author | Endi S. Dewata <edewata@redhat.com> | 2015-08-22 01:14:16 +0200 |
committer | Petr Vobornik <pvoborni@redhat.com> | 2015-08-26 13:49:57 +0200 |
commit | 4e474c5a20b91d4eed75f514f801b40f1f291e65 (patch) | |
tree | c90597d162220f0186b65f0204cf1b6495a96bf7 | |
parent | b1f1dcaab3c2b4799ef12a417a9998d7556496af (diff) | |
Removed clear text passwords from KRA install log.
The ipa-kra-install tool has been modified to use password files
instead of clear text passwords when invoking the pki tool, so that
the passwords are no longer visible in ipaserver-kra-install.log.
https://fedorahosted.org/freeipa/ticket/5246
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-rw-r--r-- | ipaplatform/base/paths.py | 2 | ||||
-rw-r--r-- | ipaserver/install/krainstance.py | 16 |
2 files changed, 10 insertions, 8 deletions
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 0dd3c7fda..5c8f25d6e 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -343,6 +343,8 @@ class BasePathNamespace(object):
 SLAPD_INSTANCE_SOCKET_TEMPLATE = "/var/run/slapd-%s.socket"
 ALL_SLAPD_INSTANCE_SOCKETS = "/var/run/slapd-*.socket"
 ADMIN_CERT_PATH = '/root/.dogtag/pki-tomcat/ca_admin.cert'
+ KRA_NSSDB_PASSWORD_FILE = "/root/.dogtag/pki-tomcat/kra/password.conf"
+ KRA_PKCS12_PASSWORD_FILE = "/root/.dogtag/pki-tomcat/kra/pkcs12_password.conf"
 ENTROPY_AVAIL = '/proc/sys/kernel/random/entropy_avail'
 LDIF2DB = '/usr/sbin/ldif2db'
 DB2LDIF = '/usr/sbin/db2ldif'
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index fa50c3dec..e5cdbf5e7 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -275,16 +275,16 @@ class KRAInstance(DogtagInstance):
 # import CA certificate into temporary security database
 args = ["/usr/bin/pki",
 "-d", self.agent_db,
- "-c", self.admin_password,
+ "-C", paths.KRA_NSSDB_PASSWORD_FILE,
 "client-cert-import",
 "--pkcs12", paths.KRACERT_P12,
- "--pkcs12-password", self.admin_password]
+ "--pkcs12-password-file", paths.KRA_PKCS12_PASSWORD_FILE]
 ipautil.run(args)
 # trust CA certificate
 args = ["/usr/bin/pki",
 "-d", self.agent_db,
- "-c", self.admin_password,
+ "-C", paths.KRA_NSSDB_PASSWORD_FILE,
 "client-cert-mod", "Certificate Authority - %s" % api.env.realm,
 "--trust", "CT,c,"]
 ipautil.run(args)
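Review bot: The two new constants KRA_NSSDB_PASSWORD_FILE and KRA_PKCS12_PASSWORD_FILE name files whose content is a secret, but nothing in paths.py distinguishes them from the ordinary path constants around them, and the diff does not show which step writes them. A one-line comment above the pair, `# clear-text password files consumed by the KRA install via pki -C / --pkcs12-password-file`, would tell a maintainer that these paths must not be logged, copied into reports or left behind after install. The enclosing class BasePathNamespace starts and ends outside the hunk.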
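Review bot: The new `-C` and `--pkcs12-password-file` arguments assume that paths.KRA_NSSDB_PASSWORD_FILE and paths.KRA_PKCS12_PASSWORD_FILE already exist and contain the password that self.admin_password previously carried, yet the diffstat shows all 16 changed lines in krainstance.py are these argument swaps, so no hunk creates, verifies or removes those files; a missing or stale file will surface only as an opaque pki failure out of ipautil.run. A guard before the first invocation, `if not os.path.isfile(paths.KRA_NSSDB_PASSWORD_FILE): raise RuntimeError("KRA NSS DB password file missing")` (assuming os is imported in this module), or at least a comment naming the step that writes those files, would make the dependency explicit; the same applies to the hunks at @@ -292, @@ -310 and @@ -330. Moving the secret off the command line keeps it out of ipaserver-kra-install.log and the process list, but it now sits in clear text under /root/.dogtag, so the files' permissions and their removal once the install finishes are worth confirming outside this diff. The enclosing method begins before this hunk and is not shown.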
@@ -292,16 +292,16 @@ class KRAInstance(DogtagInstance):
 # import Dogtag admin certificate into temporary security database
 args = ["/usr/bin/pki",
 "-d", self.agent_db,
- "-c", self.admin_password,
+ "-C", paths.KRA_NSSDB_PASSWORD_FILE,
 "client-cert-import",
 "--pkcs12", paths.DOGTAG_ADMIN_P12,
- "--pkcs12-password", self.admin_password]
+ "--pkcs12-password-file", paths.KRA_PKCS12_PASSWORD_FILE]
 ipautil.run(args)
 # as Dogtag admin, create ipakra user in KRA
 args = ["/usr/bin/pki",
 "-d", self.agent_db,
- "-c", self.admin_password,
+ "-C", paths.KRA_NSSDB_PASSWORD_FILE,
 "-n", "ipa-ca-agent",
 "kra-user-add", "ipakra",
 "--fullName", "IPA KRA User"]
@@ -310,7 +310,7 @@ class KRAInstance(DogtagInstance):
 # as Dogtag admin, add ipakra into KRA agents group
 args = ["/usr/bin/pki",
 "-d", self.agent_db,
- "-c", self.admin_password,
+ "-C", paths.KRA_NSSDB_PASSWORD_FILE,
 "-n", "ipa-ca-agent",
 "kra-user-membership-add", "ipakra", "Data Recovery Manager Agents"]
 ipautil.run(args)
@@ -330,7 +330,7 @@ class KRAInstance(DogtagInstance):
 # as Dogtag admin, upload and assign ipaCert to ipakra
 args = ["/usr/bin/pki",
 "-d", self.agent_db,
- "-c", self.admin_password,
+ "-C", paths.KRA_NSSDB_PASSWORD_FILE,
 "-n", "ipa-ca-agent",
 "kra-user-cert-add", "ipakra", "--input", filename] |