabled is None and not enabled:
services.knownservices.dirsrv.disable()
if serverid is not None:
# drop the trailing / off the config_dirname so the directory
# will match what is in certmonger
dirname = dsinstance.config_dirname(serverid)[:-1]
dsdb = certs.CertDB(self.realm, nssdir=dirname)
dsdb.untrack_server_cert("Server-Cert")
try:
dsinstance.remove_ds_instance(serverid)
except ipautil.CalledProcessError:
root_logger.error("Failed to remove CA DS instance. You may "
"need to remove instance data manually")
self.restore_state("user_exists")
# At one time we removed this user on uninstall. That can potentially
# orphan files, or worse, if another useradd runs in the interim,
# cause files to have a new owner.
class CAInstance(DogtagInstance):
"""
When using a dogtag CA the DS database contains just the
@ -368,16 +310,12 @@ class CAInstance(DogtagInstance):
('caSigningCert cert-pki-ca', 'ipaCACertRenewal'))
server_cert_name = 'Server-Cert cert-pki-ca'
def __init__(self, realm=None, ra_db=None, dogtag_constants=None,
host_name=None, dm_password=None, ldapi=True):
if dogtag_constants is None:
dogtag_constants = dogtag.configured_constants()
def __init__(self, realm=None, ra_db=None, host_name=None,
dm_password=None, ldapi=True):
super(CAInstance, self).__init__(
realm=realm,
subsystem="CA",
service_desc="certificate server",
dogtag_constants=dogtag_constants,
host_name=host_name,
dm_password=dm_password,
ldapi=ldapi
@ -404,8 +342,7 @@ class CAInstance(DogtagInstance):
self.log = log_mgr.get_logger(self)
self.no_db_setup = False
def configure_instance(self, host_name, dm_password,
admin_password, ds_port=DEFAULT_DSPORT,
def configure_instance(self, host_name, dm_password, admin_password,
pkcs12_info=None, master_host=None, csr_file=None,
cert_file=None, cert_chain_file=None,
master_replication_port=None,
@ -413,8 +350,6 @@ class CAInstance(DogtagInstance):
ca_type=None, ra_p12=None):
"""Create a CA instance.
For Dogtag 9, this may involve creating the pki-ca instance.
To create a clone, pass in pkcs12_info.
Creating a CA with an external signer is a 2-step process. In
@ -426,7 +361,6 @@ class CAInstance(DogtagInstance):
self.dm_password = dm_password
self.admin_user = "admin"
self.admin_password = admin_password
self.ds_port = ds_port
self.pkcs12_info = pkcs12_info
if self.pkcs12_info is not None:
self.clone = True
@ -456,12 +390,8 @@ class CAInstance(DogtagInstance):
self.external = 2
self.step("creating certificate server user", create_ca_user)
if self.dogtag_constants.DOGTAG_VERSION >= 10:
self.step("configuring certificate server instance", self.__spawn_instance)
else:
if not ipautil.dir_exists(paths.VAR_LIB_PKI_CA_DIR):
self.step("creating pki-ca instance", self.create_instance)
self.step("configuring certificate server instance", self.__configure_instance)
self.step("configuring certificate server instance",
self.__spawn_instance)
self.step("stopping certificate server instance to update CS.cfg", self.stop_instance)
self.step("backing up CS.cfg", self.backup_config)
self.step("disabling nonces", self.__disable_nonce)
@ -471,8 +401,6 @@ class CAInstance(DogtagInstance):
# Step 1 of external is getting a CSR so we don't need to do these
# steps until we get a cert back from the external CA.
if self.external != 1:
if self.dogtag_constants.DOGTAG_VERSION < 10 and not self.clone:
self.step("creating CA agent PKCS#12 file in /root", self.__create_ca_agent_pkcs12)
if self.create_ra_agent_db:
self.step("creating RA agent certificate database", self.__create_ra_agent_db)
self.step("importing CA chain to RA certificate database", self.__import_ca_chain)
@ -547,7 +475,7 @@ class CAInstance(DogtagInstance):
config.set("CA", "pki_client_admin_cert_p12", paths.DOGTAG_ADMIN_P12)
# Directory server
config.set("CA", "pki_ds_ldap_port", str(self.ds_port))
config.set("CA", "pki_ds_ldap_port", "389")
config.set("CA", "pki_ds_password", self.dm_password)
config.set("CA", "pki_ds_base_dn", self.basedn)
config.set("CA", "pki_ds_database", "ipaca")
@ -598,7 +526,7 @@ class CAInstance(DogtagInstance):
config.set("CA", "pki_clone_pkcs12_password", self.dm_password)
config.set("CA", "pki_clone_replication_security", "TLS")
config.set("CA", "pki_clone_replication_master_port", str(self.master_replication_port))
config.set("CA", "pki_clone_replication_clone_port", dogtag.install_constants.DS_PORT)
config.set("CA", "pki_clone_replication_clone_port", "389")
config.set("CA", "pki_clone_replicate_schema", "False")
config.set("CA", "pki_clone_uri", "https://%s" % ipautil.format_netloc(self.master_host, 443))
@ -656,151 +584,9 @@ class CAInstance(DogtagInstance):
self.log.debug("completed creating ca instance")
def create_instance(self):
"""
If for some reason the instance doesn't exist, create a new one."
"""
# Only used for Dogtag 9
args = [paths.PKICREATE,
'-pki_instance_root', paths.VAR_LIB,
'-pki_instance_name',
self.dogtag_constants.PKI_INSTANCE_NAME,
'-subsystem_type', 'ca',
'-agent_secure_port',
str(self.dogtag_constants.AGENT_SECURE_PORT),
'-ee_secure_port',
str(self.dogtag_constants.EE_SECURE_PORT),
'-admin_secure_port',
str(self.dogtag_constants.ADMIN_SECURE_PORT),
'-ee_secure_client_auth_port',
str(self.dogtag_constants.EE_CLIENT_AUTH_PORT),
'-unsecure_port', str(self.dogtag_constants.UNSECURE_PORT),
'-tomcat_server_port',
str(self.dogtag_constants.TOMCAT_SERVER_PORT),
'-redirect', 'conf=/etc/pki-ca',
'-redirect', 'logs=/var/log/pki-ca',
'-enable_proxy'
]
self.backup_state('installed', True)
ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn})
def __configure_instance(self):
# Only used for Dogtag 9
preop_pin = get_preop_pin(
self.server_root, self.dogtag_constants.PKI_INSTANCE_NAME)
try:
args = [paths.PERL, paths.PKISILENT, "ConfigureCA",
"-cs_hostname", self.fqdn,
"-cs_port", str(self.dogtag_constants.ADMIN_SECURE_PORT),
"-client_certdb_dir", self.agent_db,
"-client_certdb_pwd", self.admin_password,
"-preop_pin" , preop_pin,
"-domain_name", self.security_domain_name,
"-admin_user", self.admin_user,
"-admin_email", "root@localhost",
"-admin_password", self.admin_password,
"-agent_name", "ipa-ca-agent",
"-agent_key_size", "2048",
"-agent_key_type", "rsa",
"-agent_cert_subject", str(DN(('CN', 'ipa-ca-agent'), self.subject_base)),
"-ldap_host", self.fqdn,
"-ldap_port", str(self.ds_port),
"-bind_dn", "cn=Directory Manager",
"-bind_password", self.dm_password,
"-base_dn", str(self.basedn),
"-db_name", "ipaca",
"-key_size", "2048",
"-key_type", "rsa",
"-key_algorithm", self.ca_signing_algorithm,
"-signing_algorithm", "SHA256withRSA",
"-save_p12", "true",
"-backup_pwd", self.admin_password,
"-subsystem_name", self.service_name,
"-token_name", "internal",
"-ca_subsystem_cert_subject_name", str(DN(('CN', 'CA Subsystem'), self.subject_base)),
"-ca_subsystem_cert_subject_name", str(DN(('CN', 'CA Subsystem'), self.subject_base)),
"-ca_ocsp_cert_subject_name", str(DN(('CN', 'OCSP Subsystem'), self.subject_base)),
"-ca_server_cert_subject_name", str(DN(('CN', self.fqdn), self.subject_base)),
"-ca_audit_signing_cert_subject_name", str(DN(('CN', 'CA Audit'), self.subject_base)),
"-ca_sign_cert_subject_name", str(DN(('CN', 'Certificate Authority'), self.subject_base)) ]
if self.external == 1:
args.append("-external")
args.append("true")
args.append("-ext_csr_file")
args.append(self.csr_file)
elif self.external == 2:
cert = x509.load_certificate_from_file(self.cert_file)
cert_file = tempfile.NamedTemporaryFile()
x509.write_certificate(cert.der_data, cert_file.name)
cert_file.flush()
args.append("-external")
args.append("true")
args.append("-ext_ca_cert_file")
args.append(cert_file.name)
args.append("-ext_ca_cert_chain_file")
args.append(self.cert_chain_file)
else:
args.append("-external")
args.append("false")
if self.clone:
"""sd = security domain --> all CS systems get registered to
a security domain. This is set to the hostname and port of
the master CA.
"""
# The install wizard expects the file to be here.
cafile = self.pkcs12_info[0]
shutil.copy(cafile, paths.PKI_ALIAS_CA_P12)
pent = pwd.getpwnam(PKI_USER)
os.chown(paths.PKI_ALIAS_CA_P12, pent.pw_uid, pent.pw_gid )
args.append("-clone")
args.append("true")
args.append("-clone_p12_file")
args.append("ca.p12")
args.append("-clone_p12_password")
args.append(self.dm_password)
args.append("-sd_hostname")
args.append(self.master_host)
args.append("-sd_admin_port")
args.append("443")
args.append("-sd_admin_name")
args.append(self.admin_user)
args.append("-sd_admin_password")
args.append(self.admin_password)
args.append("-clone_master_port")
args.append(str(self.master_replication_port))
args.append("-clone_start_tls")
args.append("true")
args.append("-clone_uri")
args.append("https://%s" % ipautil.format_netloc(self.master_host, 443))
else:
args.append("-clone")
args.append("false")
# Define the things we don't want logged
nolog = (self.admin_password, self.dm_password,)
ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn}, nolog=nolog)
except ipautil.CalledProcessError as e:
self.handle_setup_error(e)
if self.external == 1:
print("The next step is to get %s signed by your CA and re-run %s as:" % (self.csr_file, sys.argv[0]))
print("%s --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate" % sys.argv[0])
sys.exit(0)
# pkisilent makes a copy of the CA PKCS#12 file for us but gives
# it a lousy name.
if ipautil.file_exists(paths.ROOT_TMP_CA_P12):
shutil.move(paths.ROOT_TMP_CA_P12, paths.CACERT_P12)
self.log.debug("completed creating ca instance")
def backup_config(self):
try:
backup_config(self.dogtag_constants)
backup_config()
except Exception as e:
root_logger.warning("Failed to backup CS.cfg: %s", e)
@ -816,16 +602,15 @@ class CAInstance(DogtagInstance):
def __disable_nonce(self):
# Turn off Nonces
update_result = installutils.update_file(
self.dogtag_constants.CS_CFG_PATH, 'ca.enableNonces=true',
paths.CA_CS_CFG_PATH, 'ca.enableNonces=true',
'ca.enableNonces=false')
if update_result != 0:
raise RuntimeError("Disabling nonces failed")
pent = pwd.getpwnam(PKI_USER)
os.chown(self.dogtag_constants.CS_CFG_PATH,
pent.pw_uid, pent.pw_gid)
os.chown(paths.CA_CS_CFG_PATH, pent.pw_uid, pent.pw_gid)
def enable_pkix(self):
installutils.set_directive(self.dogtag_constants.SYSCONFIG_FILE_PATH,
installutils.set_directive(paths.SYSCONFIG_PKI_TOMCAT,
'NSS_ENABLE_PKIX_VERIFY', '1',
quotes=False, separator='=')
@ -874,13 +659,12 @@ class CAInstance(DogtagInstance):
'-p', self.admin_password,
'-d', self.agent_db,
'-r', '/ca/agent/ca/profileReview?requestId=%s' % self.requestId,
'%s' % ipautil.format_netloc(
self.fqdn, self.dogtag_constants.AGENT_SECURE_PORT),
'%s' % ipautil.format_netloc(self.fqdn, 8443),
]
(stdout, _stderr, _returncode) = ipautil.run(
args, nolog=(self.admin_password,))
data = stdout.split(self.dogtag_constants.RACERT_LINE_SEP)
data = stdout.split('\n')
params = get_defList(data)
params['requestId'] = find_substring(data, "requestId")
params['op'] = 'approve'
@ -897,13 +681,12 @@ class CAInstance(DogtagInstance):
'-d', self.agent_db,
'-e', params,
'-r', '/ca/agent/ca/profileProcess',
'%s' % ipautil.format_netloc(
self.fqdn, self.dogtag_constants.AGENT_SECURE_PORT),
'%s' % ipautil.format_netloc(self.fqdn, 8443),
]
(stdout, _stderr, _returncode) = ipautil.run(
args, nolog=(self.admin_password,))
data = stdout.split(self.dogtag_constants.RACERT_LINE_SEP)
data = stdout.split('\n')
outputList = get_outputList(data)
self.ra_cert = outputList['b64_cert']
@ -1024,26 +807,10 @@ class CAInstance(DogtagInstance):
def __get_ca_chain(self):
try:
return dogtag.get_ca_certchain(ca_host=self.fqdn,
dogtag_constants=self.dogtag_constants)
return dogtag.get_ca_certchain(ca_host=self.fqdn)
except Exception as e:
raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
def __create_ca_agent_pkcs12(self):
# Only used for Dogtag 9
(pwd_fd, pwd_name) = tempfile.mkstemp()
os.write(pwd_fd, self.admin_password)
os.close(pwd_fd)
try:
ipautil.run([paths.PK12UTIL,
"-n", "ipa-ca-agent",
"-o", paths.DOGTAG_ADMIN_P12,
"-d", self.agent_db,
"-k", pwd_name,
"-w", pwd_name])
finally:
os.remove(pwd_name)
def __import_ca_chain(self):
chain = self.__get_ca_chain()
@ -1113,8 +880,7 @@ class CAInstance(DogtagInstance):
csr = pkcs10.strip_header(stdout)
# Send the request to the CA
conn = httplib.HTTPConnection(
self.fqdn, self.dogtag_constants.UNSECURE_PORT)
conn = httplib.HTTPConnection(self.fqdn, 8080)
params = urllib.parse.urlencode({'profileId': 'caServerCert',
'cert_request_type': 'pkcs10',
'requestor_name': 'IPA Installer',
@ -1152,8 +918,9 @@ class CAInstance(DogtagInstance):
def __setup_sign_profile(self):
# Tell the profile to automatically issue certs for RAs
installutils.set_directive(self.dogtag_constants.SIGN_PROFILE,
'auth.instance_id', 'raCertAuth', quotes=False, separator='=')
installutils.set_directive(
paths.CAJARSIGNINGCERT_CFG, 'auth.instance_id', 'raCertAuth',
quotes=False, separator='=')
def prepare_crl_publish_dir(self):
"""
@ -1161,7 +928,7 @@ class CAInstance(DogtagInstance):
Returns a path to the CRL publishing directory
"""
publishdir = self.dogtag_constants.CRL_PUBLISH_PATH
publishdir = paths.PKI_CA_PUBLISH_DIR
if not os.path.exists(publishdir):
os.mkdir(publishdir)
@ -1181,7 +948,7 @@ class CAInstance(DogtagInstance):
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Certificate_System/8.0/html/Admin_Guide/Setting_up_Publishing.html
"""
caconfig = self.dogtag_constants.CS_CFG_PATH
caconfig = paths.CA_CS_CFG_PATH
publishdir = self.prepare_crl_publish_dir()
@ -1232,20 +999,7 @@ class CAInstance(DogtagInstance):
# just eat state
self.restore_state("enabled")
if self.dogtag_constants.DOGTAG_VERSION >= 10:
DogtagInstance.uninstall(self)
else:
if self.is_configured():
self.print_msg("Unconfiguring CA")
try:
ipautil.run([paths.PKIREMOVE,
"-pki_instance_root=%s" % paths.VAR_LIB,
"-pki_instance_name=%s" %
self.dogtag_constants.PKI_INSTANCE_NAME,
"--force"])
except ipautil.CalledProcessError as e:
self.log.critical("failed to uninstall CA instance %s", e)
DogtagInstance.uninstall(self)
self.restore_state("installed")
@ -1289,9 +1043,9 @@ class CAInstance(DogtagInstance):
# remove CRL directory
self.log.info("Remove CRL directory")
if os.path.exists(self.dogtag_constants.CRL_PUBLISH_PATH):
if os.path.exists(paths.PKI_CA_PUBLISH_DIR):
try:
shutil.rmtree(self.dogtag_constants.CRL_PUBLISH_PATH)
shutil.rmtree(paths.PKI_CA_PUBLISH_DIR)
except OSError as e:
self.log.warning("Error while removing CRL publish "
"directory: %s", e)
@ -1370,7 +1124,7 @@ class CAInstance(DogtagInstance):
# Check the default validity period of the audit signing cert
# and set it to 2 years if it is 6 months.
cert_range = installutils.get_directive(
'%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR,
paths.CASIGNEDLOGCERT_CFG,
'policyset.caLogSigningSet.2.default.params.range',
separator='='
)
@ -1378,14 +1132,14 @@ class CAInstance(DogtagInstance):
'caSignedLogCert.cfg profile validity range is %s', cert_range)
if cert_range == "180":
installutils.set_directive(
'%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR,
paths.CASIGNEDLOGCERT_CFG,
'policyset.caLogSigningSet.2.default.params.range',
'720',
quotes=False,
separator='='
)
installutils.set_directive(
'%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR,
paths.CASIGNEDLOGCERT_CFG,
'policyset.caLogSigningSet.2.constraint.params.range',
'720',
quotes=False,
@ -1447,7 +1201,7 @@ class CAInstance(DogtagInstance):
self.admin_conn.update_entry(master_entry)
@staticmethod
def update_cert_config(nickname, cert, dogtag_constants=None):
def update_cert_config(nickname, cert):
"""
When renewing a CA subsystem certificate the configuration file
needs to get the new certificate as well.
@ -1456,9 +1210,6 @@ class CAInstance(DogtagInstance):
cert is a DER-encoded certificate.
"""
if dogtag_constants is None:
dogtag_constants = dogtag.configured_constants()
# The cert directive to update per nickname
directives = {'auditSigningCert cert-pki-ca': 'ca.audit_signing.cert',
'ocspSigningCert cert-pki-ca': 'ca.ocsp_signing.cert',
@ -1467,14 +1218,12 @@ class CAInstance(DogtagInstance):
'Server-Cert cert-pki-ca': 'ca.sslserver.cert'}
try:
backup_config(dogtag_constants)
backup_config()
except Exception as e:
syslog.syslog(syslog.LOG_ERR, "Failed to backup CS.cfg: %s" % e)
DogtagInstance.update_cert_cs_cfg(
nickname, cert, directives,
dogtag.configured_constants().CS_CFG_PATH,
dogtag_constants)
nickname, cert, directives, paths.CA_CS_CFG_PATH)
def __create_ds_db(self):
'''
@ -1519,7 +1268,7 @@ class CAInstance(DogtagInstance):
self.__update_topology()
def __client_auth_to_db(self):
self.enable_client_auth_to_db(self.dogtag_constants.CS_CFG_PATH)
self.enable_client_auth_to_db(paths.CA_CS_CFG_PATH)
def __restart_http_instance(self):
# We need to restart apache as we drop a new config file in there
@ -1536,9 +1285,8 @@ class CAInstance(DogtagInstance):
the topology plugin to manage replication.
Requires domain_level >= DOMAIN_LEVEL_1 and custodia on the master.
"""
self.ds_port = DEFAULT_DSPORT
self.master_host = master_host
self.master_replication_port = DEFAULT_DSPORT
self.master_replication_port = 389
if subject_base is None:
self.subject_base = DN(('O', self.realm))
else:
@ -1614,14 +1362,7 @@ def replica_ca_install_check(config):
# Replica of old "self-signed" master - CA won't be installed
return
# Exit if we have an old-style (Dogtag 9) CA already installed
ca = CAInstance(config.realm_name, certs.NSS_DIR,
dogtag_constants=dogtag.Dogtag9Constants)
if ca.is_installed():
root_logger.info('Dogtag 9 style CA instance found')
sys.exit("A CA is already configured on this system.")
if config.ca_ds_port != dogtag.Dogtag9Constants.DS_PORT:
if config.ca_ds_port != 7389:
root_logger.debug(
'Installing CA Replica from master with a merged database')
return
@ -1675,8 +1416,7 @@ def install_replica_ca(config, postinstall=False, ra_p12=None):
# Replica of old "self-signed" master - skip installing CA
return None
ca = CAInstance(config.realm_name, certs.NSS_DIR,
dogtag_constants=dogtag.install_constants)
ca = CAInstance(config.realm_name, certs.NSS_DIR)
ca.dm_password = config.dirman_password
ca.subject_base = config.subject_base
@ -1716,27 +1456,24 @@ def install_replica_ca(config, postinstall=False, ra_p12=None):
# unix service.
service.print_msg("Restarting the directory and certificate servers")
ca.stop(dogtag.install_constants.PKI_INSTANCE_NAME)
ca.stop('pki-tomcat')
services.knownservices.dirsrv.restart()
ca.start(dogtag.install_constants.PKI_INSTANCE_NAME)
ca.start('pki-tomcat')
return ca
def backup_config(dogtag_constants=None):
def backup_config():
"""
Create a backup copy of CS.cfg
"""
if dogtag_constants is None:
dogtag_constants = dogtag.configured_constants()
if services.knownservices[dogtag_constants.SERVICE_NAME].is_running(
dogtag_constants.PKI_INSTANCE_NAME):
raise RuntimeError("Dogtag must be stopped when creating backup of %s"
% dogtag_constants.CS_CFG_PATH)
shutil.copy(dogtag_constants.CS_CFG_PATH,
dogtag_constants.CS_CFG_PATH + '.ipabkp')
path = paths.CA_CS_CFG_PATH
if services.knownservices['pki_tomcatd'].is_running('pki-tomcat'):
raise RuntimeError(
"Dogtag must be stopped when creating backup of %s" % path)
shutil.copy(path, path + '.ipabkp')
def update_people_entry(dercert):
"""
@ -1940,7 +1677,7 @@ def migrate_profiles_to_ldap():
api.Backend.ra_certprofile._read_password()
api.Backend.ra_certprofile.override_port = 8443
with open(dogtag.configured_constants().CS_CFG_PATH) as f:
with open(paths.CA_CS_CFG_PATH) as f:
cs_cfg = f.read()
match = re.search(r'^profile\.list=(\S*)', cs_cfg, re.MULTILINE)
profile_ids = match.group(1).split(',')

10
ipaserver/install/certs.py
View File

@ -399,10 +399,7 @@ class CertDB(object):
password = f.readline()
f.close()
result = dogtag.https_request(
self.host_name,
api.env.ca_ee_install_port or
dogtag.configured_constants().EE_SECURE_PORT,
"/ca/ee/ca/profileSubmitSSLClient",
self.host_name, 8443, "/ca/ee/ca/profileSubmitSSLClient",
self.secdir, password, "ipaCert", **params)
http_status, http_reason_phrase, http_headers, http_body = result
@ -456,10 +453,7 @@ class CertDB(object):
password = f.readline()
f.close()
result = dogtag.https_request(
self.host_name,
api.env.ca_ee_install_port or
dogtag.configured_constants().EE_SECURE_PORT,
"/ca/ee/ca/profileSubmitSSLClient",
self.host_name, 8443, "/ca/ee/ca/profileSubmitSSLClient",
self.secdir, password, "ipaCert", **params)
http_status, http_reason_phrase, http_headers, http_body = result
if http_status != 200:

77
ipaserver/install/dogtaginstance.py
View File

@ -35,7 +35,6 @@ from ipalib import errors
from ipaplatform import services
from ipaplatform.paths import paths
from ipapython import certmonger
from ipapython import dogtag
from ipapython import ipaldap
from ipapython import ipautil
from ipapython.dn import DN
@ -45,10 +44,7 @@ from ipaserver.install import replication
from ipaserver.install.installutils import stopped_service
from ipapython.ipa_log_manager import log_mgr
DEFAULT_DSPORT = dogtag.install_constants.DS_PORT
PKI_USER = "pkiuser"
PKI_DS_USER = dogtag.install_constants.DS_USER
def check_inst(subsystem):
@ -57,9 +53,9 @@ def check_inst(subsystem):
"""
# Check for a couple of binaries we need
if not os.path.exists(dogtag.install_constants.SPAWN_BINARY):
if not os.path.exists(paths.PKISPAWN):
return False
if not os.path.exists(dogtag.install_constants.DESTROY_BINARY):
if not os.path.exists(paths.PKIDESTROY):
return False
if not os.path.exists(paths.PKI_CONF_SERVER_XML_TEMPLATE % subsystem):
@ -127,21 +123,18 @@ class DogtagInstance(service.Service):
tracking_reqs = None
server_cert_name = None
def __init__(self, realm, subsystem, service_desc, dogtag_constants=None,
host_name=None, dm_password=None, ldapi=True):
def __init__(self, realm, subsystem, service_desc, host_name=None,
dm_password=None, ldapi=True,
nss_db=paths.PKI_TOMCAT_ALIAS_DIR):
"""Initializer"""
if dogtag_constants is None:
dogtag_constants = dogtag.configured_constants()
super(DogtagInstance, self).__init__(
'%sd' % dogtag_constants.PKI_INSTANCE_NAME,
'pki-tomcatd',
service_desc=service_desc,
dm_password=dm_password,
ldapi=ldapi
)
self.dogtag_constants = dogtag_constants
self.realm = realm
self.admin_password = None
self.fqdn = host_name
@ -154,15 +147,13 @@ class DogtagInstance(service.Service):
('ou', 'people'), ('o', 'ipaca'))
self.admin_groups = None
self.agent_db = tempfile.mkdtemp(prefix="tmp-")
self.ds_port = DEFAULT_DSPORT
self.server_root = dogtag_constants.SERVER_ROOT
self.subsystem = subsystem
self.security_domain_name = "IPA"
# replication parameters
self.master_host = None
self.master_replication_port = None
self.subject_base = None
self.nss_db = nss_db
self.log = log_mgr.get_logger(self)
@ -176,8 +167,7 @@ class DogtagInstance(service.Service):
Returns True/False
"""
return os.path.exists(os.path.join(
self.server_root, self.dogtag_constants.PKI_INSTANCE_NAME,
self.subsystem.lower()))
paths.VAR_LIB_PKI_TOMCAT_DIR, self.subsystem.lower()))
def spawn_instance(self, cfg_file, nolog_list=None):
"""
@ -208,7 +198,7 @@ class DogtagInstance(service.Service):
def restart_instance(self):
try:
self.restart(self.dogtag_constants.PKI_INSTANCE_NAME)
self.restart('pki-tomcat')
except Exception:
self.log.debug(traceback.format_exc())
self.log.critical(
@ -217,7 +207,7 @@ class DogtagInstance(service.Service):
def start_instance(self):
try:
self.start(self.dogtag_constants.PKI_INSTANCE_NAME)
self.start('pki-tomcat')
except Exception:
self.log.debug(traceback.format_exc())
self.log.critical(
@ -226,7 +216,7 @@ class DogtagInstance(service.Service):
def stop_instance(self):
try:
self.stop(self.dogtag_constants.PKI_INSTANCE_NAME)
self.stop('pki-tomcat')
except Exception:
self.log.debug(traceback.format_exc())
self.log.critical(
@ -239,9 +229,7 @@ class DogtagInstance(service.Service):
Path to CS.cfg config file passed in.
"""
with stopped_service(
self.dogtag_constants.SERVICE_NAME,
instance_name=self.dogtag_constants.PKI_INSTANCE_NAME):
with stopped_service('pki-tomcatd', 'pki-tomcat'):
installutils.set_directive(
config,
'authz.instance.DirAclAuthz.ldap.ldapauth.authtype',
@ -256,8 +244,7 @@ class DogtagInstance(service.Service):
'subsystemCert cert-pki-ca', quotes=False, separator='=')
installutils.set_directive(
config,
'authz.instance.DirAclAuthz.ldap.ldapconn.port',
str(dogtag.install_constants.DS_SECURE_PORT),
'authz.instance.DirAclAuthz.ldap.ldapconn.port', '636',
quotes=False, separator='=')
installutils.set_directive(
config,
@ -279,15 +266,13 @@ class DogtagInstance(service.Service):
'subsystemCert cert-pki-ca', quotes=False, separator='=')
installutils.set_directive(
config,
'internaldb.ldapconn.port',
str(dogtag.install_constants.DS_SECURE_PORT),
quotes=False, separator='=')
'internaldb.ldapconn.port', '636', quotes=False, separator='=')
installutils.set_directive(
config,
'internaldb.ldapconn.secureConn', 'true', quotes=False,
separator='=')
# Remove internaldb password as is not needed anymore
installutils.set_directive(self.dogtag_constants.PASSWORD_CONF_PATH,
installutils.set_directive(paths.PKI_TOMCAT_PASSWORD_CONF,
'internaldb', None)
def uninstall(self):
@ -295,8 +280,8 @@ class DogtagInstance(service.Service):
self.print_msg("Unconfiguring %s" % self.subsystem)
try:
ipautil.run([paths.PKIDESTROY, "-i",
self.dogtag_constants.PKI_INSTANCE_NAME,
ipautil.run([paths.PKIDESTROY,
"-i", 'pki-tomcat',
"-s", self.subsystem])
except ipautil.CalledProcessError as e:
self.log.critical("failed to uninstall %s instance %s",
@ -306,7 +291,7 @@ class DogtagInstance(service.Service):
""" Update the http proxy file """
template_filename = ipautil.SHARE_DIR + "ipa-pki-proxy.conf"
sub_dict = dict(
DOGTAG_PORT=self.dogtag_constants.AJP_PORT,
DOGTAG_PORT=8009,
CLONE='' if self.clone else '#',
FQDN=self.fqdn,
)
@ -337,8 +322,7 @@ class DogtagInstance(service.Service):
def __get_pin(self):
try:
return certmonger.get_pin('internal',
dogtag_constants=self.dogtag_constants)
return certmonger.get_pin('internal')
except IOError as e:
self.log.debug(
'Unable to determine PIN for the Dogtag instance: %s', e)
@ -355,7 +339,7 @@ class DogtagInstance(service.Service):
nickname=nickname,
pin=pin,
pinfile=None,
secdir=self.dogtag_constants.ALIAS_DIR,
secdir=self.nss_db,
pre_command='stop_pkicad',
post_command='renew_ca_cert "%s"' % nickname,
profile=profile)
@ -376,7 +360,7 @@ class DogtagInstance(service.Service):
nickname=self.server_cert_name,
pin=pin,
pinfile=None,
secdir=self.dogtag_constants.ALIAS_DIR,
secdir=self.nss_db,
pre_command='stop_pkicad',
post_command='renew_ca_cert "%s"' % self.server_cert_name)
except RuntimeError as e:
@ -401,7 +385,7 @@ class DogtagInstance(service.Service):
for nickname in nicknames:
try:
certmonger.stop_tracking(
self.dogtag_constants.ALIAS_DIR, nickname=nickname)
self.nss_db, nickname=nickname)
except RuntimeError as e:
self.log.error(
"certmonger failed to stop tracking certificate: %s", e)
@ -410,8 +394,7 @@ class DogtagInstance(service.Service):
cmonger.stop()
@staticmethod
def update_cert_cs_cfg(nickname, cert, directives, cs_cfg,
dogtag_constants=None):
def update_cert_cs_cfg(nickname, cert, directives, cs_cfg):
"""
When renewing a Dogtag subsystem certificate the configuration file
needs to get the new certificate as well.
@ -422,11 +405,7 @@ class DogtagInstance(service.Service):
cs_cfg is the path to the CS.cfg file
"""
if dogtag_constants is None:
dogtag_constants = dogtag.configured_constants()
with stopped_service(dogtag_constants.SERVICE_NAME,
instance_name=dogtag_constants.PKI_INSTANCE_NAME):
with stopped_service('pki-tomcatd', 'pki-tomcat'):
installutils.set_directive(
cs_cfg,
directives[nickname],
@ -461,11 +440,7 @@ class DogtagInstance(service.Service):
% (self.subsystem, e))
self.log.critical("See the installation logs and the following "
"files/directories for more information:")
logs = [self.dogtag_constants.PKI_INSTALL_LOG,
self.dogtag_constants.PKI_LOG_TOP_LEVEL]
for log in logs:
self.log.critical(" %s" % log)
self.log.critical(" %s" % paths.TOMCAT_TOPLEVEL_DIR)
raise RuntimeError("%s configuration failed." % self.subsystem)
@ -517,7 +492,7 @@ class DogtagInstance(service.Service):
# Now wait until the other server gets replicated this data
master_conn = ipaldap.IPAdmin(self.master_host,
port=DEFAULT_DSPORT,
port=389,
protocol='ldap')
master_conn.do_sasl_gssapi_bind()
replication.wait_for_entry(master_conn, entry)

3
ipaserver/install/httpinstance.py
View File

@ -34,7 +34,6 @@ from ipaserver.install import certs
from ipaserver.install import installutils
from ipapython import sysrestore
from ipapython import ipautil
from ipapython import dogtag
from ipapython.dn import DN
from ipapython.ipa_log_manager import root_logger
import ipapython.errors
@ -128,7 +127,7 @@ class HTTPInstance(service.Service):
FQDN=fqdn,
DOMAIN=self.domain,
AUTOREDIR='' if auto_redirect else '#',
CRL_PUBLISH_PATH=dogtag.install_constants.CRL_PUBLISH_PATH,
CRL_PUBLISH_PATH=paths.PKI_CA_PUBLISH_DIR,
)
self.ca_file = ca_file
if ca_is_configured is not None:

8
ipaserver/install/installutils.py
View File

@ -45,7 +45,7 @@ from six.moves.configparser import SafeConfigParser, NoOptionError
import ipaplatform
from ipapython import ipautil, sysrestore, admintool, dogtag, version
from ipapython import ipautil, sysrestore, admintool, version
from ipapython.admintool import ScriptError
from ipapython.ipa_log_manager import root_logger, log_mgr
from ipalib.util import validate_hostname
@ -64,8 +64,8 @@ if six.PY3:
# Used to determine install status
IPA_MODULES = [
'httpd', 'kadmin', 'dirsrv', 'pki-cad', 'pki-tomcatd', 'install',
'krb5kdc', 'ntpd', 'named', 'ipa_memcached']
'httpd', 'kadmin', 'dirsrv', 'pki-tomcatd', 'install', 'krb5kdc', 'ntpd',
'named', 'ipa_memcached']
class BadHostError(Exception):
@ -583,7 +583,7 @@ def read_replica_info(dir_path, rconfig):
def read_replica_info_dogtag_port(config_dir):
portfile = config_dir + "/dogtag_directory_port.txt"
default_port = dogtag.Dogtag9Constants.DS_PORT
default_port = 7389
if not ipautil.file_exists(portfile):
dogtag_master_ds_port = default_port
else:

67
ipaserver/install/ipa_backup.py
View File

@ -106,12 +106,10 @@ class Backup(admintool.AdminTool):
dirs = (paths.IPA_HTML_DIR,
paths.ROOT_PKI,
paths.ETC_PKI_CA_DIR,
paths.PKI_TOMCAT,
paths.SYSCONFIG_PKI,
paths.HTTPD_ALIAS_DIR,
paths.VAR_LIB_PKI_DIR,
paths.VAR_LIB_PKI_CA_DIR,
paths.SYSRESTORE,
paths.IPA_CLIENT_SYSRESTORE,
paths.IPA_DNSSEC_DIR,
@ -127,12 +125,10 @@ class Backup(admintool.AdminTool):
paths.NAMED_CONF,
paths.NAMED_KEYTAB,
paths.RESOLV_CONF,
paths.SYSCONFIG_PKI_CA_DIR,
paths.SYSCONFIG_PKI_TOMCAT,
paths.SYSCONFIG_DIRSRV,
paths.SYSCONFIG_NTPD,
paths.SYSCONFIG_KRB5KDC_DIR,
paths.SYSCONFIG_PKI_CA_PKI_CA_DIR,
paths.SYSCONFIG_IPA_DNSKEYSYNCD,
paths.SYSCONFIG_IPA_ODS_EXPORTER,
paths.SYSCONFIG_NAMED,
@ -187,18 +183,14 @@ class Backup(admintool.AdminTool):
)
logs=(
paths.PKI_CA_LOG_DIR,
paths.VAR_LOG_PKI_DIR,
paths.VAR_LOG_SLAPD_PKI_IPA_DIR,
paths.VAR_LOG_HTTPD_DIR,
paths.IPASERVER_INSTALL_LOG,
paths.KADMIND_LOG,
paths.PKI_CA_INSTALL_LOG,
paths.MESSAGES,
paths.IPACLIENT_INSTALL_LOG,
paths.LOG_SECURE,
paths.IPASERVER_UNINSTALL_LOG,
paths.PKI_CA_UNINSTALL_LOG,
paths.IPACLIENT_UNINSTALL_LOG,
paths.NAMED_RUN,
)
@ -306,14 +298,14 @@ class Backup(admintool.AdminTool):
self.log.info('Stopping IPA services')
run(['ipactl', 'stop'])
for instance in [
installutils.realm_to_serverid(api.env.realm), 'PKI-IPA'
]:
if os.path.exists(paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE % instance):
if os.path.exists(paths.SLAPD_INSTANCE_DB_DIR_TEMPLATE % (instance, 'ipaca')):
self.db2ldif(instance, 'ipaca', online=options.online)
self.db2ldif(instance, 'userRoot', online=options.online)
self.db2bak(instance, online=options.online)
instance = installutils.realm_to_serverid(api.env.realm)
if os.path.exists(paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE %
instance):
if os.path.exists(paths.SLAPD_INSTANCE_DB_DIR_TEMPLATE %
(instance, 'ipaca')):
self.db2ldif(instance, 'ipaca', online=options.online)
self.db2ldif(instance, 'userRoot', online=options.online)
self.db2bak(instance, online=options.online)
if not options.data_only:
# create backup of auth configuration
auth_backup_path = os.path.join(paths.VAR_LIB_IPA, 'auth_backup')
@ -341,34 +333,21 @@ class Backup(admintool.AdminTool):
'''
Add instance-specific files and directories.
NOTE: this adds some things that may not get backed up, like the PKI-IPA
instance.
NOTE: this adds some things that may not get backed up.
'''
serverid = installutils.realm_to_serverid(api.env.realm)
for dir in [
paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % serverid,
paths.VAR_LIB_DIRSRV_INSTANCE_SCRIPTS_TEMPLATE % serverid,
paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE % serverid,
paths.VAR_LIB_SLAPD_PKI_IPA_DIR_TEMPLATE,
paths.USR_LIB_SLAPD_PKI_IPA_DIR,
paths.ETC_SLAPD_PKI_IPA_DIR,
paths.VAR_LIB_SLAPD_PKI_IPA_DIR_TEMPLATE,
self.__find_scripts_dir('PKI-IPA'),
]:
for dir in [paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % serverid,
paths.VAR_LIB_DIRSRV_INSTANCE_SCRIPTS_TEMPLATE % serverid,
paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE % serverid]:
if os.path.exists(dir):
self.dirs.append(dir)
for file in [
paths.SYSCONFIG_DIRSRV_INSTANCE % serverid,
paths.SYSCONFIG_DIRSRV_PKI_IPA_DIR]:
if os.path.exists(file):
self.files.append(file)
file = paths.SYSCONFIG_DIRSRV_INSTANCE % serverid
if os.path.exists(file):
self.files.append(file)
for log in [
paths.VAR_LOG_DIRSRV_INSTANCE_TEMPLATE % serverid,
]:
self.logs.append(log)
self.logs.append(paths.VAR_LOG_DIRSRV_INSTANCE_TEMPLATE % serverid)
def get_connection(self):
@ -628,17 +607,3 @@ class Backup(admintool.AdminTool):
shutil.move(self.header, backup_dir)
self.log.info('Backed up to %s', backup_dir)
def __find_scripts_dir(self, instance):
"""
IPA stores its 389-ds scripts in a different directory than dogtag
does so we need to probe for it.
"""
if instance != 'PKI-IPA':
return os.path.join(paths.VAR_LIB_DIRSRV, 'scripts-%s' % instance)
else:
if sys.maxsize > 2**32:
libpath = 'lib64'
else:
libpath = 'lib'
return os.path.join(paths.USR_DIR, libpath, 'dirsrv', 'slapd-PKI-IPA')

7
ipaserver/install/ipa_cacert_manage.py
View File

@ -144,9 +144,8 @@ class CACertManage(admintool.AdminTool):
if not ca.is_configured():
raise admintool.ScriptError("CA is not configured on this system")
nss_dir = ca.dogtag_constants.ALIAS_DIR
criteria = {
'cert-database': nss_dir,
'cert-database': paths.PKI_TOMCAT_ALIAS_DIR,
'cert-nickname': self.cert_nickname,
'ca-name': 'dogtag-ipa-ca-renew-agent',
}
@ -157,7 +156,7 @@ class CACertManage(admintool.AdminTool):
self.log.debug(
"Found certmonger request id %r", self.request_id)
db = certs.CertDB(api.env.realm, nssdir=nss_dir)
db = certs.CertDB(api.env.realm, nssdir=paths.PKI_TOMCAT_ALIAS_DIR)
cert = db.get_cert_from_db(self.cert_nickname, pem=False)
options = self.options
@ -206,7 +205,7 @@ class CACertManage(admintool.AdminTool):
options.external_cert_files, x509.subject_base())
nss_cert = None
nss.nss_init(ca.dogtag_constants.ALIAS_DIR)
nss.nss_init(paths.PKI_TOMCAT_ALIAS_DIR)
try:
nss_cert = x509.load_certificate(old_cert, x509.DER)
subject = nss_cert.subject

6
ipaserver/install/ipa_kra_install.py
View File

@ -28,7 +28,6 @@ from ipalib.constants import DOMAIN_LEVEL_0
from ipaplatform import services
from ipaplatform.paths import paths
from ipapython import admintool
from ipapython import dogtag
from ipapython import ipautil
from ipapython.dn import DN
from ipaserver.install import service
@ -100,8 +99,7 @@ class KRAUninstaller(KRAInstall):
if self.args:
self.option_parser.error("Too many parameters provided.")
dogtag_constants = dogtag.configured_constants(api)
_kra = krainstance.KRAInstance(api, dogtag_constants=dogtag_constants)
_kra = krainstance.KRAInstance(api)
if not _kra.is_installed():
self.option_parser.error(
"Cannot uninstall. There is no KRA installed on this system."
@ -194,7 +192,7 @@ class KRAInstaller(KRAInstall):
config.host_name = api.env.host
config.domain_name = api.env.domain
config.dirman_password = self.options.password
config.ca_ds_port = dogtag.install_constants.DS_PORT
config.ca_ds_port = 389
config.top_dir = tempfile.mkdtemp("ipa")
config.dir = config.top_dir
else:

7
ipaserver/install/ipa_replica_prepare.py
View File

@ -35,7 +35,7 @@ from ipaserver.install.replication import enable_replication_version_checking
from ipaserver.plugins.ldap2 import ldap2
from ipaserver.install.bindinstance import (
add_zone, add_fwd_rr, add_ptr_rr, dns_container_exists)
from ipapython import ipautil, admintool, dogtag
from ipapython import ipautil, admintool
from ipapython.dn import DN
from ipapython import version
from ipalib import api
@ -342,8 +342,7 @@ class ReplicaPrepare(admintool.AdminTool):
"Apache Server SSL certificate and Directory Server SSL "
"certificate are not signed by the same CA certificate")
if (not ipautil.file_exists(
dogtag.configured_constants().CS_CFG_PATH) and
if (not ipautil.file_exists(paths.CA_CS_CFG_PATH) and
options.dirsrv_pin is None):
self.log.info("If you installed IPA with your own certificates "
"using PKCS#12 files you must provide PKCS#12 files for any "
@ -419,7 +418,7 @@ class ReplicaPrepare(admintool.AdminTool):
port_fname = os.path.join(
self.dir, "dogtag_directory_port.txt")
with open(port_fname, "w") as fd:
fd.write("%s\n" % str(dogtag.configured_constants().DS_PORT))
fd.write("389\n")
def copy_httpd_certificate(self):
options = self.options

31
ipaserver/install/ipa_restore.py
View File

@ -387,10 +387,7 @@ class Restore(admintool.AdminTool):
httpinstance.create_kdcproxy_user()
# Always restore the data from ldif
# If we are restoring PKI-IPA then we need to restore the
# userRoot backend in it and the main IPA instance. If we
# have a unified instance we need to restore both userRoot and
# ipaca.
# We need to restore both userRoot and ipaca.
for instance, backend in databases:
self.ldif2db(instance, backend, online=options.online)
@ -591,7 +588,7 @@ class Restore(admintool.AdminTool):
instance here is a loaded term. It can mean either a separate
389-ds install instance or a separate 389-ds backend. We only need
to treat PKI-IPA and ipaca specially.
to treat ipaca specially.
'''
if backend is not None:
self.log.info('Restoring %s in %s' % (backend, instance))
@ -766,21 +763,6 @@ class Restore(admintool.AdminTool):
# We can remove the decoded tarball
os.unlink(filename)
def __find_scripts_dir(self, instance):
"""
IPA stores its 389-ds scripts in a different directory than dogtag
does so we need to probe for it.
"""
if instance != 'PKI-IPA':
return os.path.join(paths.VAR_LIB_DIRSRV, 'scripts-%s' % instance)
else:
if sys.maxsize > 2**32:
libpath = 'lib64'
else:
libpath = 'lib'
return os.path.join(paths.USR_DIR, libpath, 'dirsrv', 'slapd-PKI-IPA')
def __create_dogtag_log_dirs(self):
"""
If we are doing a full restore and the dogtag log directories do
@ -790,11 +772,6 @@ class Restore(admintool.AdminTool):
or a d10-based installation.
"""
dirs = []
# dogtag 9
if (os.path.exists(paths.VAR_LIB_PKI_CA_DIR) and
not os.path.exists(paths.PKI_CA_LOG_DIR)):
dirs += [paths.PKI_CA_LOG_DIR,
os.path.join(paths.PKI_CA_LOG_DIR, 'signedAudit')]
# dogtag 10
if (os.path.exists(paths.VAR_LIB_PKI_TOMCAT_DIR) and
not os.path.exists(paths.TOMCAT_TOPLEVEL_DIR)):
@ -879,7 +856,5 @@ class Restore(admintool.AdminTool):
api.bootstrap(in_server=False, context='restore', **overrides)
api.finalize()
self.instances = [
installutils.realm_to_serverid(api.env.realm), 'PKI-IPA'
]
self.instances = [installutils.realm_to_serverid(api.env.realm)]
self.backends = ['userRoot', 'ipaca']

21
ipaserver/install/kra.py
View File

@ -6,8 +6,8 @@ import os
from ipalib import api, errors
from ipaplatform import services
from ipaplatform.paths import paths
from ipapython import certdb
from ipapython import dogtag
from ipapython import ipautil
from ipapython.dn import DN
from ipaserver.install import custodiainstance
@ -18,9 +18,7 @@ from ipaserver.install import service
def install_check(api, replica_config, options):
dogtag_constants = dogtag.configured_constants(api=api)
kra = krainstance.KRAInstance(api.env.realm,
dogtag_constants=dogtag_constants)
kra = krainstance.KRAInstance(api.env.realm)
if kra.is_installed():
raise RuntimeError("KRA is already installed.")
@ -61,10 +59,7 @@ def install_check(api, replica_config, options):
def install(api, replica_config, options):
subject = dsinstance.DsInstance().find_subject_base()
if replica_config is None:
kra = krainstance.KRAInstance(
api.env.realm,
dogtag_constants=dogtag.install_constants)
kra = krainstance.KRAInstance(api.env.realm)
kra.configure_instance(
api.env.realm, api.env.host, options.dm_password,
options.dm_password, subject_base=subject)
@ -78,9 +73,7 @@ def install(api, replica_config, options):
custodia.get_kra_keys(replica_config.kra_host_name,
ca_data[0], ca_data[1])
kra = krainstance.KRAInstance(
replica_config.realm_name,
dogtag_constants=dogtag.install_constants)
kra = krainstance.KRAInstance(replica_config.realm_name)
kra.configure_replica(replica_config.host_name,
replica_config.kra_host_name,
replica_config.dirman_password,
@ -96,16 +89,14 @@ def install(api, replica_config, options):
kra.ldap_enable('KRA', api.env.host, options.dm_password, api.env.basedn)
kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
kra.enable_client_auth_to_db(paths.KRA_CS_CFG_PATH)
# Restart apache for new proxy config file
services.knownservices.httpd.restart(capture_output=True)
def uninstall(standalone):
dogtag_constants = dogtag.configured_constants(api)
kra = krainstance.KRAInstance(api.env.realm,
dogtag_constants=dogtag_constants)
kra = krainstance.KRAInstance(api.env.realm)
if standalone:
kra.ldap_connect()

39
ipaserver/install/krainstance.py
View File

@ -30,7 +30,6 @@ from ipalib import x509
from ipaplatform import services
from ipaplatform.paths import paths
from ipapython import certdb
from ipapython import dogtag
from ipapython import ipautil
from ipapython.dn import DN
from ipaserver.install import certs
@ -39,7 +38,7 @@ from ipaserver.install import installutils
from ipaserver.install import ldapupdate
from ipaserver.install import service
from ipaserver.install.dogtaginstance import (
DEFAULT_DSPORT, PKI_USER, export_kra_agent_pem, DogtagInstance)
PKI_USER, export_kra_agent_pem, DogtagInstance)
from ipaserver.plugins import ldap2
from ipapython.ipa_log_manager import log_mgr
@ -68,23 +67,18 @@ class KRAInstance(DogtagInstance):
('transportCert cert-pki-kra', None),
('storageCert cert-pki-kra', None))
def __init__(self, realm, dogtag_constants=None):
if dogtag_constants is None:
dogtag_constants = dogtag.configured_constants()
def __init__(self, realm):
super(KRAInstance, self).__init__(
realm=realm,
subsystem="KRA",
service_desc="KRA server",
dogtag_constants=dogtag_constants
)
self.basedn = DN(('o', 'kra'), ('o', 'ipaca'))
self.log = log_mgr.get_logger(self)
def configure_instance(self, realm_name, host_name, dm_password,
admin_password, ds_port=DEFAULT_DSPORT,
pkcs12_info=None, master_host=None,
admin_password, pkcs12_info=None, master_host=None,
subject_base=None):
"""Create a KRA instance.
@ -93,7 +87,6 @@ class KRAInstance(DogtagInstance):
self.fqdn = host_name
self.dm_password = dm_password
self.admin_password = admin_password
self.ds_port = ds_port
self.pkcs12_info = pkcs12_info
if self.pkcs12_info is not None:
self.clone = True
@ -110,9 +103,7 @@ class KRAInstance(DogtagInstance):
raise RuntimeError(
"KRA already installed.")
# Confirm that a Dogtag 10 CA instance already exists
ca = cainstance.CAInstance(
api.env.realm, certs.NSS_DIR,
dogtag_constants=dogtag.Dogtag10Constants)
ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
if not ca.is_installed():
raise RuntimeError(
"KRA configuration failed. "
@ -185,7 +176,7 @@ class KRAInstance(DogtagInstance):
config.set("KRA", "pki_client_admin_cert_p12", paths.DOGTAG_ADMIN_P12)
# Directory server
config.set("KRA", "pki_ds_ldap_port", str(self.ds_port))
config.set("KRA", "pki_ds_ldap_port", "389")
config.set("KRA", "pki_ds_password", self.dm_password)
config.set("KRA", "pki_ds_base_dn", self.basedn)
config.set("KRA", "pki_ds_database", "ipaca")
@ -337,7 +328,7 @@ class KRAInstance(DogtagInstance):
ld.update([os.path.join(paths.UPDATES_DIR, '40-vault.update')])
@staticmethod
def update_cert_config(nickname, cert, dogtag_constants=None):
def update_cert_config(nickname, cert):
"""
When renewing a KRA subsystem certificate the configuration file
needs to get the new certificate as well.
@ -346,9 +337,6 @@ class KRAInstance(DogtagInstance):
cert is a DER-encoded certificate.
"""
if dogtag_constants is None:
dogtag_constants = dogtag.configured_constants()
# The cert directive to update per nickname
directives = {
'auditSigningCert cert-pki-kra': 'kra.audit_signing.cert',
@ -358,9 +346,7 @@ class KRAInstance(DogtagInstance):
'Server-Cert cert-pki-ca': 'kra.sslserver.cert'}
DogtagInstance.update_cert_cs_cfg(
nickname, cert, directives,
dogtag.configured_constants().KRA_CS_CFG_PATH,
dogtag_constants)
nickname, cert, directives, paths.KRA_CS_CFG_PATH)
def __enable_instance(self):
self.ldap_enable('KRA', self.fqdn, None, self.suffix)
@ -373,7 +359,6 @@ class KRAInstance(DogtagInstance):
"""
self.fqdn = host_name
self.dm_password = dm_password
self.ds_port = DEFAULT_DSPORT
self.master_host = master_host
if subject_base is None:
self.subject_base = DN(('O', self.realm))
@ -390,8 +375,7 @@ class KRAInstance(DogtagInstance):
raise RuntimeError(
"KRA already installed.")
# Confirm that a Dogtag 10 CA instance already exists
ca = cainstance.CAInstance(self.realm, certs.NSS_DIR,
dogtag_constants=dogtag.Dogtag10Constants)
ca = cainstance.CAInstance(self.realm, certs.NSS_DIR)
if not ca.is_installed():
raise RuntimeError(
"KRA configuration failed. "
@ -433,8 +417,7 @@ def install_replica_kra(config, postinstall=False):
"Unable to clone KRA."
" cacert.p12 file not found in replica file")
_kra = KRAInstance(config.realm_name,
dogtag_constants=dogtag.install_constants)
_kra = KRAInstance(config.realm_name)
_kra.dm_password = config.dirman_password
_kra.subject_base = config.subject_base
if _kra.is_installed():
@ -455,8 +438,8 @@ def install_replica_kra(config, postinstall=False):
# dogtag
service.print_msg("Restarting the directory and KRA servers")
_kra.stop(dogtag.install_constants.PKI_INSTANCE_NAME)
_kra.stop('pki-tomcat')
services.knownservices.dirsrv.restart()
_kra.start(dogtag.install_constants.PKI_INSTANCE_NAME)
_kra.start('pki-tomcat')
return _kra

5
ipaserver/install/plugins/ca_renewal_master.py
View File

@ -21,7 +21,7 @@ from ipaserver.install import installutils, certs, cainstance
from ipalib import errors
from ipalib import Updater
from ipalib.plugable import Registry
from ipapython import certmonger, dogtag
from ipapython import certmonger
from ipaplatform.paths import paths
from ipapython.dn import DN
@ -83,8 +83,7 @@ class update_ca_renewal_master(Updater):
self.debug("certmonger request for ipaCert not found")
config = installutils.get_directive(
dogtag.configured_constants().CS_CFG_PATH,
'subsystem.select', '=')
paths.CA_CS_CFG_PATH, 'subsystem.select', '=')
if config == 'New':
pass

11
ipaserver/install/replication.py
View File

@ -30,7 +30,7 @@ import ldap
from ipalib import api, errors
from ipalib.constants import CACERT
from ipapython.ipa_log_manager import *
from ipapython import ipautil, dogtag, ipaldap
from ipapython import ipautil, ipaldap
from ipapython.dn import DN
from ipaplatform import services
from ipaplatform.paths import paths
@ -86,7 +86,7 @@ def replica_conn_check(master_host, host_name, realm, check_ca,
args.extend(["--password", admin_password])
nolog=(admin_password,)
if check_ca and dogtag_master_ds_port == dogtag.Dogtag9Constants.DS_PORT:
if check_ca and dogtag_master_ds_port == 7389:
args.append('--check-ca')
(stdin, stderr, returncode) = ipautil.run(
args, raiseonerr=False, capture_output=False, nolog=nolog)
@ -1737,7 +1737,7 @@ class CSReplicationManager(ReplicationManager):
if self.conn.port == 7389:
instance_name = 'pki-ca'
else:
instance_name = dogtag.configured_constants(api).PKI_INSTANCE_NAME
instance_name = 'pki-tomcat'
# if master is not None we know what dn to return:
if master is not None:
@ -1797,10 +1797,7 @@ def get_cs_replication_manager(realm, host, dirman_passwd):
# Fall back to the old PKI-only DS port. Check that it has the ipaca tree
# (IPA with merged DB theoretically leaves port 7389 free for anyone).
# If it doesn't, raise exception.
ports = [
dogtag.Dogtag10Constants.DS_PORT,
dogtag.Dogtag9Constants.DS_PORT,
]
ports = [389, 7389]
for port in ports:
root_logger.debug('Looking for PKI DS on %s:%s' % (host, port))
replication_manager = CSReplicationManager(

21
ipaserver/install/server/install.py
View File

@ -15,7 +15,7 @@ import textwrap
import six
from ipapython import certmonger, dogtag, ipaldap, ipautil, sysrestore
from ipapython import certmonger, ipaldap, ipautil, sysrestore
from ipapython.dn import DN
from ipapython.install import common, core
from ipapython.install.common import step
@ -303,8 +303,6 @@ def install_check(installer):
external_ca_file = installer._external_ca_file
http_ca_cert = installer._ca_cert
dogtag_constants = dogtag.install_constants
tasks.check_selinux_status()
if options.master_password:
@ -575,7 +573,7 @@ def install_check(installer):
if setup_ca:
fd.write("enable_ra=True\n")
fd.write("ra_plugin=dogtag\n")
fd.write("dogtag_version=%s\n" % dogtag_constants.DOGTAG_VERSION)
fd.write("dogtag_version=10\n")
else:
fd.write("enable_ra=False\n")
fd.write("ra_plugin=none\n")
@ -700,8 +698,6 @@ def install(installer):
setup_ca = options.setup_ca
setup_kra = options.setup_kra
dogtag_constants = dogtag.install_constants
# Installation has started. No IPA sysrestore items are restored in case of
# failure to enable root cause investigation
installer._installation_cleanup = False
@ -777,8 +773,7 @@ def install(installer):
ca.install_step_0(False, None, options)
# Now put the CA cert where other instances exepct it
ca_instance = cainstance.CAInstance(realm_name, certs.NSS_DIR,
dogtag_constants=dogtag_constants)
ca_instance = cainstance.CAInstance(realm_name, certs.NSS_DIR)
ca_instance.publish_ca_cert(CACERT)
else:
# Put the CA cert where other instances expect it
@ -856,8 +851,7 @@ def install(installer):
krb.restart()
if setup_ca:
dogtag_service = services.knownservices[dogtag_constants.SERVICE_NAME]
dogtag_service.restart(dogtag_constants.PKI_INSTANCE_NAME)
services.knownservices['pki_tomcatd'].restart('pki-tomcat')
if options.setup_dns:
api.Backend.ldap2.connect(autobind=True)
@ -1052,9 +1046,6 @@ def uninstall(installer):
except Exception as e:
pass
# Need to get dogtag info before /etc/ipa/default.conf is removed
dogtag_constants = dogtag.configured_constants()
print("Removing IPA client configuration")
try:
(stdout, stderr, rc) = run([paths.IPA_CLIENT_INSTALL, "--on-master",
@ -1072,7 +1063,7 @@ def uninstall(installer):
kra.uninstall(False)
ca.uninstall(dogtag_constants)
ca.uninstall()
dns.uninstall()
@ -1134,7 +1125,7 @@ def uninstall(installer):
# Note that this name will be wrong after the first uninstall.
dirname = dsinstance.config_dirname(
installutils.realm_to_serverid(api.env.realm))
dirs = [dirname, dogtag_constants.ALIAS_DIR, certs.NSS_DIR]
dirs = [dirname, paths.PKI_TOMCAT_ALIAS_DIR, certs.NSS_DIR]
ids = certmonger.check_state(dirs)
if ids:
root_logger.error('Some certificates may still be tracked by '

26
ipaserver/install/server/replicainstall.py
View File

@ -14,7 +14,7 @@ import socket
import sys
import tempfile
from ipapython import certmonger, dogtag, ipaldap, ipautil, sysrestore
from ipapython import certmonger, ipaldap, ipautil, sysrestore
from ipapython.dn import DN
from ipapython.install import common, core
from ipapython.install.common import step
@ -465,8 +465,7 @@ def install_check(installer):
if ipautil.file_exists(config.dir + "/cacert.p12"):
fd.write("enable_ra=True\n")
fd.write("ra_plugin=dogtag\n")
fd.write("dogtag_version=%s\n" %
dogtag.install_constants.DOGTAG_VERSION)
fd.write("dogtag_version=10\n")
else:
fd.write("enable_ra=False\n")
fd.write("ra_plugin=none\n")
@ -631,8 +630,6 @@ def install(installer):
sstore = installer._sstore
config = installer._config
dogtag_constants = dogtag.install_constants
if installer._update_hosts_file:
installutils.update_hosts_file(config.ips, config.host_name, fstore)
@ -685,9 +682,7 @@ def install(installer):
ipautil.realm_to_suffix(config.realm_name))
if ipautil.file_exists(config.dir + "/cacert.p12"):
CA = cainstance.CAInstance(
config.realm_name, certs.NSS_DIR,
dogtag_constants=dogtag_constants)
CA = cainstance.CAInstance(config.realm_name, certs.NSS_DIR)
CA.dm_password = config.dirman_password
CA.configure_certmonger_renewal()
@ -716,8 +711,7 @@ def install(installer):
krb.restart()
if config.setup_ca:
dogtag_service = services.knownservices[dogtag_constants.SERVICE_NAME]
dogtag_service.restart(dogtag_constants.PKI_INSTANCE_NAME)
services.knownservices['pki_tomcatd'].restart('pki-tomcat')
if options.setup_dns:
api.Backend.ldap2.connect(autobind=True)
@ -965,7 +959,7 @@ def promote_check(installer):
if not options.skip_conncheck:
replica_conn_check(
config.master_host_name, config.host_name, config.realm_name,
options.setup_ca, dogtag.Dogtag10Constants.DS_PORT,
options.setup_ca, 389,
options.admin_password, principal=options.principal)
if not ipautil.file_exists(cafile):
@ -994,8 +988,6 @@ def promote(installer):
config.promote = installer.promote
config.dirman_password = hexlify(ipautil.ipa_generate_password())
dogtag_constants = dogtag.install_constants
# FIXME: allow to use passed in certs instead
if installer._ca_enabled:
configure_certmonger()
@ -1032,8 +1024,7 @@ def promote(installer):
ipaconf.setOption('mode', 'production'),
ipaconf.setOption('enable_ra', 'True'),
ipaconf.setOption('ra_plugin', 'dogtag'),
ipaconf.setOption('dogtag_version',
dogtag.install_constants.DOGTAG_VERSION)]
ipaconf.setOption('dogtag_version', '10')]
opts = [ipaconf.setSection('global', gopts)]
ipaconf.changeConf(target_fname, opts)
@ -1069,7 +1060,6 @@ def promote(installer):
custodia.get_ca_keys(config.ca_host_name, ca_data[0], ca_data[1])
ca = cainstance.CAInstance(config.realm_name, certs.NSS_DIR,
dogtag_constants=dogtag.install_constants,
host_name=config.host_name,
dm_password=config.dirman_password)
ca.configure_replica(config.ca_host_name,
@ -1081,9 +1071,7 @@ def promote(installer):
config.dirman_password)
custodia.get_kra_keys(config.kra_host_name, ca_data[0], ca_data[1])
constants = dogtag.install_constants
kra = krainstance.KRAInstance(config.realm_name,
dogtag_constants=constants)
kra = krainstance.KRAInstance(config.realm_name)
kra.configure_replica(config.host_name, config.kra_host_name,
config.dirman_password,
kra_cert_bundle=ca_data)

148
ipaserver/install/server/upgrade.py
View File

@ -24,7 +24,7 @@ from ipapython import ipautil, sysrestore, version, certdb
from ipapython import ipaldap
from ipapython.ipa_log_manager import *
from ipapython import certmonger
from ipapython import dogtag
from ipapython.dn import DN
from ipaplatform.paths import paths
from ipaserver.install import installutils
from ipaserver.install import dsinstance
@ -40,6 +40,7 @@ from ipaserver.install import custodiainstance
from ipaserver.install import sysupgrade
from ipaserver.install import dnskeysyncinstance
from ipaserver.install import krainstance
from ipaserver.install import dogtaginstance
from ipaserver.install.upgradeinstance import IPAUpgrade
from ipaserver.install.ldapupdate import BadSyntax
@ -201,7 +202,6 @@ def upgrade_pki(ca, fstore):
This requires enabling SSL renegotiation.
"""
configured_constants = dogtag.configured_constants()
root_logger.info('[Verifying that CA proxy configuration is correct]')
if not ca.is_configured():
root_logger.info('CA is not configured')
@ -209,16 +209,8 @@ def upgrade_pki(ca, fstore):
http = httpinstance.HTTPInstance(fstore)
http.enable_mod_nss_renegotiate()
if not installutils.get_directive(configured_constants.CS_CFG_PATH,
'proxy.securePort', '=') and \
os.path.exists(paths.PKI_SETUP_PROXY):
# update proxy configuration with stopped dogtag to prevent corruption
# of CS.cfg
ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib',
'-pki_instance_name=pki-ca','-subsystem_type=ca'])
root_logger.debug('Proxy configuration updated')
else:
root_logger.debug('Proxy configuration up-to-date')
root_logger.debug('Proxy configuration up-to-date')
def update_dbmodules(realm, filename=paths.KRB5_CONF):
newfile = []
@ -315,15 +307,13 @@ def ca_enable_ldap_profile_subsystem(ca):
root_logger.info('CA is not configured')
return False
caconfig = dogtag.configured_constants()
needs_update = False
directive = None
try:
for i in range(15):
directive = "subsystem.{}.class".format(i)
value = installutils.get_directive(
caconfig.CS_CFG_PATH,
paths.CA_CS_CFG_PATH,
directive,
separator='=')
if value == 'com.netscape.cmscore.profile.ProfileSubsystem':
@ -331,18 +321,18 @@ def ca_enable_ldap_profile_subsystem(ca):
break
except OSError as e:
root_logger.error('Cannot read CA configuration file "%s": %s',
caconfig.CS_CFG_PATH, e)
paths.CA_CS_CFG_PATH, e)
return False
if needs_update:
installutils.set_directive(
caconfig.CS_CFG_PATH,
paths.CA_CS_CFG_PATH,
directive,
'com.netscape.cmscore.profile.LDAPProfileSubsystem',
quotes=False,
separator='=')
ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
ca.restart('pki-tomcat')
cainstance.migrate_profiles_to_ldap()
return needs_update
@ -803,13 +793,12 @@ def certificate_renewal_update(ca):
"""
Update certmonger certificate renewal configuration.
"""
dogtag_constants = dogtag.configured_constants()
# bump version when requests is changed
version = 4
requests = (
(
dogtag_constants.ALIAS_DIR,
paths.PKI_TOMCAT_ALIAS_DIR,
'auditSigningCert cert-pki-ca',
'dogtag-ipa-ca-renew-agent',
'stop_pkicad',
@ -817,7 +806,7 @@ def certificate_renewal_update(ca):
None,
),
(
dogtag_constants.ALIAS_DIR,
paths.PKI_TOMCAT_ALIAS_DIR,
'ocspSigningCert cert-pki-ca',
'dogtag-ipa-ca-renew-agent',
'stop_pkicad',
@ -825,7 +814,7 @@ def certificate_renewal_update(ca):
None,
),
(
dogtag_constants.ALIAS_DIR,
paths.PKI_TOMCAT_ALIAS_DIR,
'subsystemCert cert-pki-ca',
'dogtag-ipa-ca-renew-agent',
'stop_pkicad',
@ -833,7 +822,7 @@ def certificate_renewal_update(ca):
None,
),
(
dogtag_constants.ALIAS_DIR,
paths.PKI_TOMCAT_ALIAS_DIR,
'caSigningCert cert-pki-ca',
'dogtag-ipa-ca-renew-agent',
'stop_pkicad',
@ -849,7 +838,7 @@ def certificate_renewal_update(ca):
None,
),
(
dogtag_constants.ALIAS_DIR,
paths.PKI_TOMCAT_ALIAS_DIR,
'Server-Cert cert-pki-ca',
'dogtag-ipa-renew-agent',
'stop_pkicad',
@ -928,15 +917,13 @@ def copy_crl_file(old_path, new_path=None):
"""
if new_path is None:
filename = os.path.basename(old_path)
new_path = os.path.join(dogtag.configured_constants().CRL_PUBLISH_PATH,
filename)
new_path = os.path.join(paths.PKI_CA_PUBLISH_DIR, filename)
root_logger.debug('copy_crl_file: %s -> %s', old_path, new_path)
if os.path.islink(old_path):
# update symlink to the most most recent CRL file
filename = os.path.basename(os.readlink(old_path))
realpath = os.path.join(dogtag.configured_constants().CRL_PUBLISH_PATH,
filename)
realpath = os.path.join(paths.PKI_CA_PUBLISH_DIR, filename)
root_logger.debug('copy_crl_file: Create symlink %s -> %s',
new_path, realpath)
os.symlink(realpath, new_path)
@ -961,22 +948,21 @@ def migrate_crl_publish_dir(ca):
root_logger.info('CA is not configured')
return False
caconfig = dogtag.configured_constants()
try:
old_publish_dir = installutils.get_directive(caconfig.CS_CFG_PATH,
old_publish_dir = installutils.get_directive(
paths.CA_CS_CFG_PATH,
'ca.publish.publisher.instance.FileBaseCRLPublisher.directory',
separator='=')
except OSError as e:
root_logger.error('Cannot read CA configuration file "%s": %s',
caconfig.CS_CFG_PATH, e)
paths.CA_CS_CFG_PATH, e)
return False
# Prepare target publish dir (creation, permissions, SELinux context)
# Run this every update to ensure proper values
publishdir = ca.prepare_crl_publish_dir()
if old_publish_dir == caconfig.CRL_PUBLISH_PATH:
if old_publish_dir == paths.PKI_CA_PUBLISH_DIR:
# publish dir is already updated
root_logger.info('Publish directory already set to new location')
sysupgrade.set_upgrade_state('dogtag', 'moved_crl_publish_dir', True)
@ -1000,16 +986,17 @@ def migrate_crl_publish_dir(ca):
root_logger.error('Cannot move CRL file to new directory: %s', e)
try:
installutils.set_directive(caconfig.CS_CFG_PATH,
installutils.set_directive(
paths.CA_CS_CFG_PATH,
'ca.publish.publisher.instance.FileBaseCRLPublisher.directory',
publishdir, quotes=False, separator='=')
except OSError as e:
root_logger.error('Cannot update CA configuration file "%s": %s',
caconfig.CS_CFG_PATH, e)
paths.CA_CS_CFG_PATH, e)
return False
sysupgrade.set_upgrade_state('dogtag', 'moved_crl_publish_dir', True)
root_logger.info('CRL publish directory has been migrated, '
'request pki-ca restart')
'request pki-tomcat restart')
return True
@ -1101,6 +1088,76 @@ def uninstall_selfsign(ds, http):
http.stop_tracking_certificates()
def uninstall_dogtag_9(ds, http):
root_logger.info('[Removing Dogtag 9 CA]')
if api.env.ra_plugin != 'dogtag':
root_logger.debug('Dogtag CA is not installed')
return
if api.env.dogtag_version >= 10:
root_logger.debug('Dogtag is version 10 or above')
return
if not api.Backend.ldap2.isconnected():
try:
api.Backend.ldap2.connect(autobind=True)
except ipalib.errors.PublicError as e:
root_logger.error("Cannot connect to LDAP: %s", e)
dn = DN(('cn', 'CA'), ('cn', api.env.host), ('cn', 'masters'),
('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
try:
api.Backend.ldap2.delete_entry(dn)
except ipalib.errors.PublicError as e:
root_logger.error("Cannot delete %s: %s", dn, e)
p = SafeConfigParser()
p.read(paths.IPA_DEFAULT_CONF)
p.set('global', 'dogtag_version', '10')
with open(paths.IPA_DEFAULT_CONF, 'w') as f:
p.write(f)
sstore = sysrestore.StateFile(paths.SYSRESTORE)
sstore.restore_state('pkids', 'enabled')
sstore.restore_state('pkids', 'running')
sstore.restore_state('pkids', 'user_exists')
serverid = sstore.restore_state('pkids', 'serverid')
sstore.save()
ca = dogtaginstance.DogtagInstance(
api.env.realm, "CA", "certificate server",
nss_db=paths.VAR_LIB_PKI_CA_ALIAS_DIR)
ca.stop_tracking_certificates(False)
if serverid is not None:
# drop the trailing / off the config_dirname so the directory
# will match what is in certmonger
dirname = dsinstance.config_dirname(serverid)[:-1]
dsdb = certs.CertDB(api.env.realm, nssdir=dirname)
dsdb.untrack_server_cert("Server-Cert")
try:
services.service('pki-cad').disable('pki-ca')
except Exception as e:
root_logger.warning("Failed to disable pki-cad: %s", e)
try:
services.service('pki-cad').stop('pki-ca')
except Exception as e:
root_logger.warning("Failed to stop pki-cad: %s", e)
if serverid is not None:
try:
services.service('dirsrv').disable(serverid)
except Exception as e:
root_logger.warning("Failed to disable dirsrv: %s", e)
try:
services.service('dirsrv').stop(serverid)
except Exception as e:
root_logger.warning("Failed to stop dirsrv: %s", e)
http.restart()
def mask_named_regular():
"""Disable named, we need to run only named-pkcs11, running both named and
named-pkcs can cause unexpected errors"""
@ -1359,13 +1416,12 @@ def upgrade_configuration():
check_certs()
auto_redirect = find_autoredirect(fqdn)
configured_constants = dogtag.configured_constants()
sub_dict = dict(
REALM=api.env.realm,
FQDN=fqdn,
AUTOREDIR='' if auto_redirect else '#',
CRL_PUBLISH_PATH=configured_constants.CRL_PUBLISH_PATH,
DOGTAG_PORT=configured_constants.AJP_PORT,
CRL_PUBLISH_PATH=paths.PKI_CA_PUBLISH_DIR,
DOGTAG_PORT=8009,
CLONE='#'
)
@ -1375,9 +1431,7 @@ def upgrade_configuration():
ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
with installutils.stopped_service(configured_constants.SERVICE_NAME,
configured_constants.PKI_INSTANCE_NAME):
with installutils.stopped_service('pki-tomcatd', 'pki-tomcat'):
# Dogtag must be stopped to be able to backup CS.cfg config
ca.backup_config()
@ -1385,8 +1439,8 @@ def upgrade_configuration():
ca_restart = migrate_crl_publish_dir(ca)
if ca.is_configured():
crl = installutils.get_directive(configured_constants.CS_CFG_PATH,
'ca.crl.MasterCRL.enableCRLUpdates', '=')
crl = installutils.get_directive(
paths.CA_CS_CFG_PATH, 'ca.crl.MasterCRL.enableCRLUpdates', '=')
sub_dict['CLONE']='#' if crl.lower() == 'true' else ''
ds_dirname = dsinstance.config_dirname(ds_serverid)
@ -1470,6 +1524,7 @@ def upgrade_configuration():
http.start()
uninstall_selfsign(ds, http)
uninstall_dogtag_9(ds, http)
simple_service_list = (
(memcacheinstance.MemcacheInstance(), 'MEMCACHE'),
@ -1542,9 +1597,10 @@ def upgrade_configuration():
])
if ca_restart:
root_logger.info('pki-ca configuration changed, restart pki-ca')
root_logger.info(
'pki-tomcat configuration changed, restart pki-tomcat')
try:
ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
ca.restart('pki-tomcat')
except ipautil.CalledProcessError as e:
root_logger.error("Failed to restart %s: %s", ca.service_name, e)

6
ipaserver/install/service.py
View File

@ -24,7 +24,7 @@ import time
import datetime
import traceback
from ipapython import sysrestore, ipautil, dogtag, ipaldap
from ipapython import sysrestore, ipautil, ipaldap
from ipapython.dn import DN
from ipapython.ipa_log_manager import *
from ipalib import api, errors, certstore
@ -41,8 +41,8 @@ SERVICE_LIST = {
'MEMCACHE': ('ipa_memcached', 39),
'HTTP': ('httpd', 40),
'KEYS': ('ipa-custodia', 41),
'CA': ('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 50),
'KRA': ('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 51),
'CA': ('pki-tomcatd', 50),
'KRA': ('pki-tomcatd', 51),
'ADTRUST': ('smb', 60),
'EXTID': ('winbind', 70),
'OTPD': ('ipa-otpd', 80),

4
ipaserver/plugins/dogtag.py
View File

@ -1841,7 +1841,9 @@ class ra(rabase.rabase):
payload = etree.tostring(doc, pretty_print=False, xml_declaration=True, encoding='UTF-8')
self.debug('%s.find(): request: %s', self.fullname, payload)
url = 'http://%s/ca/rest/certs/search?size=%d' % (ipautil.format_netloc(self.ca_host, ipapython.dogtag.configured_constants().UNSECURE_PORT), options.get('sizelimit', 100))
url = 'http://%s/ca/rest/certs/search?size=%d' % (
ipautil.format_netloc(self.ca_host, 8080),
options.get('sizelimit', 100))
opener = urllib.request.build_opener()
opener.addheaders = [('Accept-Encoding', 'gzip, deflate'),