Replace all uses of virtual profiles with `dogtag-ipa-ca-renew-agent-reuse`
and remove profile from the IPA CA certificate tracking request.
This prevents virtual profiles from making their way into CSRs and in turn
being rejected by certain CAs. This affected the IPA CA CSR with Microsoft
CS in particular.
https://pagure.io/freeipa/issue/5799
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Add a switch which makes `dogtag-ipa-ca-renew-agent-submit` reuse the
existing certificate rather than request a new one from the CA while
maintaining LDAP replication of the certificate.
Make this available as a new `dogtag-ipa-ca-renew-agent-reuse` certmonger
CA.
This allows redoing the LDAP replication and reexecuting pre- and post-save
commands of a tracking request without reissuing the certificate.
https://pagure.io/freeipa/issue/5799
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Use Dogtag's `caCACert` CA certificate profile rather than the
`ipaCACertRenewal` virtual profile for lightweight CA certificates.
The `ipaCACertRenewal` virtual profile adds special handling of externally
signed CA certificates and LDAP replication of issued certificates on top
of `caCACert`, neither of which is relevant for lightweight CA
certificates.
Remove all of the special casing of lightweight CA certificates from
dogtag-ipa-ca-renew-agent-submit.
Make sure existing lightweight CA certmonger tracking requests are updated
on server upgrade.
https://pagure.io/freeipa/issue/5799
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Do not bypass the renewal master check when a non-virtual profile is used
in dogtag-ipa-ca-renew-agent-submit.
This fixes dogtag-ipa-ca-renew-agent not respecting the CA renewal master
setting for certificates tracked with a real profile. (Note that there
currently aren't any such certificates tracked by us.)
Request the RA certificate using dogtag-submit rather than
dogtag-ipa-ca-renew-agent-submit as the CA renewal master setting is not
available so early in the install process.
https://pagure.io/freeipa/issue/5799
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Refresh the ca_host property of the Dogtag's RestClient class when
it's requested as a context manager.
This solves the problem which would occur on DL0 when installing
CA which needs to perform a set of steps against itself accessing
8443 port. This port should however only be available locally so
trying to connect to remote master would fail. We need to make
sure the right CA host is accessed.
https://pagure.io/freeipa/issue/6878
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
OpenSSL can't cope with empty files, add a newline after each password
https://pagure.io/freeipa/issue/6878
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Previous versions of FreeIPA add password to the ra.p12 file
contained in the password-protected tarball. This was forgotten
about in the recent changes and fixed now.
https://pagure.io/freeipa/issue/6878
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The cert file would have been rewritten all over again with
any of the cert in the CA cert chain without this patch.
https://pagure.io/freeipa/issue/6872
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Previously system users needed by FreeIPA server services was created during
ipa-server-install. This led to problem when DBus policy was configured during
package installation but the user specified in the policy didn't exist yet
(and potentionally similar ones). Now the users will be created in package %pre
section so all users freeipa-server package needs exist before any installation
or configuration begins.
Another possibility would be using systemd-sysusers(8) for this purpose but
given that systemd is not available during container build the traditional
approach is superior.
Also dirsrv and pkiuser users are no longer created by FreeIPA instead it
depends on 389ds and dogtag to create those users.
https://pagure.io/freeipa/issue/6743
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
If both the pki-tomcat NSS database and its password.conf have been
created, don't try to override the password.conf file.
https://pagure.io/freeipa/issue/6839
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Dogtag is currently unable to generate a PIN it could use for
an NSS database creation in FIPS. Generate it for them so that
we don't fail.
https://pagure.io/freeipa/issue/6824
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
This script is used only for IPA <3.1, so it must be compatible with
ipa-3-0 branch, so it should be placed there
https://pagure.io/freeipa/issue/6540
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Time estimates have been updated to be more accurate. Only
tasks that are estimated to take longer than 10 seconds have
the estimate displayed.
https://pagure.io/freeipa/issue/6596
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The "ipaCert" nicknamed certificate is not required to be
in /var/lib/ipa/radb NSSDB anymore as we were keeping a copy
of this file in a separate file anyway. Remove it from there
and track only the file. Remove the IPA_RADB_DIR as well as
it is not required anymore.
https://fedorahosted.org/freeipa/ticket/5695https://fedorahosted.org/freeipa/ticket/6680
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Currently, it was only possible to request an NSS certificate
via certmonger. Merged start_tracking methods and refactored them
to allow for OpenSSL certificates tracking.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Replaced NSSConnection with Python's httplib.HTTPSConnection.
This class is OpenSSL-based.
A client certificate with a private key is required to authenticate
against the certificate server. We facilitate the RA_AGENT_PEM which
already exists.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
IPAHTTPSConnection which is set up first time in certificate profiles
migration to LDAP requires CA cert to be stored in a file.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
HTTPS connection to certificate server requires client authentication
so we need a file with client certificate and private key prior to
its first occurence which happens during migration of certificate
profiles to LDAP.
https://fedorahosted.org/freeipa/ticket/5695https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The ra_db argument to CAInstance init is a constant so it can
be removed. This constant corresponds to the default CertDB directory
and since CertDB now passes passwords to its inner NSSDatabase instance
we do need to care about having our own run_certutil() method.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
When ipa-server-install configures PKI, it provides a configuration file
with the parameter pki_ajp_host set to ::1. This parameter is used to configure
Tomcat redirection in /etc/pki/pki-tomcat/server.xml:
<Connector port="8009"
protocol="AJP/1.3"
redirectPort="8443"
address="::1" />
ie all requests to port 8009 are redirected to port 8443 on address ::1.
If the /etc/hosts config file does not define ::1 for localhost, then AJP
redirection fails and replica install is not able to request a certificate
for the replica.
Since PKI has been fixed (see PKI ticket 2570) to configure by default the AJP
redirection with "localhost", FreeIPA does not need any more to override
this setting.
The code now depends on pki 10.3.5-11 which provides the fix in the template
and the upgrade.
https://fedorahosted.org/freeipa/ticket/6575
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
NSSDatabases should call certutil with a password. Also, removed
`password_filename` argument from `.create_db()`.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This is in preparation for separating out the user under which the
ipa api framework runs as.
This commit also removes certs.NSS_DIR to avoid confusion and replaces
it where appropriate with the correct NSS DB directory, either the old
HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is
removed altogether as it was simply not necessary.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Using raw pyldap interface we have to keep vaules as bytes. Is easier to
migrate to ipaldap and use strings without decoding and encoding.
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
With Python3 files must be opened in textual mode to write text, and
best practise is to use fileobject instead fo os.write() and manual
encodig
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
config parser writes data as text so CA/KRA should be opened in textual
mode otherwise type errors are raised from installer
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
basedn is DN object it has to be converted to string before it can be
used with config parser
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Do not configure renewal guard for dogtag-ipa-renew-agent, as it is not
used in IPA anymore.
https://fedorahosted.org/freeipa/ticket/5959
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Currently only the "subject base" of the IPA CA subject DN can be
customised, via the installer's --subject-base option. The RDN
"CN=Certificate Authority" is appended to form the subject DN, and
this composition is widely assumed.
Some administrators need more control over the CA subject DN,
especially to satisfy expectations of external CAs when the IPA CA
is to be externally signed.
This patch adds full customisability of the CA subject DN.
Specifically:
- Add the --ca-subject option for specifying the full IPA CA subject
DN. Defaults to "CN=Certificate Authority, O=$SUBJECT_BASE".
- ipa-ca-install, when installing a CA in a previous CA-less
topology, updates DS certmap.conf with the new new CA subject DN.
- DsInstance.find_subject_base no longer looks in certmap.conf,
because the CA subject DN can be unrelated to the subject base.
Fixes: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.
https://fedorahosted.org/freeipa/ticket/5678
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Add a single function for extracting X.509 certs in PEM format from
a PKCS #7 object. Refactor sites that execute ``openssl pkcs7`` to
use the new function.
Part of: https://fedorahosted.org/freeipa/ticket/6178
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
During the rebase of commit 822e1bc82a on top
of commit 808b1436b4, the call to track the
RA agent certificate with certmonger was accidentally removed from
ipa-replica-install.
Put the call back so that the certificate is tracked after replica install.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
SHARE_DIR and PLUGIN_SHARE_DIR depend on ipaplatform.
Replace all uses of SHARE_DIR with paths.USR_SHARE_IPA_DIR and remove
both SHARE_DIR and PLUGIN_SHARE_DIR.
https://fedorahosted.org/freeipa/ticket/6474
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The certmonger and sysrestore modules depend on ipaplatform.
Move them to ipalib.install as they are used only from installers.
https://fedorahosted.org/freeipa/ticket/6474
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The dnssec and secrets subpackages and the p11helper module depend on
ipaplatform.
Move them to ipaserver as they are used only on the server.
https://fedorahosted.org/freeipa/ticket/6474
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Since service.admin_conn is only an alias to api.Backend.ldap2,
replace it everywhere with the explicit api.Backend.ldap2 instead.
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
The Service class now accepts keytab path and service name part of Kerberos
principal as members. Kerberos principal is turned into a property computed
from service prefix, FQDN and realm. the handling of Kerberos principals and
keytabs in service installers was changed to use class members instead of
copy-pasted constants. This shall aid in the future refactoring of
principal/keytab handling code.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This will aid further refactoring of service installers, since the user will
be defined only once during parent class initialization.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
pki-tomcat would have been restarted in install and replicainstall
for backward compatibility reasons. As Dogtag 9 is not supported
anymore, we can move this restart only for DL0 replica installation.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Commit 822e1bc82a undone the fix from commit
276d16775a, breaking ipa-ca-install on
servers with hardened DS configuration.
Put the fix back to make ipa-ca-install work on hardened DS configuration
again.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Merge all KRA agent cert export code paths into a single code path in KRA
install.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Merge CA install code paths use in ipa-server-install, ipa-replica-install
in either domain level and ipa-ca-install into one.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Remote master and CA host names may differ. Always use the remote CA host
name and never the remote master host name in CA replica install.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
In order to reduce coupling between httpinstance and other service installers,
the HTTP installer is now tasked with initialization of /etc/httpd/alias (RA
agent database) in the beginning of server/replica installation
Part of https://fedorahosted.org/freeipa/ticket/6429
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
- Temporary modify certmonger dogtag-ipa-ca-renew helper to request the IPA RA
agent cert, using the temp cert created during pkispawn. The cert request
is now processed through certmonger, and the helper arguments are restored
once the agent cert is obtained.
- Modify the installer code creating HTTP and LDAP certificates to use
certmonger's IPA helper with temporary parameters (calling dogtag-submit
instead of ipa-submit)
- Clean-up for the integration tests: sometimes ipa renewal.lock is not
released during ipa-server-uninstall. Make sure that the file is removed
to allow future installations.
https://fedorahosted.org/freeipa/ticket/6433
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Update x509.load_certificate and related functions to return
python-cryptography ``Certificate`` objects. Update the call sites
accordingly, including removal of NSS initialisation code.
Also update GeneralName parsing code to return python-cryptography
GeneralName values, for consistency with other code that processes
GeneralNames. The new function, `get_san_general_names`, and
associated helper functions, can be removed when python-cryptography
provides a way to deal with unrecognised critical extensions.
Part of: https://fedorahosted.org/freeipa/ticket/6398
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Remove ldap_connect and ldap_disconnect from services. admin_conn is
just an alias to api.Backend.ldap2 and therefore the connection should
be managed elsewhere.
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Remove adhoc connects and disconnects of api.Backend.ldap2. Connection
should be established only at the start of the script, destroyed at the
end of the script and re-established when directory server is restarted.
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Create a utility function to restart a directory server and
reconnect the api.Backend.ldap2 connection.
* Use restart_dirsrv instead of knownservices.dirsrv.restart to
ensure api.Backend.ldap2 is reconnected.
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Installation of Certificate Server replica requires directory manager
password. Specify it explicitly in function call and pass it in
through an argument.
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* move IPAdmin methods to LDAPClient
* add extra arguments (cacert, sasl_nocanon) to LDAPClient.__init__()
* add host, port, _protocol to LDAPClient (parsed from ldap_uri)
* create get_ldap_uri() method to create ldap_uri from former
IPAdmin.__init__() arguments
* replace IPAdmin with LDAPClient + get_ldap_uri()
* remove ununsed function argument hostname from
enable_replication_version_checking()
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use LDAPClient.simple_bind instead of extra call to IPAdmin.do_simple_bind
* Rename binddn to bind_dn
* Rename bindpw to bind_password
* Explicitly specify bind_dn in all calls
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Check for import errors with pylint to make sure new python package
dependencies are not overlooked.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
cainstance.__spawn_instance() exits in rather weird manner on
successful external CA install. This masks the weird implementation
from the user. :-&
https://fedorahosted.org/freeipa/ticket/6230
Reviewed-By: David Kupka <dkupka@redhat.com>
Unused variables may:
* make code less readable
* create dead code
* potentialy hide issues/errors
Enabled check should prevent to leave unused variable in code
Check is locally disabled for modules that fix is not clear or easy or have too many occurences of
unused variables
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Backup and restore trust flags of existing certificates during CA
installation. This prevents marking a previously trusted certificate
as untrusted, as was the case when CA-less was converted to CA-full
with external CA when using the same certificate.
https://fedorahosted.org/freeipa/ticket/5791
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Add Certmonger tracking requests for lightweight CAs on replica
installation. As part of this change, extract most of the
lightweight CA tracking code out of ipa-certupdate and into
cainstance.
Fixes: https://fedorahosted.org/freeipa/ticket/6019
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Installation in pure IPv6 environment failed because pki-tomcat tried to use
IPv4 loopback. Configuring tomcat to use IPv6 loopback instead of IPv4 fixes
this issue.
https://fedorahosted.org/freeipa/ticket/4291
Reviewed-By: Martin Basti <mbasti@redhat.com>
sys.exit() calls sometimes make it hard to find bugs and mask code that
does not always work properly.
https://fedorahosted.org/freeipa/ticket/5750
Reviewed-By: Martin Basti <mbasti@redhat.com>
ipa-server-upgrade from pre-lightweight CAs version fails when
Dogtag is also being upgraded from pre-lightweight CAs version,
because Dogtag needs to be restarted after adding the lightweight
CAs container, before requesting information about the host
authority.
Move the addition of the Dogtag lightweight CAs container entry a
bit earlier in the upgrade procedure, ensuring restart.
Fixes: https://fedorahosted.org/freeipa/ticket/6011
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Some container objects are not added when migrating from a
pre-lightweight CAs master, causing replica installation to fail.
Make sure that the containers exist and add an explanatory comment.
Fixes: https://fedorahosted.org/freeipa/ticket/5963
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
For CA replicas to pick up renewed lightweight CA signing
certificates, the authoritySerial attribute can be updated with the
new serial number.
Update the renew_ca_cert script, which is executed by Certmonger
after writing a renewed CA certificate to the NSSDB, to update the
authoritySerial attribute if the certificate belongs to a
lightweight CA.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
After CA certificate renewal, the ``renew_ca_cert`` helper updates
certificate data in CS.cfg. An unrecognised nickname will raise
``KeyError``. To allow the helper to be used for arbitrary
certificates (e.g. lightweight CAs), do not fail if the nickname is
unrecognised - just skip the update.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Dogtag has been updated to support a default OCSP URI when the
profile includes AuthInfoAccess with URI method but does not specify
the URI (instead of constructing one based on Dogtag's hostname and
port).
Add the pkispawn config to ensure that the OCSP URI is set before
issuing CA and system certificates, and add the config to existing
CA instances on upgrade.
Fixes: https://fedorahosted.org/freeipa/ticket/5956
Reviewed-By: Martin Basti <mbasti@redhat.com>
After installing a replica, Dogtag's Lightweight CA key retrieval
fails until Dogtag is restarted, because the already-running
instance doesn't pick up the changes to CS.cfg. Configure the key
retriever before the instance is started.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
In addition to user-created lightweight CAs, CA ACLs need to be able
to refer to the "main" CA. Add an entry for the IPA CA on
installation and upgrade.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This commit adds the 'ca' plugin for creating and managing
lightweight CAs. The initial implementation supports a single level
of sub-CAs underneath the IPA CA.
This commit also:
- adds the container for FreeIPA CA objects
- adds schema for the FreeIPA CA objects
- updates ipa-pki-proxy.conf to allow access to the Dogtag
lightweight CAs REST API.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Add Dogtag ACLs that authorise the CA Agent certificate to manage
lightweight CAs.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Add the ipa-pki-retrieve-key helper program and configure
lightweight CA key replication on installation and upgrade. The
specific configuration steps are:
- Add the 'dogtag/$HOSTNAME' service principal
- Create the pricipal's Custodia keys
- Retrieve the principal's keytab
- Configure Dogtag's CS.cfg to use ExternalProcessKeyRetriever
to invoke ipa-pki-retrieve-key for key retrieval
Also bump the minimum version of Dogtag to 10.3.2.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The CA renewal master flag was uncoditionally set on every replica during
replica install. This causes the Dogtag certificates initially shared
among all replicas to differ after renewal.
Do not set the CA renewal master flag in replica install anymore. On
upgrade, remove the flag from all but one IPA masters.
https://fedorahosted.org/freeipa/ticket/5902
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
A regression caused replica installation to replace the FreeIPA
version of caIPAserviceCert with the version shipped by Dogtag.
During upgrade, detect and repair occurrences of this problem.
Part of: https://fedorahosted.org/freeipa/ticket/5881
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
An earlier change that unconditionally triggers import of file-based
profiles to LDAP during server or replica install results in
replicas overwriting FreeIPA-managed profiles with profiles of the
same name shipped with Dogtag. ('caIPAserviceCert' is the affected
profile).
Avoid this situation by never overwriting existing profiles during
the LDAP import.
Fixes: https://fedorahosted.org/freeipa/ticket/5881
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The deployment descriptor used during CA/KRA install was modified to use LDAPS
to communicate with DS backend. This will enable standalone CA/KRA
installation on top of hardened directory server configuration.
https://fedorahosted.org/freeipa/ticket/5570
Reviewed-By: Tomas Babej <tbabej@redhat.com>
During IPA server upgrade, the migration of Dogtag profiles into LDAP
backend was bound to the update of CS.cfg which enabled the LDAP profile
subsystem. If the subsequent profile migration failed, the subsequent
upgrades were not executing the migration code leaving CA subsystem in
broken state. Therefore the migration code path should be executed
regardless of the status of the main Dogtag config file.
https://fedorahosted.org/freeipa/ticket/5682
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Without calling os.chmod(), umask is effective and may cause that
directory is created with permission that causes failure.
This can be related to https://fedorahosted.org/freeipa/ticket/5520
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The ipautil.run function now returns an object with returncode and
output are accessible as attributes.
The stdout and stderr of all commands are logged (unless skip_output is given).
The stdout/stderr contents must be explicitly requested with a keyword
argument, otherwise they are None.
This is because in Python 3, the output needs to be decoded, and that can
fail if it's not decodable (human-readable) text.
The raw (bytes) output is always available from the result object,
as is "leniently" decoded output suitable for logging.
All calls are changed to reflect this.
A use of Popen in cainstance is changed to ipautil.run.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
When a CA-less replica is installed, its IPA config file should be updated so
that ca_host points to nearest CA master and all certificate requests are
forwarded to it. A subsequent installation of CA subsystem on the replica
should clear this entry from the config so that all certificate requests are
handled by freshly installed local CA.
https://fedorahosted.org/freeipa/ticket/5506
Reviewed-By: Martin Basti <mbasti@redhat.com>
Return False does not mean that update failed, it mean that nothing has
been updated, respectively ldap is up to date.
https://fedorahosted.org/freeipa/ticket/5482
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Dogtag 9 CA and CA DS install and uninstall code was removed. Existing
Dogtag 9 CA and CA DS instances are disabled on upgrade.
Creating a replica of a Dogtag 9 IPA master is still supported.
https://fedorahosted.org/freeipa/ticket/5197
Reviewed-By: David Kupka <dkupka@redhat.com>
ensure_default_caacl() was leaking open api.Backend.ldap2 connection which
could crash server/replica installation at later stages. This patch ensures
that after checking default CA ACL profiles the backend is disconnected.
https://fedorahosted.org/freeipa/ticket/5459
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Profiles and the default CA ACL were not being added during replica
install from pre-4.2 servers. Update ipa-replica-install to add
these if they are missing.
Also update the caacl plugin to prevent deletion of the default CA
ACL and instruct the administrator to disable it instead.
To ensure that the cainstance installation can add profiles, supply
the RA certificate as part of the instance configuration.
Certmonger renewal setup is avoided at this point because the NSSDB
gets reinitialised later in installation procedure.
Also move the addition of the default CA ACL from dsinstance
installation to cainstance installation.
Fixes: https://fedorahosted.org/freeipa/ticket/5459
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
When importing IPA-managed certificate profiles into Dogtag,
profiles with the same name (usually caIPAserviceCert) are removed,
then immediately recreated with the new profile data. This causes a
race condition - Dogtag's LDAPProfileSystem profileChangeMonitor
thread could observe and process the deletion after the profile was
recreated, disappearing it again.
Update the profile instead of deleting and recreating it to avoid
this race condition.
Fixes: https://fedorahosted.org/freeipa/ticket/5269
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Added constants for domain levels
DOMAIN_LEVEL_0 = 0
DOMAIN_LEVEL_1 = 1
This allows to search for domain level easier in code.
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
This patch makes --setup-ca work to set upa clone CA while creating
a new replica. The standalone ipa-ca-install script is not converted
yet though.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Configure IPA so that topology plugin will manage also CA replication
agreements.
upgrades if CA is congigured:
- ipaca suffix is added to cn=topology,cn=ipa,cn=etc,$SUFFIX
- ipaReplTopoManagedSuffix: o=ipaca is added to master entry
- binddngroup is added to o=ipaca replica entry
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This patch implements a new flag --promote for the ipa-replica-install command
that allows an administrative user to 'promote' an already joined client to
become a full ipa server.
The only credentials used are that of an administrator. This code relies on
ipa-custodia being available on the peer master as well as a number of other
patches to allow a computer account to request certificates for its services.
Therefore this feature is marked to work only with domain level 1 and above
servers.
Ticket: https://fedorahosted.org/freeipa/ticket/2888
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Export the file even when KRA is not installed locally so that vault commands
work on all IPA replicas.
https://fedorahosted.org/freeipa/ticket/5302
Reviewed-By: Martin Basti <mbasti@redhat.com>
The module was renamed in Python 3.
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
The module name was lowercased in Python 3.
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
In Python 3, these modules are reorganized.
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Instantiate CAInstall only once instead of 3 times in a row always with the
same values.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In the dogtag/ca/kra instances self.domain is never used.
Remove it.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The CA and KRA installation code has been modified to use LDAPI
to create the CA and KRA agents directly in the CA and KRA
database. This way it's no longer necessary to use the Directory
Manager password or CA and KRA admin certificate.
https://fedorahosted.org/freeipa/ticket/5257
Reviewed-By: Martin Basti <mbasti@redhat.com>
In Python 3, range() behaves like the old xrange().
The difference between range() and xrange() is usually not significant,
especially if the whole result is iterated over.
Convert xrange() usage to range() for small ranges.
Use modern idioms in a few other uses of range().
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In Python 3, `print` is no longer a statement. Call it as a function
everywhere, and include the future import to remove the statement
in Python 2 code as well.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Use Python-3 compatible syntax, without breaking compatibility with py 2.7
- Octals literals start with 0o to prevent confusion
- The "L" at the end of large int literals is not required as they use
long on Python 2 automatically.
- Using 'int' instead of 'long' for small numbers is OK in all cases except
strict type checking checking, e.g. type(0).
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Currently, IPA certificate profile import happens at end of install.
Certificates issuance during the install process does work but uses
an un-customised caIPAserviceCert profile, resulting in incorrect
subject DNs and missing extensions. Furthermore, the
caIPAserviceCert profile shipped with Dogtag will eventually be
removed.
Move the import of included certificate profiles to the end of the
cainstance deployment phase, prior to the issuance of DS and HTTP
certificates.
Part of: https://fedorahosted.org/freeipa/ticket/4002
Reviewed-By: Martin Basti <mbasti@redhat.com>
Profile management patches introduced a regression where a custom
certificate subject base (if configured) is not used in the default
profile. Use the configured subject base.
Part of: https://fedorahosted.org/freeipa/ticket/4002
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add a default service profile template as part of FreeIPA and format
and import it as part of installation or upgrade process.
Also remove the code that modifies the old (file-based)
`caIPAserviceCert' profile.
Fixes https://fedorahosted.org/freeipa/ticket/4002
Reviewed-By: Martin Basti <mbasti@redhat.com>
Install the Dogtag CA to use the LDAPProfileSubsystem instead of the
default (file-based) ProfileSubsystem.
Part of: https://fedorahosted.org/freeipa/ticket/4560
Reviewed-By: Martin Basti <mbasti@redhat.com>
IPA creates own instance of CA, so there is no need to check if previous
instance was enabled, because there could not be any.
Reviewed-By: Martin Basti <mbasti@redhat.com>
To avoid cyclic imports realm_to_serverid function had to be moved to
installutils from dsinstance.
Required for: https://fedorahosted.org/freeipa/ticket/4925
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This patch adds an error handler which prints out the paths to logs related to
configuration and installation of Dogtag/CA in the case of failure.
https://fedorahosted.org/freeipa/ticket/4900
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Services hasn't been restored correctly, which causes disabling already
disabled services, or some service did not start. This patch fix these
issues.
Ticket: https://fedorahosted.org/freeipa/ticket/4869
Reviewed-By: David Kupka <dkupka@redhat.com>
The patch adds a function which calls 'remove-ds.pl' during DS instance
removal. This should allow for a more thorough removal of DS related data
during server uninstallation (such as closing custom ports, cleaning up
slapd-* entries etc.)
This patch is related to https://fedorahosted.org/freeipa/ticket/4487.
Reviewed-By: Martin Basti <mbasti@redhat.com>
The KRA backend has been simplified since most of the tasks have
been moved somewhere else. The transport certificate will be
installed on the client, and it is not needed by KRA backend. The
KRA agent's PEM certificate is now generated during installation
due to permission issue. The kra_host() for now is removed since
the current ldap_enable() cannot register the KRA service, so it
is using the kra_host environment variable.
The KRA installer has been modified to use Dogtag's CLI to create
KRA agent and setup the client authentication.
The proxy settings have been updated to include KRA's URLs.
Some constants have been renamed for clarity. The DOGTAG_AGENT_P12
has been renamed to DOGTAG_ADMIN_P12 since file actually contains
the Dogtag admin's certificate and private key and it can be used
to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed
to KRA_AGENT_PEM since it can only be used for KRA.
The Dogtag dependency has been updated to 10.2.1-0.1.
https://fedorahosted.org/freeipa/ticket/4503
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Modifying CS.cfg when dogtag is running may (and does) result in corrupting
this file.
https://fedorahosted.org/freeipa/ticket/4569
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Added a new option --external-ca-type which specifies the type of the
external CA. It can be either "generic" (the default) or "ms-cs". If "ms-cs"
is selected, the CSR generated for the IPA CA will include MS template name
extension (OID 1.3.6.1.4.1.311.20.2) with template name "SubCA".
https://fedorahosted.org/freeipa/ticket/4496
Reviewed-By: Martin Kosek <mkosek@redhat.com>
The --external_cert_file and --external_ca_file options of ipa-server-install
and ipa-ca-install have been replaced by --external-cert-file option which
accepts multiple files. The files are accepted in PEM and DER certificate and
PKCS#7 certificate chain formats.
https://fedorahosted.org/freeipa/ticket/4480
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
This is especially useful for external CA install, as the algorithm is also
used for the CSR signature.
https://fedorahosted.org/freeipa/ticket/4447
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Required to prevent code duplications
ipaldap.IPAdmin now has method do_bind, which tries several bind methods
ipaldap.IPAClient now has method object_exists(dn)
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Sytem users and their groups are always created together.
Also, users & groups should never be removed once they exist
on the system (see comit a5a55ce).
Use a single function for generic user creation, and specific
funtions in dsinstance and cainstance.
Remove code left over from when we used to delete the DS user.
Preparation for: https://fedorahosted.org/freeipa/ticket/3866
Reviewed-By: Tomas Babej <tbabej@redhat.com>
FreeIPA certmonger module changed to use D-Bus to communicate with certmonger.
Using the D-Bus API should be more stable and supported way of using cermonger than
tampering with its files.
>=certmonger-0.75.13 is needed for this to work.
https://fedorahosted.org/freeipa/ticket/4280
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This patch adds the capability of installing a Dogtag KRA
to an IPA instance. With this patch, a KRA is NOT configured
by default when ipa-server-install is run. Rather, the command
ipa-kra-install must be executed on an instance on which a Dogtag
CA has already been configured.
The KRA shares the same tomcat instance and DS instance as the
Dogtag CA. Moreover, the same admin user/agent (and agent cert) can
be used for both subsystems. Certmonger is also confgured to
monitor the new subsystem certificates.
To create a clone KRA, simply execute ipa-kra-install <replica_file>
on a replica on which a Dogtag CA has already been replicated.
ipa-kra-install will use the security domain to detect whether the
system being installed is a replica, and will error out if a needed
replica file is not provided.
The install scripts have been refactored somewhat to minimize
duplication of code. A new base class dogtagintance.py has
been introduced containing code that is common to KRA and CA
installs. This will become very useful when we add more PKI
subsystems.
The KRA will install its database as a subtree of o=ipaca,
specifically o=ipakra,o=ipaca. This means that replication
agreements created to replicate CA data will also replicate KRA
data. No new replication agreements are required.
Added dogtag plugin for KRA. This is an initial commit providing
the basic vault functionality needed for vault. This plugin will
likely be modified as we create the code to call some of these
functions.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3872
The uninstallation option in ipa-kra-install is temporarily disabled.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
