diff options
| author | Martin Kosek <mkosek@redhat.com> | 2012-11-19 10:32:28 -0500 |
|---|---|---|
| committer | Rob Crittenden <rcritten@redhat.com> | 2012-12-07 11:00:17 -0500 |
| commit | 867f7691e9e8d4dc101d227ca56a94f9b947897f (patch) | |
| tree | dcd1529b6a530091bdb1f446b34bf71bae3836a9 | |
| parent | 0d836cd6ee9d7b29808cbf36582eed71a5b6a32a (diff) | |
| download | freeipa-867f7691e9e8d4dc101d227ca56a94f9b947897f.tar.gz freeipa-867f7691e9e8d4dc101d227ca56a94f9b947897f.tar.xz freeipa-867f7691e9e8d4dc101d227ca56a94f9b947897f.zip | |
Add OCSP and CRL URIs to certificates
Modify the default IPA CA certificate profile to include CRL and
OCSP extensions which will add URIs to IPA CRL&OCSP to published
certificates.
Both CRL and OCSP extensions have 2 URIs, one pointing directly to
the IPA CA which published the certificate and one to a new CNAME
ipa-ca.$DOMAIN which was introduced as a general CNAME pointing
to all IPA replicas which have CA configured.
The new CNAME is added either during new IPA server/replica/CA
installation or during upgrade.
https://fedorahosted.org/freeipa/ticket/3074
https://fedorahosted.org/freeipa/ticket/1431
| -rw-r--r-- | install/share/bind.zone.db.template | 3 | ||||
| -rwxr-xr-x | install/tools/ipa-ca-install | 23 | ||||
| -rwxr-xr-x | install/tools/ipa-replica-install | 6 | ||||
| -rwxr-xr-x | install/tools/ipa-server-install | 14 | ||||
| -rw-r--r-- | install/tools/ipa-upgradeconfig | 38 | ||||
| -rw-r--r-- | ipaserver/install/bindinstance.py | 62 | ||||
| -rw-r--r-- | ipaserver/install/cainstance.py | 150 |
7 files changed, 256 insertions, 40 deletions
diff --git a/install/share/bind.zone.db.template b/install/share/bind.zone.db.template index 157d05e55..5ee71d688 100644 --- a/install/share/bind.zone.db.template +++ b/install/share/bind.zone.db.template @@ -24,3 +24,6 @@ _kerberos-master._udp IN SRV 0 100 88 $HOST _kpasswd._tcp IN SRV 0 100 464 $HOST _kpasswd._udp IN SRV 0 100 464 $HOST $OPTIONAL_NTP + +; CNAME for IPA CA replicas (used for CRL, OCSP) +$IPA_CA_CNAME IN CNAME $HOST diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index aefcee8e5..f8f7e1d5d 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -31,17 +31,17 @@ from ipaserver.install import certs from ipaserver.install.installutils import HostnameLocalhost from ipaserver.install.installutils import ReplicaConfig, expand_replica_info, read_replica_info from ipaserver.install.installutils import get_host_name, BadHostError -from ipaserver.install import dsinstance, cainstance +from ipaserver.install import dsinstance, cainstance, bindinstance from ipaserver.install.replication import replica_conn_check from ipapython import version from ipalib import api, util +from ipapython.dn import DN from ipapython.config import IPAOptionParser from ipapython import sysrestore from ipapython import dogtag from ipapython.ipa_log_manager import * log_file_name = "/var/log/ipareplica-ca-install.log" -CACERT = "/etc/ipa/ca.crt" REPLICA_INFO_TOP_DIR = None def parse_options(): @@ -74,6 +74,22 @@ def parse_options(): def get_dirman_password(): return installutils.read_password("Directory Manager (existing master)", confirm=False, validate=False) +def install_dns_records(config, options): + + if not bindinstance.dns_container_exists(config.master_host_name, + ipautil.realm_to_suffix(config.realm_name), + dm_password=config.dirman_password): + return + + bind = bindinstance.BindInstance(dm_password=config.dirman_password) + try: + api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), + bind_pw=config.dirman_password) + bind.add_ipa_ca_cname(config.host_name, config.domain_name) + finally: + if api.Backend.ldap2.isconnected(): + api.Backend.ldap2.disconnect() + def main(): safe_options, options, filename = parse_options() @@ -176,6 +192,9 @@ def main(): CA.enable_client_auth_to_db() CA.restart() + # Install CA DNS records + install_dns_records(config, options) + # We need to restart apache as we drop a new config file in there ipaservices.knownservices.httpd.restart(capture_output=True) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index f041c58a8..7d7115cfd 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -247,7 +247,8 @@ def install_bind(config, options): print "Using reverse zone %s" % reverse_zone bind.setup(config.host_name, config.ip_address, config.realm_name, - config.domain_name, forwarders, options.conf_ntp, reverse_zone) + config.domain_name, forwarders, options.conf_ntp, reverse_zone, + ca_configured=options.setup_ca) bind.create_instance() print "" @@ -296,7 +297,8 @@ def install_dns_records(config, options): bind.add_master_dns_records(config.host_name, config.ip_address, config.realm_name, config.domain_name, - reverse_zone, options.conf_ntp) + reverse_zone, options.conf_ntp, + options.setup_ca) def check_dirsrv(): (ds_unsecure, ds_secure) = dsinstance.check_ports() diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 92e9dcf2f..306d1e07b 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -965,8 +965,8 @@ def main(): ca = cainstance.CAInstance(realm_name, certs.NSS_DIR, dogtag_constants=dogtag.install_constants) if external == 0: - ca.configure_instance(host_name, dm_password, dm_password, - subject_base=options.subject) + ca.configure_instance(host_name, domain_name, dm_password, + dm_password, subject_base=options.subject) elif external == 1: # stage 1 of external CA installation options.realm_name = realm_name @@ -979,12 +979,13 @@ def main(): options.forwarders = dns_forwarders options.reverse_zone = reverse_zone write_cache(vars(options)) - ca.configure_instance(host_name, dm_password, dm_password, - csr_file="/root/ipa.csr", + ca.configure_instance(host_name, domain_name, dm_password, + dm_password, csr_file="/root/ipa.csr", subject_base=options.subject) else: # stage 2 of external CA installation - ca.configure_instance(host_name, dm_password, dm_password, + ca.configure_instance(host_name, domain_name, dm_password, + dm_password, cert_file=options.external_cert_file, cert_chain_file=options.external_ca_file, subject_base=options.subject) @@ -1079,7 +1080,8 @@ def main(): options.conf_ntp, reverse_zone, zonemgr=options.zonemgr, zone_refresh=options.zone_refresh, persistent_search=options.persistent_search, - serial_autoincrement=options.serial_autoincrement) + serial_autoincrement=options.serial_autoincrement, + ca_configured=not options.selfsign) if options.setup_dns: api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=dm_password) diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 12e96cfb7..096d4d649 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -30,6 +30,7 @@ try: from ipapython.ipa_log_manager import * from ipapython import certmonger from ipapython import dogtag + from ipapython.dn import DN from ipaserver.install import installutils from ipaserver.install import dsinstance from ipaserver.install import httpinstance @@ -47,6 +48,7 @@ try: import pwd import fileinput from ipalib import api + import ipalib.util import ipalib.errors except ImportError: print >> sys.stderr, """\ @@ -307,7 +309,7 @@ def setup_firefox_extension(fstore): http.setup_firefox_extension(realm, domain) -def upgrade_ipa_profile(ca): +def upgrade_ipa_profile(ca, domain, fqdn): """ Update the IPA Profile provided by dogtag @@ -321,7 +323,8 @@ def upgrade_ipa_profile(ca): else: root_logger.debug('Subject Key Identifier already set.') audit = ca.set_audit_renewal() - if audit or ski: + uri = ca.set_crl_ocsp_extensions(domain, fqdn) + if audit or ski or uri: return True else: root_logger.info('CA is not configured') @@ -575,6 +578,32 @@ def migrate_crl_publish_dir(ca): 'request pki-ca restart') return True +def add_server_cname_records(): + root_logger.info('[Add missing server CNAME records]') + + if not sysupgrade.get_upgrade_state('dns', 'ipa_ca_cname'): + try: + api.Backend.ldap2.connect(autobind=True) + except ipalib.errors.PublicError, e: + root_logger.error("Cannot connect to LDAP to add DNS records: %s", e) + else: + ret = api.Command['dns_is_enabled']() + if not ret['result']: + root_logger.info('DNS is not configured') + sysupgrade.set_upgrade_state('dns', 'ipa_ca_cname', True) + return + + bind = bindinstance.BindInstance() + # DNS is enabled, so let bindinstance find out if CA is enabled + # and let it add the CNAME in that case + bind.add_ipa_ca_cname(api.env.host, api.env.domain, ca_configured=None) + sysupgrade.set_upgrade_state('dns', 'ipa_ca_cname', True) + finally: + if api.Backend.ldap2.isconnected(): + api.Backend.ldap2.disconnect() + else: + root_logger.info('IPA CA CNAME already processed') + def main(): """ Get some basics about the system. If getting those basics fail then @@ -602,7 +631,7 @@ def main(): fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') - api.bootstrap(context='restart') + api.bootstrap(context='restart', in_server=True) api.finalize() fqdn = find_hostname() @@ -667,13 +696,14 @@ def main(): cleanup_kdc(fstore) setup_firefox_extension(fstore) + add_server_cname_records() changed_psearch = named_enable_psearch() changed_autoincrement = named_enable_serial_autoincrement() if changed_psearch or changed_autoincrement: # configuration has changed, restart the name server root_logger.info('Changes to named.conf have been made, restart named') bindinstance.BindInstance(fstore).restart() - ca_restart = ca_restart or enable_certificate_renewal(ca) or upgrade_ipa_profile(ca) + ca_restart = ca_restart or enable_certificate_renewal(ca) or upgrade_ipa_profile(ca, api.env.domain, fqdn) if ca_restart: root_logger.info('pki-ca configuration changed, restart pki-ca') diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 8a77edfa0..a528320c8 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -28,6 +28,7 @@ import ldap import service from ipaserver import ipaldap from ipaserver.install.dsinstance import realm_to_serverid +from ipaserver.install.cainstance import IPA_CA_CNAME from ipaserver.install.installutils import resolve_host from ipapython import sysrestore from ipapython import ipautil @@ -330,7 +331,7 @@ def del_rr(zone, name, type, rdata): delkw = { '%srecord' % str(type.lower()) : unicode(rdata) } try: api.Command.dnsrecord_del(unicode(zone), unicode(name), **delkw) - except (errors.NotFound, errors.EmptyModlist): + except (errors.NotFound, errors.AttrValueNotFound, errors.EmptyModlist): pass def get_rr(zone, name, type): @@ -430,7 +431,8 @@ class BindInstance(service.Service): def setup(self, fqdn, ip_address, realm_name, domain_name, forwarders, ntp, reverse_zone, named_user="named", zonemgr=None, - zone_refresh=0, persistent_search=True, serial_autoincrement=True): + zone_refresh=0, persistent_search=True, serial_autoincrement=True, + ca_configured=None): self.named_user = named_user self.fqdn = fqdn self.ip_address = ip_address @@ -444,6 +446,7 @@ class BindInstance(service.Service): self.zone_refresh = zone_refresh self.persistent_search = persistent_search self.serial_autoincrement = serial_autoincrement + self.ca_configured = ca_configured if not zonemgr: self.zonemgr = 'hostmaster.%s' % self.domain @@ -497,6 +500,7 @@ class BindInstance(service.Service): if self.reverse_zone is not None: self.step("setting up reverse zone", self.__setup_reverse_zone) self.step("setting up our own record", self.__add_self) + self.step("setting up CA CNAME record", self.__add_ipa_ca_cname) self.step("setting up kerberos principal", self.__setup_principal) self.step("setting up named.conf", self.__setup_named_conf) @@ -556,6 +560,7 @@ class BindInstance(service.Service): OPTIONAL_NTP=optional_ntp, ZONEMGR=self.zonemgr, ZONE_REFRESH=self.zone_refresh, + IPA_CA_CNAME=IPA_CA_CNAME, PERSISTENT_SEARCH=boolean_var['persistent_search'], SERIAL_AUTOINCREMENT=boolean_var['serial_autoincrement'],) @@ -582,6 +587,28 @@ class BindInstance(service.Service): def __add_self_ns(self): add_ns_rr(self.domain, api.env.host, self.dns_backup, force=True) + def __add_ipa_ca_cname(self): + if self.ca_configured is False: + root_logger.debug("CA is not configured, skip this step") + return + elif self.ca_configured is None: + # we do not know if CA is configured for this host and we can + # add the CA CNAME record. So we need to find out + root_logger.debug("Check if CA is enabled for this host") + base_dn = DN(('cn', api.env.host), ('cn', 'masters'), ('cn', 'ipa'), + ('cn', 'etc'), api.env.basedn) + ldap_filter = '(&(objectClass=ipaConfigObject)(cn=CA))' + try: + api.Backend.ldap2.find_entries(filter=ldap_filter, base_dn=base_dn) + except ipalib.errors.NotFound: + # CA is not configured + root_logger.debug("CA is not configured") + return + else: + root_logger.debug("CA is configured for this host, continue") + + add_rr(self.domain, IPA_CA_CNAME, "CNAME", self.host_in_rr) + def __add_self(self): zone = self.domain resource_records = ( @@ -681,7 +708,7 @@ class BindInstance(service.Service): resolv_fd.close() def add_master_dns_records(self, fqdn, ip_address, realm_name, domain_name, - reverse_zone, ntp=False): + reverse_zone, ntp=False, ca_configured=None): self.fqdn = fqdn self.ip_address = ip_address self.realm = realm_name @@ -690,23 +717,36 @@ class BindInstance(service.Service): self.suffix = ipautil.realm_to_suffix(self.realm) self.ntp = ntp self.reverse_zone = reverse_zone + self.ca_configured = ca_configured self.__add_self() + self.__add_ipa_ca_cname() + + def add_ipa_ca_cname(self, fqdn, domain_name, ca_configured=True): + self.host = fqdn.split(".")[0] + self.fqdn = fqdn + self.domain = domain_name + self.ca_configured = ca_configured + self.__add_ipa_ca_cname() def remove_master_dns_records(self, fqdn, realm_name, domain_name): host = fqdn.split(".")[0] + self.host = host + self.fqdn = fqdn + self.domain = domain_name suffix = ipautil.realm_to_suffix(realm_name) zone = domain_name resource_records = ( - ("_ldap._tcp", "SRV", "0 100 389 %s" % host), - ("_kerberos._tcp", "SRV", "0 100 88 %s" % host), - ("_kerberos._udp", "SRV", "0 100 88 %s" % host), - ("_kerberos-master._tcp", "SRV", "0 100 88 %s" % host), - ("_kerberos-master._udp", "SRV", "0 100 88 %s" % host), - ("_kpasswd._tcp", "SRV", "0 100 464 %s" % host), - ("_kpasswd._udp", "SRV", "0 100 464 %s" % host), - ("_ntp._udp", "SRV", "0 100 123 %s" % host), + ("_ldap._tcp", "SRV", "0 100 389 %s" % self.host_in_rr), + ("_kerberos._tcp", "SRV", "0 100 88 %s" % self.host_in_rr), + ("_kerberos._udp", "SRV", "0 100 88 %s" % self.host_in_rr), + ("_kerberos-master._tcp", "SRV", "0 100 88 %s" % self.host_in_rr), + ("_kerberos-master._udp", "SRV", "0 100 88 %s" % self.host_in_rr), + ("_kpasswd._tcp", "SRV", "0 100 464 %s" % self.host_in_rr), + ("_kpasswd._udp", "SRV", "0 100 464 %s" % self.host_in_rr), + ("_ntp._udp", "SRV", "0 100 123 %s" % self.host_in_rr), + (IPA_CA_CNAME, "CNAME", self.host_in_rr), ("@", "NS", fqdn+"."), ) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 418267f6c..18c787769 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -66,6 +66,9 @@ DEFAULT_DSPORT = dogtag.install_constants.DS_PORT PKI_USER = "pkiuser" PKI_DS_USER = dogtag.install_constants.DS_USER +# When IPA is installed with DNS support, this CNAME should hold all IPA +# replicas with CA configured +IPA_CA_CNAME = "ipa-ca" # We need to reset the template because the CA uses the regular boot # information @@ -497,6 +500,7 @@ class CAInstance(service.Service): self.dm_password = None self.admin_password = None self.fqdn = None + self.domain = None self.pkcs12_info = None self.clone = False @@ -516,7 +520,7 @@ class CAInstance(service.Service): self.ra_agent_db = ra_db self.ra_agent_pwd = self.ra_agent_db + "/pwdfile.txt" self.ds_port = DEFAULT_DSPORT - self.domain_name = "IPA" + self.security_domain_name = "IPA" self.server_root = dogtag_constants.SERVER_ROOT self.ra_cert = None self.requestId = None @@ -534,7 +538,7 @@ class CAInstance(service.Service): return os.path.exists(os.path.join( self.server_root, self.dogtag_constants.PKI_INSTANCE_NAME)) - def configure_instance(self, host_name, dm_password, + def configure_instance(self, host_name, domain, dm_password, admin_password, ds_port=DEFAULT_DSPORT, pkcs12_info=None, master_host=None, csr_file=None, cert_file=None, cert_chain_file=None, @@ -552,6 +556,7 @@ class CAInstance(service.Service): csr_file. For step 2 set cert_file and cert_chain_file. """ self.fqdn = host_name + self.domain = domain self.dm_password = dm_password self.admin_password = admin_password self.ds_port = ds_port @@ -596,6 +601,7 @@ class CAInstance(service.Service): self.step("set up CRL publishing", self.__enable_crl_publish) self.step("set certificate subject base", self.__set_subject_in_config) self.step("enabling Subject Key Identifier", self.enable_subject_key_identifier) + self.step("enabling CRL and OCSP extensions for certificates", self.__set_crl_ocsp_extensions) self.step("setting audit signing renewal to 2 years", self.set_audit_renewal) self.step("configuring certificate server to start on boot", self.__enable) if not self.clone: @@ -633,7 +639,7 @@ class CAInstance(service.Service): "pki_client_database_password": self.admin_password, "pki_client_database_purge": "False", "pki_client_pkcs12_password": self.admin_password, - "pki_security_domain_name": self.domain_name, + "pki_security_domain_name": self.security_domain_name, "pki_admin_name": "admin", "pki_admin_uid": "admin", "pki_admin_email": "root@localhost", @@ -800,7 +806,7 @@ class CAInstance(service.Service): "-client_certdb_dir", self.ca_agent_db, "-client_certdb_pwd", self.admin_password, "-preop_pin" , preop_pin, - "-domain_name", self.domain_name, + "-domain_name", self.security_domain_name, "-admin_user", "admin", "-admin_email", "root@localhost", "-admin_password", self.admin_password, @@ -1239,6 +1245,124 @@ class CAInstance(service.Service): return publishdir + def __set_crl_ocsp_extensions(self): + self.set_crl_ocsp_extensions(self.domain, self.fqdn) + + def set_crl_ocsp_extensions(self, domain, fqdn): + """ + Configure CRL and OCSP extensions in default IPA certificate profile + if not done already. + """ + changed = False + + # OCSP extension + ocsp_location_0 = installutils.get_directive( + self.dogtag_constants.IPA_SERVICE_PROFILE, + 'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0', + separator='=') + + if not ocsp_location_0: + # Set the first OCSP URI + installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, + 'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0', + 'https://%s.%s/ca/ocsp' % (IPA_CA_CNAME, ipautil.format_netloc(domain)), + quotes=False, separator='=') + changed = True + + ocsp_profile_count = installutils.get_directive( + self.dogtag_constants.IPA_SERVICE_PROFILE, + 'policyset.serverCertSet.5.default.params.authInfoAccessNumADs', + separator='=') + + if ocsp_profile_count == '1': + # add the second OCSP URI + installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, + 'policyset.serverCertSet.5.default.params.authInfoAccessADEnable_1', + 'true', quotes=False, separator='=') + installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, + 'policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_1', + 'URIName', quotes=False, separator='=') + installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, + 'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_1', + 'http://%s/ca/ocsp' % ipautil.format_netloc(fqdn), + quotes=False, separator='=') + installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, + 'policyset.serverCertSet.5.default.params.authInfoAccessADMethod_1', + '1.3.6.1.5.5.7.48.1', quotes=False, separator='=') + installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, + 'policyset.serverCertSet.5.default.params.authInfoAccessNumADs', + '2', quotes=False, separator='=') + changed = True + + + # CRL extension + crl_issuer_0 = installutils.get_directive( + self.dogtag_constants.IPA_SERVICE_PROFILE, + 'policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0', + separator='=') + + if not crl_issuer_0: + installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, + 'policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0', + 'CN=Certificate Authority,o=ipaca', quotes=False, separator='=') + installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, + 'policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0', + 'DirectoryName', quotes=False, separator='=') + installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, + 'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0', + 'https://%s.%s/ipa/crl/MasterCRL.bin'% (IPA_CA_CNAME, ipautil.format_netloc(domain)), + quotes=False, separator='=') + changed = True + + crl_profile_count = installutils.get_directive( + self.dogtag_constants.IPA_SERVICE_PROFILE, + 'policyset.serverCertSet.9.default.params.crlDistPointsNum', + separator='=') + + if crl_profile_count == '1': + installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, + 'policyset.serverCertSet.9.default.params.crlDistPointsEnable_1', + 'true', quotes=False, separator='=') + installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, + 'policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_1', + 'CN=Certificate Authority,o=ipaca', quotes=False, separator='=') + installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, + 'policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_1', + 'DirectoryName', quotes=False, separator='=') + installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, + 'policyset.serverCertSet.9.default.params.crlDistPointsPointName_1', + 'https://%s/ipa/crl/MasterCRL.bin' % ipautil.format_netloc(fqdn), + quotes=False, separator='=') + installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, + 'policyset.serverCertSet.9.default.params.crlDistPointsPointType_1', + 'URIName', quotes=False, separator='=') + installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, + 'policyset.serverCertSet.9.default.params.crlDistPointsReasons_1', + '', quotes=False, separator='=') + installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, + 'policyset.serverCertSet.9.default.params.crlDistPointsNum', + '2', quotes=False, separator='=') + changed = True + + # CRL extension is not enabled by default + setlist = installutils.get_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, + 'policyset.serverCertSet.list', separator='=') + new_set_list = None + + if setlist == '1,2,3,4,5,6,7,8': + new_set_list = '1,2,3,4,5,6,7,8,9' + elif setlist == '1,2,3,4,5,6,7,8,10': + new_set_list = '1,2,3,4,5,6,7,8,9,10' + + if new_set_list: + installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, + 'policyset.serverCertSet.list', + new_set_list, quotes=False, separator='=') + changed = True + + return changed + + def __enable_crl_publish(self): """ Enable file-based CRL publishing and disable LDAP publishing. @@ -1279,12 +1403,6 @@ class CAInstance(service.Service): installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapUserCertRule.enable', 'false', quotes=False, separator='=') installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapXCertRule.enable', 'false', quotes=False, separator='=') - # Fix the CRL URI in the profile - installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, - 'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0', - 'https://%s/ipa/crl/MasterCRL.bin' % ipautil.format_netloc(self.fqdn), - quotes=False, separator='=') - # If we are the initial master then we are the CRL generator, otherwise # we point to that master for CRLs. if not self.clone: @@ -1484,11 +1602,12 @@ class CAInstance(service.Service): # this is the default setting from pki-ca/pki-tomcat. Don't touch it # if a user has manually modified it. - if setlist == '1,2,3,4,5,6,7,8': + if setlist == '1,2,3,4,5,6,7,8' or setlist == '1,2,3,4,5,6,7,8,9': + setlist = setlist + ',10' installutils.set_directive( self.dogtag_constants.IPA_SERVICE_PROFILE, 'policyset.serverCertSet.list', - '1,2,3,4,5,6,7,8,10', + setlist, quotes=False, separator='=') installutils.set_directive( self.dogtag_constants.IPA_SERVICE_PROFILE, @@ -1676,8 +1795,9 @@ def install_replica_ca(config, master_ds_port, postinstall=False): # If installing this afterward the Apache NSS database already # exists, don't remove it. ca.create_ra_agent_db = False - ca.configure_instance(config.host_name, config.dirman_password, - config.dirman_password, pkcs12_info=(cafile,), + ca.configure_instance(config.host_name, config.domain_name, + config.dirman_password, config.dirman_password, + pkcs12_info=(cafile,), master_host=config.master_host_name, master_replication_port=master_ds_port, subject_base=config.subject_base) @@ -1740,4 +1860,4 @@ if __name__ == "__main__": ds = dsinstance.DsInstance() ca = CAInstance("EXAMPLE.COM", "/etc/httpd/alias") - ca.configure_instance("catest.example.com", "password", "password") + ca.configure_instance("catest.example.com", "example.com", "password", "password") |