Use Dogtag 10 only when it is available

Put the changes from Ade's dogtag 10 patch into namespaced constants in dogtag.py, which are then referenced in the code. Make ipaserver.install.CAInstance use the service name specified in the configuration. Uninstallation, where config is removed before CA uninstall, also uses the (previously) configured value. This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
author: Petr Viktorin <pviktori@redhat.com> 2012-08-23 12:38:45 -0400
committer: Rob Crittenden <rcritten@redhat.com> 2012-09-17 18:43:59 -0400
commit: 4f76c143d2f2036af02677469c542f563a10158d (patch)
tree: 8ed4716135c53486710950b453f17bb71f36c658 /install
parent: 3dd31a875650c7fe7c67ca6b47f2058c1181dafb (diff)
download: freeipa-4f76c143d2f2036af02677469c542f563a10158d.tar.gz
freeipa-4f76c143d2f2036af02677469c542f563a10158d.tar.xz
freeipa-4f76c143d2f2036af02677469c542f563a10158d.zip
11 files changed, 63 insertions, 40 deletions
diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
index 7a067ca9c..20c09217a 100644
--- a/install/conf/ipa-pki-proxy.conf
+++ b/install/conf/ipa-pki-proxy.conf
@@ -1,4 +1,4 @@
-# VERSION 1 - DO NOT REMOVE THIS LINE
+# VERSION 2 - DO NOT REMOVE THIS LINE
 
 ProxyRequests Off
 
@@ -6,22 +6,22 @@ ProxyRequests Off
 <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange">
     NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
     NSSVerifyClient none
-    ProxyPassMatch ajp://localhost:8009
-    ProxyPassReverse ajp://localhost:8009
+    ProxyPassMatch ajp://localhost:$DOGTAG_PORT
+    ProxyPassReverse ajp://localhost:$DOGTAG_PORT
 </LocationMatch>
 
 # matches for admin port and installer
 <LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken">
     NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
     NSSVerifyClient none
-    ProxyPassMatch ajp://localhost:8009
-    ProxyPassReverse ajp://localhost:8009
+    ProxyPassMatch ajp://localhost:$DOGTAG_PORT
+    ProxyPassReverse ajp://localhost:$DOGTAG_PORT
 </LocationMatch>
 
 # matches for agent port and eeca port
 <LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
     NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
     NSSVerifyClient require
-    ProxyPassMatch ajp://localhost:8009
-    ProxyPassReverse ajp://localhost:8009
+    ProxyPassMatch ajp://localhost:$DOGTAG_PORT
+    ProxyPassReverse ajp://localhost:$DOGTAG_PORT
 </LocationMatch>
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index d428460fe..ed50a35b5 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 #
-# VERSION 7 - DO NOT REMOVE THIS LINE
+# VERSION 8 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
@@ -105,8 +105,8 @@ Alias /ipa/config "/usr/share/ipa/html"
 
 
 # For CRL publishing
-Alias /ipa/crl "/var/lib/pki/tomcat-ca/ca/publish"
-<Directory "/var/lib/pki/tomcat-ca/ca/publish">
+Alias /ipa/crl "$CRL_PUBLISH_PATH"
+<Directory "$CRL_PUBLISH_PATH">
   SetHandler None
   AllowOverride None
   Options Indexes FollowSymLinks
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 4c3af9775..5317835fc 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -32,6 +32,7 @@ from ipapython.dn import DN
 from ipalib import errors
 from ipapython import services as ipaservices
 from ipapython import ipautil
+from ipapython import dogtag
 from ipaserver.install import certs
 from ipaserver.plugins.ldap2 import ldap2
 from ipaserver.install.cainstance import update_cert_config
@@ -45,11 +46,9 @@ nickname = sys.argv[1]
 api.bootstrap(context='restart')
 api.finalize()
 
-alias_dir = '/etc/pki/pki-tomcat/alias'
-dogtag_instance = 'pki-tomcat'
-if 'dogtag_version' not in api.env:
-    alias_dir = '/var/lib/pki-ca/alias'
-    dogtag_instance = 'pki-ca'
+configured_constants = dogtag.configured_constants(api)
+alias_dir = configured_constants.ALIAS_DIR
+dogtag_instance = configured_constants.PKI_INSTANCE_NAME
 
 # Fetch the new certificate
 db = certs.CertDB(api.env.realm, nssdir=alias_dir)
@@ -112,5 +111,5 @@ time.sleep(pause)
 try:
     ipaservices.knownservices.pki_cad.restart(dogtag_instance)
 except Exception, e:
-    syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" % \
+    syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" %
                   (dogtag_instance, str(e)))
diff --git a/install/restart_scripts/restart_pkicad b/install/restart_scripts/restart_pkicad
index c21fb802f..0b6040a9d 100644
--- a/install/restart_scripts/restart_pkicad
+++ b/install/restart_scripts/restart_pkicad
@@ -22,6 +22,7 @@
 import sys
 import syslog
 from ipapython import services as ipaservices
+from ipapython import dogtag
 from ipaserver.install import certs
 from ipalib import api
 
@@ -30,18 +31,16 @@ nickname = sys.argv[1]
 api.bootstrap(context='restart')
 api.finalize()
 
-alias_dir = '/etc/pki/pki-tomcat/alias'
-dogtag_instance = 'pki-tomcat'
-if 'dogtag_version' not in api.env:
-    alias_dir = '/var/lib/pki-ca/alias'
-    dogtag_instance = 'pki-ca'
+configured_constants = dogtag.configured_constants(api)
+alias_dir = configured_constants.ALIAS_DIR
+dogtag_instance = configured_constants.PKI_INSTANCE_NAME
 
-syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted %sd, nickname '%s'" % \
+syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted %sd, nickname '%s'" %
               (dogtag_instance, nickname))
 
 # Fix permissions on the audit cert if we're updating it
 if nickname == 'auditSigningCert cert-pki-ca':
-    db = certs.CertDB(api.env.realm, nssdir = alias_dir )
+    db = certs.CertDB(api.env.realm, nssdir=alias_dir)
     args = ['-M',
             '-n', nickname,
             '-t', 'u,u,Pu',
@@ -54,5 +53,5 @@ try:
     ipaservices.knownservices.pki_cad.stop(dogtag_instance)
     ipaservices.knownservices.pki_cad.start(dogtag_instance)
 except Exception, e:
-    syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" % \
+    syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" %
                   (dogtag_instance, str(e)))
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index d52832239..1c1b96a91 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -37,6 +37,7 @@ from ipapython import version
 from ipalib import api, util
 from ipapython.config import IPAOptionParser
 from ipapython import sysrestore
+from ipapython import dogtag
 from ipapython.ipa_log_manager import *
 
 log_file_name = "/var/log/ipareplica-ca-install.log"
@@ -156,10 +157,11 @@ def main():
     # We need to restart apache as we drop a new config file in there
     ipaservices.knownservices.httpd.restart(capture_output=True)
 
-    #update dogtag version in config file to denote new instance
+    #update dogtag version in config file
     try:
         fd = open("/etc/ipa/default.conf", "a")
-        fd.write("dogtag_version=10\n")
+        fd.write(
+            "dogtag_version=%s\n" % dogtag.install_constants.DOGTAG_VERSION)
         fd.close()
     except IOError, e:
         print "Failed to update /etc/ipa/default.conf"
diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage
index 884956fd1..39cfa5851 100755
--- a/install/tools/ipa-csreplica-manage
+++ b/install/tools/ipa-csreplica-manage
@@ -29,6 +29,7 @@ from ipapython import ipautil
 from ipaserver.install import replication, installutils
 from ipaserver import ipaldap
 from ipapython import version
+from ipapython import dogtag
 from ipalib import api, errors, util
 from ipapython.dn import DN
 
@@ -80,7 +81,7 @@ class CSReplicationManager(replication.ReplicationManager):
         """
         dn = None
         cn = None
-        instance_name = 'pki-tomcat'
+        instance_name = dogtag.configured_constants(api).PKI_INSTANCE_NAME
 
         # if master is not None we know what dn to return:
         if master is not None:
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index a7b34cf1b..0378827d5 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -42,6 +42,7 @@ from ipapython.config import IPAOptionParser
 from ipapython import sysrestore
 from ipapython import services as ipaservices
 from ipapython.ipa_log_manager import *
+from ipapython import dogtag
 from ipapython.dn import DN
 
 log_file_name = "/var/log/ipareplica-install.log"
@@ -376,7 +377,8 @@ def main():
         if ipautil.file_exists(config.dir + "/cacert.p12"):
             fd.write("enable_ra=True\n")
             fd.write("ra_plugin=dogtag\n")
-            fd.write("dogtag_version=10\n")
+            fd.write("dogtag_version=%s\n" %
+                dogtag.install_constants.DOGTAG_VERSION)
         fd.write("mode=production\n")
         fd.close()
     finally:
diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index ce25681f4..56f132a38 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -33,6 +33,7 @@ from ipaserver.install.replication import enable_replication_version_checking
 from ipaserver.install.installutils import resolve_host, BadHostError, HostLookupError
 from ipaserver.plugins.ldap2 import ldap2
 from ipapython import version
+from ipapython import dogtag
 from ipapython.config import IPAOptionParser
 from ipalib import api, errors, util
 from ipapython.dn import DN
@@ -304,7 +305,9 @@ def main():
         if options.reverse_zone and not bindinstance.verify_reverse_zone(options.reverse_zone, options.ip_address):
             sys.exit(1)
 
-    if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki/pki-tomcat/conf/ca/CS.cfg") and not options.dirsrv_pin:
+    if (not certs.ipa_self_signed() and
+            not ipautil.file_exists(dogtag.configured_constants().CS_CFG_PATH) and
+            not options.dirsrv_pin):
         sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.")
 
     check_ipa_configuration(api.env.realm)
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 639a72701..201e2fb18 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -58,6 +58,7 @@ from ipaserver.plugins.ldap2 import ldap2
 from ipapython import sysrestore
 from ipapython.ipautil import *
 from ipapython import ipautil
+from ipapython import dogtag
 from ipalib import api, errors, util
 from ipapython.config import IPAOptionParser
 from ipalib.x509 import load_certificate_from_file, load_certificate_chain_from_file
@@ -465,6 +466,9 @@ def uninstall():
     except Exception, e:
         pass
 
+    # Need to get dogtag info before /etc/ipa/default.conf is removed
+    dogtag_constants = dogtag.configured_constants()
+
     print "Removing IPA client configuration"
     try:
         (stdout, stderr, rc) = run(["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--uninstall"], raiseonerr=False)
@@ -477,10 +481,13 @@ def uninstall():
         print "ipa-client-install returned: " + str(e)
 
     ntpinstance.NTPInstance(fstore).uninstall()
-    if cainstance.CADSInstance().is_configured():
-        cainstance.CADSInstance().uninstall()
-    if cainstance.CAInstance(api.env.realm, certs.NSS_DIR).is_configured():
-        cainstance.CAInstance(api.env.realm, certs.NSS_DIR).uninstall()
+    cads_instance = cainstance.CADSInstance(dogtag_constants=dogtag_constants)
+    if cads_instance.is_configured():
+        cads_instance.uninstall()
+    ca_instance = cainstance.CAInstance(
+        api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants)
+    if ca_instance.is_configured():
+        ca_instance.uninstall()
     bindinstance.BindInstance(fstore).uninstall()
     httpinstance.HTTPInstance(fstore).uninstall()
     krbinstance.KrbInstance(fstore).uninstall()
@@ -853,7 +860,8 @@ def main():
     fd.write("enable_ra=True\n")
     if not options.selfsign:
         fd.write("ra_plugin=dogtag\n")
-        fd.write("dogtag_version=10\n")
+        fd.write("dogtag_version=%s\n" %
+            dogtag.install_constants.DOGTAG_VERSION)
     fd.write("mode=production\n")
     fd.close()
 
@@ -916,7 +924,8 @@ def main():
         cs = cainstance.CADSInstance(host_name, realm_name, domain_name, dm_password)
         if not cs.is_configured():
             cs.create_instance(realm_name, host_name, domain_name, dm_password, subject_base=options.subject)
-        ca = cainstance.CAInstance(realm_name, certs.NSS_DIR)
+        ca = cainstance.CAInstance(realm_name, certs.NSS_DIR,
+            dogtag_constants=dogtag.install_constants)
         if external == 0:
             ca.configure_instance(host_name, dm_password, dm_password,
                                   subject_base=options.subject)
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 3041cb60b..6c0437180 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -29,6 +29,7 @@ try:
     from ipapython.config import IPAOptionParser
     from ipapython.ipa_log_manager import *
     from ipapython import certmonger
+    from ipapython import dogtag
     from ipaserver.install import installutils
     from ipaserver.install import dsinstance
     from ipaserver.install import httpinstance
@@ -458,7 +459,7 @@ def enable_certificate_renewal(realm):
             ca.configure_agent_renewal()
         ca.track_servercert()
         sysupgrade.set_upgrade_state('dogtag', 'renewal_configured', True)
-        ca.restart(cainstance.PKI_INSTANCE_NAME)
+        ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
         root_logger.debug('CA subsystem certificate renewal enabled')
 
 def main():
@@ -495,7 +496,14 @@ def main():
     check_certs()
 
     auto_redirect = find_autoredirect(fqdn)
-    sub_dict = { "REALM" : api.env.realm, "FQDN": fqdn, "AUTOREDIR": '' if auto_redirect else '#'}
+    configured_constants = dogtag.configured_constants()
+    sub_dict = dict(
+        REALM=api.env.realm,
+        FQDN=fqdn,
+        AUTOREDIR='' if auto_redirect else '#',
+        CRL_PUBLISH_PATH=configured_constants.CRL_PUBLISH_PATH,
+        DOGTAG_PORT=configured_constants.AJP_PORT,
+    )
 
     upgrade(sub_dict, "/etc/httpd/conf.d/ipa.conf", ipautil.SHARE_DIR + "ipa.conf")
     upgrade(sub_dict, "/etc/httpd/conf.d/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf")
diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json
index bccc31b19..0d94d9b02 100644
--- a/install/ui/test/data/ipa_init.json
+++ b/install/ui/test/data/ipa_init.json
@@ -669,12 +669,12 @@
                 "result": {
                     "basedn": "dc=dev,dc=example,dc=com",
                     "bin": "/var/www",
-                    "ca_agent_install_port": 8443,
+                    "ca_agent_install_port": 9443,
                     "ca_agent_port": 443,
-                    "ca_ee_install_port": 8443,
+                    "ca_ee_install_port": 9444,
                     "ca_ee_port": 443,
                     "ca_host": "dev.example.com",
-                    "ca_install_port": 8080,
+                    "ca_install_port": 9180,
                     "ca_port": 80,
                     "conf": "/etc/ipa/server.conf",
                     "conf_default": "/etc/ipa/default.conf",
author	Petr Viktorin <pviktori@redhat.com>	2012-08-23 12:38:45 -0400
committer	Rob Crittenden <rcritten@redhat.com>	2012-09-17 18:43:59 -0400
commit	4f76c143d2f2036af02677469c542f563a10158d (patch)
tree	8ed4716135c53486710950b453f17bb71f36c658 /install
parent	3dd31a875650c7fe7c67ca6b47f2058c1181dafb (diff)
download	freeipa-4f76c143d2f2036af02677469c542f563a10158d.tar.gz freeipa-4f76c143d2f2036af02677469c542f563a10158d.tar.xz freeipa-4f76c143d2f2036af02677469c542f563a10158d.zip