authorFraser Tweedale <ftweedal@redhat.com>2015-05-11 21:17:48 -0400
committerJan Cholasta <jcholast@redhat.com>2015-06-04 08:27:33 +0000
commitb24fe0eb733c68af4042cdd78fca6f609efe843b (patch)
tree3bf04bdc6db9f0f6f3a70beee7f5563d9c4866ad
parentba075b195c5c6a78416f15fb06c765858a0b2069 (diff)
Import included profiles during install or upgrade
Add a default service profile template as part of FreeIPA and format and import it as part of the installation or upgrade process. Also remove the code that modifies the old (file-based) `caIPAserviceCert' profile. Fixes https://fedorahosted.org/freeipa/ticket/4002 Reviewed-By: Martin Basti <mbasti@redhat.com>
-rw-r--r--freeipa.spec.in2
-rw-r--r--install/configure.ac1
-rw-r--r--install/share/Makefile.am1
-rw-r--r--install/share/profiles/Makefile.am14
-rw-r--r--install/share/profiles/caIPAserviceCert.cfg109
-rwxr-xr-xinstall/tools/ipa-upgradeconfig1
-rw-r--r--ipapython/dogtag.py7
-rw-r--r--ipaserver/install/cainstance.py253
-rw-r--r--ipaserver/install/ipa_server_upgrade.py1
-rw-r--r--ipaserver/install/server/install.py6
-rw-r--r--ipaserver/install/server/upgrade.py42
-rw-r--r--ipaserver/plugins/dogtag.py14
12 files changed, 228 insertions, 223 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 2f2592349..a9757a194 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -720,6 +720,8 @@ fi
%dir %{_usr}/share/ipa/advise
%dir %{_usr}/share/ipa/advise/legacy
%{_usr}/share/ipa/advise/legacy/*.template
+%dir %{_usr}/share/ipa/profiles
+%{_usr}/share/ipa/profiles/*.cfg
%dir %{_usr}/share/ipa/ffextension
%{_usr}/share/ipa/ffextension/bootstrap.js
%{_usr}/share/ipa/ffextension/install.rdf
diff --git a/install/configure.ac b/install/configure.ac
index 2e48aa5cc..57f4219b6 100644
--- a/install/configure.ac
+++ b/install/configure.ac
@@ -88,6 +88,7 @@ AC_CONFIG_FILES([
share/Makefile
share/advise/Makefile
share/advise/legacy/Makefile
+ share/profiles/Makefile
ui/Makefile
ui/css/Makefile
ui/src/Makefile
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index f44772b20..31f391be2 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -2,6 +2,7 @@ NULL =
SUBDIRS = \
advise \
+ profiles \
$(NULL)
appdir = $(IPA_DATA_DIR)
diff --git a/install/share/profiles/Makefile.am b/install/share/profiles/Makefile.am
new file mode 100644
index 000000000..4e6cf975a
--- /dev/null
+++ b/install/share/profiles/Makefile.am
@@ -0,0 +1,14 @@
+NULL =
+
+appdir = $(IPA_DATA_DIR)/profiles
+app_DATA = \
+ caIPAserviceCert.cfg \
+ $(NULL)
+
+EXTRA_DIST = \
+ $(app_DATA) \
+ $(NULL)
+
+MAINTAINERCLEANFILES = \
+ *~ \
+ Makefile.in
diff --git a/install/share/profiles/caIPAserviceCert.cfg b/install/share/profiles/caIPAserviceCert.cfg
new file mode 100644
index 000000000..6c5102f0d
--- /dev/null
+++ b/install/share/profiles/caIPAserviceCert.cfg
@@ -0,0 +1,109 @@
+profileId=caIPAserviceCert
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
+policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.9.constraint.name=No Constraint
+policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
+policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
+policyset.serverCertSet.9.default.params.crlDistPointsNum=1
+policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
+policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER
+policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
+policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin
+policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
+policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
+policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.10.constraint.name=No Constraint
+policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
+policyset.serverCertSet.10.default.params.critical=false
+policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.11.constraint.name=No Constraint
+policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
+policyset.serverCertSet.11.default.name=User Supplied Extension Default
+policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
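Review bot: The signing-algorithm constraint of the new template (policyset.serverCertSet.8.constraint.params.signingAlgsAllowed) still admits MD2withRSA, MD5withRSA and the SHA1 variants, and the key constraint (policyset.serverCertSet.3.constraint.params.keyParameters) still admits 1024-bit RSA, so as far as these constraint lists go a request that explicitly asks for a weak digest or key passes the profile. Since this file now becomes the canonical caIPAserviceCert profile for every new install, tightening the defaults here is cheap: `policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC` and `policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096`. The signingAlg default is `-`, which presumably defers to the CA's own signing algorithm, so the narrower list would only affect explicitly requested algorithms; deployments relying on 1024-bit keys would still need checking before the key constraint is narrowed. Policy 8's constraint.name also reads `No Constraint` although its class is signingAlgConstraintImpl; `Signing Algorithm Constraint` would match the naming of the other entries.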
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 43292966a..5f3a2b4a2 100755
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -21,7 +21,6 @@
import sys
-
if __name__ == '__main__':
sys.exit("Please run the 'ipa-server-upgrade' command to upgrade the "
"IPA server.")
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 11311cf7b..2b4d23335 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -42,6 +42,11 @@ from ipapython.ipa_log_manager import *
# the configured version.
+INCLUDED_PROFILES = {
+ # ( profile_id , description , store_issued)
+ (u'caIPAserviceCert', u'Standard profile for network services', True),
+ }
+
class Dogtag10Constants(object):
DOGTAG_VERSION = 10
UNSECURE_PORT = 8080
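Review bot: INCLUDED_PROFILES is a set literal, so as soon as a second profile is added the import order in cainstance.import_included_profiles (and the order of its log lines) becomes arbitrary; a tuple of tuples gives the same membership with a stable order. The constant also carries no comment tying it to its consumer: a reader cannot tell that each profile_id must have a matching template at /usr/share/ipa/profiles/<profile_id>.cfg, which is the path the importer formats. I would put `# Profiles shipped with IPA; each profile_id needs a template at` / `# /usr/share/ipa/profiles/<profile_id>.cfg, see cainstance.import_included_profiles()` above the definition, and check that the pre-existing comment ending in "the configured version." still sits next to the code it describes now that this block is inserted between them.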
@@ -71,7 +76,6 @@ class Dogtag10Constants(object):
RACERT_LINE_SEP = '\n'
- IPA_SERVICE_PROFILE = '%s/caIPAserviceCert.cfg' % SERVICE_PROFILE_DIR
SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR
SHARED_DB = True
DS_USER = "dirsrv"
@@ -110,7 +114,6 @@ class Dogtag9Constants(object):
EE_CLIENT_AUTH_PORT = 9446
TOMCAT_SERVER_PORT = 9701
- IPA_SERVICE_PROFILE = '%s/caIPAserviceCert.cfg' % SERVICE_PROFILE_DIR
SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR
SHARED_DB = False
DS_USER = "pkisrv"
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 871581b4a..ca0b6df5d 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -459,10 +459,6 @@ class CAInstance(DogtagInstance):
self.step("importing CA chain to RA certificate database", self.__import_ca_chain)
self.step("fixing RA database permissions", self.fix_ra_perms)
self.step("setting up signing cert profile", self.__setup_sign_profile)
- self.step("set certificate subject base", self.__set_subject_in_config)
- self.step("enabling Subject Key Identifier", self.enable_subject_key_identifier)
- self.step("enabling Subject Alternative Name", self.enable_subject_alternative_name)
- self.step("enabling CRL and OCSP extensions for certificates", self.__set_crl_ocsp_extensions)
self.step("setting audit signing renewal to 2 years", self.set_audit_renewal)
if not self.clone:
self.step("restarting certificate server", self.restart_instance)
@@ -1125,94 +1121,6 @@ class CAInstance(DogtagInstance):
return publishdir
- def __set_crl_ocsp_extensions(self):
- self.set_crl_ocsp_extensions(self.domain, self.fqdn)
-
- def set_crl_ocsp_extensions(self, domain, fqdn):
- """
- Configure CRL and OCSP extensions in default IPA certificate profile
- if not done already.
- """
- changed = False
-
- # OCSP extension
- ocsp_url = 'http://%s.%s/ca/ocsp' % (IPA_CA_RECORD, ipautil.format_netloc(domain))
-
- ocsp_location_0 = installutils.get_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0',
- separator='=')
-
- if ocsp_location_0 != ocsp_url:
- # Set the first OCSP URI
- installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0',
- ocsp_url, quotes=False, separator='=')
- changed = True
-
- ocsp_profile_count = installutils.get_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.5.default.params.authInfoAccessNumADs',
- separator='=')
-
- if ocsp_profile_count != '1':
- installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.5.default.params.authInfoAccessNumADs',
- '1', quotes=False, separator='=')
- changed = True
-
-
- # CRL extension
- crl_url = 'http://%s.%s/ipa/crl/MasterCRL.bin'% (IPA_CA_RECORD, ipautil.format_netloc(domain))
-
- crl_point_0 = installutils.get_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0',
- separator='=')
-
- if crl_point_0 != crl_url:
- installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0',
- 'CN=Certificate Authority,o=ipaca', quotes=False, separator='=')
- installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0',
- 'DirectoryName', quotes=False, separator='=')
- installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0',
- crl_url, quotes=False, separator='=')
- changed = True
-
- crl_profile_count = installutils.get_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.9.default.params.crlDistPointsNum',
- separator='=')
-
- if crl_profile_count != '1':
- installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.9.default.params.crlDistPointsNum',
- '1', quotes=False, separator='=')
- changed = True
-
- # CRL extension is not enabled by default
- setlist = installutils.get_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.list', separator='=')
- new_set_list = None
-
- if setlist == '1,2,3,4,5,6,7,8':
- new_set_list = '1,2,3,4,5,6,7,8,9'
- elif setlist == '1,2,3,4,5,6,7,8,10':
- new_set_list = '1,2,3,4,5,6,7,8,9,10'
- elif setlist == '1,2,3,4,5,6,7,8,10,11':
- new_set_list = '1,2,3,4,5,6,7,8,9,10,11'
-
- if new_set_list:
- installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.list',
- new_set_list, quotes=False, separator='=')
- changed = True
-
- return changed
-
def __enable_crl_publish(self):
"""
@@ -1267,13 +1175,6 @@ class CAInstance(DogtagInstance):
installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLUpdates', 'false', quotes=False, separator='=')
installutils.set_directive(caconfig, 'ca.listenToCloneModifications', 'false', quotes=False, separator='=')
- def __set_subject_in_config(self):
- # dogtag ships with an IPA-specific profile that forces a subject
- # format. We need to update that template with our base subject
- if installutils.update_file(self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'OU=pki-ipa, O=IPA', str(self.subject_base)):
- print "Updating subject_base in CA template failed"
-
def uninstall(self):
# just eat state
self.restore_state("enabled")
@@ -1407,100 +1308,6 @@ class CAInstance(DogtagInstance):
services.knownservices.certmonger.stop()
- def enable_subject_key_identifier(self):
- """
- See if Subject Key Identifier is set in the profile and if not, add it.
- """
- setlist = installutils.get_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.list', separator='=')
-
- # this is the default setting from pki-ca/pki-tomcat. Don't touch it
- # if a user has manually modified it.
- if setlist == '1,2,3,4,5,6,7,8' or setlist == '1,2,3,4,5,6,7,8,9':
- setlist += ',10'
- installutils.set_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.list',
- setlist,
- quotes=False, separator='=')
- installutils.set_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.10.constraint.class_id',
- 'noConstraintImpl',
- quotes=False, separator='=')
- installutils.set_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.10.constraint.name',
- 'No Constraint',
- quotes=False, separator='=')
- installutils.set_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.10.default.class_id',
- 'subjectKeyIdentifierExtDefaultImpl',
- quotes=False, separator='=')
- installutils.set_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.10.default.name',
- 'Subject Key Identifier Extension Default',
- quotes=False, separator='=')
- installutils.set_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.10.default.params.critical',
- 'false',
- quotes=False, separator='=')
- return True
-
- # No update was done
- return False
-
- def enable_subject_alternative_name(self):
- """
- See if Subject Alternative Name is set in the profile and if not, add
- it.
- """
- setlist = installutils.get_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.list', separator='=')
-
- # this is the default setting from pki-ca/pki-tomcat. Don't touch it
- # if a user has manually modified it.
- if setlist == '1,2,3,4,5,6,7,8,10' or setlist == '1,2,3,4,5,6,7,8,9,10':
- setlist += ',11'
- installutils.set_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.list',
- setlist,
- quotes=False, separator='=')
- installutils.set_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.11.constraint.class_id',
- 'noConstraintImpl',
- quotes=False, separator='=')
- installutils.set_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.11.constraint.name',
- 'No Constraint',
- quotes=False, separator='=')
- installutils.set_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.11.default.class_id',
- 'userExtensionDefaultImpl',
- quotes=False, separator='=')
- installutils.set_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.11.default.name',
- 'User Supplied Extension Default',
- quotes=False, separator='=')
- installutils.set_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.11.default.params.userExtOID',
- '2.5.29.17',
- quotes=False, separator='=')
- return True
-
- # No update was done
- return False
def set_audit_renewal(self):
"""
@@ -1586,7 +1393,6 @@ class CAInstance(DogtagInstance):
master_entry['ipaConfigString'].append('caRenewalMaster')
self.admin_conn.update_entry(master_entry)
-
@staticmethod
def update_cert_config(nickname, cert, dogtag_constants=None):
"""
@@ -1854,6 +1660,65 @@ def configure_profiles_acl():
conn.disconnect()
return updated
+def import_included_profiles():
+ sub_dict = dict(
+ DOMAIN=ipautil.format_netloc(api.env.domain),
+ IPA_CA_RECORD=IPA_CA_RECORD,
+ CRL_ISSUER='CN=Certificate Authority,o=ipaca',
+ SUBJECT_DN_O=str(DN(('O', api.env.realm))),
+ )
+
+ server_id = installutils.realm_to_serverid(api.env.realm)
+ dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
+ conn = ldap2.ldap2(shared_instance=False, ldap_uri=dogtag_uri)
+ if not conn.isconnected():
+ conn.connect(autobind=True)
+
+ for (profile_id, desc, store_issued) in dogtag.INCLUDED_PROFILES:
+ dn = DN(('cn', profile_id),
+ api.env.container_certprofile, api.env.basedn)
+ try:
+ conn.get_entry(dn)
+ continue # the profile is present
+ except errors.NotFound:
+ # profile not found; add it
+ profile_data = ipautil.template_file(
+ '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict)
+
+ entry = conn.make_entry(
+ dn,
+ objectclass=['ipacertprofile'],
+ cn=[profile_id],
+ description=[desc],
+ ipacertprofilestoreissued=['TRUE' if store_issued else 'FALSE'],
+ )
+ conn.add_entry(entry)
+ api.Backend.ra_certprofile._read_password()
+ with api.Backend.ra_certprofile as profile_api:
+ # import the profile
+ try:
+ profile_api.create_profile(profile_data)
+ except errors.RemoteRetrieveError:
+ # conflicting profile; replace it if we are
+ # installing IPA, but keep it for upgrades
+ if api.env.context == 'installer':
+ try:
+ profile_api.disable_profile(profile_id)
+ except errors.RemoteRetrieveError:
+ pass
+ profile_api.delete_profile(profile_id)
+ profile_api.create_profile(profile_data)
+
+ # enable the profile
+ try:
+ profile_api.enable_profile(profile_id)
+ except errors.RemoteRetrieveError:
+ pass
+
+ root_logger.info("Imported profile '%s'", profile_id)
+
+ conn.disconnect()
+
if __name__ == "__main__":
standard_logging_setup("install.log")
ds = dsinstance.DsInstance()
diff --git a/ipaserver/install/ipa_server_upgrade.py b/ipaserver/install/ipa_server_upgrade.py
index d0a839d0a..8373b2134 100644
--- a/ipaserver/install/ipa_server_upgrade.py
+++ b/ipaserver/install/ipa_server_upgrade.py
@@ -41,6 +41,7 @@ class ServerUpgrade(admintool.AdminTool):
super(ServerUpgrade, self).run()
api.bootstrap(in_server=True, context='updates')
+ import ipaserver.plugins.dogtag # ensure profile backend gets loaded
api.finalize()
try:
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index aea1f9915..955e4cc11 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -748,6 +748,9 @@ def install(options):
api.env.ca_host = host_name
api.bootstrap(**cfg)
+ if setup_ca:
+ # ensure profile backend is available
+ import ipaserver.plugins.dogtag
api.finalize()
# Create DS user/group if it doesn't exist yet
@@ -903,6 +906,9 @@ def install(options):
service.print_msg("Restarting the certificate server")
ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
+ service.print_msg("Importing certificate profiles")
+ cainstance.import_included_profiles()
+
if options.setup_dns:
api.Backend.ldap2.connect(autobind=True)
dns.install(False, False, options)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 820533d6f..c5f4d37cc 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -338,32 +338,28 @@ def ca_enable_ldap_profile_subsystem(ca):
return needs_update
-def upgrade_ipa_profile(ca, domain, fqdn):
+def ca_import_included_profiles(ca):
+ root_logger.info('[Ensuring presence of included profiles]')
+
+ if not ca.is_configured():
+ root_logger.info('CA is not configured')
+ return False
+
+ return cainstance.import_included_profiles()
+
+
+def upgrade_ca_audit_cert_validity(ca):
"""
- Update the IPA Profile provided by dogtag
+ Update the Dogtag audit signing certificate.
Returns True if restart is needed, False otherwise.
"""
- root_logger.info('[Verifying that CA service certificate profile is updated]')
+ root_logger.info('[Verifying that CA audit signing cert has 2 year validity]')
if ca.is_configured():
- ski = ca.enable_subject_key_identifier()
- if ski:
- root_logger.debug('Subject Key Identifier updated.')
- else:
- root_logger.debug('Subject Key Identifier already set.')
- san = ca.enable_subject_alternative_name()
- if san:
- root_logger.debug('Subject Alternative Name updated.')
- else:
- root_logger.debug('Subject Alternative Name already set.')
- audit = ca.set_audit_renewal()
- uri = ca.set_crl_ocsp_extensions(domain, fqdn)
- if audit or ski or san or uri:
- return True
+ return ca.set_audit_renewal()
else:
root_logger.info('CA is not configured')
-
- return False
+ return False
def named_remove_deprecated_options():
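Review bot: ca_import_included_profiles returns False when the CA is not configured but otherwise returns whatever cainstance.import_included_profiles() returns, and in this commit that function has no return statement, so the callable yields False or None and never True; the sibling upgrade_ca_audit_cert_validity documents a True/False "restart needed" contract, and this one should state its own. A docstring such as `"""Import the profiles shipped with IPA into Dogtag and LDAP; never requires a CA restart."""` plus calling `cainstance.import_included_profiles()` as a statement followed by `return False` would make the two paths agree with each other and with how the result is (not) used by the caller.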
@@ -1416,7 +1412,7 @@ def upgrade_configuration():
ca_restart = any([
ca_restart,
- upgrade_ipa_profile(ca, api.env.domain, fqdn),
+ upgrade_ca_audit_cert_validity(ca),
certificate_renewal_update(ca),
ca_enable_pkix(ca),
ca_configure_profiles_acl(ca),
@@ -1430,6 +1426,12 @@ def upgrade_configuration():
except ipautil.CalledProcessError as e:
root_logger.error("Failed to restart %s: %s", ca.service_name, e)
+ # This step MUST be done after ca_enable_ldap_profile_subsystem and
+ # ca_configure_profiles_acl, and the consequent restart, but does not
+ # itself require a restart.
+ #
+ ca_import_included_profiles(ca)
+
set_sssd_domain_option('ipa_server_mode', 'True')
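Review bot: ca_import_included_profiles(ca) runs unguarded immediately after a CA restart whose failure is only logged (the except ipautil.CalledProcessError branch above), so if the CA did not come back the import raises out of upgrade_configuration and the remaining steps such as set_sssd_domain_option are skipped. Whether aborting there is intended is not visible here; if the rest of the upgrade should proceed, wrapping the call as `try: ca_import_included_profiles(ca)` / `except Exception as e: root_logger.error("Failed to import included profiles: %s", e)` would mirror the restart handling, with the broad catch justified only because this is the tool's top-level step boundary. upgrade_configuration starts and ends outside the hunk.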
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 9654123b1..880b319d6 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1966,17 +1966,19 @@ class RestClient(Backend):
self.ipa_key_size = "2048"
self.ipa_certificate_nickname = "ipaCert"
self.ca_certificate_nickname = "caCert"
- try:
- f = open(self.pwd_file, "r")
- self.password = f.readline().strip()
- f.close()
- except IOError:
- self.password = ''
+ self._read_password()
super(RestClient, self).__init__()
# session cookie
self.cookie = None
+ def _read_password(self):
+ try:
+ with open(self.pwd_file) as f:
+ self.password = f.readline().strip()
+ except IOError:
+ self.password = ''
+
@cachedproperty
def ca_host(self):
"""