Commit Graph

22 Commits

Author SHA1 Message Date
Timo Aaltonen
2a2d63669d ipaplatform: Move remaining user/group constants to ipaplatform.constants.
Use ipaplatform.constants in every corner instead of importing other bits or calling
some platform specific things, and remove most of the remaining hardcoded uid's.

https://fedorahosted.org/freeipa/ticket/5343

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-03-23 13:32:55 +01:00
Christian Heimes
49be6c8d3c Move user/group constants for PKI and DS into ipaplatform
https://fedorahosted.org/freeipa/ticket/5619

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2016-03-22 10:40:44 +01:00
Martin Basti
0cb870e565 Remove redundant parameters from CS.cfg in dogtaginstance
Bind DN is not used for client certificate authentication so they can be
safely removed.

https://fedorahosted.org/freeipa/ticket/5298

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-03-16 09:28:21 +01:00
Martin Babinsky
276d16775a use LDAPS during standalone CA/KRA subsystem deployment
The deployment descriptor used during CA/KRA install was modified to use LDAPS
to communicate with DS backend. This will enable standalone CA/KRA
installation on top of hardened directory server configuration.

https://fedorahosted.org/freeipa/ticket/5570

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2016-03-01 13:44:09 +01:00
Timo Aaltonen
67c367d0db Use HTTPD_USER in dogtaginstance.py
https://fedorahosted.org/freeipa/ticket/5587

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-01-27 14:58:28 +01:00
Fraser Tweedale
38861428e7 dogtaginstance: remove unused function 'check_inst'
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-12-14 14:32:36 +01:00
Jan Cholasta
aeffe2da42 install: drop support for Dogtag 9
Dogtag 9 CA and CA DS install and uninstall code was removed. Existing
Dogtag 9 CA and CA DS instances are disabled on upgrade.

Creating a replica of a Dogtag 9 IPA master is still supported.

https://fedorahosted.org/freeipa/ticket/5197

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-11-25 09:12:25 +01:00
Simo Sorce
bc39cc9f81 Allow to install the KRA on a promoted server
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-10-22 17:53:14 +02:00
Simo Sorce
2606f5aecd Allow to setup the CA when promoting a replica
This patch makes --setup-ca work to set upa clone CA while creating
a new replica. The standalone ipa-ca-install script is not converted
yet though.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-10-15 14:24:33 +02:00
Jan Cholasta
110e85cc74 install: fix KRA agent PEM file permissions
This fixes CVE-2015-5284.

https://fedorahosted.org/freeipa/ticket/5347

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-10-08 13:41:08 +02:00
Simo Sorce
953b1079cf Remove unused arguments
In the dogtag/ca/kra instances self.domain is never used.
Remove it.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-09-22 10:44:45 +02:00
David Kupka
fe91c375d0 dbus: Create empty dbus.Array with specified signature
Python DBus binding could fail to guess the type signature from empty list.
This issue was seen but we don't have a reproducer. There is no harm in making
sure that it will not happen.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-08-14 12:48:45 +02:00
Petr Viktorin
27dabb4528 Modernize 'except' clauses
The 'as' syntax works from Python 2 on, and Python 3 will
drop the "comma" syntax.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-08-12 18:17:23 +02:00
David Kupka
0167919ba8 Do not store state if CA is enabled
IPA creates own instance of CA, so there is no need to check if previous
instance was enabled, because there could not be any.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-05-19 12:53:58 +00:00
Martin Babinsky
a1f91247cc point the users to PKI-related logs when CA configuration fails
This patch adds an error handler which prints out the paths to logs related to
configuration and installation of Dogtag/CA in the case of failure.

https://fedorahosted.org/freeipa/ticket/4900

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-04-29 05:19:29 +00:00
Jan Cholasta
b9ae769048 Make certificate renewal process synchronized
Synchronization is achieved using a global renewal lock.

https://fedorahosted.org/freeipa/ticket/4803

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-01-13 18:34:59 +00:00
Jan Cholasta
6a1304324f Restart dogtag when its server certificate is renewed
https://fedorahosted.org/freeipa/ticket/4803

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-01-13 18:34:59 +00:00
Jan Cholasta
92a08266af Fix certmonger configuration in installer code
https://fedorahosted.org/freeipa/ticket/4619

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-10 08:48:25 +02:00
Ade Lee
9ca5a4e420 Re-enable uninstall feature for ipa-kra-install
The underlying Dogtag issue (Dogtag ticket 1113) has been fixed.
We can therefore re-enable the uninstall option for ipa-kra-install.
Also, fixes an incorrect path in the ipa-pki-proxy.conf, and adds
a debug statement to provide status to the user when an uninstall
is done.  Also, re-added the no_host_dns option which is used when
unpacking a replica file.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3872

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-15 10:58:29 +02:00
Ana Krivokapic
d2793a3ca5 Remove internaldb password from password.conf
Remove internaldb password from password.conf after switching over to
client certificate authentication. The password is no longer needed.

https://fedorahosted.org/freeipa/ticket/4005

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-09 10:36:50 +02:00
David Kupka
6d94cdf250 Use certmonger D-Bus API instead of messing with its files.
FreeIPA certmonger module changed to use D-Bus to communicate with certmonger.
Using the D-Bus API should be more stable and supported way of using cermonger than
tampering with its files.

>=certmonger-0.75.13 is needed for this to work.

https://fedorahosted.org/freeipa/ticket/4280

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-09-05 10:51:42 +02:00
Ade Lee
a25fe00c62 Add a KRA to IPA
This patch adds the capability of installing a Dogtag KRA
to an IPA instance.  With this patch,  a KRA is NOT configured
by default when ipa-server-install is run.  Rather, the command
ipa-kra-install must be executed on an instance on which a Dogtag
CA has already been configured.

The KRA shares the same tomcat instance and DS instance as the
Dogtag CA.  Moreover, the same admin user/agent (and agent cert) can
be used for both subsystems.  Certmonger is also confgured to
monitor the new subsystem certificates.

To create a clone KRA, simply execute ipa-kra-install <replica_file>
on a replica on which a Dogtag CA has already been replicated.
ipa-kra-install will use the security domain to detect whether the
system being installed is a replica, and will error out if a needed
replica file is not provided.

The install scripts have been refactored somewhat to minimize
duplication of code.  A new base class dogtagintance.py has
been introduced containing code that is common to KRA and CA
installs.  This will become very useful when we add more PKI
subsystems.

The KRA will install its database as a subtree of o=ipaca,
specifically o=ipakra,o=ipaca.  This means that replication
agreements created to replicate CA data will also replicate KRA
data.  No new replication agreements are required.

Added dogtag plugin for KRA.  This is an initial commit providing
the basic vault functionality needed for vault.  This plugin will
likely be modified as we create the code to call some of these
functions.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3872

The uninstallation option in ipa-kra-install is temporarily disabled.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-08-22 09:59:31 +02:00