Run all commands as pkiuser when validating that the HSM token
is available, that the token library path is correct and that
the password can read keys. This will avoid issues where the
initial validation is ok but the pkiuser is not granted read
access to some part of the token. This is very possible
when using softhsm2.
Fixes: https://pagure.io/freeipa/issue/9626
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
I made a mistake when trying to detect which HSM is being used
to ensure that the appropriate SELinux subpackage is installed.
Fixes: https://pagure.io/freeipa/issue/9636
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
hsm_validator() was more or less bolted in place late in the
development cycle in in order to catch some of the more common
problems: bad token name, bad password, etc.
There was a fair bit of duplication and had the side-effect of not
reading in the token password from the --token-password-file option
in some cases.
This patch also re-adds a lost feature where an exception is raised if
both the --token-password and --token-password-file options are passed
in.
This also needs to be enforced on initial server, replica and when
called by ipa-kra-install. Given that each has a unique subject of
options some duplication remains.
Fixes: https://pagure.io/freeipa/issue/9603
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
If there is no token name it is safe to assume that an HSM
installation is not requested. The validator assumes that if
there is a token name then the library and password are also
provided.
Fixes: https://pagure.io/freeipa/issue/9593
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Don't blow up if the expected module is not installed but warn
about it. Hopefully users will actually read the output and/or the
installation log.
This is done by looking for strings in the path. Not great but
it's at least something.
Related: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
hsm_validator was validating that the token was available but
not that the provided password worked. Add that capability.
Also call it early in the CA and KRA installation cycle so that
it errors out early. This is particularly important for the KRA
because there is no uninstaller.
Bump the minimum PKI release to 11.5.0 as that contains important
fixes for the HSM.
Remove an unused arguments to hsm_version and hsm_validator.
Related: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
If the password wasn't provided by --token-password then an empty
value would be passed into the CA installer which promptly failed.
Related: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
It would fail eventually with the output in the CA logs but it
wasn't always very obvious and you had to wait a while to find
out about a typo.
Scraping modutil output is a bit ugly but it is guaranteed
to be installed and this should work both with p11-kit and
without.
Related: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The bulk of the installer effort to enable HSM support without
having to provide an override file.
This pulls the HSM configuration from a remote server when installing
a replica so that the token name and library don't need to be
passed with every installation.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
We don't export the CA certificates on an HSM installation
because an HSM won't allow the private keys to leave the
HSM, by design.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This should not have been gated on options.setup_ca because we need
the RA agent on all servers if there is a CA in the topology otherwise
the non-CA servers won't be able to communicate with the CA.
Fixes: https://pagure.io/freeipa/issue/9510
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The uninstaller is stopping all the services before
calling pkidestroy to uninstall the CA.
With PKI 11.4+ this sequence fails as pkidestroy tries
to connect to PKI server in order to unregister from the
security domain. The error interrupts the full completion
of pkidestroy, is logged but doesn't make ipa uninstallation
fail.
The issue is that trying to re-install later on would fail because
pkidestroy did not completely uninstall the CA.
To avoid this, call pkidestroy before shutting down the services.
Also add an uninstall_check method that restarts IPA if it is
not running, and use pkidestroy --force to make sure that PKI
is uninstalled even if restart failed.
Fixes: https://pagure.io/freeipa/issue/9330
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Cleanup up no longer used Pylint's disables where possible.
Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
It required support in dogtag which was added in 10.5.0.
This is only easily configurable during installation because
it will set ca.signing.defaultSigningAlgorithm to the
selected algorithm in CS.cfg
The certificate profiles will generally by default set
default.params.signingAlg=- which means use the CA default.
So while an existing installation will technically allow
SHA384withRSA it will require profile changes and/or
changing the defaultSigningAlgorithm in CS.cfg and
restarting (completely untested). And that won't affect
already issued-certificates.
https://pagure.io/freeipa/issue/8906
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This option was inconsistent between invocations and there is
no need to stop certmonger after stopping tracking. It was also
apparently causing dbus timeout errors, probably due to the amount
of work that certmonger does at startup.
https://pagure.io/freeipa/issue/8506https://pagure.io/freeipa/issue/8533
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
certmonger was later restarted to remove the custom CA entries
and the startup delay sometimes caused uninstallation to fail.
certmonger is stopped in cainstance.py::uninstall() so it will
still be stopped post-install.
https://pagure.io/freeipa/issue/8533
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
As we expand the integration tests for external CA functionality, it
is helpful (and avoids duplication) to use the MSCSTemplate*
classes. These currently live in ipaserver.install.cainstance, but
ipatests is no longer permitted to import from ipaserver (see commit
81714976e5e13131654c78eb734746a20237c933). So move these classes to
ipalib.
Part of: https://pagure.io/freeipa/issue/7548
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
When creating ipa-client-samba tool, few common routines from the server
installer code became useful for the client code as well.
Move them to ipapython.ipautil and update references as well.
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Allow to specify a pki.ini overlay file on the command line. The override
file can be used to override pkispawn settings.
Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When uninstalling a cluster and only hidden servers are left,
config-show can return a result set without ipa_master_server entry.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
If ipa-server-install --uninstall is called on a server that
is CRL generation master, refuse uninstallation unless
--ignore-last-of-role is specified or (in interactive mode)
the admin is OK to force uninstallation.
Related to https://pagure.io/freeipa/issue/5803
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
On a replica, 389-DS is already configured for secure connections when
the CA is installed.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The helper function realm_to_serverid() and realm_to_ldap_uri() are
useful outside the server installation framework. They are now in
ipapython.ipaldap along other helpers for LDAP handling in FreeIPA.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
On Python 3, six.text_type (singular) is an alias for str.
See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
cainstance.replica_ca_install_check is only used in ca.install_check if
replica_config is not None (replica installation). As it is immediately
stopped if promote is not set, therefore it can be removed.
The check for cafile in ca.install_check has been dropped. promote is set
to True in ca.install_step_0 if replica_config is not None for
cainstance.configure_instance.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Fix 994f71ac8a was incomplete. Under some
circumstancs the DM hash and CA keys were still retrieved from two different
machines.
Custodia client now uses a single remote to upload keys and download all
secrets.
Fixes: https://pagure.io/freeipa/issue/7518
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
The installer reports the CA configuration that will be used,
including whether the CA is self-signed or externally-signed.
Installation with external CA takes two steps. The first step
correctly reports the externally signed configuration (like the
above), but the second step reports a self-signed configuration.
The CA *is* externally signed, but the configuration gets reported
incorrectly at step 2. This could confuse the administrator. Fix
the message.
Fixes: https://pagure.io/freeipa/issue/7523
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Installers now pass a single CustodiaInstance object around, instead of
creating new instances on demand. In case of replica promotion with CA,
the instance gets all secrets from a master with CA present. Before, an
installer created multiple instances and may have requested CA key
material from a different machine than DM password hash.
In case of Domain Level 1 and replica promotion, the CustodiaInstance no
longer adds the keys to the local instance and waits for replication to
other replica. Instead the installer directly uploads the new public
keys to the remote 389-DS instance.
Without promotion, new Custodia public keys are still added to local
389-DS over LDAPI.
Fixes: https://pagure.io/freeipa/issue/7518
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Add absolute_import from __future__ so that pylint
does not fail and to achieve python3 behavior in
python2.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The installer now checks that port 8080 is available and not in use by
any other application.
The port checker has been rewritten to use bind() rather than just
checking if a server responds on localhost. It's much more reliable and
detects more problems.
Original patch by m3gat0nn4ge.
Co-authored-by: Mega Tonnage <m3gat0nn4ge@gmail.com>
Fixes: https://pagure.io/freeipa/issue/7415
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Rather than passing around the path to CS.cfg for the CA and KRA
set it at object creation and use everywhere.
Make update_cert_config() a real class method instead of a static
method. It wasn't being called that way in any case and makes it
possible to use the class config file.
Related: https://pagure.io/freeipa/issue/6703
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Currently we do not report what Subject DN or subject base will be
used for the CA installation. This leads to situations where the
administrator wants a different Subject DN later. Display these
data as part of the "summary" prior to the final go/no-go prompt in
ipa-server-install and ipa-ca-install.
The go/no-go prompt in ipa-ca-install is new. It is suppressed for
unattended installations.
Fixes: https://pagure.io/freeipa/issue/7246
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Replace custom file_exists() and dir_exists() functions with proper
functions from Python's stdlib.
The change also gets rid of pylint's invalid bad-python3-import error,
https://github.com/PyCQA/pylint/issues/1565
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Allow the MS/AD-CS target certificate template to be specified by
name or OID, via the new option --external-ca-profile.
Part of: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
We were trying to load a certificate as a string even though it
was an object already.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
Splitting the load_certificate() function into two separate helps
us word the requirements for the input explicitly. It also makes
our backend similar to the one of python-cryptography so eventually
we can swap python-cryptography for IPA x509 module.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add named constants for common trust flag combinations.
Use the named constants instead of trust flags strings in the code.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
CertDB would have always created a directory on initialization. This
behavior changes here by replacing the truncate argument with create
which will only create the database when really required.
https://pagure.io/freeipa/issue/6853
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Re-introduce option groups in ipa-client-install, ipa-server-install and
ipa-replica-install.
https://pagure.io/freeipa/issue/6392
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The "ipaCert" nicknamed certificate is not required to be
in /var/lib/ipa/radb NSSDB anymore as we were keeping a copy
of this file in a separate file anyway. Remove it from there
and track only the file. Remove the IPA_RADB_DIR as well as
it is not required anymore.
https://fedorahosted.org/freeipa/ticket/5695https://fedorahosted.org/freeipa/ticket/6680
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The ra_db argument to CAInstance init is a constant so it can
be removed. This constant corresponds to the default CertDB directory
and since CertDB now passes passwords to its inner NSSDatabase instance
we do need to care about having our own run_certutil() method.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
This is in preparation for separating out the user under which the
ipa api framework runs as.
This commit also removes certs.NSS_DIR to avoid confusion and replaces
it where appropriate with the correct NSS DB directory, either the old
HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is
removed altogether as it was simply not necessary.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Update man pages and help output to indicate that --subject-base and
--ca-subject options interpret their arguments in LDAP order.
Fixes: https://fedorahosted.org/freeipa/ticket/6455
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Currently only the "subject base" of the IPA CA subject DN can be
customised, via the installer's --subject-base option. The RDN
"CN=Certificate Authority" is appended to form the subject DN, and
this composition is widely assumed.
Some administrators need more control over the CA subject DN,
especially to satisfy expectations of external CAs when the IPA CA
is to be externally signed.
This patch adds full customisability of the CA subject DN.
Specifically:
- Add the --ca-subject option for specifying the full IPA CA subject
DN. Defaults to "CN=Certificate Authority, O=$SUBJECT_BASE".
- ipa-ca-install, when installing a CA in a previous CA-less
topology, updates DS certmap.conf with the new new CA subject DN.
- DsInstance.find_subject_base no longer looks in certmap.conf,
because the CA subject DN can be unrelated to the subject base.
Fixes: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>