Commit Graph

11 Commits

Author SHA1 Message Date
Christian Heimes
d9ab0097e1 Secure permissions of Custodia server.keys
Custodia's server.keys file contain the private RSA keys for encrypting
and signing Custodia messages. The file was created with permission 644
and is only secured by permission 700 of the directory
/etc/ipa/custodia. The installer and upgrader ensure that the file
has 600.

https://bugzilla.redhat.com/show_bug.cgi?id=1353936
https://fedorahosted.org/freeipa/ticket/6056

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-24 16:59:43 +02:00
Fraser Tweedale
f94ccca676 Allow CustodiaClient to be used by arbitrary principals
Currently CustodiaClient assumes that the client is the host
principal, and it is hard-coded to read the host keytab and server
keys.

For the Lightweight CAs feature, Dogtag on CA replicas will use
CustodiaClient to retrieve signing keys from the originating
replica.  Because this process runs as 'pkiuser', the host keys
cannot be used; instead, each Dogtag replica will have a service
principal to use for Custodia authentication.

Update CustodiaClient to require specifying the client keytab and
Custodia keyfile to use, and change the client argument to be a full
GSS service name (instead of hard-coding host service) to load from
the keytab.  Update call sites accordingly.

Also pass the given 'ldap_uri' argument through to IPAKEMKeys
because without it, the client tries to use LDAPI, but may not have
access.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-08 10:16:28 +02:00
Petr Viktorin
a9a1353098 Fix remaining relative import and enable Pylint check
Relative imports are not supported in Python 3.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-05-10 12:41:15 +02:00
David Kupka
03a697489a Look up HTTPD_USER's UID and GID during installation.
Those values differ among distributions and there is no guarantee that they're
reserved. It's better to look them up based on HTTPD_USER's name.

https://fedorahosted.org/freeipa/ticket/5712

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-03-23 17:15:25 +01:00
David Kupka
2f51f0dce2 ipa-replica-install support caless install with promotion.
https://fedorahosted.org/freeipa/ticket/5441

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-12-03 09:32:39 +01:00
Tomas Babej
79f32a6dc4 custodia: Make sure container is created with first custodia replica
If a first 4.3+ replica is installed in the domain, the custodia
container does not exist. Make sure it is created to avoid failures
during key generation.

https://fedorahosted.org/freeipa/ticket/5474

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-11-30 11:54:44 +01:00
Martin Basti
a8c3d6fbb7 Upgrade: enable custodia service during upgrade
There was missing step in upgrade that enables the service in LDAP

https://fedorahosted.org/freeipa/ticket/5429

Reviewed-By: Gabe Alford <redhatrises@gmail.com>
2015-11-10 10:41:23 +01:00
Simo Sorce
bc39cc9f81 Allow to install the KRA on a promoted server
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-10-22 17:53:14 +02:00
Simo Sorce
86240938b5 Add function to extract CA certs for install
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-10-15 14:24:33 +02:00
Simo Sorce
d03619fff3 Implement replica promotion functionality
This patch implements a new flag --promote for the ipa-replica-install command
that allows an administrative user to 'promote' an already joined client to
become a full ipa server.

The only credentials used are that of an administrator. This code relies on
ipa-custodia being available on the peer master as well as a number of other
patches to allow a computer account to request certificates for its services.

Therefore this feature is marked to work only with domain level 1 and above
servers.

Ticket: https://fedorahosted.org/freeipa/ticket/2888

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-10-15 14:24:33 +02:00
Simo Sorce
463dda3067 Add ipa-custodia service
Add a customized Custodia daemon and enable it after installation.
Generates server keys and loads them in LDAP autonomously on install
or update.
Provides client code classes too.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-10-15 14:24:33 +02:00