authorSimo Sorce <ssorce@redhat.com>2010-11-01 13:51:14 -0400
committerSimo Sorce <ssorce@redhat.com>2010-11-18 15:09:31 -0500
commit74ba0cc7c1bdb9c560324a68c16593755bcda5d8 (patch)
tree13165adebe5ee440606b76e735e49787fb94657a
parent775fc23738d8a882bdd9cff9064b50594901e518 (diff)
Use Realm as certs subject base name
Also use the realm name as nickname for the CA certificate
-rwxr-xr-xinstall/tools/ipa-replica-install2
-rwxr-xr-xinstall/tools/ipa-replica-prepare6
-rwxr-xr-xinstall/tools/ipa-server-certinstall2
-rwxr-xr-xinstall/tools/ipa-server-install14
-rw-r--r--install/tools/man/ipa-server-install.12
-rwxr-xr-xipa-client/ipa-install/ipa-client-install4
-rw-r--r--ipapython/certdb.py4
-rw-r--r--ipaserver/install/cainstance.py16
-rw-r--r--ipaserver/install/certs.py15
-rw-r--r--ipaserver/install/dsinstance.py8
-rw-r--r--ipaserver/install/httpinstance.py14
-rw-r--r--ipaserver/plugins/selfsign.py5
12 files changed, 53 insertions, 39 deletions
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index e4aae4a..2beadae 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -48,7 +48,7 @@ class ReplicaConfig:
self.host_name = ""
self.repl_password = ""
self.dir = ""
- self.subject_base = "O=IPA"
+ self.subject_base = ""
def parse_options():
usage = "%prog [options] REPLICA_FILE"
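Review bot: `self.subject_base = ""` leaves ReplicaConfig with an empty subject base, and nothing in this hunk shows where a realm-derived default is filled in before a CertDB is built from it; an empty base would produce either a bare `CN=host` subject or a malformed `CN=host,` depending on how it is joined. If the replica file always carries the subject base, a comment such as `# filled from the replica file; see read_replica_info` would make that explicit, otherwise fall back to `"O=%s" % realm` once the realm is known. The rest of ReplicaConfig and the code that reads the replica file are outside the hunk.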
diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index 6e9d649..059b011 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -103,14 +103,14 @@ def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname, subjec
try:
self_signed = certs.ipa_self_signed()
- db = certs.CertDB(dir, subject_base=subject_base)
+ db = certs.CertDB(dir, realm_name, subject_base=subject_base)
db.create_passwd_file()
# if self_signed:
# ca_db = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name)))
# db.create_from_cacert(ca_db.cacert_fname)
# else:
# ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host)
- ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host, subject_base=subject_base)
+ ca_db = certs.CertDB(httpinstance.NSS_DIR, realm_name, host_name=api.env.host, subject_base=subject_base)
db.create_from_cacert(ca_db.cacert_fname)
db.create_server_cert("Server-Cert", hostname, ca_db)
except Exception, e:
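Review bot: The commented-out `if self_signed:` block directly above the changed `ca_db = ...` line is dead code that this hunk now edits around, and it still shows the old two-argument `certs.CertDB(...)` form, so it is actively misleading about the constructor after this change. Since the live lines are being touched anyway, dropping the five commented lines would keep the function readable. `self_signed` is computed on the first line of the hunk and, as far as the visible lines show, no longer used; export_certdb continues past the hunk.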
@@ -148,7 +148,7 @@ def export_ra_pkcs12(dir, dm_password):
try:
try:
- db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host)
+ db = certs.CertDB(httpinstance.NSS_DIR, api.env.realm, host_name=api.env.host)
if db.has_nickname("ipaCert"):
pkcs12_fname = "%s/ra.p12" % dir
diff --git a/install/tools/ipa-server-certinstall b/install/tools/ipa-server-certinstall
index d853f71..9d69853 100755
--- a/install/tools/ipa-server-certinstall
+++ b/install/tools/ipa-server-certinstall
@@ -89,7 +89,7 @@ def choose_server_cert(server_certs):
return server_certs[num - 1]
def import_cert(dirname, pkcs12_fname, pkcs12_passwd, db_password):
- cdb = certs.CertDB(dirname)
+ cdb = certs.CertDB(dirname, api.env.realm)
cdb.create_passwd_file(db_password)
cdb.create_certdbs()
[pw_fd, pw_name] = tempfile.mkstemp()
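Review bot: `certs.CertDB(dirname, api.env.realm)` relies on `api` being imported and finalized in ipa-server-certinstall, but the diffstat shows only this one line changed in the file, so no import was added here (httpinstance.py and selfsign.py did add `from ipalib import api` in this same commit). If the tool already imports and bootstraps `api` earlier this is fine; if not, import_cert will raise NameError or read an unset realm at runtime. A one-line comment `# api.env.realm is available because main() finalizes api before calling us` would document the dependency.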
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index c8a17c9..569079d 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -122,8 +122,8 @@ def parse_options():
help="The starting uid value (default random)")
parser.add_option("--gidstart", dest="gidstart", default=namespace, type=int,
help="The starting gid value (default random)")
- parser.add_option("--subject", dest="subject", default="O=IPA",
- help="The certificate subject base (default O=IPA)")
+ parser.add_option("--subject", dest="subject",
+ help="The certificate subject base (default O=<realm-name>)")
parser.add_option("--no_hbac_allow", dest="hbac_allow", default=False,
action="store_true",
help="Don't install allow_all HBAC rule")
@@ -402,8 +402,8 @@ def uninstall():
ntpinstance.NTPInstance(fstore).uninstall()
if cainstance.CADSInstance().is_configured():
cainstance.CADSInstance().uninstall()
- if cainstance.CAInstance().is_configured():
- cainstance.CAInstance().uninstall()
+ if cainstance.CAInstance(api.env.realm).is_configured():
+ cainstance.CAInstance(api.env.realm).uninstall()
bindinstance.BindInstance(fstore).uninstall()
httpinstance.HTTPInstance(fstore).uninstall()
krbinstance.KrbInstance(fstore).uninstall()
@@ -465,7 +465,6 @@ def main():
global fstore
fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
-
# Configuration for ipalib, we will bootstrap and finalize later, after
# we are sure we have the configuration file ready.
cfg = dict(
@@ -610,6 +609,9 @@ def main():
else:
realm_name = options.realm_name.upper()
+ if not options.subject:
+ options.subject = "O=%s" % realm_name
+
if not options.dm_password:
dm_password = read_dm_password()
else:
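Review bot: The default `options.subject = "O=%s" % realm_name` is built here, again in CAInstance.configure_instance and again in ipa-client-install, so three places now encode the same DN convention and can drift apart. A single helper next to get_ca_nickname in ipapython.certdb, e.g. `def get_subject_base(realm): return "O=%s" % realm`, would keep them in step. Note too that realm_name is placed into a DN attribute value unescaped; Kerberos realm names rarely contain RFC 4514 specials (`,`, `+`, `"`, `\`), but a user-supplied `--subject` is also accepted without any DN validation, so a malformed value only surfaces later inside certutil or dogtag.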
@@ -689,7 +691,7 @@ def main():
if options.external_cert_file is None:
cs = cainstance.CADSInstance()
cs.create_instance("pkisrv", realm_name, host_name, domain_name, dm_password)
- ca = cainstance.CAInstance()
+ ca = cainstance.CAInstance(realm_name)
if external == 0:
ca.configure_instance("pkiuser", host_name, dm_password, dm_password, subject_base=options.subject)
elif external == 1:
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 943a420..0d4d8c5 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -102,7 +102,7 @@ The starting user id number (default random)
The starting group id number (default random)
.TP
\fB\-\-subject\fR=\fISUBJECT\fR
- The certificate subject base (default O=IPA)
+ The certificate subject base (default O=REALM.NAME)
.TP
\fB\-\-no_hbac_allow\fR
Don't install allow_all HBAC rule. This rule lets any user from any host access any service on any other host. It is expected that users will remove this rule before moving to production.
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 8f4b9d2..fa9d275 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -521,8 +521,7 @@ def main():
cli_server = None
cli_realm = None
cli_basedn = None
-
- subject_base = "O=IPA"
+ subject_base = None
if options.unattended and (options.password is None and options.principal is None and options.prompt_password is False) and not options.on_master:
print "One of password and principal are required."
@@ -597,6 +596,7 @@ def main():
cli_realm = ds.getRealmName()
cli_basedn = ds.getBaseDN()
+ subject_base = "O=%s" % ds.getRealmName()
print "Realm: "+cli_realm
print "DNS Domain: "+cli_domain
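Review bot: `subject_base = "O=%s" % ds.getRealmName()` calls the discovery object a second time although `cli_realm` was assigned from the same call two lines above; `subject_base = "O=%s" % cli_realm` is clearer and guarantees the two values cannot disagree. The earlier hunk initialises `subject_base = None`, so any code path that reaches the certificate import without running this discovery branch would now pass None where it previously passed `"O=IPA"`; whether such a path exists is not visible here, but a guard like `if subject_base is None: subject_base = "O=%s" % cli_realm` just before use would be cheap insurance. main() continues well beyond this hunk.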
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index a2fbb0e..4e83802 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -25,7 +25,9 @@ from ipalib.compat import sha1
import shutil
import os
-CA_NICKNAME = "IPA CA"
+CA_NICKNAME_FMT = "%s IPA CA"
+def get_ca_nickname(realm, format=CA_NICKNAME_FMT):
+ return format % realm
class CertDB(object):
"""
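Review bot: get_ca_nickname has no guard against an empty or None realm, so a caller that has not yet learned the realm silently gets a nickname like `None IPA CA` or ` IPA CA`, which then becomes the name under which the CA certificate is stored and later looked up. Its keyword parameter `format` also shadows the builtin. I would write it as `def get_ca_nickname(realm, fmt=CA_NICKNAME_FMT):` / `if not realm: raise ValueError("realm is required for the CA nickname")` / `return fmt % realm`, plus a one-line docstring stating that every CertDB and CAInstance in the deployment must derive the nickname from the same realm string.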
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 1998928..5f13b72 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -36,7 +36,7 @@ import urllib
import xml.dom.minidom
import stat
from ipapython import dogtag
-from ipapython.certdb import CA_NICKNAME
+from ipapython.certdb import get_ca_nickname
from ipalib import pkcs10
import subprocess
@@ -365,8 +365,9 @@ class CAInstance(service.Service):
2 = have signed cert, continue installation
"""
- def __init__(self):
+ def __init__(self, realm):
service.Service.__init__(self, "pki-cad")
+ self.realm = realm
self.pki_user = "pkiuser"
self.dm_password = None
self.admin_password = None
@@ -382,7 +383,7 @@ class CAInstance(service.Service):
# The same database is used for mod_nss because the NSS context
# will already have been initialized by Apache by the time
# mod_python wants to do things.
- self.canickname = CA_NICKNAME
+ self.canickname = get_ca_nickname(realm)
self.basedn = "o=ipaca"
self.ca_agent_db = tempfile.mkdtemp(prefix = "tmp-")
self.ra_agent_db = "/etc/httpd/alias"
@@ -400,7 +401,7 @@ class CAInstance(service.Service):
admin_password, ds_port=DEFAULT_DSPORT,
pkcs12_info=None, master_host=None, csr_file=None,
cert_file=None, cert_chain_file=None,
- subject_base="O=IPA"):
+ subject_base=None):
"""Create a CA instance. This may involve creating the pki-ca instance
dogtag instance.
@@ -420,7 +421,10 @@ class CAInstance(service.Service):
if self.pkcs12_info is not None:
self.clone = True
self.master_host = master_host
- self.subject_base = subject_base
+ if subject_base is None:
+ self.subject_base = "O=%s" % self.realm
+ else:
+ self.subject_base = subject_base
# Determine if we are installing as an externally-signed CA and
# what stage we're in.
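Review bot: configure_instance changes the default of `subject_base` to None and then substitutes `"O=%s" % self.realm`, but the docstring two lines below the signature is not updated, so a reader of the API still has no statement of what the default is. Add to the docstring something like `subject_base: DN suffix appended to every issued subject; defaults to O=<realm>`. The same `"O=%s" % realm` default is computed independently in ipa-server-install and ipa-client-install; a shared helper in ipapython.certdb next to get_ca_nickname would avoid three copies. The remainder of configure_instance lies outside the hunk.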
@@ -1000,5 +1004,5 @@ if __name__ == "__main__":
installutils.standard_logging_setup("install.log", False)
cs = CADSInstance()
cs.create_instance("dirsrv", "EXAMPLE.COM", "catest.example.com", "example.com", "password")
- ca = CAInstance()
+ ca = CAInstance("EXAMPLE.COM")
ca.configure_instance("pkiuser", "catest.example.com", "password", "password")
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 4f8b4e7..d4728b8 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -33,7 +33,7 @@ from ipapython import dogtag
from ipapython import sysrestore
from ipapython import ipautil
from ipapython import certmonger
-from ipapython.certdb import CA_NICKNAME
+from ipapython.certdb import get_ca_nickname
from ipalib import pkcs10
from ConfigParser import RawConfigParser, MissingSectionHeaderError
import service
@@ -163,8 +163,9 @@ def next_replica(serial_file=CA_SERIALNO):
return str(serial)
class CertDB(object):
- def __init__(self, nssdir, fstore=None, host_name=None, subject_base=None):
+ def __init__(self, nssdir, realm, fstore=None, host_name=None, subject_base=None):
self.secdir = nssdir
+ self.realm = realm
self.noise_fname = self.secdir + "/noise.txt"
self.passwd_fname = self.secdir + "/pwdfile.txt"
@@ -191,7 +192,7 @@ class CertDB(object):
else:
self.subject_format = "CN=%s,O=IPA"
- self.cacert_name = CA_NICKNAME
+ self.cacert_name = get_ca_nickname(self.realm)
self.valid_months = "120"
self.keysize = "1024"
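Review bot: The fallback `self.subject_format = "CN=%s,O=IPA"` on the context line above the changed `cacert_name` assignment still hard-codes `O=IPA`, which contradicts the commit's stated intent of using the realm as the subject base; a CertDB constructed without `subject_base` will keep issuing `O=IPA` subjects while the CA and everything else now uses `O=<realm>`. Since `self.realm` is available at this point, `self.subject_format = "CN=%%s,O=%s" % self.realm` makes the default consistent. The `if` branch that handles an explicit subject_base starts above the hunk, so I cannot see whether it has the same issue.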
@@ -345,10 +346,11 @@ class CertDB(object):
def create_ca_cert(self):
os.chdir(self.secdir)
+ subject = "cn=%s Certificate Authority" % self.realm
p = subprocess.Popen(["/usr/bin/certutil",
"-d", self.secdir,
"-S", "-n", self.cacert_name,
- "-s", "cn=IPA Test Certificate Authority",
+ "-s", subject,
"-x",
"-t", "CT,,C",
"-1",
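Review bot: The new CA subject `cn=%s Certificate Authority` contains only a CN and no organisation component, so the self-signed CA's subject no longer shares the `O=<realm>` base that every issued certificate now carries; if that asymmetry is intended it deserves a comment, otherwise appending the subject base (`"CN=%s Certificate Authority,O=%s" % (self.realm, self.realm)` or the instance's subject base if it is stored) keeps the hierarchy uniform. The realm is interpolated into the `-s` DN without RFC 4514 escaping, which is harmless for ordinary realm names but worth a note. create_ca_cert continues past the end of the hunk.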
@@ -853,7 +855,10 @@ class CertDB(object):
else:
raise RuntimeError("unknown error import pkcs#12 file")
- def export_pkcs12(self, pkcs12_fname, pkcs12_pwd_fname, nickname=CA_NICKNAME):
+ def export_pkcs12(self, pkcs12_fname, pkcs12_pwd_fname, nickname=None):
+ if nickname is None:
+ nickname = get_ca_nickname(api.env.realm)
+
ipautil.run(["/usr/bin/pk12util", "-d", self.secdir,
"-o", pkcs12_fname,
"-n", nickname,
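Review bot: export_pkcs12 derives the default nickname from `api.env.realm` even though the constructor hunk above now stores the realm on the instance, so a CertDB built for one realm would export the CA of whatever realm the global api happens to be configured for; `nickname = get_ca_nickname(self.realm)` uses the value the object was created with and does not depend on `api` being imported or finalized in certs.py (this hunk does not show such an import). The rest of the pk12util invocation is outside the hunk.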
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 89613bc..48b6f55 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -404,7 +404,7 @@ class DsInstance(service.Service):
def __enable_ssl(self):
dirname = config_dirname(self.serverid)
- dsdb = certs.CertDB(dirname, subject_base=self.subject_base)
+ dsdb = certs.CertDB(dirname, self.realm_name, subject_base=self.subject_base)
if self.pkcs12_info:
dsdb.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1])
server_certs = dsdb.find_server_certs()
@@ -416,7 +416,7 @@ class DsInstance(service.Service):
self.dercert = dsdb.get_cert_from_db(nickname)
else:
nickname = "Server-Cert"
- cadb = certs.CertDB(httpinstance.NSS_DIR, host_name=self.fqdn, subject_base=self.subject_base)
+ cadb = certs.CertDB(httpinstance.NSS_DIR, self.realm_name, host_name=self.fqdn, subject_base=self.subject_base)
if self.self_signed_ca:
cadb.create_self_signed()
dsdb.create_from_cacert(cadb.cacert_fname, passwd=None)
@@ -529,7 +529,7 @@ class DsInstance(service.Service):
# drop the trailing / off the config_dirname so the directory
# will match what is in certmonger
dirname = config_dirname(serverid)[:-1]
- dsdb = certs.CertDB(dirname)
+ dsdb = certs.CertDB(dirname, self.realm_name)
dsdb.untrack_server_cert("Server-Cert")
erase_ds_instance_data(serverid)
@@ -571,7 +571,7 @@ class DsInstance(service.Service):
self.stop()
dirname = config_dirname(realm_to_serverid(self.realm_name))
- certdb = certs.CertDB(dirname, subject_base=self.subject_base)
+ certdb = certs.CertDB(dirname, self.realm_name, subject_base=self.subject_base)
if not cacert_name or len(cacert_name) == 0:
cacert_name = "Imported CA"
# we can't pass in the nickname, so we set the instance variable
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 13d7a66..f55995b 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -30,7 +30,7 @@ import dsinstance
import installutils
from ipapython import sysrestore
from ipapython import ipautil
-from ipalib import util
+from ipalib import util, api
HTTPD_DIR = "/etc/httpd"
SSL_CONF = HTTPD_DIR + "/conf.d/ssl.conf"
@@ -164,10 +164,10 @@ class HTTPInstance(service.Service):
def __setup_ssl(self):
if self.self_signed_ca:
- ca_db = certs.CertDB(NSS_DIR, subject_base=self.subject_base)
+ ca_db = certs.CertDB(NSS_DIR, self.realm, subject_base=self.subject_base)
else:
- ca_db = certs.CertDB(NSS_DIR, host_name=self.fqdn, subject_base=self.subject_base)
- db = certs.CertDB(NSS_DIR, subject_base=self.subject_base)
+ ca_db = certs.CertDB(NSS_DIR, self.realm, host_name=self.fqdn, subject_base=self.subject_base)
+ db = certs.CertDB(NSS_DIR, self.realm, subject_base=self.subject_base)
if self.pkcs12_info:
db.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1], passwd="")
server_certs = db.find_server_certs()
@@ -223,7 +223,7 @@ class HTTPInstance(service.Service):
prefs_fd.close()
# The signing cert is generated in __setup_ssl
- db = certs.CertDB(NSS_DIR, subject_base=self.subject_base)
+ db = certs.CertDB(NSS_DIR, self.realm, subject_base=self.subject_base)
pwdfile = open(db.passwd_fname)
pwd = pwdfile.read()
@@ -238,7 +238,7 @@ class HTTPInstance(service.Service):
shutil.rmtree(tmpdir)
def __publish_ca_cert(self):
- ca_db = certs.CertDB(NSS_DIR)
+ ca_db = certs.CertDB(NSS_DIR, self.realm)
shutil.copy(ca_db.cacert_fname, "/usr/share/ipa/html/ca.crt")
os.chmod("/usr/share/ipa/html/ca.crt", 0444)
@@ -252,7 +252,7 @@ class HTTPInstance(service.Service):
if not running is None:
self.stop()
- db = certs.CertDB(NSS_DIR)
+ db = certs.CertDB(NSS_DIR, api.env.realm)
db.untrack_server_cert("Server-Cert")
if not enabled is None and not enabled:
self.chkconfig_off()
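Review bot: uninstall builds its CertDB with `api.env.realm` while the four other hunks in this file pass `self.realm`, so the same object can address the NSS database under two different realm strings if they ever diverge. If uninstall can run on an instance whose `self.realm` was never set, that is worth a comment (`# self.realm is unset on uninstall; the global api carries the realm`); otherwise `db = certs.CertDB(NSS_DIR, self.realm)` keeps the class consistent. The enclosing method starts before the hunk.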
diff --git a/ipaserver/plugins/selfsign.py b/ipaserver/plugins/selfsign.py
index 9943f73..741fb0d 100644
--- a/ipaserver/plugins/selfsign.py
+++ b/ipaserver/plugins/selfsign.py
@@ -39,7 +39,7 @@ from ipalib import Backend
from ipalib import errors
from ipalib import x509
from ipalib import pkcs10
-from ipapython.certdb import CA_NICKNAME
+from ipapython.certdb import get_ca_nickname
import subprocess
import os
import re
@@ -47,6 +47,7 @@ from ipaserver.plugins import rabase
from ipaserver.install import certs
import tempfile
from ipalib import _
+from ipalib import api
from ipalib.plugins.cert import get_csr_hostname
from nss.error import NSPRError
@@ -157,7 +158,7 @@ class ra(rabase.rabase):
"/usr/bin/certutil",
"-C",
"-d", self.sec_dir,
- "-c", CA_NICKNAME,
+ "-c", get_ca_nickname(api.env.realm),
"-i", csr_name,
"-o", cert_name,
"-m", str(serialno),
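Review bot: Switching the signer lookup to `get_ca_nickname(api.env.realm)` means that on an existing self-signed deployment, whose CA sits in the NSS database under the old literal nickname `IPA CA`, every certificate request will fail in certutil with a "could not find certificate" error after this update unless the nickname is migrated; nothing in this commit shows a rename or fallback. Either an upgrade step that renames the token entry, or a lookup that tries the realm-qualified name and falls back to the legacy `IPA CA`, is needed before this can be shipped to existing installs. The certutil argument list and its error handling continue past the hunk.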