author | Ade Lee <alee@redhat.com> | 2014-03-18 11:23:30 -0400 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-08-22 09:59:31 +0200 |
commit | a25fe00c62117cb11a1e75fbcc4960a0cfa72aab (patch) | |
tree | e68182a6cd474c034fc14d83c3a9a4ce840b35c6 /install | |
parent | 981b399c4e6938b4ab096dee9411cb025e221703 (diff) | |
Add a KRA to IPA
This patch adds the capability of installing a Dogtag KRA
to an IPA instance. With this patch, a KRA is NOT configured
by default when ipa-server-install is run. Rather, the command
ipa-kra-install must be executed on an instance on which a Dogtag
CA has already been configured.
The KRA shares the same tomcat instance and DS instance as the
Dogtag CA. Moreover, the same admin user/agent (and agent cert) can
be used for both subsystems. Certmonger is also configured to
monitor the new subsystem certificates.
To create a clone KRA, simply execute ipa-kra-install <replica_file>
on a replica on which a Dogtag CA has already been replicated.
ipa-kra-install will use the security domain to detect whether the
system being installed is a replica, and will error out if a needed
replica file is not provided.
The install scripts have been refactored somewhat to minimize
duplication of code. A new base class dogtagintance.py has
been introduced containing code that is common to KRA and CA
installs. This will become very useful when we add more PKI
subsystems.
The KRA will install its database as a subtree of o=ipaca,
specifically o=ipakra,o=ipaca. This means that replication
agreements created to replicate CA data will also replicate KRA
data. No new replication agreements are required.
Added dogtag plugin for KRA. This is an initial commit providing
the basic vault functionality needed for vault. This plugin will
likely be modified as we create the code to call some of these
functions.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3872
The uninstallation option in ipa-kra-install is temporarily disabled.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'install')
-rw-r--r-- | install/conf/ipa-pki-proxy.conf | 6 | ||||
-rw-r--r-- | install/po/Makefile.in | 1 | ||||
-rw-r--r-- | install/restart_scripts/renew_ca_cert | 11 | ||||
-rw-r--r-- | install/tools/Makefile.am | 1 | ||||
-rwxr-xr-x | install/tools/ipa-ca-install | 82 | ||||
-rwxr-xr-x | install/tools/ipa-dns-install | 1 | ||||
-rw-r--r-- | install/tools/ipa-kra-install | 23 | ||||
-rwxr-xr-x | install/tools/ipa-replica-install | 87 | ||||
-rwxr-xr-x | install/tools/ipa-server-install | 46 | ||||
-rw-r--r-- | install/tools/ipa-upgradeconfig | 86 |
10 files changed, 158 insertions, 186 deletions
diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
index 224cdd45b..57175390b 100644
--- a/install/conf/ipa-pki-proxy.conf
+++ b/install/conf/ipa-pki-proxy.conf
@@ -1,4 +1,4 @@
-# VERSION 4 - DO NOT REMOVE THIS LINE
+# VERSION 5 - DO NOT REMOVE THIS LINE
 ProxyRequests Off
@@ -11,7 +11,7 @@ ProxyRequests Off
 </LocationMatch>
 # matches for admin port and installer
-<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken|^/ca/admin/ca/updateNumberRange|^/ca/rest/securityDomain/domainInfo|^/ca/rest/account/login|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/rest/account/logout|^/ca/rest/securityDomain/installToken">
+<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken|^/ca/admin/ca/updateNumberRange|^/ca/rest/securityDomain/domainInfo|^/ca/rest/account/login|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/rest/account/logout|^/ca/rest/securityDomain/installToken|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries|^/kra/rest/config/cert/transport">
 NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
 NSSVerifyClient none
 ProxyPassMatch ajp://localhost:$DOGTAG_PORT
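Review bot: The `NSSVerifyClient none` LocationMatch now also passes `/ca/admin/ca/updateConnector`, `/ca/admin/ca/getSubsystemCert`, `/kra/admin/kra/updateNumberRange`, `/kra/admin/kra/getConfigEntries` and `/kra/rest/config/cert/transport` to Dogtag without any client certificate at the proxy, so the only authentication left on those servlets is whatever Dogtag itself enforces, and the file does not say why that is acceptable for this list. A comment above the directive, e.g. `# installer/admin servlets: no client cert is required at the proxy, each servlet must enforce its own authentication (install token / security domain login) — confirm for the KRA entries`, would record the intent for whoever extends the list next. The KRA entries inherit the prefix-only anchoring (`^/...` with no `$`) of the existing CA patterns, and `^/ca/admin/ca/updateNumberRange` now appears twice in the alternation (pre-existing, harmless).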
@@ -19,7 +19,7 @@ ProxyRequests Off
 </LocationMatch>
 # matches for agent port and eeca port
-<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
+<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/kra/agent/kra/connector|^/kra/rest/agent/keyrequests|^/kra/rest/agent/keys|^/kra/rest/admin/kraconnector/remove">
 NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
 NSSVerifyClient require
 ProxyPassMatch ajp://localhost:$DOGTAG_PORT
diff --git a/install/po/Makefile.in b/install/po/Makefile.in
index 6dca615c1..de711dffb 100644
--- a/install/po/Makefile.in
+++ b/install/po/Makefile.in
@@ -47,6 +47,7 @@ PY_EXPLICIT_FILES = \
 install/tools/ipa-csreplica-manage \
 install/tools/ipactl \
 install/tools/ipa-dns-install \
+ install/tools/ipa-kra-install \
 install/tools/ipa-ldap-updater \
 install/tools/ipa-managed-entries \
 install/tools/ipa-nis-manage \
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 2ad203870..a205b0e36 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -21,13 +21,12 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 import sys
-import os
 import syslog
 import tempfile
 import shutil
 import traceback
-from ipapython import dogtag, certmonger, ipautil
+from ipapython import dogtag, ipautil
 from ipapython.dn import DN
 from ipalib import api, errors, x509, certstore
 from ipaserver.install import certs, cainstance, installutils
@@ -35,6 +34,7 @@ from ipaserver.plugins.ldap2 import ldap2
 from ipaplatform import services
 from ipaplatform.paths import paths
+
 def main():
 nickname = sys.argv[1]
@@ -70,8 +70,6 @@ def main():
 syslog.syslog(syslog.LOG_ERR, 'No certificate %s found.' % nickname)
 sys.exit(1)
- cainstance.update_cert_config(nickname, cert, configured_constants)
-
 tmpdir = tempfile.mkdtemp(prefix="tmp-")
 try:
 principal = str('host/%s@%s' % (api.env.host, api.env.realm))
@@ -79,6 +77,7 @@ def main():
 principal)
 ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False)
+ ca.update_cert_config(nickname, cert, configured_constants)
 if ca.is_renewal_master():
 cainstance.update_people_entry(cert)
@@ -198,7 +197,9 @@ def main():
 # off the servlet to verify that the CA is actually up and responding so
 # when this returns it should be good-to-go. The CA was stopped in the
 # pre-save state.
- syslog.syslog(syslog.LOG_NOTICE, 'Starting %s' % dogtag_service.service_name)
+ syslog.syslog(
+ syslog.LOG_NOTICE,
+ 'Starting %s' % dogtag_service.service_name)
 try:
 dogtag_service.start(dogtag_instance)
 except Exception, e:
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
index 0b38d2c77..b791a8c74 100644
--- a/install/tools/Makefile.am
+++ b/install/tools/Makefile.am
@@ -7,6 +7,7 @@ SUBDIRS = \
 sbin_SCRIPTS = \
 ipa-ca-install \
 ipa-dns-install \
+ ipa-kra-install \
 ipa-server-install \
 ipa-adtrust-install \
 ipa-replica-conncheck \
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index fc8941248..475794bb6 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -19,23 +19,20 @@
 #
 import sys
-import socket
-
-import os, shutil
+import os
+import shutil
 from ConfigParser import RawConfigParser
-
 from ipapython import ipautil
-from ipaserver.install import installutils, service
+from ipaserver.install import installutils
 from ipaserver.install import certs
-from ipaserver.install.installutils import (HostnameLocalhost, ReplicaConfig,
- expand_replica_info, read_replica_info, get_host_name, BadHostError,
- private_ccache, read_replica_info_dogtag_port, validate_external_cert)
+from ipaserver.install.installutils import (
+ ReplicaConfig, private_ccache, create_replica_config,
+ validate_external_cert)
 from ipaserver.install import dsinstance, cainstance, bindinstance
 from ipaserver.install.replication import replica_conn_check
 from ipapython import version
-from ipalib import api, util, certstore, x509
-from ipalib.constants import CACERT
+from ipalib import api, certstore, x509
 from ipapython.dn import DN
 from ipapython.config import IPAOptionParser
 from ipapython import sysrestore
@@ -95,8 +92,11 @@ def parse_options():
 return safe_options, options, filename
+
 def get_dirman_password():
- return installutils.read_password("Directory Manager (existing master)", confirm=False, validate=False)
+ return installutils.read_password(
+ "Directory Manager (existing master)", confirm=False, validate=False)
+
 def install_dns_records(config, options):
@@ -115,13 +115,15 @@ def install_dns_records(config, options):
 bind.add_ipa_ca_dns_records(config.host_name, config.domain_name)
 finally:
 if api.Backend.ldap2.isconnected() and disconnect:
- api.Backend.ldap2.disconnect()
+ api.Backend.ldap2.disconnect()
+
 def install_replica(safe_options, options, filename):
 standard_logging_setup(log_file_name, debug=options.debug)
- root_logger.debug('%s was invoked with argument "%s" and options: %s' % (sys.argv[0], filename, safe_options))
- root_logger.debug('IPA version %s' % version.VENDOR_VERSION)
+ root_logger.debug('%s was invoked with argument "%s" and options: %s',
+ sys.argv[0], filename, safe_options)
+ root_logger.debug('IPA version %s', version.VENDOR_VERSION)
 if not ipautil.file_exists(filename):
 sys.exit("Replica file %s does not exist" % filename)
@@ -151,38 +153,13 @@ def install_replica(safe_options, options, filename):
 sys.exit("Directory Manager password required")
 if not options.admin_password and not options.skip_conncheck and \
- options.unattended:
- sys.exit('admin password required')
+ options.unattended:
+ sys.exit('admin password required')
- try:
- top_dir, dir = expand_replica_info(filename, dirman_password)
- global REPLICA_INFO_TOP_DIR
- REPLICA_INFO_TOP_DIR = top_dir
- except Exception, e:
- print "ERROR: Failed to decrypt or open the replica file."
- print "Verify you entered the correct Directory Manager password."
- sys.exit(1)
-
- config = ReplicaConfig()
- read_replica_info(dir, config)
- config.dirman_password = dirman_password
- try:
- host = get_host_name(options.no_host_dns)
- except BadHostError, e:
- root_logger.error(str(e))
- sys.exit(1)
- if config.host_name != host:
- try:
- print "This replica was created for '%s' but this machine is named '%s'" % (config.host_name, host)
- if not ipautil.user_input("This may cause problems. Continue?", True):
- sys.exit(0)
- config.host_name = host
- print ""
- except KeyboardInterrupt:
- sys.exit(0)
- config.dir = dir
+ config = create_replica_config(dirman_password, filename, options)
+ global REPLICA_INFO_TOP_DIR
+ REPLICA_INFO_TOP_DIR = config.top_dir
 config.setup_ca = True
- config.ca_ds_port = read_replica_info_dogtag_port(config.dir)
 if not ipautil.file_exists(config.dir + "/cacert.p12"):
 print 'CA cannot be installed in CA-less setup.'
@@ -206,7 +183,7 @@ def install_replica(safe_options, options, filename):
 ipautil.realm_to_suffix(config.realm_name))
 # This is done within stopped_service context, which restarts CA
- CA.enable_client_auth_to_db()
+ CA.enable_client_auth_to_db(CA.dogtag_constants.CS_CFG_PATH)
 # Install CA DNS records
 install_dns_records(config, options)
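Review bot: Replacing the inline replica-file handling with `config = create_replica_config(dirman_password, filename, options)` also replaces the host-name mismatch prompt, and the two callers disagreed on its default answer: this file passed `True` to `ipautil.user_input("This may cause problems. Continue?", True)` while ipa-replica-install (the `@@ -508,44 +511,24 @@` hunk further down) passed `False`. The shared helper can only pick one default; confirm which one it uses and prefer the conservative `False` unless there is a reason ipa-ca-install should continue by default when the replica file was prepared for a different host. `create_replica_config` itself is outside this diffstat (limited to `install`), so its behavior cannot be checked here; install_replica() continues outside the hunk.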
@@ -225,12 +202,13 @@ def install_replica(safe_options, options, filename):
 root_logger.error(str(e))
 sys.exit(1)
+
 def install_master(safe_options, options):
 standard_logging_setup(paths.IPASERVER_CA_INSTALL_LOG, debug=options.debug)
 root_logger.debug(
- "%s was invoked with options: %s" % (sys.argv[0], safe_options))
- root_logger.debug("IPA version %s" % version.VENDOR_VERSION)
+ "%s was invoked with options: %s", sys.argv[0], safe_options)
+ root_logger.debug("IPA version %s", version.VENDOR_VERSION)
 global sstore
 sstore = sysrestore.StateFile(paths.SYSRESTORE)
@@ -316,7 +294,8 @@ def install_master(safe_options, options):
 "cannot continue." % (subject, db.secdir))
 sys.exit(1)
- ca = cainstance.CAInstance(realm_name, certs.NSS_DIR,
+ ca = cainstance.CAInstance(
+ realm_name, certs.NSS_DIR,
 dogtag_constants=dogtag.install_constants)
 ca.create_ra_agent_db = False
 if external == 0:
@@ -338,7 +317,7 @@ def install_master(safe_options, options):
 ca.ldap_enable('CA', host_name, dm_password,
 ipautil.realm_to_suffix(realm_name), ['caRenewalMaster'])
- ca.enable_client_auth_to_db()
+ ca.enable_client_auth_to_db(ca.dogtag_constants.CS_CFG_PATH)
 # Install CA DNS records
 config = ReplicaConfig()
@@ -396,6 +375,7 @@ def install_master(safe_options, options):
 ca.start(ca.dogtag_constants.PKI_INSTANCE_NAME)
+
 def main():
 safe_options, options, filename = parse_options()
@@ -416,8 +396,8 @@ if __name__ == '__main__':
 try:
 with private_ccache():
 installutils.run_script(main, log_file_name=log_file_name,
- operation_name='ipa-ca-install',
- fail_message=fail_message)
+ operation_name='ipa-ca-install',
+ fail_message=fail_message)
 finally:
 # always try to remove decrypted replica file
 try:
diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index 5e191974b..c9ea63ce3 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -32,6 +32,7 @@ from ipalib import api, errors, util
 from ipaplatform.paths import paths
 from ipapython.config import IPAOptionParser
 from ipapython.ipa_log_manager import standard_logging_setup, root_logger
+from ipapython.ipautil import DN
 log_file_name = paths.IPASERVER_INSTALL_LOG
diff --git a/install/tools/ipa-kra-install b/install/tools/ipa-kra-install
new file mode 100644
index 000000000..bc92d26fe
--- /dev/null
+++ b/install/tools/ipa-kra-install
@@ -0,0 +1,23 @@
+#! /usr/bin/python2 -E
+# Authors: Ade Lee <alee@redhat.com>
+#
+# Copyright (C) 2014 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+from ipaserver.install.ipa_kra_install import KRAInstall
+
+KRAInstall.run_cli()
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index eca73441b..7c9e27e2b 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
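Review bot: `from ipapython.ipautil import DN` pulls DN in through ipautil, whereas the other files touched by this commit take it from its own module (`from ipapython.dn import DN` in renew_ca_cert and ipa-ca-install). Relying on ipautil happening to re-export DN is fragile; use `from ipapython.dn import DN` here as well. The hunk does not show where ipa-dns-install uses DN, so also confirm the import is needed at all rather than left over from a draft.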
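Review bot: The new launcher is committed with `new file mode 100644`, while its siblings in install/tools that appear in the diffstat (ipa-ca-install, ipa-dns-install, ipa-replica-install, ipa-server-install) are `100755`; mark it executable (`chmod +x install/tools/ipa-kra-install` before committing) so the tree matches how the other `sbin_SCRIPTS` are kept. The body only calls `KRAInstall.run_cli()` at import time, which is fine for a launcher, but a one-line comment such as `# Entry point only: option parsing and installation logic live in ipaserver.install.ipa_kra_install` would tell a reader where to look, since that module is outside this diffstat.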
@@ -36,12 +36,12 @@ from ipaserver.install import bindinstance, httpinstance, ntpinstance
 from ipaserver.install import memcacheinstance
 from ipaserver.install import otpdinstance
 from ipaserver.install.replication import replica_conn_check, ReplicationManager
-from ipaserver.install.installutils import (ReplicaConfig, expand_replica_info,
- read_replica_info, get_host_name, BadHostError, private_ccache,
- read_replica_info_dogtag_port)
+from ipaserver.install.installutils import (
+ create_replica_config, read_replica_info_kra_enabled, private_ccache)
 from ipaserver.plugins.ldap2 import ldap2
 from ipaserver.install import cainstance
-from ipalib import api, errors, util, x509, certstore
+from ipaserver.install import krainstance
+from ipalib import api, errors, util, certstore, x509
 from ipalib.constants import CACERT
 from ipapython import version
 from ipapython.config import IPAOptionParser
@@ -55,8 +55,8 @@ from ipaplatform import services
 from ipaplatform.paths import paths
 log_file_name = paths.IPAREPLICA_INSTALL_LOG
-REPLICA_INFO_TOP_DIR = None
 DIRMAN_DN = DN(('cn', 'directory manager'))
+REPLICA_INFO_TOP_DIR = None
 def parse_options():
 usage = "%prog [options] REPLICA_FILE"
@@ -65,6 +65,8 @@ def parse_options():
 basic_group = OptionGroup(parser, "basic options")
 basic_group.add_option("--setup-ca", dest="setup_ca", action="store_true",
 default=False, help="configure a dogtag CA")
+ basic_group.add_option("--setup-kra", dest="setup_kra", action="store_true",
+ default=False, help="configure a dogtag KRA")
 basic_group.add_option("--ip-address", dest="ip_address", type="ip", ip_local=True,
 help="Replica server IP Address")
@@ -206,6 +208,7 @@ def install_krb(config, setup_pkinit=False):
 return krb
+
 def install_ca_cert(ldap, base_dn, realm, cafile):
 try:
 try:
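Review bot: The new `--setup-kra` option is accepted here without checking `--setup-ca`; the dependency is only enforced later in main() (`print "CA must be installed with the KRA"` in the `@@ -508,44 +511,24 @@` hunk), after the Directory Manager password has been prompted for and the replica file decrypted. Rejecting the combination while still in parse_options() — `if options.setup_kra and not options.setup_ca: parser.error("--setup-kra requires --setup-ca")`, assuming IPAOptionParser keeps optparse's `error()` — fails fast before any secret is read, and the help text could say so (`help="configure a dogtag KRA (requires --setup-ca)"`). parse_options() continues outside this hunk, so the check belongs with the other option validation there.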
@@ -508,44 +511,24 @@ def main():
 if dirman_password is None:
 sys.exit("Directory Manager password required")
- try:
- top_dir, dir = expand_replica_info(filename, dirman_password)
- global REPLICA_INFO_TOP_DIR
- REPLICA_INFO_TOP_DIR = top_dir
- except Exception, e:
- print "ERROR: Failed to decrypt or open the replica file."
- print "Verify you entered the correct Directory Manager password."
- sys.exit(1)
-
- config = ReplicaConfig()
- read_replica_info(dir, config)
- root_logger.debug('Installing replica file with version %d (0 means no version in prepared file).' % config.version)
- if config.version and config.version > version.NUM_VERSION:
- root_logger.error('A replica file from a newer release (%d) cannot be installed on an older version (%d)' % (config.version, version.NUM_VERSION))
- sys.exit(1)
- config.dirman_password = dirman_password
- try:
- host = get_host_name(options.no_host_dns)
- except BadHostError, e:
- root_logger.error(str(e))
- sys.exit(1)
- if config.host_name != host:
- try:
- print "This replica was created for '%s' but this machine is named '%s'" % (config.host_name, host)
- if not ipautil.user_input("This may cause problems. Continue?", False):
- sys.exit(0)
- config.host_name = host
- print ""
- except KeyboardInterrupt:
- sys.exit(0)
- config.dir = dir
+ config = create_replica_config(dirman_password, filename, options)
+ global REPLICA_INFO_TOP_DIR
+ REPLICA_INFO_TOP_DIR = config.top_dir
 config.setup_ca = options.setup_ca
- config.ca_ds_port = read_replica_info_dogtag_port(config.dir)
 if config.setup_ca and not ipautil.file_exists(config.dir + "/cacert.p12"):
 print 'CA cannot be installed in CA-less setup.'
 sys.exit(1)
+ config.setup_kra = options.setup_kra
+ if config.setup_kra:
+ if not config.setup_ca:
+ print "CA must be installed with the KRA"
+ sys.exit(1)
+ if not read_replica_info_kra_enabled(config.dir):
+ print "KRA is not installed on the master system"
+ sys.exit(1)
+
 installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
 # check connection
@@ -579,6 +562,9 @@ def main():
 else:
 fd.write("enable_ra=False\n")
 fd.write("ra_plugin=none\n")
+
+ fd.write("enable_kra=%s\n" % config.setup_kra)
+
 fd.write("mode=production\n")
 fd.close()
 finally:
@@ -611,7 +597,7 @@ def main():
 # Check that we don't already have a replication agreement
 try:
- (agreement_cn, agreement_dn) = replman.agreement_dn(host)
+ (agreement_cn, agreement_dn) = replman.agreement_dn(config.host_name)
 entry = conn.get_entry(agreement_dn, ['*'])
 except errors.NotFound:
 pass
@@ -621,20 +607,20 @@ def main():
 print ('A replication agreement for this host already exists. '
 'It needs to be removed.')
 print "Run this on the master that generated the info file:"
- print " %% ipa-replica-manage del %s --force" % host
+ print " %% ipa-replica-manage del %s --force" % config.host_name
 exit(3)
 # Check pre-existing host entry
 try:
- entry = conn.find_entries(u'fqdn=%s' % host, ['fqdn'], DN(api.env.container_host, api.env.basedn))
+ entry = conn.find_entries(u'fqdn=%s' % config.host_name, ['fqdn'], DN(api.env.container_host, api.env.basedn))
 except errors.NotFound:
 pass
 else:
 root_logger.info(
- 'Error: Host %s already exists on the master server.' % host)
- print 'The host %s already exists on the master server.' % host
+ 'Error: Host %s already exists on the master server.' % config.host_name)
+ print 'The host %s already exists on the master server.' % config.host_name
 print "You should remove it before proceeding:"
- print " %% ipa host-del %s" % host
+ print " %% ipa host-del %s" % config.host_name
 exit(3)
 # Install CA cert so that we can do SSL connections with ldap
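Review bot: The replica-file version check (`if config.version and config.version > version.NUM_VERSION:` followed by the `root_logger.error(...)` and `sys.exit(1)`) is removed together with the inline parsing, and nothing in the new code repeats it, so unless `create_replica_config` performs the same comparison a replica file prepared by a newer release is now accepted silently. `create_replica_config` is outside this diffstat (limited to `install`), so please confirm the check moved with it, or keep those three lines here right after `config = create_replica_config(dirman_password, filename, options)`. The hunk starts mid-way through main(), which continues outside it.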
@@ -694,7 +680,7 @@ def main():
 ipautil.realm_to_suffix(config.realm_name))
 # This is done within stopped_service context, which restarts CA
- CA.enable_client_auth_to_db()
+ CA.enable_client_auth_to_db(CA.dogtag_constants.CS_CFG_PATH)
 krb = install_krb(config, setup_pkinit=options.setup_pkinit)
 http = install_http(config, auto_redirect=options.ui_redirect)
@@ -705,7 +691,7 @@ def main():
 if CA:
 CA.configure_certmonger_renewal()
- CA.import_ra_cert(dir + "/ra.p12")
+ CA.import_ra_cert(config.dir + "/ra.p12")
 CA.fix_ra_perms()
 services.knownservices.httpd.restart()
@@ -717,9 +703,14 @@ def main():
 service.print_msg("Applying LDAP updates")
 ds.apply_updates()
- # Restart ds and krb after configurations have been changed
- service.print_msg("Restarting the directory server")
- ds.restart()
+ if options.setup_kra:
+ kra = krainstance.install_replica_kra(config)
+ service.print_msg("Restarting the directory server")
+ ds.restart()
+ kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
+ else:
+ service.print_msg("Restarting the directory server")
+ ds.restart()
 service.print_msg("Restarting the KDC")
 krb.restart()
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index a54725458..6e77b434a 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -3,7 +3,7 @@
 # Simo Sorce <ssorce@redhat.com>
 # Rob Crittenden <rcritten@redhat.com>
 #
-# Copyright (C) 2007-2010 Red Hat
+# Copyright (C) 2007-2014 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -53,6 +53,7 @@ from ipaserver.install import httpinstance
 from ipaserver.install import ntpinstance
 from ipaserver.install import certs
 from ipaserver.install import cainstance
+from ipaserver.install import krainstance
 from ipaserver.install import memcacheinstance
 from ipaserver.install import otpdinstance
 from ipaserver.install import sysupgrade
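Review bot: In the `@@ -717,9 +703,14 @@` hunk both arms of the new `if options.setup_kra:` repeat `service.print_msg("Restarting the directory server")` and `ds.restart()`, and the condition tests `options.setup_kra` although main() already copied it into `config.setup_kra` (the `@@ -508,44 +511,24 @@` hunk) and uses the config value elsewhere. Restart once and gate only the KRA-specific calls on `config.setup_kra`, keeping the order the commit establishes: the replica KRA is installed before the restart and client-cert authentication to the database is enabled after it. The removed comment explaining why the restart happens here is worth keeping in some form; main() continues outside the hunk.
```python
    if config.setup_kra:
        kra = krainstance.install_replica_kra(config)

    # Restart ds after configurations have been changed
    service.print_msg("Restarting the directory server")
    ds.restart()

    if config.setup_kra:
        kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)

    # … unchanged: KDC restart …
```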
@@ -520,11 +521,20 @@ def uninstall():
 dogtag_constants=dogtag_constants)
 if cads_instance.is_configured():
 cads_instance.uninstall()
- cainstance.stop_tracking_certificates(dogtag_constants)
+
+ kra_instance = krainstance.KRAInstance(
+ api.env.realm, dogtag_constants=dogtag_constants)
+ kra_instance.stop_tracking_certificates(dogtag_constants)
+ if kra_instance.is_installed():
+ kra_instance.uninstall()
+
 ca_instance = cainstance.CAInstance(
 api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants)
+ ca_instance.stop_tracking_certificates(dogtag_constants)
+ ca_instance.stop_tracking_agent_certificate(dogtag_constants)
 if ca_instance.is_configured():
 ca_instance.uninstall()
+
 bindinstance.BindInstance(fstore).uninstall()
 httpinstance.HTTPInstance(fstore).uninstall()
 krbinstance.KrbInstance(fstore).uninstall()
@@ -757,8 +767,13 @@ def main():
 # We only set up the CA if the PKCS#12 options are not given.
 if options.dirsrv_pkcs12:
 setup_ca = False
+ setup_kra = False
 else:
 setup_ca = True
+ # setup_kra is set to False until Dogtag 10.2 is available for IPA to consume
+ # Until then users that want to install the KRA need to use ipa-install-kra
+ # TODO set setup_kra = True when Dogtag 10.2 is available
+ setup_kra = False
 # Figure out what external CA step we're in. See cainstance.py for more
 # info on the 3 states.
@@ -775,6 +790,8 @@ def main():
 print "This includes:"
 if setup_ca:
 print " * Configure a stand-alone CA (dogtag) for certificate management"
+ if setup_kra:
+ print " * Configure a stand-alone KRA (dogtag) for key storage"
 if options.conf_ntp:
 print " * Configure the Network Time Daemon (ntpd)"
 print " * Create and configure an instance of Directory Server"
@@ -1021,6 +1038,7 @@ def main():
 else:
 fd.write("enable_ra=False\n")
 fd.write("ra_plugin=none\n")
+ fd.write("enable_kra=%s\n" % setup_kra)
 fd.write("mode=production\n")
 fd.close()
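Review bot: In the `@@ -757,8 +767,13 @@` hunk the new comment tells users to run `ipa-install-kra`, but the tool this commit adds is `install/tools/ipa-kra-install` (see the diffstat and the Makefile.am hunk); change the line to `# Until then users that want to install the KRA need to use ipa-kra-install`. Since `setup_kra` is hard-wired to `False` in both branches, the `if setup_kra:` summary line and the KRA block added later in main() are currently unreachable, which the `TODO` line should say explicitly so nobody mistakes the dead path for a bug. main() continues outside the hunk.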
@@ -1122,7 +1140,7 @@ def main():
 ipautil.realm_to_suffix(realm_name), ['caRenewalMaster'])
 # This is done within stopped_service context, which restarts CA
- ca.enable_client_auth_to_db()
+ ca.enable_client_auth_to_db(ca.dogtag_constants.CS_CFG_PATH)
 krb = krbinstance.KrbInstance(fstore)
 if options.pkinit_pkcs12:
@@ -1204,6 +1222,20 @@ def main():
 service.print_msg("Restarting the web server")
 http.restart()
+ if setup_kra:
+ kra = krainstance.KRAInstance(realm_name,
+ dogtag_constants=dogtag.install_constants)
+ kra.configure_instance(host_name, domain_name, dm_password,
+ dm_password, subject_base=options.subject)
+
+ # This is done within stopped_service context, which restarts KRA
+ service.print_msg("Restarting the directory server")
+ ds.restart()
+
+ service.print_msg("Enabling KRA to authenticate with the database "
+ "using client certificates")
+ kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
+
 # Set the admin user kerberos password
 ds.change_admin_password(admin_password)
@@ -1256,9 +1288,11 @@ def main():
 print ""
 if setup_ca:
- print "Be sure to back up the CA certificate stored in /root/cacert.p12"
- print "This file is required to create replicas. The password for this"
- print "file is the Directory Manager password"
+ print "Be sure to back up the CA certificates stored in " + paths.CACERT_P12
+ if setup_kra:
+ print "and the KRA certificates stored in " + paths.KRACERT_P12
+ print "These files are required to create replicas. The password for these"
+ print "files is the Directory Manager password"
 else:
 print "In order for Firefox autoconfiguration to work you will need to"
 print "use a SSL signing certificate. See the IPA documentation for more details."
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index adf6c8d84..9c9de033c 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
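Review bot: In the `@@ -1204,6 +1222,20 @@` hunk, `kra.configure_instance(host_name, domain_name, dm_password, dm_password, subject_base=options.subject)` passes `dm_password` twice positionally, which reads like a copy-paste slip; if the third and fourth parameters are two distinct passwords that are both deliberately set to the Directory Manager password here, make that visible with keyword arguments or a comment such as `# the KRA admin password is deliberately the DM password here — confirm against KRAInstance.configure_instance`. The signature lives in krainstance.py, outside this diffstat, so I cannot confirm the parameter names from the page. main() continues outside the hunk.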
@@ -537,12 +537,15 @@ def named_update_gssapi_configuration():
 return False
 try:
- bindinstance.named_conf_set_directive('tkey-gssapi-credential', None,
- bindinstance.NAMED_SECTION_OPTIONS)
- bindinstance.named_conf_set_directive('tkey-domain', None,
- bindinstance.NAMED_SECTION_OPTIONS)
- bindinstance.named_conf_set_directive('tkey-gssapi-keytab', paths.NAMED_KEYTAB,
- bindinstance.NAMED_SECTION_OPTIONS)
+ bindinstance.named_conf_set_directive(
+ 'tkey-gssapi-credential', None,
+ bindinstance.NAMED_SECTION_OPTIONS)
+ bindinstance.named_conf_set_directive(
+ 'tkey-domain', None,
+ bindinstance.NAMED_SECTION_OPTIONS)
+ bindinstance.named_conf_set_directive(
+ 'tkey-gssapi-keytab', paths.NAMED_KEYTAB,
+ bindinstance.NAMED_SECTION_OPTIONS)
 except IOError, e:
 root_logger.error('Cannot update GSSAPI configuration in %s: %s',
 bindinstance.NAMED_CONF, e)
@@ -553,6 +556,7 @@ def named_update_gssapi_configuration():
 sysupgrade.set_upgrade_state('named.conf', 'gssapi_updated', True)
 return True
+
 def named_update_pid_file():
 """
 Make sure that named reads the pid file from the right file
@@ -723,7 +727,7 @@ def certificate_renewal_update(ca):
 # Ok, now we need to stop tracking, then we can start tracking them
 # again with new configuration:
- cainstance.stop_tracking_certificates(dogtag_constants)
+ ca.stop_tracking_certificates(dogtag_constants)
 if not sysupgrade.get_upgrade_state('dogtag', 'certificate_renewal_update_1'):
@@ -884,71 +888,9 @@ def add_ca_dns_records():
 def find_subject_base():
 """
 Try to find the current value of certificate subject base.
- 1) Look in sysupgrade first
- 2) If no value is found there, look in DS (start DS if necessary)
- 3) Last resort, look in the certmap.conf itself
- 4) If all fails, log loudly and return None
+ See the docstring in dsinstance.DsInstance for details.
 """
- root_logger.debug('Trying to find certificate subject base in sysupgrade')
- subject_base = sysupgrade.get_upgrade_state('certmap.conf', 'subject_base')
-
- if subject_base:
- root_logger.debug(
- 'Found certificate subject base in sysupgrade: %s',
- subject_base
- )
- return subject_base
-
- root_logger.debug('Unable to find certificate subject base in sysupgrade')
- root_logger.debug('Trying to find certificate subject base in DS')
-
- ds_is_running = services.knownservices.dirsrv.is_running()
- if not ds_is_running:
- try:
- services.knownservices.dirsrv.start()
- except ipautil.CalledProcessError as e:
- root_logger.error('Cannot start DS to find certificate '
- 'subject base: %s', e)
- else:
- ds_is_running = True
-
- if ds_is_running:
- try:
- api.Backend.ldap2.connect(autobind=True)
- except ipalib.errors.PublicError, e:
- root_logger.error('Cannot connect to DS to find certificate '
- 'subject base: %s', e)
- else:
- ret = api.Command['config_show']()
- api.Backend.ldap2.disconnect()
- subject_base = str(ret['result']['ipacertificatesubjectbase'][0])
- root_logger.debug(
- 'Found certificate subject base in DS: %s',
- subject_base
- )
-
- if not subject_base:
- root_logger.debug('Unable to find certificate subject base in DS')
- root_logger.debug('Trying to find certificate subject base in '
- 'certmap.conf')
-
- certmap_dir = dsinstance.config_dirname(
- dsinstance.realm_to_serverid(api.env.realm)
- )
- try:
- with open(os.path.join(certmap_dir, 'certmap.conf')) as f:
- for line in f:
- if line.startswith('certmap ipaca'):
- subject_base = line.strip().split(',')[-1]
-
root_logger.debug(
- 'Found certificate subject base in certmap.conf: '
- '%s',
- subject_base
- )
-
- except IOError as e:
- root_logger.error('Cannot open certmap.conf to find certificate '
- 'subject base: %s', e.strerror)
+ subject_base = dsinstance.DsInstance().find_subject_base()
 if subject_base:
 sysupgrade.set_upgrade_state(
@@ -958,8 +900,6 @@ def find_subject_base():
 )
 return subject_base
- root_logger.debug('Unable to find certificate subject base in '
- 'certmap.conf')
 root_logger.error('Unable to determine certificate subject base. '
 'certmap.conf will not be updated.') |
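Review bot: The replacement docstring `See the docstring in dsinstance.DsInstance for details.` drops what a caller of this wrapper most needs to know: the removed implementation could start dirsrv and open an LDAP connection as a side effect, and whether `dsinstance.DsInstance().find_subject_base()` still does so is not visible in this diffstat. Once confirmed against dsinstance.py, state the contract here, e.g. `Return the certificate subject base via DsInstance.find_subject_base() (NOTE: may start DS and connect to LDAP — confirm) and record it in sysupgrade when found.`, rather than only pointing elsewhere. The no-argument `DsInstance()` presumably picks the realm up from api.env; a short comment saying so would save the next reader a lookup. The function's tail after the `root_logger.error(...)` call is outside the hunk.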