authorRob Crittenden <rcritten@redhat.com>2009-07-10 16:18:16 -0400
committerRob Crittenden <rcritten@redhat.com>2009-07-15 09:00:01 -0400
commit8d164569d0e4ee79089ae224ac6f5a569c291cdb (patch)
treea75db1b23693315d1b35bad891ea6c86019d7149 /install
parent904e55540438cfd88507fa747daa585605b90bdb (diff)
Allow replicas of an IPA server using an internal dogtag server as the CA
This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
Diffstat (limited to 'install')
-rwxr-xr-xinstall/tools/ipa-replica-install35
-rwxr-xr-xinstall/tools/ipa-replica-prepare72
-rwxr-xr-xinstall/tools/ipa-server-install2
3 files changed, 91 insertions, 18 deletions
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index a92db3029..1a471b2a0 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -101,6 +101,25 @@ def set_owner(config, dir):
pw = pwd.getpwnam(config.ds_user)
os.chown(dir, pw.pw_uid, pw.pw_gid)
+def install_ca(config):
+ cafile = config.dir + "/ca.p12"
+ if not ipautil.file_exists(cafile):
+ return None
+
+ try:
+ from ipaserver.install import cainstance
+ except ImportError:
+ print >> sys.stderr, "Import failed: %s" % sys.exc_value
+ sys.exit(1)
+
+ cs = cainstance.CADSInstance()
+ cs.create_instance(config.ds_user, config.realm_name, config.host_name, config.domain_name, config.dirman_password)
+
+ ca = cainstance.CAInstance()
+ ca.configure_instance("pkiuser", config.host_name, config.dirman_password, config.dirman_password, pkcs12_info=(cafile,), master_host=config.master_host_name)
+
+ return ca
+
def install_ds(config):
dsinstance.check_existing_installation()
dsinstance.check_ports()
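Review bot: The ImportError handler in install_ca formats `sys.exc_value`, which is a deprecated global rather than the caught exception; bind it instead: `except ImportError, e:` / `print >> sys.stderr, "Import failed: %s" % e`. The call to `configure_instance` passes `config.dirman_password` for both password arguments, which ties the CA admin credential to the Directory Manager password; a one-line comment saying this pairing is intentional (ipa-server-install does the same) would save the next reader from treating it as a copy-paste slip. The ca.p12 consumed here carries the CA signing key, and nothing in this function removes it after the clone is configured — presumably cleanup happens elsewhere, worth confirming.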
@@ -237,17 +256,20 @@ def main():
except ldap.INVALID_CREDENTIALS, e :
sys.exit("\nThe password provided is incorrect for LDAP server %s" % config.master_host_name)
+ # Install CA cert so that we can do SSL connections with ldap
+ install_ca_cert(config)
+
# Configure ntpd
if options.conf_ntp:
ntp = ntpinstance.NTPInstance()
ntp.create_instance()
+ # Configure the CA if necessary
+ CA = install_ca(config)
+
# Configure dirsrv
ds = install_ds(config)
- # Install CA cert so that we can do SSL connections with ldap
- install_ca_cert(config)
-
try:
repl = replication.ReplicationManager(config.host_name, config.dirman_password)
ret = repl.setup_replication(config.master_host_name, config.realm_name)
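Review bot: `CA = install_ca(config)` gives a plain local an upper-case name that reads as a module constant; `ca = install_ca(config)` matches the neighbouring `ntp`, `ds` and `repl` locals (the later `if CA:` sites would follow the rename). The function is main(), which starts and ends outside this hunk.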
@@ -259,6 +281,10 @@ def main():
install_krb(config)
install_http(config)
+ if CA:
+ CA.import_ra_cert(dir + "/ra.p12")
+ CA.fix_ra_perms()
+ service.restart("httpd")
# Create the config file
fd = open("/etc/ipa/ipa.conf", "w")
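Review bot: `CA.import_ra_cert(dir + "/ra.p12")` assumes ra.p12 exists whenever ca.p12 does, but ipa-replica-prepare only exports ra.p12 when the `ipaCert` nickname is present (the `db.has_nickname` test in export_ra_pkcs12), so the import can be attempted on a missing file. Guard it: `if CA and ipautil.file_exists(config.dir + "/ra.p12"):`. Using `config.dir` here also matches install_ca and the ipa.conf check, which both read `config.dir` rather than a bare `dir` — presumably the same path, but `dir` also shadows the builtin. main() continues outside the hunk.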
@@ -275,8 +301,7 @@ def main():
fd.write("realm=" + config.realm_name + "\n")
fd.write("domain=" + config.domain_name + "\n")
fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % config.host_name)
- # FIXME: detect when we are installing a cloned CA
- if False:
+ if ipautil.file_exists(config.dir + "/ca.p12"):
fd.write("enable_ra=True\n")
fd.close()
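Review bot: The `enable_ra` test re-checks the presence of ca.p12 instead of using the `CA` value install_ca returned earlier in main(), so the two conditions can drift (install_ca additionally requires the cainstance import and a successful configure). `if CA:` / `fd.write("enable_ra=True\n")` keeps a single source of truth for "a CA was cloned on this replica". main() starts and ends outside this hunk.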
diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index c2424652b..bb8df1d93 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -28,7 +28,7 @@ from optparse import OptionParser
import ipapython.config
from ipapython import ipautil
-from ipaserver.install import dsinstance, installutils, certs
+from ipaserver.install import dsinstance, installutils, certs, httpinstance
from ipaserver import ipaldap
from ipapython import version
import ldap
@@ -98,28 +98,37 @@ def check_ipa_configuration(realm_name):
logging.error("could not find directory instance: %s" % config_dir)
sys.exit(1)
-def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, subject):
+def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname):
"""realm is the kerberos realm for the IPA server.
ds_dir is the location of the master DS we are creating a replica for.
dir is the location of the files for the replica we are creating.
passwd_fname is the file containing the PKCS#12 password
fname is the filename of the PKCS#12 file for this cert (minus the .p12).
- subject is the subject of the certificate we are creating
+ hostname is the FQDN of the server we're creating a cert for.
+
+ The subject is handled by certs.CertDB:create_server_cert()
"""
try:
- ds_ca = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name)))
- ca = certs.CertDB(dir)
- ca.create_from_cacert(ds_ca.cacert_fname)
- ca.create_server_cert("Server-Cert", subject, ds_ca)
+ self_signed = certs.ipa_self_signed()
+
+ db = certs.CertDB(dir)
+ db.create_passwd_file()
+ db.create_certdbs()
+ if self_signed:
+ ca_db = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name)))
+ db.create_from_cacert(ca_db.cacert_fname)
+ else:
+ ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=get_host_name())
+ db.create_server_cert("Server-Cert", hostname, ca_db)
except Exception, e:
raise e
pkcs12_fname = dir + "/" + fname + ".p12"
try:
- ca.export_pkcs12(pkcs12_fname, passwd_fname, "Server-Cert")
+ db.export_pkcs12(pkcs12_fname, passwd_fname, "Server-Cert")
except ipautil.CalledProcessError, e:
- print "error exporting CA certificate: " + str(e)
+ print "error exporting Server certificate: " + str(e)
remove_file(pkcs12_fname)
remove_file(passwd_fname)
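Review bot: `except Exception, e: raise e` in the new export_certdb body is a no-op that also replaces the original traceback with one pointing at the `raise` line; drop the try/except or use a bare `raise`. The same construct appears in export_ra_pkcs12 in the next hunk. In the non-self-signed branch `db` is never seeded with the issuer certificate (`create_from_cacert` runs only in the self-signed branch); presumably `create_server_cert` handles that when `ca_db` is the httpd NSS database, but a comment saying so would help. The `ds_dir` parameter is still documented but is unused in either branch.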
@@ -130,6 +139,32 @@ def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, subject):
if ipautil.file_exists(passwd_fname + ".orig"):
remove_file(passwd_fname + ".orig")
+def export_ra_pkcs12(dir, dm_password):
+ """
+ dir is the location of the files for the replica we are creating.
+ dm_password is the Directory Manager password
+
+ If this install is using dogtag/RHCS then export the RA certificate.
+ """
+ if certs.ipa_self_signed():
+ return
+
+ (agent_fd, agent_name) = tempfile.mkstemp()
+ os.write(agent_fd, dm_password)
+ os.close(agent_fd)
+
+ try:
+ try:
+ db = certs.CertDB(httpinstance.NSS_DIR, host_name=get_host_name())
+
+ if db.has_nickname("ipaCert"):
+ pkcs12_fname = "%s/ra.p12" % dir
+ db.export_pkcs12(pkcs12_fname, agent_name, "ipaCert")
+ except Exception, e:
+ raise e
+ finally:
+ os.remove(agent_name)
+
def get_ds_user(ds_dir):
uid = os.stat(ds_dir).st_uid
user = pwd.getpwuid(uid)[0]
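Review bot: If `os.write` raises, the mkstemp() file holding the Directory Manager password is leaked, because the `try/finally` only begins after `os.close`; moving the write and close inside the outer `try` closes that gap. The function uses `tempfile` (and main() below uses `shutil`), yet the import hunk at the top of this file adds neither — confirm both are already imported elsewhere. The exported ra.p12 is sealed with the DM password while the replica side only passes a path to `import_ra_cert`, so a comment such as `# ra.p12 is protected with the Directory Manager password; the replica installer relies on that` would make the implicit pairing visible.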
@@ -176,7 +211,8 @@ def main():
replica_fqdn = args[0]
- if not ipautil.file_exists(certs.CA_SERIALNO) and not options.dirsrv_pin:
+ # FIXME: need more robust way to determine if dogtag is configured
+ if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki-ca") and not options.dirsrv_pin:
sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.")
print "Determining current realm name"
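Review bot: The rewritten guard drops the `certs.CA_SERIALNO` check entirely: on a self-signed install `certs.ipa_self_signed()` is true, so `not certs.ipa_self_signed()` is false and the `sys.exit` can never fire, meaning a replica without the CA serial file would pass as if it were the primary — assuming the original test was what enforced that. A form that keeps both cases: `on_master = ipautil.file_exists(certs.CA_SERIALNO) if certs.ipa_self_signed() else ipautil.file_exists("/var/lib/pki-ca")` / `if not on_master and not options.dirsrv_pin:`. main() starts and ends outside this hunk.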
@@ -244,8 +280,18 @@ def main():
print "Copy failed %s" % e
sys.exit(1)
else:
+ try:
+ if not certs.ipa_self_signed():
+ # FIXME, need option for location of CA backup
+ if ipautil.file_exists("/root/tmp-ca.p12"):
+ shutil.copy("/root/tmp-ca.p12", dir + "/ca.p12")
+ else:
+ raise RuntimeError("Root CA PKCS#12 not found in /root/tmp-ca.p12")
+ except IOError, e:
+ print "Copy failed %s" % e
+ sys.exit(1)
print "Creating SSL certificate for the Directory Server"
- export_certdb(realm_name, ds_dir, dir, passwd_fname, "dscert", "cn=%s,ou=Fedora Directory Server" % replica_fqdn)
+ export_certdb(realm_name, ds_dir, dir, passwd_fname, "dscert", replica_fqdn)
if options.http_pin:
passwd = options.http_pin
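Review bot: The `raise RuntimeError(...)` for a missing /root/tmp-ca.p12 is not caught by the surrounding `except IOError`, so the user sees a traceback instead of the "Copy failed" exit path; `sys.exit("Root CA PKCS#12 not found in /root/tmp-ca.p12")` in its place reports the condition consistently. The hard-coded /root location is already flagged by the FIXME; since ca.p12 is the CA signing key, that comment should also say the replica info built from `dir` must be handled as containing it. main() starts and ends outside this hunk.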
@@ -266,7 +312,9 @@ def main():
sys.exit(1)
else:
print "Creating SSL certificate for the Web Server"
- export_certdb(realm_name, ds_dir, dir, passwd_fname, "httpcert", "cn=%s,ou=Apache Web Server" % replica_fqdn)
+ export_certdb(realm_name, ds_dir, dir, passwd_fname, "httpcert", replica_fqdn)
+ print "Exporting RA certificate"
+ export_ra_pkcs12(dir, dirman_password)
print "Copying additional files"
copy_files(realm_name, dir)
print "Finalizing configuration"
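Review bot: `print "Exporting RA certificate"` runs unconditionally, but export_ra_pkcs12 returns immediately on a self-signed install, so the message is misleading there. Either wrap both lines in `if not certs.ipa_self_signed():` or move the print into the function after its early return. main() starts and ends outside this hunk.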
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index a19d8f44c..d24b0e9f9 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -521,7 +521,7 @@ def main():
pass
cs = cainstance.CADSInstance()
- cs.create_instance("dirsrv", realm_name, host_name, domain_name, dm_password)
+ cs.create_instance(ds_user, realm_name, host_name, domain_name, dm_password)
ca = cainstance.CAInstance()
ca.configure_instance("pkiuser", host_name, dm_password, dm_password)