authorJan Cholasta <jcholast@redhat.com>2014-07-17 11:47:26 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-07-30 16:04:21 +0200
commit044c5c833a83a541f97785279acfe8e113035b3d (patch)
treef2f0dcabd1c2754a9e07060acf919cb0cdf9437b
parent03b29b4c8e4109bbfbc1468baa60b521bc32cdb1 (diff)
Enable NSS PKIX certificate path discovery and validation for Dogtag.
Part of https://fedorahosted.org/freeipa/ticket/3737 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-rw-r--r--install/tools/ipa-upgradeconfig18
-rw-r--r--ipaplatform/base/paths.py1
-rw-r--r--ipapython/dogtag.py2
-rw-r--r--ipaserver/install/cainstance.py6
4 files changed, 27 insertions, 0 deletions
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index e24a6658c..adf6c8d84 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -833,6 +833,23 @@ def migrate_crl_publish_dir(ca):
'request pki-ca restart')
return True
+
+def ca_enable_pkix(ca):
+ root_logger.info('[Enable PKIX certificate path discovery and validation]')
+ if sysupgrade.get_upgrade_state('dogtag', 'pkix_enabled'):
+ root_logger.info('PKIX already enabled')
+ return False
+
+ if not ca.is_configured():
+ root_logger.info('CA is not configured')
+ return False
+
+ ca.enable_pkix()
+ sysupgrade.set_upgrade_state('dogtag', 'pkix_enabled', True)
+
+ return True
+
+
def add_ca_dns_records():
root_logger.info('[Add missing CA DNS records]')
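Review bot: ca_enable_pkix treats the job as done purely from the persisted sysupgrade flag 'pkix_enabled', so if the instance's sysconfig file is later regenerated or the NSS_ENABLE_PKIX_VERIFY line is lost, subsequent upgrade runs will never restore it and the CA would silently fall back to non-PKIX validation. Consider also checking the directive actually present in the file (installutils appears to have a get_directive counterpart to set_directive, worth confirming), or simply calling ca.enable_pkix() unconditionally if set_directive is idempotent as it looks to be. The new function also has no docstring; I would add `"""Ensure NSS PKIX path validation is enabled for the CA's sysconfig; returns True when the CA needs a restart."""`. Returning True here is what feeds ca_restart in main(), which is the right signal.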
@@ -1227,6 +1244,7 @@ def main():
ca_restart,
upgrade_ipa_profile(ca, api.env.domain, fqdn),
certificate_renewal_update(ca),
+ ca_enable_pkix(ca),
])
if ca_restart:
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 6ff778b51..6f2a29ecb 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -99,6 +99,7 @@ class BasePathNamespace(object):
SSSD_CONF = "/etc/sssd/sssd.conf"
SSSD_CONF_BKP = "/etc/sssd/sssd.conf.bkp"
SSSD_CONF_DELETED = "/etc/sssd/sssd.conf.deleted"
+ ETC_SYSCONFIG_DIR = "/etc/sysconfig"
ETC_SYSCONFIG_AUTHCONFIG = "/etc/sysconfig/authconfig"
SYSCONFIG_AUTOFS = "/etc/sysconfig/autofs"
SYSCONFIG_DIRSRV = "/etc/sysconfig/dirsrv"
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 178d2942b..14824b994 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -62,6 +62,7 @@ class Dogtag10Constants(object):
PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT
SERVICE_PROFILE_DIR = '%s/ca/profiles/ca' % PKI_ROOT
ALIAS_DIR = paths.PKI_TOMCAT_ALIAS_DIR.rstrip('/')
+ SYSCONFIG_FILE_PATH = '%s/%s' % (paths.ETC_SYSCONFIG_DIR, PKI_INSTANCE_NAME)
SERVICE_NAME = 'pki_tomcatd'
@@ -94,6 +95,7 @@ class Dogtag9Constants(object):
PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT
SERVICE_PROFILE_DIR = '%s/profiles/ca' % PKI_ROOT
ALIAS_DIR = '%s/alias' % PKI_ROOT
+ SYSCONFIG_FILE_PATH = '%s/%s' % (paths.ETC_SYSCONFIG_DIR, PKI_INSTANCE_NAME)
SERVICE_NAME = 'pki-cad'
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 1d1e9a01c..b64588c0f 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -457,6 +457,7 @@ class CAInstance(service.Service):
self.step("stopping certificate server instance to update CS.cfg", self.__stop)
self.step("disabling nonces", self.__disable_nonce)
self.step("set up CRL publishing", self.__enable_crl_publish)
+ self.step("enable PKIX certificate path discovery and validation", self.enable_pkix)
self.step("starting certificate server instance", self.__start)
# Step 1 of external is getting a CSR so we don't need to do these
# steps until we get a cert back from the external CA.
@@ -807,6 +808,11 @@ class CAInstance(service.Service):
os.chown(self.dogtag_constants.CS_CFG_PATH,
pent.pw_uid, pent.pw_gid)
+ def enable_pkix(self):
+ installutils.set_directive(self.dogtag_constants.SYSCONFIG_FILE_PATH,
+ 'NSS_ENABLE_PKIX_VERIFY', '1',
+ quotes=False, separator='=')
+
def __issue_ra_cert(self):
# The CA certificate is in the agent DB but isn't trusted
(admin_fd, admin_name) = tempfile.mkstemp()
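Review bot: enable_pkix is public (ipa-upgradeconfig calls it) but carries no docstring, and nothing records that the setting only reaches NSS if the service unit or init script for the instance actually sources SYSCONFIG_FILE_PATH into the JVM environment, for Dogtag 9 as well as 10 — that assumption is not visible in this change and is worth stating. Suggested docstring: `"""Enable NSS PKIX certificate path discovery and validation for this CA by setting NSS_ENABLE_PKIX_VERIFY=1 in the instance's sysconfig file; the instance must be (re)started for it to take effect."""`. The install step is placed while the server is stopped and before __start, so a fresh install needs no extra restart, which the docstring could also note. Presumably set_directive appends the line when absent and replaces it when present; if it matches by prefix, NSS_ENABLE_PKIX_VERIFY is unambiguous enough that this is safe.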