author | Jan Cholasta <jcholast@redhat.com> | 2014-07-17 11:47:26 +0200 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-07-30 16:04:21 +0200 |
commit | 044c5c833a83a541f97785279acfe8e113035b3d (patch) | |
tree | f2f0dcabd1c2754a9e07060acf919cb0cdf9437b | |
parent | 03b29b4c8e4109bbfbc1468baa60b521bc32cdb1 (diff) | |
Enable NSS PKIX certificate path discovery and validation for Dogtag.
Part of https://fedorahosted.org/freeipa/ticket/3737
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-rw-r--r-- | install/tools/ipa-upgradeconfig | 18 | ||||
-rw-r--r-- | ipaplatform/base/paths.py | 1 | ||||
-rw-r--r-- | ipapython/dogtag.py | 2 | ||||
-rw-r--r-- | ipaserver/install/cainstance.py | 6 |
4 files changed, 27 insertions, 0 deletions
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index e24a6658c..adf6c8d84 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -833,6 +833,23 @@ def migrate_crl_publish_dir(ca):
                      'request pki-ca restart')
     return True
 
+
+def ca_enable_pkix(ca):
+    root_logger.info('[Enable PKIX certificate path discovery and validation]')
+    if sysupgrade.get_upgrade_state('dogtag', 'pkix_enabled'):
+        root_logger.info('PKIX already enabled')
+        return False
+
+    if not ca.is_configured():
+        root_logger.info('CA is not configured')
+        return False
+
+    ca.enable_pkix()
+    sysupgrade.set_upgrade_state('dogtag', 'pkix_enabled', True)
+
+    return True
+
+
 def add_ca_dns_records():
     root_logger.info('[Add missing CA DNS records]')
 
@@ -1227,6 +1244,7 @@ def main():
             ca_restart,
             upgrade_ipa_profile(ca, api.env.domain, fqdn),
             certificate_renewal_update(ca),
+            ca_enable_pkix(ca),
         ])
 
     if ca_restart:
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 6ff778b51..6f2a29ecb 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -99,6 +99,7 @@ class BasePathNamespace(object):
     SSSD_CONF = "/etc/sssd/sssd.conf"
     SSSD_CONF_BKP = "/etc/sssd/sssd.conf.bkp"
     SSSD_CONF_DELETED = "/etc/sssd/sssd.conf.deleted"
+    ETC_SYSCONFIG_DIR = "/etc/sysconfig"
     ETC_SYSCONFIG_AUTHCONFIG = "/etc/sysconfig/authconfig"
     SYSCONFIG_AUTOFS = "/etc/sysconfig/autofs"
     SYSCONFIG_DIRSRV = "/etc/sysconfig/dirsrv"
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 178d2942b..14824b994 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -62,6 +62,7 @@ class Dogtag10Constants(object):
     PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT
     SERVICE_PROFILE_DIR = '%s/ca/profiles/ca' % PKI_ROOT
     ALIAS_DIR = paths.PKI_TOMCAT_ALIAS_DIR.rstrip('/')
+    SYSCONFIG_FILE_PATH = '%s/%s' % (paths.ETC_SYSCONFIG_DIR, PKI_INSTANCE_NAME)
     SERVICE_NAME = 'pki_tomcatd'
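Review bot: ca_enable_pkix decides "already enabled" from the sysupgrade 'pkix_enabled' flag rather than from the sysconfig file it configures, so once the flag is set a later loss of the NSS_ENABLE_PKIX_VERIFY directive (for example a package reinstalling the Dogtag sysconfig file) is never repaired by subsequent upgrade runs, and the CA silently falls back to non-PKIX validation. If installutils.set_directive is idempotent (not visible in this hunk), the state flag could be dropped and the function could instead check the directive's current value; otherwise the trade-off deserves a sentence in the function. The function also lacks a docstring; I would add `"""Turn on NSS PKIX path validation for the Dogtag instance; returns True when the directive was written, which main() treats as a request to restart the CA."""`. The same state-flag concern applies to the main() hunk that feeds the result into ca_restart.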
@@ -94,6 +95,7 @@ class Dogtag9Constants(object):
     PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT
     SERVICE_PROFILE_DIR = '%s/profiles/ca' % PKI_ROOT
     ALIAS_DIR = '%s/alias' % PKI_ROOT
+    SYSCONFIG_FILE_PATH = '%s/%s' % (paths.ETC_SYSCONFIG_DIR, PKI_INSTANCE_NAME)
     SERVICE_NAME = 'pki-cad'
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 1d1e9a01c..b64588c0f 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -457,6 +457,7 @@ class CAInstance(service.Service):
         self.step("stopping certificate server instance to update CS.cfg", self.__stop)
         self.step("disabling nonces", self.__disable_nonce)
         self.step("set up CRL publishing", self.__enable_crl_publish)
+        self.step("enable PKIX certificate path discovery and validation", self.enable_pkix)
         self.step("starting certificate server instance", self.__start)
         # Step 1 of external is getting a CSR so we don't need to do these
         # steps until we get a cert back from the external CA.
@@ -807,6 +808,11 @@ class CAInstance(service.Service):
         os.chown(self.dogtag_constants.CS_CFG_PATH, pent.pw_uid,
                  pent.pw_gid)
 
+    def enable_pkix(self):
+        installutils.set_directive(self.dogtag_constants.SYSCONFIG_FILE_PATH,
+                                   'NSS_ENABLE_PKIX_VERIFY', '1',
+                                   quotes=False, separator='=')
+
     def __issue_ra_cert(self):
         # The CA certificate is in the agent DB but isn't trusted
         (admin_fd, admin_name) = tempfile.mkstemp() |
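Review bot: enable_pkix in cainstance.py has no docstring, although it changes how the CA validates certificates (the commit enables NSS PKIX path discovery and validation) and only takes effect once the pki_tomcatd/pki-cad service is restarted, which is why the step list registers it before "starting certificate server instance" and why ipa-upgradeconfig feeds its result into ca_restart. I would add `"""Set NSS_ENABLE_PKIX_VERIFY=1 in the instance sysconfig file so Dogtag's NSS uses PKIX path validation; takes effect on the next service restart. Public because ipa-upgradeconfig calls it."""`. What installutils.set_directive does when SYSCONFIG_FILE_PATH does not exist is not visible here; if it raises instead of creating the file, the upgrade path should tolerate an older instance without that sysconfig file — worth confirming against installutils. The enclosing CAInstance class starts and ends outside these hunks.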