After CA certificate renewal, the ``renew_ca_cert`` helper updates
certificate data in CS.cfg. An unrecognised nickname will raise
``KeyError``. To allow the helper to be used for arbitrary
certificates (e.g. lightweight CAs), do not fail if the nickname is
unrecognised - just skip the update.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Use ipaplatform.constants in every corner instead of importing other bits or calling
some platform-specific things, and remove most of the remaining hardcoded uids.
https://fedorahosted.org/freeipa/ticket/5343
Reviewed-By: David Kupka <dkupka@redhat.com>
Bind DN is not used for client certificate authentication so they can be
safely removed.
https://fedorahosted.org/freeipa/ticket/5298
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The deployment descriptor used during CA/KRA install was modified to use LDAPS
to communicate with DS backend. This will enable standalone CA/KRA
installation on top of hardened directory server configuration.
https://fedorahosted.org/freeipa/ticket/5570
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Dogtag 9 CA and CA DS install and uninstall code was removed. Existing
Dogtag 9 CA and CA DS instances are disabled on upgrade.
Creating a replica of a Dogtag 9 IPA master is still supported.
https://fedorahosted.org/freeipa/ticket/5197
Reviewed-By: David Kupka <dkupka@redhat.com>
This patch makes --setup-ca work to set up a clone CA while creating
a new replica. The standalone ipa-ca-install script is not converted
yet though.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In the dogtag/ca/kra instances self.domain is never used.
Remove it.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Python DBus binding could fail to guess the type signature from an empty list.
This issue was seen but we don't have a reproducer. There is no harm in making
sure that it will not happen.
Reviewed-By: Martin Basti <mbasti@redhat.com>
IPA creates its own instance of CA, so there is no need to check if previous
instance was enabled, because there could not be any.
Reviewed-By: Martin Basti <mbasti@redhat.com>
This patch adds an error handler which prints out the paths to logs related to
configuration and installation of Dogtag/CA in the case of failure.
https://fedorahosted.org/freeipa/ticket/4900
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The underlying Dogtag issue (Dogtag ticket 1113) has been fixed.
We can therefore re-enable the uninstall option for ipa-kra-install.
Also, fixes an incorrect path in the ipa-pki-proxy.conf, and adds
a debug statement to provide status to the user when an uninstall
is done. Also, re-added the no_host_dns option which is used when
unpacking a replica file.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Remove internaldb password from password.conf after switching over to
client certificate authentication. The password is no longer needed.
https://fedorahosted.org/freeipa/ticket/4005
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
FreeIPA certmonger module changed to use D-Bus to communicate with certmonger.
Using the D-Bus API should be a more stable and supported way of using certmonger than
tampering with its files.
>=certmonger-0.75.13 is needed for this to work.
https://fedorahosted.org/freeipa/ticket/4280
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This patch adds the capability of installing a Dogtag KRA
to an IPA instance. With this patch, a KRA is NOT configured
by default when ipa-server-install is run. Rather, the command
ipa-kra-install must be executed on an instance on which a Dogtag
CA has already been configured.
The KRA shares the same tomcat instance and DS instance as the
Dogtag CA. Moreover, the same admin user/agent (and agent cert) can
be used for both subsystems. Certmonger is also configured to
monitor the new subsystem certificates.
To create a clone KRA, simply execute ipa-kra-install <replica_file>
on a replica on which a Dogtag CA has already been replicated.
ipa-kra-install will use the security domain to detect whether the
system being installed is a replica, and will error out if a needed
replica file is not provided.
The install scripts have been refactored somewhat to minimize
duplication of code. A new base class dogtaginstance.py has
been introduced containing code that is common to KRA and CA
installs. This will become very useful when we add more PKI
subsystems.
The KRA will install its database as a subtree of o=ipaca,
specifically o=ipakra,o=ipaca. This means that replication
agreements created to replicate CA data will also replicate KRA
data. No new replication agreements are required.
Added dogtag plugin for KRA. This is an initial commit providing
the basic vault functionality needed for vault. This plugin will
likely be modified as we create the code to call some of these
functions.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3872
The uninstallation option in ipa-kra-install is temporarily disabled.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>