diff --git a/freeipa.spec.in b/freeipa.spec.in index 6739ebceb..613983286 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -1082,6 +1082,7 @@ fi # END %{_usr}/share/ipa/wsgi.py* %{_usr}/share/ipa/kdcproxy.wsgi +%{_usr}/share/ipa/ipaca*.ini %{_usr}/share/ipa/*.ldif %{_usr}/share/ipa/*.uldif %{_usr}/share/ipa/*.template diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 8c7522b81..881e29123 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -95,6 +95,7 @@ dist_app_DATA = \ ipa-pki-proxy.conf.template \ ipa-rewrite.conf.template \ min-ssf.ldif \ + ipaca_default.ini \ $(NULL) kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy diff --git a/install/share/ipaca_default.ini b/install/share/ipaca_default.ini index d58b8a48b..262e1ca75 100644 --- a/install/share/ipaca_default.ini +++ b/install/share/ipaca_default.ini @@ -6,6 +6,7 @@ [DEFAULT] ipa_admin_email=root@localhost + # default algorithms for all certificates ipa_key_algorithm=SHA256withRSA ipa_key_size=2048 @@ -21,31 +22,31 @@ ipa_ca_key_type=%(ipa_key_type)s # hard-coded IPA default settings ipa_security_domain_name=IPA ipa_ds_database=ipaca -ipa_ds_base_dn=o=%(ipa_ds_database)s ipa_admin_user=admin ipa_admin_nickname=ipa-ca-agent ipa_ca_pem_file=/etc/ipa/ca.crt -# dynamic values -ipa_ca_subject= -ipa_subject_base= -ipa_fqdn= -ipa_ocsp_uri= -ipa_admin_cert_p12= -ipa_master_host= -ipa_clone_uri= +## dynamic values +# ipa_ca_subject= +# ipa_ds_base_dn= +# ipa_subject_base= +# ipa_fqdn= +# ipa_ocsp_uri= +# ipa_admin_cert_p12= # sensitive dynamic values -pki_admin_password= -pki_ds_password= -pki_token_password= +# pki_admin_password= +# pki_ds_password= +# pki_token_password= # HSM support -ipa_backup_keys=True -ipa_hsm_enable=False -ipa_hsm_libfile= -ipa_hsm_modulename= -ipa_token_name=internal +pki_hsm_enable=False +pki_hsm_libfile= +pki_hsm_modulename= +pki_token_name=internal +# backup is automatically disabled when HSM support is enabled +pki_backup_keys=True +pki_backup_password=%(pki_admin_password)s # Dogtag defaults pki_instance_name=pki-tomcat @@ -64,10 +65,8 @@ pki_audit_signing_key_algorithm=%(ipa_key_algorithm)s pki_audit_signing_key_size=%(ipa_key_size)s pki_audit_signing_key_type=%(ipa_key_type)s pki_audit_signing_signing_algorithm=%(ipa_signing_algorithm)s -pki_audit_signing_token=%(ipa_token_name)s +pki_audit_signing_token=%(pki_token_name)s -pki_backup_keys=True -pki_backup_password=%(pki_admin_password)s pki_ca_hostname=%(pki_security_domain_hostname)s pki_ca_port=%(pki_security_domain_https_port)s @@ -86,11 +85,9 @@ pki_ds_ldaps_port=636 pki_ds_remove_data=True pki_ds_secure_connection=False pki_ds_secure_connection_ca_nickname=Directory Server CA certificate -pki_ds_secure_connection_ca_pem_file= +pki_ds_secure_connection_ca_pem_file=%(ipa_ca_pem_file)s pki_group=pkiuser -pki_hsm_enable=False -pki_hsm_libfile= -pki_hsm_modulename= + pki_issuing_ca_hostname=%(pki_security_domain_hostname)s pki_issuing_ca_https_port=%(pki_security_domain_https_port)s pki_issuing_ca_uri=https://%(ipa_fqdn)s:443 @@ -142,15 +139,13 @@ pki_sslserver_subject_dn=cn=%(ipa_fqdn)s,%(ipa_subject_base)s pki_subsystem_key_algorithm=%(ipa_key_algorithm)s pki_subsystem_key_size=%(ipa_key_size)s pki_subsystem_key_type=%(ipa_key_type)s -pki_subsystem_token=%(ipa_token_name)s +pki_subsystem_token=%(pki_token_name)s # nickname and subject are hard-coded pki_subsystem_nickname=subsystemCert cert-pki-ca pki_subsystem_subject_dn=cn=CA Subsystem,%(ipa_subject_base)s pki_theme_enable=True pki_theme_server_dir=/usr/share/pki/common-ui -pki_token_name=%(ipa_token_name)s -# pki_token_password pki_user=pkiuser pki_existing=False @@ -173,28 +168,28 @@ pki_ca_signing_record_create=True pki_ca_signing_serial_number=1 pki_ca_signing_signing_algorithm=%(ipa_ca_signing_algorithm)s pki_ca_signing_subject_dn=%(ipa_ca_subject)s -pki_ca_signing_token=%(ipa_token_name)s +pki_ca_signing_token=%(pki_token_name)s -pki_ca_signing_csr_path=%(pki_instance_configuration_path)s/external_ca.csr +pki_ca_signing_csr_path=/root/ipa.csr -pki_ocsp_signing_csr_path= -pki_audit_signing_csr_path= -pki_sslserver_csr_path= -pki_subsystem_csr_path= +# pki_ocsp_signing_csr_path= +# pki_audit_signing_csr_path= +# pki_sslserver_csr_path= +# pki_subsystem_csr_path= -pki_ocsp_signing_cert_path= -pki_audit_signing_cert_path= -pki_sslserver_cert_path= -pki_subsystem_cert_path= +# pki_ocsp_signing_cert_path= +# pki_audit_signing_cert_path= +# pki_sslserver_cert_path= +# pki_subsystem_cert_path= pki_ca_starting_crl_number=0 pki_external=False +pki_external_step_two=False pki_req_ext_add=False # MS subca request ext data pki_req_ext_oid=1.3.6.1.4.1.311.20.2 pki_req_ext_critical=False pki_req_ext_data=1E0A00530075006200430041 -pki_external_step_two=False pki_external_pkcs12_path=%(pki_pkcs12_path)s pki_external_pkcs12_password=%(pki_pkcs12_password)s @@ -204,7 +199,7 @@ pki_ocsp_signing_key_algorithm=%(ipa_key_algorithm)s pki_ocsp_signing_key_size=%(ipa_key_size)s pki_ocsp_signing_key_type=%(ipa_key_type)s pki_ocsp_signing_signing_algorithm=%(ipa_signing_algorithm)s -pki_ocsp_signing_token=%(ipa_token_name)s +pki_ocsp_signing_token=%(pki_token_name)s # nickname and subject are hard-coded pki_ocsp_signing_nickname=ocspSigningCert cert-pki-ca pki_ocsp_signing_subject_dn=cn=OCSP Subsystem,%(ipa_subject_base)s @@ -213,7 +208,7 @@ pki_profiles_in_ldap=True pki_random_serial_numbers_enable=False pki_subordinate=False pki_subordinate_create_new_security_domain=False -pki_subordinate_security_domain_name=%(pki_dns_domainname)s Subordinate Security Domain +### pki_subordinate_security_domain_name=%(pki_dns_domainname)s Subordinate Security Domain pki_admin_email=%(ipa_admin_email)s pki_admin_name=%(ipa_admin_user)s @@ -242,7 +237,7 @@ pki_replica_number_range_end=100 pki_import_admin_cert=True pki_standalone=False pki_kra_ephemeral_requests=True -pki_ds_create_new_db=True +pki_ds_create_new_db=False # pki_admin_csr_path= # pki_audit_signing_csr_path= @@ -266,7 +261,7 @@ pki_storage_key_type=%(ipa_key_type)s pki_storage_nickname=storageCert cert-pki-kra pki_storage_signing_algorithm=SHA256withRSA pki_storage_subject_dn=cn=KRA Storage Certificate,%(ipa_subject_base)s -pki_storage_token=%(ipa_token_name)s +pki_storage_token=%(pki_token_name)s pki_transport_key_algorithm=%(ipa_key_algorithm)s pki_transport_key_size=%(ipa_key_size)s @@ -274,7 +269,7 @@ pki_transport_key_type=%(ipa_key_type)s pki_transport_nickname=transportCert cert-pki-kra pki_transport_signing_algorithm=SHA256withRSA pki_transport_subject_dn=cn=KRA Transport Certificate,%(ipa_subject_base)s -pki_transport_token=%(ipa_token_name)s +pki_transport_token=%(pki_token_name)s pki_admin_email=%(ipa_admin_email)s pki_admin_name=%(ipa_admin_user)s @@ -285,5 +280,7 @@ pki_admin_uid=%(ipa_admin_user)s pki_audit_signing_nickname=auditSigningCert cert-pki-kra pki_audit_signing_subject_dn=cn=KRA Audit,%(ipa_subject_base)s +# Needed because CA and KRA share the same database +# We will use the dbuser created for the CA. pki_share_db=True pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=%(ipa_ds_database)s diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index b128e44ff..cec27e42c 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -322,7 +322,7 @@ class CAInstance(DogtagInstance): def configure_instance(self, host_name, dm_password, admin_password, pkcs12_info=None, master_host=None, csr_file=None, cert_file=None, cert_chain_file=None, - master_replication_port=None, + master_replication_port=389, subject_base=None, ca_subject=None, ca_signing_algorithm=None, ca_type=None, external_ca_profile=None, @@ -361,10 +361,7 @@ class CAInstance(DogtagInstance): self.ca_subject = \ ca_subject or installutils.default_ca_subject_dn(self.subject_base) - if ca_signing_algorithm is None: - self.ca_signing_algorithm = 'SHA256withRSA' - else: - self.ca_signing_algorithm = ca_signing_algorithm + self.ca_signing_algorithm = ca_signing_algorithm if ca_type is not None: self.ca_type = ca_type else: @@ -490,131 +487,46 @@ class CAInstance(DogtagInstance): Creates the config file with IPA specific parameters and passes it to the base class to call pkispawn """ + cfg = dict( + pki_ds_secure_connection=self.use_ldaps + ) - # Create an empty and secured file - (cfg_fd, cfg_file) = tempfile.mkstemp() - os.close(cfg_fd) - pent = pwd.getpwnam(self.service_user) - - # Create CA configuration - config = RawConfigParser() - config.optionxform = str - config.add_section("CA") - - # Server - config.set("CA", "pki_security_domain_name", self.security_domain_name) - config.set("CA", "pki_enable_proxy", "True") - config.set("CA", "pki_restart_configured_instance", "False") - config.set("CA", "pki_backup_keys", "True") - config.set("CA", "pki_backup_password", self.admin_password) - config.set("CA", "pki_profiles_in_ldap", "True") - config.set("CA", "pki_default_ocsp_uri", - "http://{}.{}/ca/ocsp".format( - ipalib.constants.IPA_CA_RECORD, - ipautil.format_netloc(api.env.domain))) - - # Configures the status request timeout, i.e. the connect/data - # timeout on the HTTP request to get the status of Dogtag. - # - # This configuration is needed in "multiple IP address" scenarios - # where this server's hostname has multiple IP addresses but the - # HTTP server is only listening on one of them. Without a timeout, - # if a "wrong" IP address is tried first, it will take a long time - # to timeout, exceeding the overall timeout hence the request will - # not be re-tried. Setting a shorter timeout allows the request - # to be re-tried. - # - # Note that HSMs cause different behaviour so this value might - # not be suitable for when we implement HSM support. It is - # known that a value of 5s is too short in HSM environment. - # - config.set("CA", "pki_status_request_timeout", "15") # 15 seconds - - # Client security database - config.set("CA", "pki_client_pkcs12_password", self.admin_password) - - # Administrator - config.set("CA", "pki_admin_name", self.admin_user) - config.set("CA", "pki_admin_uid", self.admin_user) - config.set("CA", "pki_admin_email", "root@localhost") - config.set("CA", "pki_admin_password", self.admin_password) - config.set("CA", "pki_admin_nickname", "ipa-ca-agent") - config.set("CA", "pki_admin_subject_dn", - str(DN(('cn', 'ipa-ca-agent'), self.subject_base))) - config.set("CA", "pki_client_admin_cert_p12", paths.DOGTAG_ADMIN_P12) - - # Directory server - config.set("CA", "pki_ds_ldap_port", "389") - config.set("CA", "pki_ds_password", self.dm_password) - config.set("CA", "pki_ds_base_dn", str(self.basedn)) - config.set("CA", "pki_ds_database", "ipaca") - - if self.use_ldaps: - self._use_ldaps_during_spawn(config) - - # Certificate subject DN's - config.set("CA", "pki_subsystem_subject_dn", - str(DN(('cn', 'CA Subsystem'), self.subject_base))) - config.set("CA", "pki_ocsp_signing_subject_dn", - str(DN(('cn', 'OCSP Subsystem'), self.subject_base))) - config.set("CA", "pki_sslserver_subject_dn", - str(DN(('cn', self.fqdn), self.subject_base))) - config.set("CA", "pki_audit_signing_subject_dn", - str(DN(('cn', 'CA Audit'), self.subject_base))) - config.set( - "CA", "pki_ca_signing_subject_dn", - str(self.ca_subject)) - - # Certificate nicknames - config.set("CA", "pki_subsystem_nickname", "subsystemCert cert-pki-ca") - config.set("CA", "pki_ocsp_signing_nickname", "ocspSigningCert cert-pki-ca") - config.set("CA", "pki_sslserver_nickname", "Server-Cert cert-pki-ca") - config.set("CA", "pki_audit_signing_nickname", "auditSigningCert cert-pki-ca") - config.set("CA", "pki_ca_signing_nickname", "caSigningCert cert-pki-ca") - - # CA key algorithm - config.set("CA", "pki_ca_signing_key_algorithm", self.ca_signing_algorithm) + if self.ca_signing_algorithm is not None: + cfg['ipa_ca_signing_algorithm'] = self.ca_signing_algorithm if not (os.path.isdir(paths.PKI_TOMCAT_ALIAS_DIR) and os.path.isfile(paths.PKI_TOMCAT_PASSWORD_CONF)): # generate pin which we know can be used for FIPS NSS database pki_pin = ipautil.ipa_generate_password() - config.set("CA", "pki_pin", pki_pin) + cfg['pki_pin'] = pki_pin else: pki_pin = None if self.clone: - if self.no_db_setup: - config.set("CA", "pki_ds_create_new_db", "False") - config.set("CA", "pki_clone_setup_replication", "False") - config.set("CA", "pki_clone_reindex_data", "True") + cfg.update( + pki_ds_create_new_db=False, + pki_clone_setup_replication=False, + pki_clone_reindex_data=True, + ) cafile = self.pkcs12_info[0] shutil.copy(cafile, paths.TMP_CA_P12) pent = pwd.getpwnam(self.service_user) os.chown(paths.TMP_CA_P12, pent.pw_uid, pent.pw_gid) - # Security domain registration - config.set("CA", "pki_security_domain_hostname", self.master_host) - config.set("CA", "pki_security_domain_https_port", "443") - config.set("CA", "pki_security_domain_user", self.admin_user) - config.set("CA", "pki_security_domain_password", self.admin_password) - - # Clone - config.set("CA", "pki_clone", "True") - config.set("CA", "pki_clone_pkcs12_path", paths.TMP_CA_P12) - config.set("CA", "pki_clone_pkcs12_password", self.dm_password) - config.set("CA", "pki_clone_replication_security", "TLS") - config.set("CA", "pki_clone_replication_master_port", str(self.master_replication_port)) - config.set("CA", "pki_clone_replication_clone_port", "389") - config.set("CA", "pki_clone_replicate_schema", "False") - config.set("CA", "pki_clone_uri", "https://%s" % ipautil.format_netloc(self.master_host, 443)) + self._configure_clone( + cfg, + security_domain_hostname=self.master_host, + clone_pkcs12_path=paths.TMP_CA_P12, + ) # External CA if self.external == 1: - config.set("CA", "pki_external", "True") - config.set("CA", "pki_external_csr_path", self.csr_file) + cfg.update( + pki_external=True, + pki_ca_signing_csr_path=self.csr_file, + ) if self.ca_type == ExternalCAType.MS_CS.value: # Include MS template name extension in the CSR @@ -624,11 +536,12 @@ class CAInstance(DogtagInstance): template = MSCSTemplateV1(u"SubCA") ext_data = binascii.hexlify(template.get_ext_data()) - config.set("CA", "pki_req_ext_add", "True") - config.set("CA", "pki_req_ext_oid", template.ext_oid) - config.set("CA", "pki_req_ext_critical", "False") - config.set("CA", "pki_req_ext_data", ext_data.decode('ascii')) - + cfg.update( + pki_req_ext_add=True, + pki_req_ext_oid=template.ext_oid, + pki_req_ext_critical=False, + pki_req_ext_data=ext_data.decode('ascii'), + ) elif self.external == 2: cert_file = tempfile.NamedTemporaryFile() with open(self.cert_file, 'rb') as f: @@ -649,28 +562,26 @@ class CAInstance(DogtagInstance): cert_chain, re.DOTALL).group(0) cert_chain_file = ipautil.write_tmp_file(cert_chain) - config.set("CA", "pki_external", "True") - config.set("CA", "pki_external_ca_cert_path", cert_file.name) - config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name) - config.set("CA", "pki_external_step_two", "True") - - # Generate configuration file - with open(cfg_file, "w") as f: - config.write(f) - - # Finally chown the config file (rhbz#1677027) - os.chown(cfg_file, pent.pw_uid, pent.pw_gid) - - self.backup_state('installed', True) - try: - DogtagInstance.spawn_instance( - self, cfg_file, - nolog_list=(self.dm_password, - self.admin_password, - pki_pin) + cfg.update( + pki_external=True, + pki_ca_signing_cert_path=cert_file.name, + pki_cert_chain_path=cert_chain_file.name, + pki_external_step_two=True, + ) + + config = self._create_spawn_config(cfg) + pent = pwd.getpwnam(self.service_user) + with tempfile.NamedTemporaryFile('w') as f: + config.write(f) + f.flush() + os.fchown(f.fileno(), pent.pw_uid, pent.pw_gid) + + self.backup_state('installed', True) + + DogtagInstance.spawn_instance( + self, f.name, + nolog_list=(self.dm_password, self.admin_password, pki_pin) ) - finally: - os.remove(cfg_file) if self.external == 1: print("The next step is to get %s signed by your CA and re-run %s as:" % (self.csr_file, sys.argv[0])) diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index 5edb4674e..60b422513 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -29,12 +29,14 @@ import shutil import traceback import dbus +import six + from pki.client import PKIConnection import pki.system from ipalib import api, errors, x509 from ipalib.install import certmonger -from ipalib.constants import CA_DBUS_TIMEOUT +from ipalib.constants import CA_DBUS_TIMEOUT, IPA_CA_RECORD from ipaplatform import services from ipaplatform.constants import constants from ipaplatform.paths import paths @@ -47,6 +49,14 @@ from ipaserver.install import sysupgrade from ipaserver.install import replication from ipaserver.install.installutils import stopped_service +# pylint: disable=import-error +if six.PY3: + from configparser import DEFAULTSECT, ConfigParser, RawConfigParser +else: + from ConfigParser import DEFAULTSECT, RawConfigParser + from ConfigParser import SafeConfigParser as ConfigParser +# pylint: enable=import-error + logger = logging.getLogger(__name__) @@ -102,6 +112,10 @@ class DogtagInstance(service.Service): b'userdn="ldap:///uid=*,ou=people,o=ipaca";)' ) + ipaca_default = os.path.join( + paths.USR_SHARE_IPA_DIR, "ipaca_default.ini" + ) + def __init__(self, realm, subsystem, service_desc, host_name=None, nss_db=paths.PKI_TOMCAT_ALIAS_DIR, service_prefix=None, config=None): @@ -131,11 +145,15 @@ class DogtagInstance(service.Service): self.security_domain_name = "IPA" # replication parameters self.master_host = None - self.master_replication_port = None + self.master_replication_port = 389 self.subject_base = None self.nss_db = nss_db self.config = config # Path to CS.cfg + self.ca_subject = None + self.subject_base = None + # filled out by configure_instance + def is_installed(self): """ Determine if subsystem instance has been installed. @@ -515,16 +533,6 @@ class DogtagInstance(service.Service): self.__remove_admin_from_group(group) api.Backend.ldap2.delete_entry(self.admin_dn) - def _use_ldaps_during_spawn(self, config, ds_cacert=paths.IPA_CA_CRT): - """ - config is a RawConfigParser object - cs_cacert is path to a PEM CA certificate - """ - config.set(self.subsystem, "pki_ds_ldaps_port", "636") - config.set(self.subsystem, "pki_ds_secure_connection", "True") - config.set(self.subsystem, "pki_ds_secure_connection_ca_pem_file", - ds_cacert) - def backup_config(self): """ Create a backup copy of CS.cfg @@ -583,3 +591,98 @@ class DogtagInstance(service.Service): dn, exitcode ) sysupgrade.set_upgrade_state('dogtag', state_name, True) + + def _configure_clone(self, subsystem_config, security_domain_hostname, + clone_pkcs12_path): + subsystem_config.update( + # Security domain registration + pki_security_domain_hostname=security_domain_hostname, + pki_security_domain_https_port=443, + pki_security_domain_user=self.admin_user, + pki_security_domain_password=self.admin_password, + # Clone + pki_clone=True, + pki_clone_pkcs12_path=clone_pkcs12_path, + pki_clone_pkcs12_password=self.dm_password, + pki_clone_replication_security="TLS", + pki_clone_replication_master_port=self.master_replication_port, + pki_clone_replication_clone_port=389, + pki_clone_replicate_schema=False, + pki_clone_uri="https://%s" % ipautil.format_netloc( + self.master_host, 443), + ) + + def _create_spawn_config(self, subsystem_config): + """Create config instance + """ + defaults = dict( + # pretty much static + ipa_security_domain_name=self.security_domain_name, + ipa_ds_database=u"ipaca", + ipa_ds_base_dn=self.basedn, + ipa_admin_user=self.admin_user, + ipa_admin_nickname="ipa-ca-agent", + ipa_ca_pem_file=paths.IPA_CA_CRT, + # variable + ipa_ca_subject=self.ca_subject, + ipa_subject_base=self.subject_base, + ipa_fqdn=self.fqdn, + ipa_ocsp_uri="http://{}.{}/ca/ocsp".format( + IPA_CA_RECORD, ipautil.format_netloc(api.env.domain)), + ipa_admin_cert_p12=paths.DOGTAG_ADMIN_P12, + pki_admin_password=self.admin_password, + pki_ds_password=self.dm_password, + # Dogtag's pkiparser defines these config vars by default: + pki_dns_domainname=api.env.domain, + pki_hostname=self.fqdn, + pki_subsystem=self.subsystem.upper(), + pki_subsystem_type=self.subsystem.lower(), + home_dir=os.path.expanduser("~"), + ) + + def mangle_values(d): + """Stringify and quote % as %% to avoid interpolation errors + + * booleans are converted to 'True', 'False' + * DN and numbers are converted to string + * None is turned into empty string '' + """ + result = {} + for k, v in d.items(): + if isinstance(v, (DN, bool, six.integer_types)): + v = six.text_type(v) + elif v is None: + v = '' + result[k] = v.replace('%', '%%') + return result + + defaults = mangle_values(defaults) + subsystem_config = mangle_values(subsystem_config) + + # create a config template with interpolation support + # read base config + cfgtpl = ConfigParser(defaults=defaults) + cfgtpl.optionxform = str + with open(self.ipaca_default) as f: + cfgtpl.readfp(f) # pylint: disable=deprecated-method + # overwrite defaults with our defaults + for key, value in defaults.items(): + cfgtpl.set(DEFAULTSECT, key, value) + # overwrite CA/KRA config with subsystem settings + section_name = self.subsystem.upper() + for key, value in subsystem_config.items(): + cfgtpl.set(section_name, key, value) + + # Next up, get rid of interpolation variables, DEFAULT, + # irrelevant sections and unused variables. Only the subsystem + # section is copied into a new raw config parser. A raw config + # parser is necessary, because ConfigParser.write() write passwords + # with '%' in a way, that is not accepted by Dogtag. + config = RawConfigParser() + config.optionxform = str + config.add_section(section_name) + for key, value in sorted(cfgtpl.items(section=section_name)): + if key.startswith('pki_'): + config.set(section_name, key, value) + + return config diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py index 1ea2cdcf9..f53d171ec 100644 --- a/ipaserver/install/krainstance.py +++ b/ipaserver/install/krainstance.py @@ -25,7 +25,6 @@ import pwd import shutil import tempfile import base64 -from configparser import RawConfigParser from ipalib import api from ipalib import x509 @@ -159,93 +158,25 @@ class KRAInstance(DogtagInstance): (admin_p12_fd, admin_p12_file) = tempfile.mkstemp() os.close(admin_p12_fd) - # Create KRA configuration - config = RawConfigParser() - config.optionxform = str - config.add_section("KRA") - - # Security Domain Authentication - config.set("KRA", "pki_security_domain_https_port", "443") - config.set("KRA", "pki_security_domain_password", self.admin_password) - config.set("KRA", "pki_security_domain_user", self.admin_user) - - # issuing ca - config.set("KRA", "pki_issuing_ca_uri", "https://%s" % - ipautil.format_netloc(self.fqdn, 443)) - - # Server - config.set("KRA", "pki_enable_proxy", "True") - config.set("KRA", "pki_restart_configured_instance", "False") - config.set("KRA", "pki_backup_keys", "True") - config.set("KRA", "pki_backup_password", self.admin_password) - - # Client security database - config.set("KRA", "pki_client_database_dir", self.tmp_agent_db) - config.set("KRA", "pki_client_database_password", tmp_agent_pwd) - config.set("KRA", "pki_client_database_purge", "True") - config.set("KRA", "pki_client_pkcs12_password", self.admin_password) - - # Administrator - config.set("KRA", "pki_admin_name", self.admin_user) - config.set("KRA", "pki_admin_uid", self.admin_user) - config.set("KRA", "pki_admin_email", "root@localhost") - config.set("KRA", "pki_admin_password", self.admin_password) - config.set("KRA", "pki_admin_nickname", "ipa-ca-agent") - config.set("KRA", "pki_admin_subject_dn", - str(DN(('cn', 'ipa-ca-agent'), self.subject_base))) - config.set("KRA", "pki_import_admin_cert", "False") - config.set("KRA", "pki_client_admin_cert_p12", admin_p12_file) - - # Directory server - config.set("KRA", "pki_ds_ldap_port", "389") - config.set("KRA", "pki_ds_password", self.dm_password) - config.set("KRA", "pki_ds_base_dn", str(self.basedn)) - config.set("KRA", "pki_ds_database", "ipaca") - config.set("KRA", "pki_ds_create_new_db", "False") - - self._use_ldaps_during_spawn(config) - - # Certificate subject DNs - config.set("KRA", "pki_subsystem_subject_dn", - str(DN(('cn', 'CA Subsystem'), self.subject_base))) - config.set("KRA", "pki_sslserver_subject_dn", - str(DN(('cn', self.fqdn), self.subject_base))) - config.set("KRA", "pki_audit_signing_subject_dn", - str(DN(('cn', 'KRA Audit'), self.subject_base))) - config.set( - "KRA", "pki_transport_subject_dn", - str(DN(('cn', 'KRA Transport Certificate'), self.subject_base))) - config.set( - "KRA", "pki_storage_subject_dn", - str(DN(('cn', 'KRA Storage Certificate'), self.subject_base))) - - # Certificate nicknames - # Note that both the server certs and subsystem certs reuse - # the ca certs. - config.set("KRA", "pki_subsystem_nickname", - "subsystemCert cert-pki-ca") - config.set("KRA", "pki_sslserver_nickname", - "Server-Cert cert-pki-ca") - config.set("KRA", "pki_audit_signing_nickname", - "auditSigningCert cert-pki-kra") - config.set("KRA", "pki_transport_nickname", - "transportCert cert-pki-kra") - config.set("KRA", "pki_storage_nickname", - "storageCert cert-pki-kra") - - # Shared db settings - # Needed because CA and KRA share the same database - # We will use the dbuser created for the CA - config.set("KRA", "pki_share_db", "True") - config.set( - "KRA", "pki_share_dbuser_dn", - str(DN(('uid', 'pkidbuser'), ('ou', 'people'), ('o', 'ipaca')))) + cfg = dict( + pki_issuing_ca_uri="https://{}".format( + ipautil.format_netloc(self.fqdn, 443)), + # Client security database + pki_client_database_dir=self.tmp_agent_db, + pki_client_database_password=tmp_agent_pwd, + pki_client_database_purge=True, + pki_client_pkcs12_password=self.admin_password, + pki_import_admin_cert=False, + pki_client_admin_cert_p12=admin_p12_file, + pki_ds_secure_connection=True, # always LDAPS + pki_ds_create_new_db=False, + ) if not (os.path.isdir(paths.PKI_TOMCAT_ALIAS_DIR) and os.path.isfile(paths.PKI_TOMCAT_PASSWORD_CONF)): # generate pin which we know can be used for FIPS NSS database pki_pin = ipautil.ipa_generate_password() - config.set("KRA", "pki_pin", pki_pin) + cfg['pki_pin'] = pki_pin else: pki_pin = None @@ -257,21 +188,14 @@ class KRAInstance(DogtagInstance): pent = pwd.getpwnam(self.service_user) os.chown(p12_tmpfile_name, pent.pw_uid, pent.pw_gid) - # Security domain registration - config.set("KRA", "pki_security_domain_hostname", self.fqdn) - config.set("KRA", "pki_security_domain_https_port", "443") - config.set("KRA", "pki_security_domain_user", self.admin_user) - config.set("KRA", "pki_security_domain_password", - self.admin_password) - - # Clone - config.set("KRA", "pki_clone", "True") - config.set("KRA", "pki_clone_pkcs12_path", p12_tmpfile_name) - config.set("KRA", "pki_clone_pkcs12_password", self.dm_password) - config.set("KRA", "pki_clone_setup_replication", "False") - config.set( - "KRA", "pki_clone_uri", - "https://%s" % ipautil.format_netloc(self.master_host, 443)) + self._configure_clone( + cfg, + security_domain_hostname=self.fqdn, + clone_pkcs12_path=p12_tmpfile_name, + ) + cfg.update( + pki_clone_setup_replication=False, + ) else: # the admin cert file is needed for the first instance of KRA cert = self.get_admin_cert() @@ -285,6 +209,7 @@ class KRAInstance(DogtagInstance): ) # Generate configuration file + config = self._create_spawn_config(cfg) with open(cfg_file, "w") as f: config.write(f)