IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Use new pki_ipaca.ini to spawn instances

Browse Source 
Note: Some configuration stanzas are deprecated and have been replaced
with new stanzas, e.g. pki_cert_chain_path instead of
pki_external_ca_cert_chain_path.

Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
Christian Heimes
2018-08-30 16:42:40 +02:00
parent 70beccada2
commit f847d7756f
6 changed files with 227 additions and 289 deletions
Download Patch File Download Diff File Expand all files Collapse all files

183
ipaserver/install/cainstance.py
View File

@@ -322,7 +322,7 @@ class CAInstance(DogtagInstance):
def configure_instance(self, host_name, dm_password, admin_password,
pkcs12_info=None, master_host=None, csr_file=None,
cert_file=None, cert_chain_file=None,
master_replication_port=None,
master_replication_port=389,
subject_base=None, ca_subject=None,
ca_signing_algorithm=None,
ca_type=None, external_ca_profile=None,
@@ -361,10 +361,7 @@ class CAInstance(DogtagInstance):
self.ca_subject = \
ca_subject or installutils.default_ca_subject_dn(self.subject_base)
if ca_signing_algorithm is None:
self.ca_signing_algorithm = 'SHA256withRSA'
else:
self.ca_signing_algorithm = ca_signing_algorithm
self.ca_signing_algorithm = ca_signing_algorithm
if ca_type is not None:
self.ca_type = ca_type
else:
@@ -490,131 +487,46 @@ class CAInstance(DogtagInstance):
Creates the config file with IPA specific parameters
and passes it to the base class to call pkispawn
"""
cfg = dict(
pki_ds_secure_connection=self.use_ldaps
)
# Create an empty and secured file
(cfg_fd, cfg_file) = tempfile.mkstemp()
os.close(cfg_fd)
pent = pwd.getpwnam(self.service_user)
# Create CA configuration
config = RawConfigParser()
config.optionxform = str
config.add_section("CA")
# Server
config.set("CA", "pki_security_domain_name", self.security_domain_name)
config.set("CA", "pki_enable_proxy", "True")
config.set("CA", "pki_restart_configured_instance", "False")
config.set("CA", "pki_backup_keys", "True")
config.set("CA", "pki_backup_password", self.admin_password)
config.set("CA", "pki_profiles_in_ldap", "True")
config.set("CA", "pki_default_ocsp_uri",
"http://{}.{}/ca/ocsp".format(
ipalib.constants.IPA_CA_RECORD,
ipautil.format_netloc(api.env.domain)))
# Configures the status request timeout, i.e. the connect/data
# timeout on the HTTP request to get the status of Dogtag.
#
# This configuration is needed in "multiple IP address" scenarios
# where this server's hostname has multiple IP addresses but the
# HTTP server is only listening on one of them. Without a timeout,
# if a "wrong" IP address is tried first, it will take a long time
# to timeout, exceeding the overall timeout hence the request will
# not be re-tried. Setting a shorter timeout allows the request
# to be re-tried.
#
# Note that HSMs cause different behaviour so this value might
# not be suitable for when we implement HSM support. It is
# known that a value of 5s is too short in HSM environment.
#
config.set("CA", "pki_status_request_timeout", "15") # 15 seconds
# Client security database
config.set("CA", "pki_client_pkcs12_password", self.admin_password)
# Administrator
config.set("CA", "pki_admin_name", self.admin_user)
config.set("CA", "pki_admin_uid", self.admin_user)
config.set("CA", "pki_admin_email", "root@localhost")
config.set("CA", "pki_admin_password", self.admin_password)
config.set("CA", "pki_admin_nickname", "ipa-ca-agent")
config.set("CA", "pki_admin_subject_dn",
str(DN(('cn', 'ipa-ca-agent'), self.subject_base)))
config.set("CA", "pki_client_admin_cert_p12", paths.DOGTAG_ADMIN_P12)
# Directory server
config.set("CA", "pki_ds_ldap_port", "389")
config.set("CA", "pki_ds_password", self.dm_password)
config.set("CA", "pki_ds_base_dn", str(self.basedn))
config.set("CA", "pki_ds_database", "ipaca")
if self.use_ldaps:
self._use_ldaps_during_spawn(config)
# Certificate subject DN's
config.set("CA", "pki_subsystem_subject_dn",
str(DN(('cn', 'CA Subsystem'), self.subject_base)))
config.set("CA", "pki_ocsp_signing_subject_dn",
str(DN(('cn', 'OCSP Subsystem'), self.subject_base)))
config.set("CA", "pki_sslserver_subject_dn",
str(DN(('cn', self.fqdn), self.subject_base)))
config.set("CA", "pki_audit_signing_subject_dn",
str(DN(('cn', 'CA Audit'), self.subject_base)))
config.set(
"CA", "pki_ca_signing_subject_dn",
str(self.ca_subject))
# Certificate nicknames
config.set("CA", "pki_subsystem_nickname", "subsystemCert cert-pki-ca")
config.set("CA", "pki_ocsp_signing_nickname", "ocspSigningCert cert-pki-ca")
config.set("CA", "pki_sslserver_nickname", "Server-Cert cert-pki-ca")
config.set("CA", "pki_audit_signing_nickname", "auditSigningCert cert-pki-ca")
config.set("CA", "pki_ca_signing_nickname", "caSigningCert cert-pki-ca")
# CA key algorithm
config.set("CA", "pki_ca_signing_key_algorithm", self.ca_signing_algorithm)
if self.ca_signing_algorithm is not None:
cfg['ipa_ca_signing_algorithm'] = self.ca_signing_algorithm
if not (os.path.isdir(paths.PKI_TOMCAT_ALIAS_DIR) and
os.path.isfile(paths.PKI_TOMCAT_PASSWORD_CONF)):
# generate pin which we know can be used for FIPS NSS database
pki_pin = ipautil.ipa_generate_password()
config.set("CA", "pki_pin", pki_pin)
cfg['pki_pin'] = pki_pin
else:
pki_pin = None
if self.clone:
if self.no_db_setup:
config.set("CA", "pki_ds_create_new_db", "False")
config.set("CA", "pki_clone_setup_replication", "False")
config.set("CA", "pki_clone_reindex_data", "True")
cfg.update(
pki_ds_create_new_db=False,
pki_clone_setup_replication=False,
pki_clone_reindex_data=True,
)
cafile = self.pkcs12_info[0]
shutil.copy(cafile, paths.TMP_CA_P12)
pent = pwd.getpwnam(self.service_user)
os.chown(paths.TMP_CA_P12, pent.pw_uid, pent.pw_gid)
# Security domain registration
config.set("CA", "pki_security_domain_hostname", self.master_host)
config.set("CA", "pki_security_domain_https_port", "443")
config.set("CA", "pki_security_domain_user", self.admin_user)
config.set("CA", "pki_security_domain_password", self.admin_password)
# Clone
config.set("CA", "pki_clone", "True")
config.set("CA", "pki_clone_pkcs12_path", paths.TMP_CA_P12)
config.set("CA", "pki_clone_pkcs12_password", self.dm_password)
config.set("CA", "pki_clone_replication_security", "TLS")
config.set("CA", "pki_clone_replication_master_port", str(self.master_replication_port))
config.set("CA", "pki_clone_replication_clone_port", "389")
config.set("CA", "pki_clone_replicate_schema", "False")
config.set("CA", "pki_clone_uri", "https://%s" % ipautil.format_netloc(self.master_host, 443))
self._configure_clone(
cfg,
security_domain_hostname=self.master_host,
clone_pkcs12_path=paths.TMP_CA_P12,
)
# External CA
if self.external == 1:
config.set("CA", "pki_external", "True")
config.set("CA", "pki_external_csr_path", self.csr_file)
cfg.update(
pki_external=True,
pki_ca_signing_csr_path=self.csr_file,
)
if self.ca_type == ExternalCAType.MS_CS.value:
# Include MS template name extension in the CSR
@@ -624,11 +536,12 @@ class CAInstance(DogtagInstance):
template = MSCSTemplateV1(u"SubCA")
ext_data = binascii.hexlify(template.get_ext_data())
config.set("CA", "pki_req_ext_add", "True")
config.set("CA", "pki_req_ext_oid", template.ext_oid)
config.set("CA", "pki_req_ext_critical", "False")
config.set("CA", "pki_req_ext_data", ext_data.decode('ascii'))
cfg.update(
pki_req_ext_add=True,
pki_req_ext_oid=template.ext_oid,
pki_req_ext_critical=False,
pki_req_ext_data=ext_data.decode('ascii'),
)
elif self.external == 2:
cert_file = tempfile.NamedTemporaryFile()
with open(self.cert_file, 'rb') as f:
@@ -649,28 +562,26 @@ class CAInstance(DogtagInstance):
cert_chain, re.DOTALL).group(0)
cert_chain_file = ipautil.write_tmp_file(cert_chain)
config.set("CA", "pki_external", "True")
config.set("CA", "pki_external_ca_cert_path", cert_file.name)
config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name)
config.set("CA", "pki_external_step_two", "True")
# Generate configuration file
with open(cfg_file, "w") as f:
config.write(f)
# Finally chown the config file (rhbz#1677027)
os.chown(cfg_file, pent.pw_uid, pent.pw_gid)
self.backup_state('installed', True)
try:
DogtagInstance.spawn_instance(
self, cfg_file,
nolog_list=(self.dm_password,
self.admin_password,
pki_pin)
cfg.update(
pki_external=True,
pki_ca_signing_cert_path=cert_file.name,
pki_cert_chain_path=cert_chain_file.name,
pki_external_step_two=True,
)
config = self._create_spawn_config(cfg)
pent = pwd.getpwnam(self.service_user)
with tempfile.NamedTemporaryFile('w') as f:
config.write(f)
f.flush()
os.fchown(f.fileno(), pent.pw_uid, pent.pw_gid)
self.backup_state('installed', True)
DogtagInstance.spawn_instance(
self, f.name,
nolog_list=(self.dm_password, self.admin_password, pki_pin)
)
finally:
os.remove(cfg_file)
if self.external == 1:
print("The next step is to get %s signed by your CA and re-run %s as:" % (self.csr_file, sys.argv[0]))

127
ipaserver/install/dogtaginstance.py
View File

@@ -29,12 +29,14 @@ import shutil
import traceback
import dbus
import six
from pki.client import PKIConnection
import pki.system
from ipalib import api, errors, x509
from ipalib.install import certmonger
from ipalib.constants import CA_DBUS_TIMEOUT
from ipalib.constants import CA_DBUS_TIMEOUT, IPA_CA_RECORD
from ipaplatform import services
from ipaplatform.constants import constants
from ipaplatform.paths import paths
@@ -47,6 +49,14 @@ from ipaserver.install import sysupgrade
from ipaserver.install import replication
from ipaserver.install.installutils import stopped_service
# pylint: disable=import-error
if six.PY3:
from configparser import DEFAULTSECT, ConfigParser, RawConfigParser
else:
from ConfigParser import DEFAULTSECT, RawConfigParser
from ConfigParser import SafeConfigParser as ConfigParser
# pylint: enable=import-error
logger = logging.getLogger(__name__)
@@ -102,6 +112,10 @@ class DogtagInstance(service.Service):
b'userdn="ldap:///uid=*,ou=people,o=ipaca";)'
)
ipaca_default = os.path.join(
paths.USR_SHARE_IPA_DIR, "ipaca_default.ini"
)
def __init__(self, realm, subsystem, service_desc, host_name=None,
nss_db=paths.PKI_TOMCAT_ALIAS_DIR, service_prefix=None,
config=None):
@@ -131,11 +145,15 @@ class DogtagInstance(service.Service):
self.security_domain_name = "IPA"
# replication parameters
self.master_host = None
self.master_replication_port = None
self.master_replication_port = 389
self.subject_base = None
self.nss_db = nss_db
self.config = config # Path to CS.cfg
self.ca_subject = None
self.subject_base = None
# filled out by configure_instance
def is_installed(self):
"""
Determine if subsystem instance has been installed.
@@ -515,16 +533,6 @@ class DogtagInstance(service.Service):
self.__remove_admin_from_group(group)
api.Backend.ldap2.delete_entry(self.admin_dn)
def _use_ldaps_during_spawn(self, config, ds_cacert=paths.IPA_CA_CRT):
"""
config is a RawConfigParser object
cs_cacert is path to a PEM CA certificate
"""
config.set(self.subsystem, "pki_ds_ldaps_port", "636")
config.set(self.subsystem, "pki_ds_secure_connection", "True")
config.set(self.subsystem, "pki_ds_secure_connection_ca_pem_file",
ds_cacert)
def backup_config(self):
"""
Create a backup copy of CS.cfg
@@ -583,3 +591,98 @@ class DogtagInstance(service.Service):
dn, exitcode
)
sysupgrade.set_upgrade_state('dogtag', state_name, True)
def _configure_clone(self, subsystem_config, security_domain_hostname,
clone_pkcs12_path):
subsystem_config.update(
# Security domain registration
pki_security_domain_hostname=security_domain_hostname,
pki_security_domain_https_port=443,
pki_security_domain_user=self.admin_user,
pki_security_domain_password=self.admin_password,
# Clone
pki_clone=True,
pki_clone_pkcs12_path=clone_pkcs12_path,
pki_clone_pkcs12_password=self.dm_password,
pki_clone_replication_security="TLS",
pki_clone_replication_master_port=self.master_replication_port,
pki_clone_replication_clone_port=389,
pki_clone_replicate_schema=False,
pki_clone_uri="https://%s" % ipautil.format_netloc(
self.master_host, 443),
)
def _create_spawn_config(self, subsystem_config):
"""Create config instance
"""
defaults = dict(
# pretty much static
ipa_security_domain_name=self.security_domain_name,
ipa_ds_database=u"ipaca",
ipa_ds_base_dn=self.basedn,
ipa_admin_user=self.admin_user,
ipa_admin_nickname="ipa-ca-agent",
ipa_ca_pem_file=paths.IPA_CA_CRT,
# variable
ipa_ca_subject=self.ca_subject,
ipa_subject_base=self.subject_base,
ipa_fqdn=self.fqdn,
ipa_ocsp_uri="http://{}.{}/ca/ocsp".format(
IPA_CA_RECORD, ipautil.format_netloc(api.env.domain)),
ipa_admin_cert_p12=paths.DOGTAG_ADMIN_P12,
pki_admin_password=self.admin_password,
pki_ds_password=self.dm_password,
# Dogtag's pkiparser defines these config vars by default:
pki_dns_domainname=api.env.domain,
pki_hostname=self.fqdn,
pki_subsystem=self.subsystem.upper(),
pki_subsystem_type=self.subsystem.lower(),
home_dir=os.path.expanduser("~"),
)
def mangle_values(d):
"""Stringify and quote % as %% to avoid interpolation errors
* booleans are converted to 'True', 'False'
* DN and numbers are converted to string
* None is turned into empty string ''
"""
result = {}
for k, v in d.items():
if isinstance(v, (DN, bool, six.integer_types)):
v = six.text_type(v)
elif v is None:
v = ''
result[k] = v.replace('%', '%%')
return result
defaults = mangle_values(defaults)
subsystem_config = mangle_values(subsystem_config)
# create a config template with interpolation support
# read base config
cfgtpl = ConfigParser(defaults=defaults)
cfgtpl.optionxform = str
with open(self.ipaca_default) as f:
cfgtpl.readfp(f) # pylint: disable=deprecated-method
# overwrite defaults with our defaults
for key, value in defaults.items():
cfgtpl.set(DEFAULTSECT, key, value)
# overwrite CA/KRA config with subsystem settings
section_name = self.subsystem.upper()
for key, value in subsystem_config.items():
cfgtpl.set(section_name, key, value)
# Next up, get rid of interpolation variables, DEFAULT,
# irrelevant sections and unused variables. Only the subsystem
# section is copied into a new raw config parser. A raw config
# parser is necessary, because ConfigParser.write() write passwords
# with '%' in a way, that is not accepted by Dogtag.
config = RawConfigParser()
config.optionxform = str
config.add_section(section_name)
for key, value in sorted(cfgtpl.items(section=section_name)):
if key.startswith('pki_'):
config.set(section_name, key, value)
return config

121
ipaserver/install/krainstance.py
View File

@@ -25,7 +25,6 @@ import pwd
import shutil
import tempfile
import base64
from configparser import RawConfigParser
from ipalib import api
from ipalib import x509
@@ -159,93 +158,25 @@ class KRAInstance(DogtagInstance):
(admin_p12_fd, admin_p12_file) = tempfile.mkstemp()
os.close(admin_p12_fd)
# Create KRA configuration
config = RawConfigParser()
config.optionxform = str
config.add_section("KRA")
# Security Domain Authentication
config.set("KRA", "pki_security_domain_https_port", "443")
config.set("KRA", "pki_security_domain_password", self.admin_password)
config.set("KRA", "pki_security_domain_user", self.admin_user)
# issuing ca
config.set("KRA", "pki_issuing_ca_uri", "https://%s" %
ipautil.format_netloc(self.fqdn, 443))
# Server
config.set("KRA", "pki_enable_proxy", "True")
config.set("KRA", "pki_restart_configured_instance", "False")
config.set("KRA", "pki_backup_keys", "True")
config.set("KRA", "pki_backup_password", self.admin_password)
# Client security database
config.set("KRA", "pki_client_database_dir", self.tmp_agent_db)
config.set("KRA", "pki_client_database_password", tmp_agent_pwd)
config.set("KRA", "pki_client_database_purge", "True")
config.set("KRA", "pki_client_pkcs12_password", self.admin_password)
# Administrator
config.set("KRA", "pki_admin_name", self.admin_user)
config.set("KRA", "pki_admin_uid", self.admin_user)
config.set("KRA", "pki_admin_email", "root@localhost")
config.set("KRA", "pki_admin_password", self.admin_password)
config.set("KRA", "pki_admin_nickname", "ipa-ca-agent")
config.set("KRA", "pki_admin_subject_dn",
str(DN(('cn', 'ipa-ca-agent'), self.subject_base)))
config.set("KRA", "pki_import_admin_cert", "False")
config.set("KRA", "pki_client_admin_cert_p12", admin_p12_file)
# Directory server
config.set("KRA", "pki_ds_ldap_port", "389")
config.set("KRA", "pki_ds_password", self.dm_password)
config.set("KRA", "pki_ds_base_dn", str(self.basedn))
config.set("KRA", "pki_ds_database", "ipaca")
config.set("KRA", "pki_ds_create_new_db", "False")
self._use_ldaps_during_spawn(config)
# Certificate subject DNs
config.set("KRA", "pki_subsystem_subject_dn",
str(DN(('cn', 'CA Subsystem'), self.subject_base)))
config.set("KRA", "pki_sslserver_subject_dn",
str(DN(('cn', self.fqdn), self.subject_base)))
config.set("KRA", "pki_audit_signing_subject_dn",
str(DN(('cn', 'KRA Audit'), self.subject_base)))
config.set(
"KRA", "pki_transport_subject_dn",
str(DN(('cn', 'KRA Transport Certificate'), self.subject_base)))
config.set(
"KRA", "pki_storage_subject_dn",
str(DN(('cn', 'KRA Storage Certificate'), self.subject_base)))
# Certificate nicknames
# Note that both the server certs and subsystem certs reuse
# the ca certs.
config.set("KRA", "pki_subsystem_nickname",
"subsystemCert cert-pki-ca")
config.set("KRA", "pki_sslserver_nickname",
"Server-Cert cert-pki-ca")
config.set("KRA", "pki_audit_signing_nickname",
"auditSigningCert cert-pki-kra")
config.set("KRA", "pki_transport_nickname",
"transportCert cert-pki-kra")
config.set("KRA", "pki_storage_nickname",
"storageCert cert-pki-kra")
# Shared db settings
# Needed because CA and KRA share the same database
# We will use the dbuser created for the CA
config.set("KRA", "pki_share_db", "True")
config.set(
"KRA", "pki_share_dbuser_dn",
str(DN(('uid', 'pkidbuser'), ('ou', 'people'), ('o', 'ipaca'))))
cfg = dict(
pki_issuing_ca_uri="https://{}".format(
ipautil.format_netloc(self.fqdn, 443)),
# Client security database
pki_client_database_dir=self.tmp_agent_db,
pki_client_database_password=tmp_agent_pwd,
pki_client_database_purge=True,
pki_client_pkcs12_password=self.admin_password,
pki_import_admin_cert=False,
pki_client_admin_cert_p12=admin_p12_file,
pki_ds_secure_connection=True, # always LDAPS
pki_ds_create_new_db=False,
)
if not (os.path.isdir(paths.PKI_TOMCAT_ALIAS_DIR) and
os.path.isfile(paths.PKI_TOMCAT_PASSWORD_CONF)):
# generate pin which we know can be used for FIPS NSS database
pki_pin = ipautil.ipa_generate_password()
config.set("KRA", "pki_pin", pki_pin)
cfg['pki_pin'] = pki_pin
else:
pki_pin = None
@@ -257,21 +188,14 @@ class KRAInstance(DogtagInstance):
pent = pwd.getpwnam(self.service_user)
os.chown(p12_tmpfile_name, pent.pw_uid, pent.pw_gid)
# Security domain registration
config.set("KRA", "pki_security_domain_hostname", self.fqdn)
config.set("KRA", "pki_security_domain_https_port", "443")
config.set("KRA", "pki_security_domain_user", self.admin_user)
config.set("KRA", "pki_security_domain_password",
self.admin_password)
# Clone
config.set("KRA", "pki_clone", "True")
config.set("KRA", "pki_clone_pkcs12_path", p12_tmpfile_name)
config.set("KRA", "pki_clone_pkcs12_password", self.dm_password)
config.set("KRA", "pki_clone_setup_replication", "False")
config.set(
"KRA", "pki_clone_uri",
"https://%s" % ipautil.format_netloc(self.master_host, 443))
self._configure_clone(
cfg,
security_domain_hostname=self.fqdn,
clone_pkcs12_path=p12_tmpfile_name,
)
cfg.update(
pki_clone_setup_replication=False,
)
else:
# the admin cert file is needed for the first instance of KRA
cert = self.get_admin_cert()
@@ -285,6 +209,7 @@ class KRAInstance(DogtagInstance):
)
# Generate configuration file
config = self._create_spawn_config(cfg)
with open(cfg_file, "w") as f:
config.write(f)