IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Configuring CA with ConfigParser.

Browse Source 
The configuration code has been modified to use the ConfigParser to
set the parameters in the CA section in the deployment configuration.
This allows IPA to define additional PKI subsystems in the same
configuration file.

PKI Ticket #399 (https://fedorahosted.org/pki/ticket/399)
This commit is contained in:
Endi Sukma Dewata 2012-11-28 03:05:53 -05:00 committed by Rob Crittenden
parent 378ed3c971
commit dae4ea4c7e
2 changed files with 85 additions and 78 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
freeipa.spec.in
View File

@ -114,7 +114,7 @@ Requires(post): systemd-units
Requires: selinux-policy >= 3.11.1-60 Requires: selinux-policy >= 3.11.1-60
Requires(post): selinux-policy-base Requires(post): selinux-policy-base
Requires: slapi-nis >= 0.44 Requires: slapi-nis >= 0.44
Requires: pki-ca >= 10.0.0-0.52.b3 Requires: pki-ca >= 10.0.0-0.54.b3
Requires: dogtag-pki-server-theme Requires: dogtag-pki-server-theme
%if 0%{?rhel} %if 0%{?rhel}
Requires: subscription-manager Requires: subscription-manager
@ -752,6 +752,9 @@ fi
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
%changelog %changelog
* Fri Dec 7 2012 Endi S. Dewata <edewata@redhat.com> - 3.0.99-9
- Bump minimum version of pki-ca to 10.0.0-0.54.b3
* Fri Dec 7 2012 Martin Kosek <mkosek@redhat.com> - 3.0.99-8 * Fri Dec 7 2012 Martin Kosek <mkosek@redhat.com> - 3.0.99-8
- Bump minimum version of 389-ds-base to 1.3.0 to get transaction support - Bump minimum version of 389-ds-base to 1.3.0 to get transaction support

158
ipaserver/install/cainstance.py
View File

@ -35,6 +35,7 @@ import urllib
import xml.dom.minidom import xml.dom.minidom
import stat import stat
import socket import socket
import ConfigParser
from ipapython import dogtag from ipapython import dogtag
from ipapython.certdb import get_ca_nickname from ipapython.certdb import get_ca_nickname
from ipapython import certmonger from ipapython import certmonger
@ -620,96 +621,99 @@ class CAInstance(service.Service):
def __spawn_instance(self): def __spawn_instance(self):
""" """
Create and configure a new instance using pkispawn. Create and configure a new CA instance using pkispawn.
pkispawn requires a configuration file with the appropriate pkispawn requires a configuration file with IPA-specific
values substituted in. parameters.
""" """
# create a new config file for this installation # Create an empty and secured file
(cfg_fd, cfg_file) = tempfile.mkstemp() (cfg_fd, cfg_file) = tempfile.mkstemp()
os.close(cfg_fd) os.close(cfg_fd)
shutil.copy("/usr/share/pki/deployment/config/pkideployment.cfg",
cfg_file)
pent = pwd.getpwnam(PKI_USER) pent = pwd.getpwnam(PKI_USER)
os.chown(cfg_file, pent.pw_uid, pent.pw_gid ) os.chown(cfg_file, pent.pw_uid, pent.pw_gid)
replacevars = {
"pki_enable_proxy": "True", # Create CA configuration
"pki_restart_configured_instance": "False", config = ConfigParser.ConfigParser()
"pki_client_database_dir": self.ca_agent_db, config.optionxform = str
"pki_client_database_password": self.admin_password, config.add_section("CA")
"pki_client_database_purge": "False",
"pki_client_pkcs12_password": self.admin_password, # Server
"pki_security_domain_name": self.security_domain_name, config.set("CA", "pki_security_domain_name", self.security_domain_name)
"pki_admin_name": "admin", config.set("CA", "pki_enable_proxy", "True")
"pki_admin_uid": "admin", config.set("CA", "pki_restart_configured_instance", "False")
"pki_admin_email": "root@localhost", config.set("CA", "pki_backup_keys", "True")
"pki_admin_password": self.admin_password, config.set("CA", "pki_backup_password", self.admin_password)
"pki_admin_nickname": "ipa-ca-agent",
"pki_admin_subject_dn": "CN=ipa-ca-agent,%s" % self.subject_base, # Client security database
"pki_ds_ldap_port": str(self.ds_port), config.set("CA", "pki_client_database_dir", self.ca_agent_db)
"pki_ds_password": self.dm_password, config.set("CA", "pki_client_database_password", self.admin_password)
"pki_ds_base_dn": self.basedn, config.set("CA", "pki_client_database_purge", "False")
"pki_ds_database": "ipaca", config.set("CA", "pki_client_pkcs12_password", self.admin_password)
"pki_backup_keys": "True",
"pki_backup_password": self.admin_password, # Administrator
"pki_subsystem_subject_dn": \ config.set("CA", "pki_admin_name", "admin")
"CN=CA Subsystem,%s" % self.subject_base, config.set("CA", "pki_admin_uid", "admin")
"pki_ocsp_signing_subject_dn": \ config.set("CA", "pki_admin_email", "root@localhost")
"CN=OCSP Subsystem,%s" % self.subject_base, config.set("CA", "pki_admin_password", self.admin_password)
"pki_ssl_server_subject_dn": \ config.set("CA", "pki_admin_nickname", "ipa-ca-agent")
"CN=%s,%s" % (self.fqdn, self.subject_base), config.set("CA", "pki_admin_subject_dn", "CN=ipa-ca-agent,%s" % self.subject_base)
"pki_audit_signing_subject_dn": \
"CN=CA Audit,%s" % self.subject_base, # Directory server
"pki_ca_signing_subject_dn": \ config.set("CA", "pki_ds_ldap_port", str(self.ds_port))
"CN=Certificate Authority,%s" % self.subject_base, config.set("CA", "pki_ds_password", self.dm_password)
"pki_subsystem_nickname": "subsystemCert cert-pki-ca", config.set("CA", "pki_ds_base_dn", self.basedn)
"pki_ocsp_signing_nickname": "ocspSigningCert cert-pki-ca", config.set("CA", "pki_ds_database", "ipaca")
"pki_ssl_server_nickname": "Server-Cert cert-pki-ca",
"pki_audit_signing_nickname": "auditSigningCert cert-pki-ca", # Certificate subject DN's
"pki_ca_signing_nickname": "caSigningCert cert-pki-ca" config.set("CA", "pki_subsystem_subject_dn", "CN=CA Subsystem,%s" % self.subject_base)
} config.set("CA", "pki_ocsp_signing_subject_dn", "CN=OCSP Subsystem,%s" % self.subject_base)
config.set("CA", "pki_ssl_server_subject_dn", "CN=%s,%s" % (self.fqdn, self.subject_base))
config.set("CA", "pki_audit_signing_subject_dn", "CN=CA Audit,%s" % self.subject_base)
config.set("CA", "pki_ca_signing_subject_dn", "CN=Certificate Authority,%s" % self.subject_base)
# Certificate nicknames
config.set("CA", "pki_subsystem_nickname", "subsystemCert cert-pki-ca")
config.set("CA", "pki_ocsp_signing_nickname", "ocspSigningCert cert-pki-ca")
config.set("CA", "pki_ssl_server_nickname", "Server-Cert cert-pki-ca")
config.set("CA", "pki_audit_signing_nickname", "auditSigningCert cert-pki-ca")
config.set("CA", "pki_ca_signing_nickname", "caSigningCert cert-pki-ca")
if (self.clone): if (self.clone):
cafile = self.pkcs12_info[0] cafile = self.pkcs12_info[0]
shutil.copy(cafile, "/tmp/ca.p12") shutil.copy(cafile, "/tmp/ca.p12")
pent = pwd.getpwnam(PKI_USER) pent = pwd.getpwnam(PKI_USER)
os.chown("/tmp/ca.p12", pent.pw_uid, pent.pw_gid ) os.chown("/tmp/ca.p12", pent.pw_uid, pent.pw_gid)
clone_vars = { # Security domain registration
"pki_clone_pkcs12_password": self.dm_password, config.set("CA", "pki_security_domain_hostname", self.master_host)
"pki_clone": "True", config.set("CA", "pki_security_domain_https_port", "443")
"pki_clone_pkcs12_path": "/tmp/ca.p12", config.set("CA", "pki_security_domain_user", "admin")
"pki_security_domain_hostname": self.master_host, config.set("CA", "pki_security_domain_password", self.admin_password)
"pki_security_domain_https_port": "443",
"pki_security_domain_user": "admin",
"pki_security_domain_password": self.admin_password,
"pki_clone_replication_security": "TLS",
"pki_clone_replication_master_port":
str(self.master_replication_port),
"pki_clone_replication_clone_port":
dogtag.install_constants.DS_PORT,
"pki_clone_replicate_schema": "False",
"pki_clone_uri":
"https://%s" % ipautil.format_netloc(self.master_host, 443)
}
replacevars.update(clone_vars)
# Clone
config.set("CA", "pki_clone", "True")
config.set("CA", "pki_clone_pkcs12_path", "/tmp/ca.p12")
config.set("CA", "pki_clone_pkcs12_password", self.dm_password)
config.set("CA", "pki_clone_replication_security", "TLS")
config.set("CA", "pki_clone_replication_master_port", str(self.master_replication_port))
config.set("CA", "pki_clone_replication_clone_port", dogtag.install_constants.DS_PORT)
config.set("CA", "pki_clone_replicate_schema", "False")
config.set("CA", "pki_clone_uri", "https://%s" % ipautil.format_netloc(self.master_host, 443))
# External CA
if self.external == 1: if self.external == 1:
external_vars = { config.set("CA", "pki_external", "True")
"pki_external": "True", config.set("CA", "pki_external_csr_path", self.csr_file)
"pki_external_csr_path": self.csr_file
}
replacevars.update(external_vars)
elif self.external == 2:
external_vars = {
"pki_external": "True",
"pki_external_ca_cert_path": self.cert_file,
"pki_external_ca_cert_chain_path": self.cert_chain_file,
"pki_external_step_two": "True"
}
replacevars.update(external_vars)
ipautil.config_replace_variables(cfg_file, replacevars=replacevars) elif self.external == 2:
config.set("CA", "pki_external", "True")
config.set("CA", "pki_external_ca_cert_path", self.cert_file)
config.set("CA", "pki_external_ca_cert_chain_path", self.cert_chain_file)
config.set("CA", "pki_external_step_two", "True")
# Generate configuration file
with open(cfg_file, "wb") as f:
config.write(f)
# Define the things we don't want logged # Define the things we don't want logged
nolog = (self.admin_password, self.dm_password,) nolog = (self.admin_password, self.dm_password,)
@ -730,7 +734,7 @@ class CAInstance(service.Service):
os.remove(cfg_file) os.remove(cfg_file)
if not self.clone: if not self.clone:
shutil.move("/var/lib/pki/pki-tomcat/alias/ca_admin_cert.p12", \ shutil.move("/root/.pki/pki-tomcat/ca_admin_cert.p12", \
"/root/ca-agent.p12") "/root/ca-agent.p12")
shutil.move("/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12", \ shutil.move("/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12", \
"/root/cacert.p12") "/root/cacert.p12")