IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Use new pki_ipaca.ini to spawn instances

Browse Source 
Note: Some configuration stanzas are deprecated and have been replaced
with new stanzas, e.g. pki_cert_chain_path instead of
pki_external_ca_cert_chain_path.

Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
Christian Heimes 2018-08-30 16:42:40 +02:00
parent 70beccada2
commit f847d7756f
6 changed files with 227 additions and 289 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
freeipa.spec.in
View File

@ -1082,6 +1082,7 @@ fi
# END
%{_usr}/share/ipa/wsgi.py*
%{_usr}/share/ipa/kdcproxy.wsgi
%{_usr}/share/ipa/ipaca*.ini
%{_usr}/share/ipa/*.ldif
%{_usr}/share/ipa/*.uldif
%{_usr}/share/ipa/*.template

1
install/share/Makefile.am
View File

@ -95,6 +95,7 @@ dist_app_DATA = \
ipa-pki-proxy.conf.template \
ipa-rewrite.conf.template \
min-ssf.ldif \
ipaca_default.ini \
$(NULL)
kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy

83
install/share/ipaca_default.ini
View File

@ -6,6 +6,7 @@
[DEFAULT]
ipa_admin_email=root@localhost
# default algorithms for all certificates
ipa_key_algorithm=SHA256withRSA
ipa_key_size=2048
@ -21,31 +22,31 @@ ipa_ca_key_type=%(ipa_key_type)s
# hard-coded IPA default settings
ipa_security_domain_name=IPA
ipa_ds_database=ipaca
ipa_ds_base_dn=o=%(ipa_ds_database)s
ipa_admin_user=admin
ipa_admin_nickname=ipa-ca-agent
ipa_ca_pem_file=/etc/ipa/ca.crt
# dynamic values
ipa_ca_subject=
ipa_subject_base=
ipa_fqdn=
ipa_ocsp_uri=
ipa_admin_cert_p12=
ipa_master_host=
ipa_clone_uri=
## dynamic values
# ipa_ca_subject=
# ipa_ds_base_dn=
# ipa_subject_base=
# ipa_fqdn=
# ipa_ocsp_uri=
# ipa_admin_cert_p12=
# sensitive dynamic values
pki_admin_password=
pki_ds_password=
pki_token_password=
# pki_admin_password=
# pki_ds_password=
# pki_token_password=
# HSM support
ipa_backup_keys=True
ipa_hsm_enable=False
ipa_hsm_libfile=
ipa_hsm_modulename=
ipa_token_name=internal
pki_hsm_enable=False
pki_hsm_libfile=
pki_hsm_modulename=
pki_token_name=internal
# backup is automatically disabled when HSM support is enabled
pki_backup_keys=True
pki_backup_password=%(pki_admin_password)s
# Dogtag defaults
pki_instance_name=pki-tomcat
@ -64,10 +65,8 @@ pki_audit_signing_key_algorithm=%(ipa_key_algorithm)s
pki_audit_signing_key_size=%(ipa_key_size)s
pki_audit_signing_key_type=%(ipa_key_type)s
pki_audit_signing_signing_algorithm=%(ipa_signing_algorithm)s
pki_audit_signing_token=%(ipa_token_name)s
pki_audit_signing_token=%(pki_token_name)s
pki_backup_keys=True
pki_backup_password=%(pki_admin_password)s
pki_ca_hostname=%(pki_security_domain_hostname)s
pki_ca_port=%(pki_security_domain_https_port)s
@ -86,11 +85,9 @@ pki_ds_ldaps_port=636
pki_ds_remove_data=True
pki_ds_secure_connection=False
pki_ds_secure_connection_ca_nickname=Directory Server CA certificate
pki_ds_secure_connection_ca_pem_file=
pki_ds_secure_connection_ca_pem_file=%(ipa_ca_pem_file)s
pki_group=pkiuser
pki_hsm_enable=False
pki_hsm_libfile=
pki_hsm_modulename=
pki_issuing_ca_hostname=%(pki_security_domain_hostname)s
pki_issuing_ca_https_port=%(pki_security_domain_https_port)s
pki_issuing_ca_uri=https://%(ipa_fqdn)s:443
@ -142,15 +139,13 @@ pki_sslserver_subject_dn=cn=%(ipa_fqdn)s,%(ipa_subject_base)s
pki_subsystem_key_algorithm=%(ipa_key_algorithm)s
pki_subsystem_key_size=%(ipa_key_size)s
pki_subsystem_key_type=%(ipa_key_type)s
pki_subsystem_token=%(ipa_token_name)s
pki_subsystem_token=%(pki_token_name)s
# nickname and subject are hard-coded
pki_subsystem_nickname=subsystemCert cert-pki-ca
pki_subsystem_subject_dn=cn=CA Subsystem,%(ipa_subject_base)s
pki_theme_enable=True
pki_theme_server_dir=/usr/share/pki/common-ui
pki_token_name=%(ipa_token_name)s
# pki_token_password
pki_user=pkiuser
pki_existing=False
@ -173,28 +168,28 @@ pki_ca_signing_record_create=True
pki_ca_signing_serial_number=1
pki_ca_signing_signing_algorithm=%(ipa_ca_signing_algorithm)s
pki_ca_signing_subject_dn=%(ipa_ca_subject)s
pki_ca_signing_token=%(ipa_token_name)s
pki_ca_signing_token=%(pki_token_name)s
pki_ca_signing_csr_path=%(pki_instance_configuration_path)s/external_ca.csr
pki_ca_signing_csr_path=/root/ipa.csr
pki_ocsp_signing_csr_path=
pki_audit_signing_csr_path=
pki_sslserver_csr_path=
pki_subsystem_csr_path=
# pki_ocsp_signing_csr_path=
# pki_audit_signing_csr_path=
# pki_sslserver_csr_path=
# pki_subsystem_csr_path=
pki_ocsp_signing_cert_path=
pki_audit_signing_cert_path=
pki_sslserver_cert_path=
pki_subsystem_cert_path=
# pki_ocsp_signing_cert_path=
# pki_audit_signing_cert_path=
# pki_sslserver_cert_path=
# pki_subsystem_cert_path=
pki_ca_starting_crl_number=0
pki_external=False
pki_external_step_two=False
pki_req_ext_add=False
# MS subca request ext data
pki_req_ext_oid=1.3.6.1.4.1.311.20.2
pki_req_ext_critical=False
pki_req_ext_data=1E0A00530075006200430041
pki_external_step_two=False
pki_external_pkcs12_path=%(pki_pkcs12_path)s
pki_external_pkcs12_password=%(pki_pkcs12_password)s
@ -204,7 +199,7 @@ pki_ocsp_signing_key_algorithm=%(ipa_key_algorithm)s
pki_ocsp_signing_key_size=%(ipa_key_size)s
pki_ocsp_signing_key_type=%(ipa_key_type)s
pki_ocsp_signing_signing_algorithm=%(ipa_signing_algorithm)s
pki_ocsp_signing_token=%(ipa_token_name)s
pki_ocsp_signing_token=%(pki_token_name)s
# nickname and subject are hard-coded
pki_ocsp_signing_nickname=ocspSigningCert cert-pki-ca
pki_ocsp_signing_subject_dn=cn=OCSP Subsystem,%(ipa_subject_base)s
@ -213,7 +208,7 @@ pki_profiles_in_ldap=True
pki_random_serial_numbers_enable=False
pki_subordinate=False
pki_subordinate_create_new_security_domain=False
pki_subordinate_security_domain_name=%(pki_dns_domainname)s Subordinate Security Domain
### pki_subordinate_security_domain_name=%(pki_dns_domainname)s Subordinate Security Domain
pki_admin_email=%(ipa_admin_email)s
pki_admin_name=%(ipa_admin_user)s
@ -242,7 +237,7 @@ pki_replica_number_range_end=100
pki_import_admin_cert=True
pki_standalone=False
pki_kra_ephemeral_requests=True
pki_ds_create_new_db=True
pki_ds_create_new_db=False
# pki_admin_csr_path=
# pki_audit_signing_csr_path=
@ -266,7 +261,7 @@ pki_storage_key_type=%(ipa_key_type)s
pki_storage_nickname=storageCert cert-pki-kra
pki_storage_signing_algorithm=SHA256withRSA
pki_storage_subject_dn=cn=KRA Storage Certificate,%(ipa_subject_base)s
pki_storage_token=%(ipa_token_name)s
pki_storage_token=%(pki_token_name)s
pki_transport_key_algorithm=%(ipa_key_algorithm)s
pki_transport_key_size=%(ipa_key_size)s
@ -274,7 +269,7 @@ pki_transport_key_type=%(ipa_key_type)s
pki_transport_nickname=transportCert cert-pki-kra
pki_transport_signing_algorithm=SHA256withRSA
pki_transport_subject_dn=cn=KRA Transport Certificate,%(ipa_subject_base)s
pki_transport_token=%(ipa_token_name)s
pki_transport_token=%(pki_token_name)s
pki_admin_email=%(ipa_admin_email)s
pki_admin_name=%(ipa_admin_user)s
@ -285,5 +280,7 @@ pki_admin_uid=%(ipa_admin_user)s
pki_audit_signing_nickname=auditSigningCert cert-pki-kra
pki_audit_signing_subject_dn=cn=KRA Audit,%(ipa_subject_base)s
# Needed because CA and KRA share the same database
# We will use the dbuser created for the CA.
pki_share_db=True
pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=%(ipa_ds_database)s

183
ipaserver/install/cainstance.py
View File

@ -322,7 +322,7 @@ class CAInstance(DogtagInstance):
def configure_instance(self, host_name, dm_password, admin_password,
pkcs12_info=None, master_host=None, csr_file=None,
cert_file=None, cert_chain_file=None,
master_replication_port=None,
master_replication_port=389,
subject_base=None, ca_subject=None,
ca_signing_algorithm=None,
ca_type=None, external_ca_profile=None,
@ -361,10 +361,7 @@ class CAInstance(DogtagInstance):
self.ca_subject = \
ca_subject or installutils.default_ca_subject_dn(self.subject_base)
if ca_signing_algorithm is None:
self.ca_signing_algorithm = 'SHA256withRSA'
else:
self.ca_signing_algorithm = ca_signing_algorithm
self.ca_signing_algorithm = ca_signing_algorithm
if ca_type is not None:
self.ca_type = ca_type
else:
@ -490,131 +487,46 @@ class CAInstance(DogtagInstance):
Creates the config file with IPA specific parameters
and passes it to the base class to call pkispawn
"""
cfg = dict(
pki_ds_secure_connection=self.use_ldaps
)
# Create an empty and secured file
(cfg_fd, cfg_file) = tempfile.mkstemp()
os.close(cfg_fd)
pent = pwd.getpwnam(self.service_user)
# Create CA configuration
config = RawConfigParser()
config.optionxform = str
config.add_section("CA")
# Server
config.set("CA", "pki_security_domain_name", self.security_domain_name)
config.set("CA", "pki_enable_proxy", "True")
config.set("CA", "pki_restart_configured_instance", "False")
config.set("CA", "pki_backup_keys", "True")
config.set("CA", "pki_backup_password", self.admin_password)
config.set("CA", "pki_profiles_in_ldap", "True")
config.set("CA", "pki_default_ocsp_uri",
"http://{}.{}/ca/ocsp".format(
ipalib.constants.IPA_CA_RECORD,
ipautil.format_netloc(api.env.domain)))
# Configures the status request timeout, i.e. the connect/data
# timeout on the HTTP request to get the status of Dogtag.
#
# This configuration is needed in "multiple IP address" scenarios
# where this server's hostname has multiple IP addresses but the
# HTTP server is only listening on one of them. Without a timeout,
# if a "wrong" IP address is tried first, it will take a long time
# to timeout, exceeding the overall timeout hence the request will
# not be re-tried. Setting a shorter timeout allows the request
# to be re-tried.
#
# Note that HSMs cause different behaviour so this value might
# not be suitable for when we implement HSM support. It is
# known that a value of 5s is too short in HSM environment.
#
config.set("CA", "pki_status_request_timeout", "15") # 15 seconds
# Client security database
config.set("CA", "pki_client_pkcs12_password", self.admin_password)
# Administrator
config.set("CA", "pki_admin_name", self.admin_user)
config.set("CA", "pki_admin_uid", self.admin_user)
config.set("CA", "pki_admin_email", "root@localhost")
config.set("CA", "pki_admin_password", self.admin_password)
config.set("CA", "pki_admin_nickname", "ipa-ca-agent")
config.set("CA", "pki_admin_subject_dn",
str(DN(('cn', 'ipa-ca-agent'), self.subject_base)))
config.set("CA", "pki_client_admin_cert_p12", paths.DOGTAG_ADMIN_P12)
# Directory server
config.set("CA", "pki_ds_ldap_port", "389")
config.set("CA", "pki_ds_password", self.dm_password)
config.set("CA", "pki_ds_base_dn", str(self.basedn))
config.set("CA", "pki_ds_database", "ipaca")
if self.use_ldaps:
self._use_ldaps_during_spawn(config)
# Certificate subject DN's
config.set("CA", "pki_subsystem_subject_dn",
str(DN(('cn', 'CA Subsystem'), self.subject_base)))
config.set("CA", "pki_ocsp_signing_subject_dn",
str(DN(('cn', 'OCSP Subsystem'), self.subject_base)))
config.set("CA", "pki_sslserver_subject_dn",
str(DN(('cn', self.fqdn), self.subject_base)))
config.set("CA", "pki_audit_signing_subject_dn",
str(DN(('cn', 'CA Audit'), self.subject_base)))
config.set(
"CA", "pki_ca_signing_subject_dn",
str(self.ca_subject))
# Certificate nicknames
config.set("CA", "pki_subsystem_nickname", "subsystemCert cert-pki-ca")
config.set("CA", "pki_ocsp_signing_nickname", "ocspSigningCert cert-pki-ca")
config.set("CA", "pki_sslserver_nickname", "Server-Cert cert-pki-ca")
config.set("CA", "pki_audit_signing_nickname", "auditSigningCert cert-pki-ca")
config.set("CA", "pki_ca_signing_nickname", "caSigningCert cert-pki-ca")
# CA key algorithm
config.set("CA", "pki_ca_signing_key_algorithm", self.ca_signing_algorithm)
if self.ca_signing_algorithm is not None:
cfg['ipa_ca_signing_algorithm'] = self.ca_signing_algorithm
if not (os.path.isdir(paths.PKI_TOMCAT_ALIAS_DIR) and
os.path.isfile(paths.PKI_TOMCAT_PASSWORD_CONF)):
# generate pin which we know can be used for FIPS NSS database
pki_pin = ipautil.ipa_generate_password()
config.set("CA", "pki_pin", pki_pin)
cfg['pki_pin'] = pki_pin
else:
pki_pin = None
if self.clone:
if self.no_db_setup:
config.set("CA", "pki_ds_create_new_db", "False")
config.set("CA", "pki_clone_setup_replication", "False")
config.set("CA", "pki_clone_reindex_data", "True")
cfg.update(
pki_ds_create_new_db=False,
pki_clone_setup_replication=False,
pki_clone_reindex_data=True,
)
cafile = self.pkcs12_info[0]
shutil.copy(cafile, paths.TMP_CA_P12)
pent = pwd.getpwnam(self.service_user)
os.chown(paths.TMP_CA_P12, pent.pw_uid, pent.pw_gid)
# Security domain registration
config.set("CA", "pki_security_domain_hostname", self.master_host)
config.set("CA", "pki_security_domain_https_port", "443")
config.set("CA", "pki_security_domain_user", self.admin_user)
config.set("CA", "pki_security_domain_password", self.admin_password)
# Clone
config.set("CA", "pki_clone", "True")
config.set("CA", "pki_clone_pkcs12_path", paths.TMP_CA_P12)
config.set("CA", "pki_clone_pkcs12_password", self.dm_password)
config.set("CA", "pki_clone_replication_security", "TLS")
config.set("CA", "pki_clone_replication_master_port", str(self.master_replication_port))
config.set("CA", "pki_clone_replication_clone_port", "389")
config.set("CA", "pki_clone_replicate_schema", "False")
config.set("CA", "pki_clone_uri", "https://%s" % ipautil.format_netloc(self.master_host, 443))
self._configure_clone(
cfg,
security_domain_hostname=self.master_host,
clone_pkcs12_path=paths.TMP_CA_P12,
)
# External CA
if self.external == 1:
config.set("CA", "pki_external", "True")
config.set("CA", "pki_external_csr_path", self.csr_file)
cfg.update(
pki_external=True,
pki_ca_signing_csr_path=self.csr_file,
)
if self.ca_type == ExternalCAType.MS_CS.value:
# Include MS template name extension in the CSR
@ -624,11 +536,12 @@ class CAInstance(DogtagInstance):
template = MSCSTemplateV1(u"SubCA")
ext_data = binascii.hexlify(template.get_ext_data())
config.set("CA", "pki_req_ext_add", "True")
config.set("CA", "pki_req_ext_oid", template.ext_oid)
config.set("CA", "pki_req_ext_critical", "False")
config.set("CA", "pki_req_ext_data", ext_data.decode('ascii'))
cfg.update(
pki_req_ext_add=True,
pki_req_ext_oid=template.ext_oid,
pki_req_ext_critical=False,
pki_req_ext_data=ext_data.decode('ascii'),
)
elif self.external == 2:
cert_file = tempfile.NamedTemporaryFile()
with open(self.cert_file, 'rb') as f:
@ -649,28 +562,26 @@ class CAInstance(DogtagInstance):
cert_chain, re.DOTALL).group(0)
cert_chain_file = ipautil.write_tmp_file(cert_chain)
config.set("CA", "pki_external", "True")
config.set("CA", "pki_external_ca_cert_path", cert_file.name)
config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name)
config.set("CA", "pki_external_step_two", "True")
# Generate configuration file
with open(cfg_file, "w") as f:
config.write(f)
# Finally chown the config file (rhbz#1677027)
os.chown(cfg_file, pent.pw_uid, pent.pw_gid)
self.backup_state('installed', True)
try:
DogtagInstance.spawn_instance(
self, cfg_file,
nolog_list=(self.dm_password,
self.admin_password,
pki_pin)
cfg.update(
pki_external=True,
pki_ca_signing_cert_path=cert_file.name,
pki_cert_chain_path=cert_chain_file.name,
pki_external_step_two=True,
)
config = self._create_spawn_config(cfg)
pent = pwd.getpwnam(self.service_user)
with tempfile.NamedTemporaryFile('w') as f:
config.write(f)
f.flush()
os.fchown(f.fileno(), pent.pw_uid, pent.pw_gid)
self.backup_state('installed', True)
DogtagInstance.spawn_instance(
self, f.name,
nolog_list=(self.dm_password, self.admin_password, pki_pin)
)
finally:
os.remove(cfg_file)
if self.external == 1:
print("The next step is to get %s signed by your CA and re-run %s as:" % (self.csr_file, sys.argv[0]))

127
ipaserver/install/dogtaginstance.py
View File

@ -29,12 +29,14 @@ import shutil
import traceback
import dbus
import six
from pki.client import PKIConnection
import pki.system
from ipalib import api, errors, x509
from ipalib.install import certmonger
from ipalib.constants import CA_DBUS_TIMEOUT
from ipalib.constants import CA_DBUS_TIMEOUT, IPA_CA_RECORD
from ipaplatform import services
from ipaplatform.constants import constants
from ipaplatform.paths import paths
@ -47,6 +49,14 @@ from ipaserver.install import sysupgrade
from ipaserver.install import replication
from ipaserver.install.installutils import stopped_service
# pylint: disable=import-error
if six.PY3:
from configparser import DEFAULTSECT, ConfigParser, RawConfigParser
else:
from ConfigParser import DEFAULTSECT, RawConfigParser
from ConfigParser import SafeConfigParser as ConfigParser
# pylint: enable=import-error
logger = logging.getLogger(__name__)
@ -102,6 +112,10 @@ class DogtagInstance(service.Service):
b'userdn="ldap:///uid=*,ou=people,o=ipaca";)'
)
ipaca_default = os.path.join(
paths.USR_SHARE_IPA_DIR, "ipaca_default.ini"
)
def __init__(self, realm, subsystem, service_desc, host_name=None,
nss_db=paths.PKI_TOMCAT_ALIAS_DIR, service_prefix=None,
config=None):
@ -131,11 +145,15 @@ class DogtagInstance(service.Service):
self.security_domain_name = "IPA"
# replication parameters
self.master_host = None
self.master_replication_port = None
self.master_replication_port = 389
self.subject_base = None
self.nss_db = nss_db
self.config = config # Path to CS.cfg
self.ca_subject = None
self.subject_base = None
# filled out by configure_instance
def is_installed(self):
"""
Determine if subsystem instance has been installed.
@ -515,16 +533,6 @@ class DogtagInstance(service.Service):
self.__remove_admin_from_group(group)
api.Backend.ldap2.delete_entry(self.admin_dn)
def _use_ldaps_during_spawn(self, config, ds_cacert=paths.IPA_CA_CRT):
"""
config is a RawConfigParser object
cs_cacert is path to a PEM CA certificate
"""
config.set(self.subsystem, "pki_ds_ldaps_port", "636")
config.set(self.subsystem, "pki_ds_secure_connection", "True")
config.set(self.subsystem, "pki_ds_secure_connection_ca_pem_file",
ds_cacert)
def backup_config(self):
"""
Create a backup copy of CS.cfg
@ -583,3 +591,98 @@ class DogtagInstance(service.Service):
dn, exitcode
)
sysupgrade.set_upgrade_state('dogtag', state_name, True)
def _configure_clone(self, subsystem_config, security_domain_hostname,
clone_pkcs12_path):
subsystem_config.update(
# Security domain registration
pki_security_domain_hostname=security_domain_hostname,
pki_security_domain_https_port=443,
pki_security_domain_user=self.admin_user,
pki_security_domain_password=self.admin_password,
# Clone
pki_clone=True,
pki_clone_pkcs12_path=clone_pkcs12_path,
pki_clone_pkcs12_password=self.dm_password,
pki_clone_replication_security="TLS",
pki_clone_replication_master_port=self.master_replication_port,
pki_clone_replication_clone_port=389,
pki_clone_replicate_schema=False,
pki_clone_uri="https://%s" % ipautil.format_netloc(
self.master_host, 443),
)
def _create_spawn_config(self, subsystem_config):
"""Create config instance
"""
defaults = dict(
# pretty much static
ipa_security_domain_name=self.security_domain_name,
ipa_ds_database=u"ipaca",
ipa_ds_base_dn=self.basedn,
ipa_admin_user=self.admin_user,
ipa_admin_nickname="ipa-ca-agent",
ipa_ca_pem_file=paths.IPA_CA_CRT,
# variable
ipa_ca_subject=self.ca_subject,
ipa_subject_base=self.subject_base,
ipa_fqdn=self.fqdn,
ipa_ocsp_uri="http://{}.{}/ca/ocsp".format(
IPA_CA_RECORD, ipautil.format_netloc(api.env.domain)),
ipa_admin_cert_p12=paths.DOGTAG_ADMIN_P12,
pki_admin_password=self.admin_password,
pki_ds_password=self.dm_password,
# Dogtag's pkiparser defines these config vars by default:
pki_dns_domainname=api.env.domain,
pki_hostname=self.fqdn,
pki_subsystem=self.subsystem.upper(),
pki_subsystem_type=self.subsystem.lower(),
home_dir=os.path.expanduser("~"),
)
def mangle_values(d):
"""Stringify and quote % as %% to avoid interpolation errors
* booleans are converted to 'True', 'False'
* DN and numbers are converted to string
* None is turned into empty string ''
"""
result = {}
for k, v in d.items():
if isinstance(v, (DN, bool, six.integer_types)):
v = six.text_type(v)
elif v is None:
v = ''
result[k] = v.replace('%', '%%')
return result
defaults = mangle_values(defaults)
subsystem_config = mangle_values(subsystem_config)
# create a config template with interpolation support
# read base config
cfgtpl = ConfigParser(defaults=defaults)
cfgtpl.optionxform = str
with open(self.ipaca_default) as f:
cfgtpl.readfp(f) # pylint: disable=deprecated-method
# overwrite defaults with our defaults
for key, value in defaults.items():
cfgtpl.set(DEFAULTSECT, key, value)
# overwrite CA/KRA config with subsystem settings
section_name = self.subsystem.upper()
for key, value in subsystem_config.items():
cfgtpl.set(section_name, key, value)
# Next up, get rid of interpolation variables, DEFAULT,
# irrelevant sections and unused variables. Only the subsystem
# section is copied into a new raw config parser. A raw config
# parser is necessary, because ConfigParser.write() write passwords
# with '%' in a way, that is not accepted by Dogtag.
config = RawConfigParser()
config.optionxform = str
config.add_section(section_name)
for key, value in sorted(cfgtpl.items(section=section_name)):
if key.startswith('pki_'):
config.set(section_name, key, value)
return config

121
ipaserver/install/krainstance.py
View File

@ -25,7 +25,6 @@ import pwd
import shutil
import tempfile
import base64
from configparser import RawConfigParser
from ipalib import api
from ipalib import x509
@ -159,93 +158,25 @@ class KRAInstance(DogtagInstance):
(admin_p12_fd, admin_p12_file) = tempfile.mkstemp()
os.close(admin_p12_fd)
# Create KRA configuration
config = RawConfigParser()
config.optionxform = str
config.add_section("KRA")
# Security Domain Authentication
config.set("KRA", "pki_security_domain_https_port", "443")
config.set("KRA", "pki_security_domain_password", self.admin_password)
config.set("KRA", "pki_security_domain_user", self.admin_user)
# issuing ca
config.set("KRA", "pki_issuing_ca_uri", "https://%s" %
ipautil.format_netloc(self.fqdn, 443))
# Server
config.set("KRA", "pki_enable_proxy", "True")
config.set("KRA", "pki_restart_configured_instance", "False")
config.set("KRA", "pki_backup_keys", "True")
config.set("KRA", "pki_backup_password", self.admin_password)
# Client security database
config.set("KRA", "pki_client_database_dir", self.tmp_agent_db)
config.set("KRA", "pki_client_database_password", tmp_agent_pwd)
config.set("KRA", "pki_client_database_purge", "True")
config.set("KRA", "pki_client_pkcs12_password", self.admin_password)
# Administrator
config.set("KRA", "pki_admin_name", self.admin_user)
config.set("KRA", "pki_admin_uid", self.admin_user)
config.set("KRA", "pki_admin_email", "root@localhost")
config.set("KRA", "pki_admin_password", self.admin_password)
config.set("KRA", "pki_admin_nickname", "ipa-ca-agent")
config.set("KRA", "pki_admin_subject_dn",
str(DN(('cn', 'ipa-ca-agent'), self.subject_base)))
config.set("KRA", "pki_import_admin_cert", "False")
config.set("KRA", "pki_client_admin_cert_p12", admin_p12_file)
# Directory server
config.set("KRA", "pki_ds_ldap_port", "389")
config.set("KRA", "pki_ds_password", self.dm_password)
config.set("KRA", "pki_ds_base_dn", str(self.basedn))
config.set("KRA", "pki_ds_database", "ipaca")
config.set("KRA", "pki_ds_create_new_db", "False")
self._use_ldaps_during_spawn(config)
# Certificate subject DNs
config.set("KRA", "pki_subsystem_subject_dn",
str(DN(('cn', 'CA Subsystem'), self.subject_base)))
config.set("KRA", "pki_sslserver_subject_dn",
str(DN(('cn', self.fqdn), self.subject_base)))
config.set("KRA", "pki_audit_signing_subject_dn",
str(DN(('cn', 'KRA Audit'), self.subject_base)))
config.set(
"KRA", "pki_transport_subject_dn",
str(DN(('cn', 'KRA Transport Certificate'), self.subject_base)))
config.set(
"KRA", "pki_storage_subject_dn",
str(DN(('cn', 'KRA Storage Certificate'), self.subject_base)))
# Certificate nicknames
# Note that both the server certs and subsystem certs reuse
# the ca certs.
config.set("KRA", "pki_subsystem_nickname",
"subsystemCert cert-pki-ca")
config.set("KRA", "pki_sslserver_nickname",
"Server-Cert cert-pki-ca")
config.set("KRA", "pki_audit_signing_nickname",
"auditSigningCert cert-pki-kra")
config.set("KRA", "pki_transport_nickname",
"transportCert cert-pki-kra")
config.set("KRA", "pki_storage_nickname",
"storageCert cert-pki-kra")
# Shared db settings
# Needed because CA and KRA share the same database
# We will use the dbuser created for the CA
config.set("KRA", "pki_share_db", "True")
config.set(
"KRA", "pki_share_dbuser_dn",
str(DN(('uid', 'pkidbuser'), ('ou', 'people'), ('o', 'ipaca'))))
cfg = dict(
pki_issuing_ca_uri="https://{}".format(
ipautil.format_netloc(self.fqdn, 443)),
# Client security database
pki_client_database_dir=self.tmp_agent_db,
pki_client_database_password=tmp_agent_pwd,
pki_client_database_purge=True,
pki_client_pkcs12_password=self.admin_password,
pki_import_admin_cert=False,
pki_client_admin_cert_p12=admin_p12_file,
pki_ds_secure_connection=True, # always LDAPS
pki_ds_create_new_db=False,
)
if not (os.path.isdir(paths.PKI_TOMCAT_ALIAS_DIR) and
os.path.isfile(paths.PKI_TOMCAT_PASSWORD_CONF)):
# generate pin which we know can be used for FIPS NSS database
pki_pin = ipautil.ipa_generate_password()
config.set("KRA", "pki_pin", pki_pin)
cfg['pki_pin'] = pki_pin
else:
pki_pin = None
@ -257,21 +188,14 @@ class KRAInstance(DogtagInstance):
pent = pwd.getpwnam(self.service_user)
os.chown(p12_tmpfile_name, pent.pw_uid, pent.pw_gid)
# Security domain registration
config.set("KRA", "pki_security_domain_hostname", self.fqdn)
config.set("KRA", "pki_security_domain_https_port", "443")
config.set("KRA", "pki_security_domain_user", self.admin_user)
config.set("KRA", "pki_security_domain_password",
self.admin_password)
# Clone
config.set("KRA", "pki_clone", "True")
config.set("KRA", "pki_clone_pkcs12_path", p12_tmpfile_name)
config.set("KRA", "pki_clone_pkcs12_password", self.dm_password)
config.set("KRA", "pki_clone_setup_replication", "False")
config.set(
"KRA", "pki_clone_uri",
"https://%s" % ipautil.format_netloc(self.master_host, 443))
self._configure_clone(
cfg,
security_domain_hostname=self.fqdn,
clone_pkcs12_path=p12_tmpfile_name,
)
cfg.update(
pki_clone_setup_replication=False,
)
else:
# the admin cert file is needed for the first instance of KRA
cert = self.get_admin_cert()
@ -285,6 +209,7 @@ class KRAInstance(DogtagInstance):
)
# Generate configuration file
config = self._create_spawn_config(cfg)
with open(cfg_file, "w") as f:
config.write(f)