Use new pki_ipaca.ini to spawn instances

Note: Some configuration stanzas are deprecated and have been replaced with new stanzas, e.g. pki_cert_chain_path instead of pki_external_ca_cert_chain_path. Fixes: https://pagure.io/freeipa/issue/5608 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-02-25 18:55:28 -06:00 · 2018-08-30 16:42:40 +02:00 · 2018-08-30 16:42:40 +02:00 · f847d7756f
commit f847d7756f
parent 70beccada2
6 changed files with 227 additions and 289 deletions
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@ -1082,6 +1082,7 @@ fi
 # END
 %{_usr}/share/ipa/wsgi.py*
 %{_usr}/share/ipa/kdcproxy.wsgi
 %{_usr}/share/ipa/ipaca*.ini
 %{_usr}/share/ipa/*.ldif
 %{_usr}/share/ipa/*.uldif
 %{_usr}/share/ipa/*.template
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@ -95,6 +95,7 @@ dist_app_DATA =				\
 	ipa-pki-proxy.conf.template	\
 	ipa-rewrite.conf.template	\
 	min-ssf.ldif			\
 	ipaca_default.ini		\
 	$(NULL)
 kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy
--- a/install/share/ipaca_default.ini
+++ b/install/share/ipaca_default.ini
@ -6,6 +6,7 @@
 [DEFAULT]
 ipa_admin_email=root@localhost
 # default algorithms for all certificates
 ipa_key_algorithm=SHA256withRSA
 ipa_key_size=2048
@ -21,31 +22,31 @@ ipa_ca_key_type=%(ipa_key_type)s
 # hard-coded IPA default settings
 ipa_security_domain_name=IPA
 ipa_ds_database=ipaca
 ipa_ds_base_dn=o=%(ipa_ds_database)s
 ipa_admin_user=admin
 ipa_admin_nickname=ipa-ca-agent
 ipa_ca_pem_file=/etc/ipa/ca.crt
-# dynamic values
+## dynamic values
-ipa_ca_subject=
+# ipa_ca_subject=
-ipa_subject_base=
+# ipa_ds_base_dn=
-ipa_fqdn=
+# ipa_subject_base=
-ipa_ocsp_uri=
+# ipa_fqdn=
-ipa_admin_cert_p12=
+# ipa_ocsp_uri=
-ipa_master_host=
+# ipa_admin_cert_p12=
 ipa_clone_uri=
 # sensitive dynamic values
-pki_admin_password=
+# pki_admin_password=
-pki_ds_password=
+# pki_ds_password=
-pki_token_password=
+# pki_token_password=
 # HSM support
-ipa_backup_keys=True
+pki_hsm_enable=False
-ipa_hsm_enable=False
+pki_hsm_libfile=
-ipa_hsm_libfile=
+pki_hsm_modulename=
-ipa_hsm_modulename=
+pki_token_name=internal
-ipa_token_name=internal
+# backup is automatically disabled when HSM support is enabled
 pki_backup_keys=True
 pki_backup_password=%(pki_admin_password)s
 # Dogtag defaults
 pki_instance_name=pki-tomcat
@ -64,10 +65,8 @@ pki_audit_signing_key_algorithm=%(ipa_key_algorithm)s
 pki_audit_signing_key_size=%(ipa_key_size)s
 pki_audit_signing_key_type=%(ipa_key_type)s
 pki_audit_signing_signing_algorithm=%(ipa_signing_algorithm)s
-pki_audit_signing_token=%(ipa_token_name)s
+pki_audit_signing_token=%(pki_token_name)s
 pki_backup_keys=True
 pki_backup_password=%(pki_admin_password)s
 pki_ca_hostname=%(pki_security_domain_hostname)s
 pki_ca_port=%(pki_security_domain_https_port)s
@ -86,11 +85,9 @@ pki_ds_ldaps_port=636
 pki_ds_remove_data=True
 pki_ds_secure_connection=False
 pki_ds_secure_connection_ca_nickname=Directory Server CA certificate
-pki_ds_secure_connection_ca_pem_file=
+pki_ds_secure_connection_ca_pem_file=%(ipa_ca_pem_file)s
 pki_group=pkiuser
-pki_hsm_enable=False
+
 pki_hsm_libfile=
 pki_hsm_modulename=
 pki_issuing_ca_hostname=%(pki_security_domain_hostname)s
 pki_issuing_ca_https_port=%(pki_security_domain_https_port)s
 pki_issuing_ca_uri=https://%(ipa_fqdn)s:443
@ -142,15 +139,13 @@ pki_sslserver_subject_dn=cn=%(ipa_fqdn)s,%(ipa_subject_base)s
 pki_subsystem_key_algorithm=%(ipa_key_algorithm)s
 pki_subsystem_key_size=%(ipa_key_size)s
 pki_subsystem_key_type=%(ipa_key_type)s
-pki_subsystem_token=%(ipa_token_name)s
+pki_subsystem_token=%(pki_token_name)s
 # nickname and subject are hard-coded
 pki_subsystem_nickname=subsystemCert cert-pki-ca
 pki_subsystem_subject_dn=cn=CA Subsystem,%(ipa_subject_base)s
 pki_theme_enable=True
 pki_theme_server_dir=/usr/share/pki/common-ui
 pki_token_name=%(ipa_token_name)s
 # pki_token_password
 pki_user=pkiuser
 pki_existing=False
@ -173,28 +168,28 @@ pki_ca_signing_record_create=True
 pki_ca_signing_serial_number=1
 pki_ca_signing_signing_algorithm=%(ipa_ca_signing_algorithm)s
 pki_ca_signing_subject_dn=%(ipa_ca_subject)s
-pki_ca_signing_token=%(ipa_token_name)s
+pki_ca_signing_token=%(pki_token_name)s
-pki_ca_signing_csr_path=%(pki_instance_configuration_path)s/external_ca.csr
+pki_ca_signing_csr_path=/root/ipa.csr
-pki_ocsp_signing_csr_path=
+# pki_ocsp_signing_csr_path=
-pki_audit_signing_csr_path=
+# pki_audit_signing_csr_path=
-pki_sslserver_csr_path=
+# pki_sslserver_csr_path=
-pki_subsystem_csr_path=
+# pki_subsystem_csr_path=
-pki_ocsp_signing_cert_path=
+# pki_ocsp_signing_cert_path=
-pki_audit_signing_cert_path=
+# pki_audit_signing_cert_path=
-pki_sslserver_cert_path=
+# pki_sslserver_cert_path=
-pki_subsystem_cert_path=
+# pki_subsystem_cert_path=
 pki_ca_starting_crl_number=0
 pki_external=False
 pki_external_step_two=False
 pki_req_ext_add=False
 # MS subca request ext data
 pki_req_ext_oid=1.3.6.1.4.1.311.20.2
 pki_req_ext_critical=False
 pki_req_ext_data=1E0A00530075006200430041
 pki_external_step_two=False
 pki_external_pkcs12_path=%(pki_pkcs12_path)s
 pki_external_pkcs12_password=%(pki_pkcs12_password)s
@ -204,7 +199,7 @@ pki_ocsp_signing_key_algorithm=%(ipa_key_algorithm)s
 pki_ocsp_signing_key_size=%(ipa_key_size)s
 pki_ocsp_signing_key_type=%(ipa_key_type)s
 pki_ocsp_signing_signing_algorithm=%(ipa_signing_algorithm)s
-pki_ocsp_signing_token=%(ipa_token_name)s
+pki_ocsp_signing_token=%(pki_token_name)s
 # nickname and subject are hard-coded
 pki_ocsp_signing_nickname=ocspSigningCert cert-pki-ca
 pki_ocsp_signing_subject_dn=cn=OCSP Subsystem,%(ipa_subject_base)s
@ -213,7 +208,7 @@ pki_profiles_in_ldap=True
 pki_random_serial_numbers_enable=False
 pki_subordinate=False
 pki_subordinate_create_new_security_domain=False
-pki_subordinate_security_domain_name=%(pki_dns_domainname)s Subordinate Security Domain
+### pki_subordinate_security_domain_name=%(pki_dns_domainname)s Subordinate Security Domain
 pki_admin_email=%(ipa_admin_email)s
 pki_admin_name=%(ipa_admin_user)s
@ -242,7 +237,7 @@ pki_replica_number_range_end=100
 pki_import_admin_cert=True
 pki_standalone=False
 pki_kra_ephemeral_requests=True
-pki_ds_create_new_db=True
+pki_ds_create_new_db=False
 # pki_admin_csr_path=
 # pki_audit_signing_csr_path=
@ -266,7 +261,7 @@ pki_storage_key_type=%(ipa_key_type)s
 pki_storage_nickname=storageCert cert-pki-kra
 pki_storage_signing_algorithm=SHA256withRSA
 pki_storage_subject_dn=cn=KRA Storage Certificate,%(ipa_subject_base)s
-pki_storage_token=%(ipa_token_name)s
+pki_storage_token=%(pki_token_name)s
 pki_transport_key_algorithm=%(ipa_key_algorithm)s
 pki_transport_key_size=%(ipa_key_size)s
@ -274,7 +269,7 @@ pki_transport_key_type=%(ipa_key_type)s
 pki_transport_nickname=transportCert cert-pki-kra
 pki_transport_signing_algorithm=SHA256withRSA
 pki_transport_subject_dn=cn=KRA Transport Certificate,%(ipa_subject_base)s
-pki_transport_token=%(ipa_token_name)s
+pki_transport_token=%(pki_token_name)s
 pki_admin_email=%(ipa_admin_email)s
 pki_admin_name=%(ipa_admin_user)s
@ -285,5 +280,7 @@ pki_admin_uid=%(ipa_admin_user)s
 pki_audit_signing_nickname=auditSigningCert cert-pki-kra
 pki_audit_signing_subject_dn=cn=KRA Audit,%(ipa_subject_base)s
 # Needed because CA and KRA share the same database
 # We will use the dbuser created for the CA.
 pki_share_db=True
 pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=%(ipa_ds_database)s
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@ -322,7 +322,7 @@ class CAInstance(DogtagInstance):
    def configure_instance(self, host_name, dm_password, admin_password,
                           pkcs12_info=None, master_host=None, csr_file=None,
                           cert_file=None, cert_chain_file=None,
-                           master_replication_port=None,
+                           master_replication_port=389,
                           subject_base=None, ca_subject=None,
                           ca_signing_algorithm=None,
                           ca_type=None, external_ca_profile=None,
@ -361,10 +361,7 @@ class CAInstance(DogtagInstance):
        self.ca_subject = \
            ca_subject or installutils.default_ca_subject_dn(self.subject_base)
-        if ca_signing_algorithm is None:
+        self.ca_signing_algorithm = ca_signing_algorithm
            self.ca_signing_algorithm = 'SHA256withRSA'
        else:
            self.ca_signing_algorithm = ca_signing_algorithm
        if ca_type is not None:
            self.ca_type = ca_type
        else:
@ -490,131 +487,46 @@ class CAInstance(DogtagInstance):
        Creates the config file with IPA specific parameters
        and passes it to the base class to call pkispawn
        """
        cfg = dict(
            pki_ds_secure_connection=self.use_ldaps
        )
-        # Create an empty and secured file
+        if self.ca_signing_algorithm is not None:
-        (cfg_fd, cfg_file) = tempfile.mkstemp()
+            cfg['ipa_ca_signing_algorithm'] = self.ca_signing_algorithm
        os.close(cfg_fd)
        pent = pwd.getpwnam(self.service_user)
        # Create CA configuration
        config = RawConfigParser()
        config.optionxform = str
        config.add_section("CA")
        # Server
        config.set("CA", "pki_security_domain_name", self.security_domain_name)
        config.set("CA", "pki_enable_proxy", "True")
        config.set("CA", "pki_restart_configured_instance", "False")
        config.set("CA", "pki_backup_keys", "True")
        config.set("CA", "pki_backup_password", self.admin_password)
        config.set("CA", "pki_profiles_in_ldap", "True")
        config.set("CA", "pki_default_ocsp_uri",
            "http://{}.{}/ca/ocsp".format(
                ipalib.constants.IPA_CA_RECORD,
                ipautil.format_netloc(api.env.domain)))
        # Configures the status request timeout, i.e. the connect/data
        # timeout on the HTTP request to get the status of Dogtag.
        #
        # This configuration is needed in "multiple IP address" scenarios
        # where this server's hostname has multiple IP addresses but the
        # HTTP server is only listening on one of them.  Without a timeout,
        # if a "wrong" IP address is tried first, it will take a long time
        # to timeout, exceeding the overall timeout hence the request will
        # not be re-tried.  Setting a shorter timeout allows the request
        # to be re-tried.
        #
        # Note that HSMs cause different behaviour so this value might
        # not be suitable for when we implement HSM support.  It is
        # known that a value of 5s is too short in HSM environment.
        #
        config.set("CA", "pki_status_request_timeout", "15")  # 15 seconds
        # Client security database
        config.set("CA", "pki_client_pkcs12_password", self.admin_password)
        # Administrator
        config.set("CA", "pki_admin_name", self.admin_user)
        config.set("CA", "pki_admin_uid", self.admin_user)
        config.set("CA", "pki_admin_email", "root@localhost")
        config.set("CA", "pki_admin_password", self.admin_password)
        config.set("CA", "pki_admin_nickname", "ipa-ca-agent")
        config.set("CA", "pki_admin_subject_dn",
            str(DN(('cn', 'ipa-ca-agent'), self.subject_base)))
        config.set("CA", "pki_client_admin_cert_p12", paths.DOGTAG_ADMIN_P12)
        # Directory server
        config.set("CA", "pki_ds_ldap_port", "389")
        config.set("CA", "pki_ds_password", self.dm_password)
        config.set("CA", "pki_ds_base_dn", str(self.basedn))
        config.set("CA", "pki_ds_database", "ipaca")
        if self.use_ldaps:
            self._use_ldaps_during_spawn(config)
        # Certificate subject DN's
        config.set("CA", "pki_subsystem_subject_dn",
            str(DN(('cn', 'CA Subsystem'), self.subject_base)))
        config.set("CA", "pki_ocsp_signing_subject_dn",
            str(DN(('cn', 'OCSP Subsystem'), self.subject_base)))
        config.set("CA", "pki_sslserver_subject_dn",
            str(DN(('cn', self.fqdn), self.subject_base)))
        config.set("CA", "pki_audit_signing_subject_dn",
            str(DN(('cn', 'CA Audit'), self.subject_base)))
        config.set(
            "CA", "pki_ca_signing_subject_dn",
            str(self.ca_subject))
        # Certificate nicknames
        config.set("CA", "pki_subsystem_nickname", "subsystemCert cert-pki-ca")
        config.set("CA", "pki_ocsp_signing_nickname", "ocspSigningCert cert-pki-ca")
        config.set("CA", "pki_sslserver_nickname", "Server-Cert cert-pki-ca")
        config.set("CA", "pki_audit_signing_nickname", "auditSigningCert cert-pki-ca")
        config.set("CA", "pki_ca_signing_nickname", "caSigningCert cert-pki-ca")
        # CA key algorithm
        config.set("CA", "pki_ca_signing_key_algorithm", self.ca_signing_algorithm)
        if not (os.path.isdir(paths.PKI_TOMCAT_ALIAS_DIR) and
                os.path.isfile(paths.PKI_TOMCAT_PASSWORD_CONF)):
            # generate pin which we know can be used for FIPS NSS database
            pki_pin = ipautil.ipa_generate_password()
-            config.set("CA", "pki_pin", pki_pin)
+            cfg['pki_pin'] = pki_pin
        else:
            pki_pin = None
        if self.clone:
            if self.no_db_setup:
-                config.set("CA", "pki_ds_create_new_db", "False")
+                cfg.update(
-                config.set("CA", "pki_clone_setup_replication", "False")
+                    pki_ds_create_new_db=False,
-                config.set("CA", "pki_clone_reindex_data", "True")
+                    pki_clone_setup_replication=False,
                    pki_clone_reindex_data=True,
                )
            cafile = self.pkcs12_info[0]
            shutil.copy(cafile, paths.TMP_CA_P12)
            pent = pwd.getpwnam(self.service_user)
            os.chown(paths.TMP_CA_P12, pent.pw_uid, pent.pw_gid)
-            # Security domain registration
+            self._configure_clone(
-            config.set("CA", "pki_security_domain_hostname", self.master_host)
+                cfg,
-            config.set("CA", "pki_security_domain_https_port", "443")
+                security_domain_hostname=self.master_host,
-            config.set("CA", "pki_security_domain_user", self.admin_user)
+                clone_pkcs12_path=paths.TMP_CA_P12,
-            config.set("CA", "pki_security_domain_password", self.admin_password)
+            )
            # Clone
            config.set("CA", "pki_clone", "True")
            config.set("CA", "pki_clone_pkcs12_path", paths.TMP_CA_P12)
            config.set("CA", "pki_clone_pkcs12_password", self.dm_password)
            config.set("CA", "pki_clone_replication_security", "TLS")
            config.set("CA", "pki_clone_replication_master_port", str(self.master_replication_port))
            config.set("CA", "pki_clone_replication_clone_port", "389")
            config.set("CA", "pki_clone_replicate_schema", "False")
            config.set("CA", "pki_clone_uri", "https://%s" % ipautil.format_netloc(self.master_host, 443))
        # External CA
        if self.external == 1:
-            config.set("CA", "pki_external", "True")
+            cfg.update(
-            config.set("CA", "pki_external_csr_path", self.csr_file)
+                pki_external=True,
                pki_ca_signing_csr_path=self.csr_file,
            )
            if self.ca_type == ExternalCAType.MS_CS.value:
                # Include MS template name extension in the CSR
@ -624,11 +536,12 @@ class CAInstance(DogtagInstance):
                    template = MSCSTemplateV1(u"SubCA")
                ext_data = binascii.hexlify(template.get_ext_data())
-                config.set("CA", "pki_req_ext_add", "True")
+                cfg.update(
-                config.set("CA", "pki_req_ext_oid", template.ext_oid)
+                    pki_req_ext_add=True,
-                config.set("CA", "pki_req_ext_critical", "False")
+                    pki_req_ext_oid=template.ext_oid,
-                config.set("CA", "pki_req_ext_data", ext_data.decode('ascii'))
+                    pki_req_ext_critical=False,
-
+                    pki_req_ext_data=ext_data.decode('ascii'),
                )
        elif self.external == 2:
            cert_file = tempfile.NamedTemporaryFile()
            with open(self.cert_file, 'rb') as f:
@ -649,28 +562,26 @@ class CAInstance(DogtagInstance):
                cert_chain, re.DOTALL).group(0)
            cert_chain_file = ipautil.write_tmp_file(cert_chain)
-            config.set("CA", "pki_external", "True")
+            cfg.update(
-            config.set("CA", "pki_external_ca_cert_path", cert_file.name)
+                pki_external=True,
-            config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name)
+                pki_ca_signing_cert_path=cert_file.name,
-            config.set("CA", "pki_external_step_two", "True")
+                pki_cert_chain_path=cert_chain_file.name,
-
+                pki_external_step_two=True,
-        # Generate configuration file
+            )
-        with open(cfg_file, "w") as f:
+
-            config.write(f)
+        config = self._create_spawn_config(cfg)
-
+        pent = pwd.getpwnam(self.service_user)
-        # Finally chown the config file (rhbz#1677027)
+        with tempfile.NamedTemporaryFile('w') as f:
-        os.chown(cfg_file, pent.pw_uid, pent.pw_gid)
+            config.write(f)
-
+            f.flush()
-        self.backup_state('installed', True)
+            os.fchown(f.fileno(), pent.pw_uid, pent.pw_gid)
-        try:
+
-            DogtagInstance.spawn_instance(
+            self.backup_state('installed', True)
-                self, cfg_file,
+
-                nolog_list=(self.dm_password,
+            DogtagInstance.spawn_instance(
-                            self.admin_password,
+                self, f.name,
-                            pki_pin)
+                nolog_list=(self.dm_password, self.admin_password, pki_pin)
            )
        finally:
            os.remove(cfg_file)
        if self.external == 1:
            print("The next step is to get %s signed by your CA and re-run %s as:" % (self.csr_file, sys.argv[0]))
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@ -29,12 +29,14 @@ import shutil
 import traceback
 import dbus
 import six
 from pki.client import PKIConnection
 import pki.system
 from ipalib import api, errors, x509
 from ipalib.install import certmonger
-from ipalib.constants import CA_DBUS_TIMEOUT
+from ipalib.constants import CA_DBUS_TIMEOUT, IPA_CA_RECORD
 from ipaplatform import services
 from ipaplatform.constants import constants
 from ipaplatform.paths import paths
@ -47,6 +49,14 @@ from ipaserver.install import sysupgrade
 from ipaserver.install import replication
 from ipaserver.install.installutils import stopped_service
 # pylint: disable=import-error
 if six.PY3:
    from configparser import DEFAULTSECT, ConfigParser, RawConfigParser
 else:
    from ConfigParser import DEFAULTSECT, RawConfigParser
    from ConfigParser import SafeConfigParser as ConfigParser
 # pylint: enable=import-error
 logger = logging.getLogger(__name__)
@ -102,6 +112,10 @@ class DogtagInstance(service.Service):
        b'userdn="ldap:///uid=*,ou=people,o=ipaca";)'
    )
    ipaca_default = os.path.join(
        paths.USR_SHARE_IPA_DIR, "ipaca_default.ini"
    )
    def __init__(self, realm, subsystem, service_desc, host_name=None,
                 nss_db=paths.PKI_TOMCAT_ALIAS_DIR, service_prefix=None,
                 config=None):
@ -131,11 +145,15 @@ class DogtagInstance(service.Service):
        self.security_domain_name = "IPA"
        # replication parameters
        self.master_host = None
-        self.master_replication_port = None
+        self.master_replication_port = 389
        self.subject_base = None
        self.nss_db = nss_db
        self.config = config  # Path to CS.cfg
        self.ca_subject = None
        self.subject_base = None
        # filled out by configure_instance
    def is_installed(self):
        """
        Determine if subsystem instance has been installed.
@ -515,16 +533,6 @@ class DogtagInstance(service.Service):
            self.__remove_admin_from_group(group)
        api.Backend.ldap2.delete_entry(self.admin_dn)
    def _use_ldaps_during_spawn(self, config, ds_cacert=paths.IPA_CA_CRT):
        """
        config is a RawConfigParser object
        cs_cacert is path to a PEM CA certificate
        """
        config.set(self.subsystem, "pki_ds_ldaps_port", "636")
        config.set(self.subsystem, "pki_ds_secure_connection", "True")
        config.set(self.subsystem, "pki_ds_secure_connection_ca_pem_file",
                   ds_cacert)
    def backup_config(self):
        """
        Create a backup copy of CS.cfg
@ -583,3 +591,98 @@ class DogtagInstance(service.Service):
            dn, exitcode
        )
        sysupgrade.set_upgrade_state('dogtag', state_name, True)
    def _configure_clone(self, subsystem_config, security_domain_hostname,
                         clone_pkcs12_path):
        subsystem_config.update(
            # Security domain registration
            pki_security_domain_hostname=security_domain_hostname,
            pki_security_domain_https_port=443,
            pki_security_domain_user=self.admin_user,
            pki_security_domain_password=self.admin_password,
            # Clone
            pki_clone=True,
            pki_clone_pkcs12_path=clone_pkcs12_path,
            pki_clone_pkcs12_password=self.dm_password,
            pki_clone_replication_security="TLS",
            pki_clone_replication_master_port=self.master_replication_port,
            pki_clone_replication_clone_port=389,
            pki_clone_replicate_schema=False,
            pki_clone_uri="https://%s" % ipautil.format_netloc(
                self.master_host, 443),
        )
    def _create_spawn_config(self, subsystem_config):
        """Create config instance
        """
        defaults = dict(
            # pretty much static
            ipa_security_domain_name=self.security_domain_name,
            ipa_ds_database=u"ipaca",
            ipa_ds_base_dn=self.basedn,
            ipa_admin_user=self.admin_user,
            ipa_admin_nickname="ipa-ca-agent",
            ipa_ca_pem_file=paths.IPA_CA_CRT,
            # variable
            ipa_ca_subject=self.ca_subject,
            ipa_subject_base=self.subject_base,
            ipa_fqdn=self.fqdn,
            ipa_ocsp_uri="http://{}.{}/ca/ocsp".format(
                IPA_CA_RECORD, ipautil.format_netloc(api.env.domain)),
            ipa_admin_cert_p12=paths.DOGTAG_ADMIN_P12,
            pki_admin_password=self.admin_password,
            pki_ds_password=self.dm_password,
            # Dogtag's pkiparser defines these config vars by default:
            pki_dns_domainname=api.env.domain,
            pki_hostname=self.fqdn,
            pki_subsystem=self.subsystem.upper(),
            pki_subsystem_type=self.subsystem.lower(),
            home_dir=os.path.expanduser("~"),
        )
        def mangle_values(d):
            """Stringify and quote % as %% to avoid interpolation errors
            * booleans are converted to 'True', 'False'
            * DN and numbers are converted to string
            * None is turned into empty string ''
            """
            result = {}
            for k, v in d.items():
                if isinstance(v, (DN, bool, six.integer_types)):
                    v = six.text_type(v)
                elif v is None:
                    v = ''
                result[k] = v.replace('%', '%%')
            return result
        defaults = mangle_values(defaults)
        subsystem_config = mangle_values(subsystem_config)
        # create a config template with interpolation support
        # read base config
        cfgtpl = ConfigParser(defaults=defaults)
        cfgtpl.optionxform = str
        with open(self.ipaca_default) as f:
            cfgtpl.readfp(f)  # pylint: disable=deprecated-method
        # overwrite defaults with our defaults
        for key, value in defaults.items():
            cfgtpl.set(DEFAULTSECT, key, value)
        # overwrite CA/KRA config with subsystem settings
        section_name = self.subsystem.upper()
        for key, value in subsystem_config.items():
            cfgtpl.set(section_name, key, value)
        # Next up, get rid of interpolation variables, DEFAULT,
        # irrelevant sections and unused variables. Only the subsystem
        # section is copied into a new raw config parser. A raw config
        # parser is necessary, because ConfigParser.write() write passwords
        # with '%' in a way, that is not accepted by Dogtag.
        config = RawConfigParser()
        config.optionxform = str
        config.add_section(section_name)
        for key, value in sorted(cfgtpl.items(section=section_name)):
            if key.startswith('pki_'):
                config.set(section_name, key, value)
        return config
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@ -25,7 +25,6 @@ import pwd
 import shutil
 import tempfile
 import base64
 from configparser import RawConfigParser
 from ipalib import api
 from ipalib import x509
@ -159,93 +158,25 @@ class KRAInstance(DogtagInstance):
        (admin_p12_fd, admin_p12_file) = tempfile.mkstemp()
        os.close(admin_p12_fd)
-        # Create KRA configuration
+        cfg = dict(
-        config = RawConfigParser()
+            pki_issuing_ca_uri="https://{}".format(
-        config.optionxform = str
+                ipautil.format_netloc(self.fqdn, 443)),
-        config.add_section("KRA")
+            # Client security database
-
+            pki_client_database_dir=self.tmp_agent_db,
-        # Security Domain Authentication
+            pki_client_database_password=tmp_agent_pwd,
-        config.set("KRA", "pki_security_domain_https_port", "443")
+            pki_client_database_purge=True,
-        config.set("KRA", "pki_security_domain_password", self.admin_password)
+            pki_client_pkcs12_password=self.admin_password,
-        config.set("KRA", "pki_security_domain_user", self.admin_user)
+            pki_import_admin_cert=False,
-
+            pki_client_admin_cert_p12=admin_p12_file,
-        # issuing ca
+            pki_ds_secure_connection=True,  # always LDAPS
-        config.set("KRA", "pki_issuing_ca_uri", "https://%s" %
+            pki_ds_create_new_db=False,
-                   ipautil.format_netloc(self.fqdn, 443))
+        )
        # Server
        config.set("KRA", "pki_enable_proxy", "True")
        config.set("KRA", "pki_restart_configured_instance", "False")
        config.set("KRA", "pki_backup_keys", "True")
        config.set("KRA", "pki_backup_password", self.admin_password)
        # Client security database
        config.set("KRA", "pki_client_database_dir", self.tmp_agent_db)
        config.set("KRA", "pki_client_database_password", tmp_agent_pwd)
        config.set("KRA", "pki_client_database_purge", "True")
        config.set("KRA", "pki_client_pkcs12_password", self.admin_password)
        # Administrator
        config.set("KRA", "pki_admin_name", self.admin_user)
        config.set("KRA", "pki_admin_uid", self.admin_user)
        config.set("KRA", "pki_admin_email", "root@localhost")
        config.set("KRA", "pki_admin_password", self.admin_password)
        config.set("KRA", "pki_admin_nickname", "ipa-ca-agent")
        config.set("KRA", "pki_admin_subject_dn",
                   str(DN(('cn', 'ipa-ca-agent'), self.subject_base)))
        config.set("KRA", "pki_import_admin_cert", "False")
        config.set("KRA", "pki_client_admin_cert_p12", admin_p12_file)
        # Directory server
        config.set("KRA", "pki_ds_ldap_port", "389")
        config.set("KRA", "pki_ds_password", self.dm_password)
        config.set("KRA", "pki_ds_base_dn", str(self.basedn))
        config.set("KRA", "pki_ds_database", "ipaca")
        config.set("KRA", "pki_ds_create_new_db", "False")
        self._use_ldaps_during_spawn(config)
        # Certificate subject DNs
        config.set("KRA", "pki_subsystem_subject_dn",
                   str(DN(('cn', 'CA Subsystem'), self.subject_base)))
        config.set("KRA", "pki_sslserver_subject_dn",
                   str(DN(('cn', self.fqdn), self.subject_base)))
        config.set("KRA", "pki_audit_signing_subject_dn",
                   str(DN(('cn', 'KRA Audit'), self.subject_base)))
        config.set(
            "KRA", "pki_transport_subject_dn",
            str(DN(('cn', 'KRA Transport Certificate'), self.subject_base)))
        config.set(
            "KRA", "pki_storage_subject_dn",
            str(DN(('cn', 'KRA Storage Certificate'), self.subject_base)))
        # Certificate nicknames
        # Note that both the server certs and subsystem certs reuse
        # the ca certs.
        config.set("KRA", "pki_subsystem_nickname",
                   "subsystemCert cert-pki-ca")
        config.set("KRA", "pki_sslserver_nickname",
                   "Server-Cert cert-pki-ca")
        config.set("KRA", "pki_audit_signing_nickname",
                   "auditSigningCert cert-pki-kra")
        config.set("KRA", "pki_transport_nickname",
                   "transportCert cert-pki-kra")
        config.set("KRA", "pki_storage_nickname",
                   "storageCert cert-pki-kra")
        # Shared db settings
        # Needed because CA and KRA share the same database
        # We will use the dbuser created for the CA
        config.set("KRA", "pki_share_db", "True")
        config.set(
            "KRA", "pki_share_dbuser_dn",
            str(DN(('uid', 'pkidbuser'), ('ou', 'people'), ('o', 'ipaca'))))
        if not (os.path.isdir(paths.PKI_TOMCAT_ALIAS_DIR) and
                os.path.isfile(paths.PKI_TOMCAT_PASSWORD_CONF)):
            # generate pin which we know can be used for FIPS NSS database
            pki_pin = ipautil.ipa_generate_password()
-            config.set("KRA", "pki_pin", pki_pin)
+            cfg['pki_pin'] = pki_pin
        else:
            pki_pin = None
@ -257,21 +188,14 @@ class KRAInstance(DogtagInstance):
            pent = pwd.getpwnam(self.service_user)
            os.chown(p12_tmpfile_name, pent.pw_uid, pent.pw_gid)
-            # Security domain registration
+            self._configure_clone(
-            config.set("KRA", "pki_security_domain_hostname", self.fqdn)
+                cfg,
-            config.set("KRA", "pki_security_domain_https_port", "443")
+                security_domain_hostname=self.fqdn,
-            config.set("KRA", "pki_security_domain_user", self.admin_user)
+                clone_pkcs12_path=p12_tmpfile_name,
-            config.set("KRA", "pki_security_domain_password",
+            )
-                       self.admin_password)
+            cfg.update(
-
+                pki_clone_setup_replication=False,
-            # Clone
+            )
            config.set("KRA", "pki_clone", "True")
            config.set("KRA", "pki_clone_pkcs12_path", p12_tmpfile_name)
            config.set("KRA", "pki_clone_pkcs12_password", self.dm_password)
            config.set("KRA", "pki_clone_setup_replication", "False")
            config.set(
                "KRA", "pki_clone_uri",
                "https://%s" % ipautil.format_netloc(self.master_host, 443))
        else:
            # the admin cert file is needed for the first instance of KRA
            cert = self.get_admin_cert()
@ -285,6 +209,7 @@ class KRAInstance(DogtagInstance):
                )
        # Generate configuration file
        config = self._create_spawn_config(cfg)
        with open(cfg_file, "w") as f:
            config.write(f)