summaryrefslogtreecommitdiffstats
path: root/install/tools
diff options
context:
space:
mode:
authorRob Crittenden <rcritten@redhat.com>2011-03-10 00:06:15 -0500
committerRob Crittenden <rcritten@redhat.com>2011-03-10 09:57:36 -0500
commit9dfb0f05b03176dd8478b56ce684c9a2f4f07b0e (patch)
tree4294d10a6d09fa0dd4c5989c63477c5936d53318 /install/tools
parented5cffd026a6528ea47802d16417139dd2734980 (diff)
downloadfreeipa-9dfb0f05b03176dd8478b56ce684c9a2f4f07b0e.tar.gz
freeipa-9dfb0f05b03176dd8478b56ce684c9a2f4f07b0e.tar.xz
freeipa-9dfb0f05b03176dd8478b56ce684c9a2f4f07b0e.zip
Use TLS for dogtag replication agreements.
Configure the dogtag 389-ds instance with SSL so we can enable TLS for the dogtag replication agreements. The NSS database we use is a symbolic link to the IPA 389-ds instance. ticket 1060
Diffstat (limited to 'install/tools')
-rwxr-xr-xinstall/tools/ipa-replica-install26
-rwxr-xr-xinstall/tools/ipa-server-install16
2 files changed, 39 insertions, 3 deletions
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index d9a9748a8..cfaeaa4a5 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -167,9 +167,22 @@ def install_ca(config):
print "Please install dogtag and restart the setup program"
sys.exit(1)
+ # We replicate to the master using TLS. In order for this to work we
+ # need an SSL server cert. To make things easier we'll re-use the
+ # IPA 389-ds instance certificate loaded directly into the
+ # dogtag 389-ds instance. Later we will replace the NSS databases with
+ # symbolic links.
+ pkcs12_info = None
+ if ipautil.file_exists(config.dir + "/dscert.p12"):
+ pkcs12_info = (config.dir + "/dscert.p12",
+ config.dir + "/dirsrv_pin.txt")
cs = cainstance.CADSInstance()
cs.create_instance(config.realm_name, config.host_name,
- config.domain_name, config.dirman_password)
+ config.domain_name, config.dirman_password,
+ pkcs12_info)
+ cs.load_pkcs12()
+ cs.enable_ssl()
+ cs.restart_instance()
ca = cainstance.CAInstance(config.realm_name, certs.NSS_DIR)
ca.configure_instance(config.host_name, config.dirman_password,
config.dirman_password, pkcs12_info=(cafile,),
@@ -187,8 +200,8 @@ def install_ca(config):
service_name = cs.service_name
service.print_msg("Restarting the directory and certificate servers")
cs.service_name = "dirsrv"
- cs.stop("PKI-IPA")
ca.stop()
+ cs.stop("PKI-IPA")
cs.start("PKI-IPA")
ca.start()
cs.service_name = service_name
@@ -487,6 +500,15 @@ def main():
CA.ldap_enable('CA', config.host_name, config.dirman_password,
util.realm_to_suffix(config.realm_name))
+ # Now we will replace the existing dogtag 389-ds instance NSS
+ # database with a symbolic link to the IPA 389-ds NSS database.
+ caconfigdir = dsinstance.config_dirname(dsinstance.realm_to_serverid('PKI-IPA'))
+ for filename in ['cert8.db', 'key3.db', 'secmod.db', 'pin.txt']:
+ os.unlink('%s%s' % (caconfigdir, filename))
+ dsconfigdir = dsinstance.config_dirname(dsinstance.realm_to_serverid(config.realm_name))
+ for filename in ['cert8.db', 'key3.db', 'secmod.db', 'pin.txt']:
+ os.symlink('%s%s' % (dsconfigdir, filename), '%s%s' % (caconfigdir, filename))
+
install_krb(config, setup_pkinit=options.setup_pkinit)
install_http(config)
if CA:
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 29c3f785f..9c0947c83 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -760,6 +760,7 @@ def main():
ca.configure_instance(host_name, dm_password, dm_password,
subject_base=options.subject)
elif external == 1:
+ # stage 2 of external CA installation
options.realm_name = realm_name
options.domain_name = domain_name
options.master_password = master_password
@@ -776,6 +777,7 @@ def main():
# This can happen if someone passes external_ca_file without
# already having done the first stage of the CA install.
sys.exit('CA is not installed yet. To install with an external CA is a two-stage process.\nFirst run the installer with --external-ca.')
+ cs = cainstance.CADSInstance(dm_password=dm_password)
ca.configure_instance(host_name, dm_password, dm_password,
cert_file=options.external_cert_file,
cert_chain_file=options.external_ca_file,
@@ -810,11 +812,23 @@ def main():
subject_base=options.subject,
hbac_allow=not options.hbac_allow)
- # We ned to ldap_enable the CA now that DS is up and running
+ # We need to ldap_enable the CA now that DS is up and running
if not options.selfsign:
ca.ldap_enable('CA', host_name, dm_password,
util.realm_to_suffix(realm_name))
+ # Symlink the IPA LDAP server NSS database to this one.
+ caconfigdir = dsinstance.config_dirname(dsinstance.realm_to_serverid('PKI-IPA'))
+ for filename in ['cert8.db', 'key3.db', 'secmod.db']:
+ os.unlink('%s%s' % (caconfigdir, filename))
+ dsconfigdir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
+ for filename in ['cert8.db', 'key3.db', 'secmod.db', 'pin.txt']:
+ os.symlink('%s%s' % (dsconfigdir, filename), '%s%s' % (caconfigdir, filename))
+
+ # Turn on SSL in the dogtag LDAP instance. This will get restarted
+ # later, we don't need SSL now.
+ cs.enable_ssl()
+
# Create a kerberos instance
if options.pkinit_pin:
[pw_fd, pw_name] = tempfile.mkstemp()