authorPetr Viktorin <pviktori@redhat.com>2012-08-23 12:38:45 -0400
committerRob Crittenden <rcritten@redhat.com>2012-09-17 18:43:59 -0400
commit4f76c143d2f2036af02677469c542f563a10158d (patch)
tree8ed4716135c53486710950b453f17bb71f36c658 /ipaserver
parent3dd31a875650c7fe7c67ca6b47f2058c1181dafb (diff)
Use Dogtag 10 only when it is available
Put the changes from Ade's dogtag 10 patch into namespaced constants in dogtag.py, which are then referenced in the code. Make ipaserver.install.CAInstance use the service name specified in the configuration. Uninstallation, where config is removed before CA uninstall, also uses the (previously) configured value. This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/cainstance.py336
-rw-r--r--ipaserver/install/certs.py18
-rw-r--r--ipaserver/install/httpinstance.py9
-rw-r--r--ipaserver/install/installutils.py4
-rw-r--r--ipaserver/install/service.py14
5 files changed, 310 insertions, 71 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 4ab58d062..e08df06a8 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -48,6 +48,7 @@ import nss.nss as nss
from ipapython import ipautil
from ipapython import nsslib
from ipapython import services as ipaservices
+from ipapython import dogtag
from ipaserver import ipaldap
from ipaserver.install import service
@@ -64,11 +65,6 @@ DEFAULT_DSPORT=7389
PKI_USER = "pkiuser"
PKI_DS_USER = "pkisrv"
-# These values come from /usr/share/pki/ca/setup/postinstall
-PKI_INSTANCE_NAME="pki-tomcat"
-AGENT_SECURE_PORT=8443
-
-IPA_SERVICE_PROFILE = '/var/lib/pki/%s/ca/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME
# We need to reset the template because the CA uses the regular boot
# information
@@ -92,9 +88,9 @@ def check_inst():
"""
# Check for a couple of binaries we need
- if not os.path.exists('/bin/pkispawn'):
+ if not os.path.exists(dogtag.install_constants.SPAWN_BINARY):
return False
- if not os.path.exists('/bin/pkidestroy'):
+ if not os.path.exists(dogtag.install_constants.DESTROY_BINARY):
return False
# This is the template tomcat file for a CA
@@ -103,6 +99,32 @@ def check_inst():
return True
+def get_preop_pin(instance_root, instance_name):
+ # Only used for Dogtag 9
+ preop_pin = None
+
+ filename = instance_root + "/" + instance_name + "/conf/CS.cfg"
+
+ # read the config file and get the preop pin
+ try:
+ f=open(filename)
+ except IOError, e:
+ root_logger.error("Cannot open configuration file." + str(e))
+ raise e
+ data = f.read()
+ data = data.split('\n')
+ pattern = re.compile("preop.pin=(.*)" )
+ for line in data:
+ match = re.search(pattern, line)
+ if (match):
+ preop_pin=match.group(1)
+ break
+
+ if preop_pin is None:
+ raise RuntimeError("Unable to find preop.pin in %s. Is your CA already configured?" % filename)
+
+ return preop_pin
+
def import_pkcs12(input_file, input_passwd, cert_database,
cert_passwd):
ipautil.run(["/usr/bin/pk12util", "-d", cert_database,
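Review bot: The file opened at `f=open(filename)` in get_preop_pin is never closed, and the pattern `preop.pin=(.*)` is unanchored with an unescaped dot, so `re.search` accepts any line that merely contains that text, and on a CRLF file the trailing `\r` left by `split('\n')` becomes part of the captured pin. Since this value is a one-shot install secret that is later handed to pkisilent, reading it precisely matters: `with open(filename) as f: data = f.read().split('\n')` and `pattern = re.compile(r'^preop\.pin=(.*?)\s*$')`. The log message `"Cannot open configuration file." + str(e)` is also missing a separating space, and a bare `raise` would preserve the traceback better than `raise e`.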
@@ -194,7 +216,7 @@ def get_outputList(data):
return outputdict
class CADSInstance(service.Service):
- def __init__(self, host_name=None, realm_name=None, domain_name=None, dm_password=None):
+ def __init__(self, host_name=None, realm_name=None, domain_name=None, dm_password=None, dogtag_constants=None):
service.Service.__init__(self, "pkids", dm_password=dm_password, ldapi=False, autobind=service.DISABLED)
self.serverid = "PKI-IPA"
self.realm_name = realm_name
@@ -215,6 +237,10 @@ class CADSInstance(service.Service):
else:
self.suffix = DN()
+ if dogtag_constants is None:
+ dogtag_constants = dogtag.configured_constants()
+ self.dogtag_constants = dogtag_constants
+
subject_base = ipautil.dn_attribute_property('_subject_base')
def create_instance(self, realm_name, host_name, domain_name,
@@ -385,7 +411,8 @@ class CADSInstance(service.Service):
'ocspSigningCert cert-pki-ca',
'subsystemCert cert-pki-ca']:
try:
- certmonger.stop_tracking('/etc/pki/pki-tomcat/alias', nickname=nickname)
+ certmonger.stop_tracking(
+ self.dogtag_constants.ALIAS_DIR, nickname=nickname)
except (ipautil.CalledProcessError, RuntimeError), e:
root_logger.error("certmonger failed to stop tracking certificate: %s" % str(e))
@@ -413,8 +440,12 @@ class CAInstance(service.Service):
2 = have signed cert, continue installation
"""
- def __init__(self, realm, ra_db):
- service.Service.__init__(self, "pki-tomcatd")
+ def __init__(self, realm, ra_db, dogtag_constants=None):
+ if dogtag_constants is None:
+ dogtag_constants = dogtag.configured_constants()
+ service.Service.__init__(self,
+ '%sd' % dogtag_constants.PKI_INSTANCE_NAME)
+ self.dogtag_constants = dogtag_constants
self.realm = realm
self.dm_password = None
self.admin_password = None
@@ -438,7 +469,7 @@ class CAInstance(service.Service):
self.ra_agent_pwd = self.ra_agent_db + "/pwdfile.txt"
self.ds_port = DEFAULT_DSPORT
self.domain_name = "IPA"
- self.server_root = "/var/lib/pki"
+ self.server_root = dogtag_constants.SERVER_ROOT
self.ra_cert = None
self.requestId = None
@@ -452,7 +483,8 @@ class CAInstance(service.Service):
Returns True/False
"""
- return os.path.exists(self.server_root + '/' + PKI_INSTANCE_NAME)
+ return os.path.exists(os.path.join(
+ self.server_root, self.dogtag_constants.PKI_INSTANCE_NAME))
def configure_instance(self, host_name, dm_password,
admin_password, ds_port=DEFAULT_DSPORT,
@@ -461,6 +493,8 @@ class CAInstance(service.Service):
subject_base=None):
"""Create a CA instance.
+ For Dogtag 9, this may involve creating the pki-ca instance.
+
To create a clone, pass in pkcs12_info.
Creating a CA with an external signer is a 2-step process. In
@@ -492,11 +526,18 @@ class CAInstance(service.Service):
self.external=2
self.step("creating certificate server user", self.__create_ca_user)
- self.step("configuring certificate server instance", self.__spawn_instance)
+ if self.dogtag_constants.DOGTAG_VERSION >= 10:
+ self.step("configuring certificate server instance", self.__spawn_instance)
+ else:
+ if not ipautil.dir_exists("/var/lib/pki-ca"):
+ self.step("creating pki-ca instance", self.create_instance)
+ self.step("configuring certificate server instance", self.__configure_instance)
self.step("disabling nonces", self.__disable_nonce)
# Step 1 of external is getting a CSR so we don't need to do these
# steps until we get a cert back from the external CA.
if self.external != 1:
+ if self.dogtag_constants.DOGTAG_VERSION < 10 and not self.clone:
+ self.step("creating CA agent PKCS#12 file in /root", self.__create_ca_agent_pkcs12)
if self.create_ra_agent_db:
self.step("creating RA agent certificate database", self.__create_ra_agent_db)
self.step("importing CA chain to RA certificate database", self.__import_ca_chain)
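Review bot: The Dogtag 9 branch tests `ipautil.dir_exists("/var/lib/pki-ca")` with a literal path, while the equivalent check elsewhere in this commit (`is_installed`) is built from `self.server_root` and `self.dogtag_constants.PKI_INSTANCE_NAME`; if the constants ever name a different root or instance, the two tests disagree and `create_instance` is skipped or run against the wrong directory. Assuming the Dogtag 9 constants resolve to that path, `if not self.is_installed():` expresses the same condition without a second copy of it. The `__create_ca_agent_pkcs12` step added here writes a PKCS#12 containing the agent key to `/root`; a comment on that step saying why it is needed and who consumes it would help the next reader. configure_instance continues past the end of this hunk.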
@@ -608,7 +649,12 @@ class CAInstance(service.Service):
# Define the things we don't want logged
nolog = (self.admin_password, self.dm_password,)
- args = ["/bin/pkispawn", "-s", "CA", "-f", cfg_file ]
+ args = ["/usr/sbin/pkispawn", "-s", "CA", "-f", cfg_file ]
+
+ with open(cfg_file) as f:
+ root_logger.debug(
+ 'Contents of pkispawn configuration file (%s):\n%s' %
+ (cfg_file, ipautil.nolog_replace(f.read(), nolog)))
try:
ipautil.run(args, nolog=nolog)
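Review bot: `args = ["/usr/sbin/pkispawn", ...]` hard-codes the binary path that `check_inst` verifies via `dogtag.install_constants.SPAWN_BINARY`, so the existence check and the invocation can silently diverge; `args = [self.dogtag_constants.SPAWN_BINARY, "-s", "CA", "-f", cfg_file]` keeps one source of truth. The new debug log dumps the whole pkispawn configuration, redacting only the two values in `nolog`; if that file carries any other secret (token or PKCS#12 passwords, for instance — the template is not visible here), it will land in the install log in clear, so please confirm against the template or redact by key rather than by value. The enclosing method starts before this hunk.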
@@ -631,6 +677,33 @@ class CAInstance(service.Service):
root_logger.debug("completed creating ca instance")
+ def create_instance(self):
+ """
+ If for some reason the instance doesn't exist, create a new one."
+ """
+ # Only used for Dogtag 9
+
+ args = ['/usr/bin/pkicreate',
+ '-pki_instance_root', '/var/lib',
+ '-pki_instance_name',
+ self.dogtag_constants.PKI_INSTANCE_NAME,
+ '-subsystem_type', 'ca',
+ '-agent_secure_port',
+ str(self.dogtag_constants.AGENT_SECURE_PORT),
+ '-ee_secure_port',
+ str(self.dogtag_constants.EE_SECURE_PORT),
+ '-admin_secure_port',
+ str(self.dogtag_constants.ADMIN_SECURE_PORT),
+ '-ee_secure_client_auth_port',
+ str(self.dogtag_constants.EE_CLIENT_AUTH_PORT),
+ '-unsecure_port', str(self.dogtag_constants.UNSECURE_PORT),
+ '-tomcat_server_port',
+ str(self.dogtag_constants.TOMCAT_SERVER_PORT),
+ '-redirect', 'conf=/etc/pki-ca',
+ '-redirect', 'logs=/var/log/pki-ca',
+ '-enable_proxy'
+ ]
+ ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn})
def __enable(self):
self.backup_state("enabled", self.is_enabled())
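Review bot: `'-pki_instance_root', '/var/lib'` and `'-redirect', 'conf=/etc/pki-ca'` hard-code locations while `self.server_root` is already set from `dogtag_constants.SERVER_ROOT` and `is_installed()` looks under that root; passing `'-pki_instance_root', self.server_root` creates the instance where the rest of the class expects to find it. The docstring also carries a stray closing quote (`create a new one."`). Unlike `__spawn_instance`, this run has no `nolog`, which is fine only as long as none of the arguments are secrets — a one-line comment noting that would make the omission deliberate.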
@@ -656,20 +729,128 @@ class CAInstance(service.Service):
except ipautil.CalledProcessError, e:
root_logger.critical("failed to add user %s" % e)
+ def __configure_instance(self):
+ # Only used for Dogtag 9
+ preop_pin = get_preop_pin(
+ self.server_root, self.dogtag_constants.PKI_INSTANCE_NAME)
+
+ try:
+ args = ["/usr/bin/perl", "/usr/bin/pkisilent", "ConfigureCA",
+ "-cs_hostname", self.fqdn,
+ "-cs_port", str(self.dogtag_constants.ADMIN_SECURE_PORT),
+ "-client_certdb_dir", self.ca_agent_db,
+ "-client_certdb_pwd", self.admin_password,
+ "-preop_pin" , preop_pin,
+ "-domain_name", self.domain_name,
+ "-admin_user", "admin",
+ "-admin_email", "root@localhost",
+ "-admin_password", self.admin_password,
+ "-agent_name", "ipa-ca-agent",
+ "-agent_key_size", "2048",
+ "-agent_key_type", "rsa",
+ "-agent_cert_subject", str(DN(('CN', 'ipa-ca-agent'), self.subject_base)),
+ "-ldap_host", self.fqdn,
+ "-ldap_port", str(self.ds_port),
+ "-bind_dn", "cn=Directory Manager",
+ "-bind_password", self.dm_password,
+ "-base_dn", str(self.basedn),
+ "-db_name", "ipaca",
+ "-key_size", "2048",
+ "-key_type", "rsa",
+ "-key_algorithm", "SHA256withRSA",
+ "-save_p12", "true",
+ "-backup_pwd", self.admin_password,
+ "-subsystem_name", self.service_name,
+ "-token_name", "internal",
+ "-ca_subsystem_cert_subject_name", str(DN(('CN', 'CA Subsystem'), self.subject_base)),
+ "-ca_subsystem_cert_subject_name", str(DN(('CN', 'CA Subsystem'), self.subject_base)),
+ "-ca_ocsp_cert_subject_name", str(DN(('CN', 'OCSP Subsystem'), self.subject_base)),
+ "-ca_server_cert_subject_name", str(DN(('CN', self.fqdn), self.subject_base)),
+ "-ca_audit_signing_cert_subject_name", str(DN(('CN', 'CA Audit'), self.subject_base)),
+ "-ca_sign_cert_subject_name", str(DN(('CN', 'Certificate Authority'), self.subject_base)) ]
+ if self.external == 1:
+ args.append("-external")
+ args.append("true")
+ args.append("-ext_csr_file")
+ args.append(self.csr_file)
+ elif self.external == 2:
+ args.append("-external")
+ args.append("true")
+ args.append("-ext_ca_cert_file")
+ args.append(self.cert_file)
+ args.append("-ext_ca_cert_chain_file")
+ args.append(self.cert_chain_file)
+ else:
+ args.append("-external")
+ args.append("false")
+ if (self.clone):
+ """sd = security domain --> all CS systems get registered to
+ a security domain. This is set to the hostname and port of
+ the master CA.
+ """
+ # The install wizard expects the file to be here.
+ cafile = self.pkcs12_info[0]
+ shutil.copy(cafile, "/var/lib/pki-ca/alias/ca.p12")
+ pent = pwd.getpwnam(PKI_USER)
+ os.chown("/var/lib/pki-ca/alias/ca.p12", pent.pw_uid, pent.pw_gid )
+ args.append("-clone")
+ args.append("true")
+ args.append("-clone_p12_file")
+ args.append("ca.p12")
+ args.append("-clone_p12_password")
+ args.append(self.dm_password)
+ args.append("-sd_hostname")
+ args.append(self.master_host)
+ args.append("-sd_admin_port")
+ args.append("443")
+ args.append("-sd_admin_name")
+ args.append("admin")
+ args.append("-sd_admin_password")
+ args.append(self.admin_password)
+ args.append("-clone_start_tls")
+ args.append("true")
+ args.append("-clone_uri")
+ args.append("https://%s" % ipautil.format_netloc(self.master_host, 443))
+ else:
+ args.append("-clone")
+ args.append("false")
+
+ # Define the things we don't want logged
+ nolog = (self.admin_password, self.dm_password,)
+
+ ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn}, nolog=nolog)
+ except ipautil.CalledProcessError, e:
+ root_logger.critical("failed to configure ca instance %s" % e)
+ raise RuntimeError('Configuration of CA failed')
+
+ if self.external == 1:
+ print "The next step is to get %s signed by your CA and re-run ipa-server-install as:" % self.csr_file
+ print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate"
+ sys.exit(0)
+
+ # pkisilent makes a copy of the CA PKCS#12 file for us but gives
+ # it a lousy name.
+ if ipautil.file_exists("/root/tmp-ca.p12"):
+ shutil.move("/root/tmp-ca.p12", "/root/cacert.p12")
+
+ root_logger.debug("completed creating ca instance")
+
def __restart_instance(self):
try:
- self.restart(PKI_INSTANCE_NAME)
+ self.restart(self.dogtag_constants.PKI_INSTANCE_NAME)
except Exception:
# TODO: roll back here?
root_logger.critical("Failed to restart the certificate server. See the installation log for details.")
def __disable_nonce(self):
# Turn off Nonces
- cfg_file = '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg'
- if installutils.update_file(cfg_file, 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
+ update_result = installutils.update_file(
+ self.dogtag_constants.CS_CFG_PATH, 'ca.enableNonces=true',
+ 'ca.enableNonces=false')
+ if update_result != 0:
raise RuntimeError("Disabling nonces failed")
pent = pwd.getpwnam(PKI_USER)
- os.chown(cfg_file, pent.pw_uid, pent.pw_gid )
+ os.chown(self.dogtag_constants.CS_CFG_PATH, pent.pw_uid, pent.pw_gid)
def __issue_ra_cert(self):
# The CA certificate is in the agent DB but isn't trusted
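Review bot: `nolog = (self.admin_password, self.dm_password,)` does not include `preop_pin`, so the pkisilent command line carrying `-preop_pin` is logged unredacted to whatever extent ipautil.run logs its arguments (which is what the nolog mechanism exists for); use `nolog = (self.admin_password, self.dm_password, preop_pin)`. `-ca_subsystem_cert_subject_name` is passed twice in the argument list. In the clone branch the CA PKCS#12 is copied to `/var/lib/pki-ca/alias/ca.p12` and chowned, but its mode is whatever `shutil.copy` carried over from the source; an explicit `os.chmod(..., 0600)` avoids relying on that, and the literal path bypasses the `self.server_root` / `PKI_INSTANCE_NAME` construction used elsewhere in this class.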
@@ -716,11 +897,12 @@ class CAInstance(service.Service):
'-p', self.admin_password,
'-d', self.ca_agent_db,
'-r', '/ca/agent/ca/profileReview?requestId=%s' % self.requestId,
- '%s' % ipautil.format_netloc(self.fqdn, AGENT_SECURE_PORT),
+ '%s' % ipautil.format_netloc(
+ self.fqdn, self.dogtag_constants.AGENT_SECURE_PORT),
]
(stdout, stderr, returncode) = ipautil.run(args, nolog=(self.admin_password,))
- data = stdout.split('\n')
+ data = stdout.split(self.dogtag_constants.RACERT_LINE_SEP)
params = get_defList(data)
params['requestId'] = find_substring(data, "requestId")
params['op'] = 'approve'
@@ -737,11 +919,12 @@ class CAInstance(service.Service):
'-d', self.ca_agent_db,
'-e', params,
'-r', '/ca/agent/ca/profileProcess',
- '%s' % ipautil.format_netloc(self.fqdn, AGENT_SECURE_PORT),
+ '%s' % ipautil.format_netloc(
+ self.fqdn, self.dogtag_constants.AGENT_SECURE_PORT),
]
(stdout, stderr, returncode) = ipautil.run(args, nolog=(self.admin_password,))
- data = stdout.split('\n')
+ data = stdout.split(self.dogtag_constants.RACERT_LINE_SEP)
outputList = get_outputList(data)
self.ra_cert = outputList['b64_cert']
@@ -858,6 +1041,21 @@ class CAInstance(service.Service):
except Exception, e:
raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
+ def __create_ca_agent_pkcs12(self):
+ # Only used for Dogtag 9
+ (pwd_fd, pwd_name) = tempfile.mkstemp()
+ os.write(pwd_fd, self.admin_password)
+ os.close(pwd_fd)
+ try:
+ ipautil.run(["/usr/bin/pk12util",
+ "-n", "ipa-ca-agent",
+ "-o", "/root/ca-agent.p12",
+ "-d", self.ca_agent_db,
+ "-k", pwd_name,
+ "-w", pwd_name])
+ finally:
+ os.remove(pwd_name)
+
def __import_ca_chain(self):
chain = self.__get_ca_chain()
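Review bot: `os.write(pwd_fd, self.admin_password)` discards the byte count, so a short write would leave pk12util with a truncated password file; wrapping the descriptor with `os.fdopen(pwd_fd, 'w')` and writing through that (in a `with` block) handles it. The exported `/root/ca-agent.p12` is created with whatever mode pk12util and the umask give it — not shown here — whereas other exports in this file set modes explicitly (`os.chmod(location, 0444)`), so tightening it after the run, `os.chmod("/root/ca-agent.p12", 0600)`, would be consistent. A docstring stating that this is the Dogtag 9 agent-certificate export and that both the key and the archive are protected with `admin_password` would replace the bare `# Only used for Dogtag 9` marker.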
@@ -921,7 +1119,8 @@ class CAInstance(service.Service):
csr = pkcs10.strip_header(stdout)
# Send the request to the CA
- conn = httplib.HTTPConnection(self.fqdn, 8080)
+ conn = httplib.HTTPConnection(
+ self.fqdn, self.dogtag_constants.UNSECURE_PORT)
params = urllib.urlencode({'profileId': 'caServerCert',
'cert_request_type': 'pkcs10',
'requestor_name': 'IPA Installer',
@@ -959,7 +1158,8 @@ class CAInstance(service.Service):
def __setup_sign_profile(self):
# Tell the profile to automatically issue certs for RAs
- installutils.set_directive('/var/lib/pki/pki-tomcat/ca/profiles/ca/caJarSigningCert.cfg', 'auth.instance_id', 'raCertAuth', quotes=False, separator='=')
+ installutils.set_directive(self.dogtag_constants.SIGN_PROFILE,
+ 'auth.instance_id', 'raCertAuth', quotes=False, separator='=')
def __enable_crl_publish(self):
"""
@@ -967,9 +1167,9 @@ class CAInstance(service.Service):
http://www.redhat.com/docs/manuals/cert-system/8.0/admin/html/Setting_up_Publishing.html
"""
- caconfig = "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
+ caconfig = self.dogtag_constants.CS_CFG_PATH
- publishdir='/var/lib/pki/pki-tomcat/ca/publish'
+ publishdir = self.dogtag_constants.CRL_PUBLISH_PATH
os.mkdir(publishdir)
os.chmod(publishdir, 0755)
pent = pwd.getpwnam(PKI_USER)
@@ -1006,7 +1206,7 @@ class CAInstance(service.Service):
installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapXCertRule.enable', 'false', quotes=False, separator='=')
# Fix the CRL URI in the profile
- installutils.set_directive(IPA_SERVICE_PROFILE,
+ installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0',
'https://%s/ipa/crl/MasterCRL.bin' % ipautil.format_netloc(self.fqdn),
quotes=False, separator='=')
@@ -1016,7 +1216,8 @@ class CAInstance(service.Service):
def __set_subject_in_config(self):
# dogtag ships with an IPA-specific profile that forces a subject
# format. We need to update that template with our base subject
- if installutils.update_file(IPA_SERVICE_PROFILE, 'OU=pki-ipa, O=IPA', str(self.subject_base)):
+ if installutils.update_file(self.dogtag_constants.IPA_SERVICE_PROFILE,
+ 'OU=pki-ipa, O=IPA', str(self.subject_base)):
print "Updating subject_base in CA template failed"
def uninstall(self):
@@ -1028,8 +1229,16 @@ class CAInstance(service.Service):
self.disable()
try:
- ipautil.run(["/bin/pkidestroy", "-i", "pki-tomcat",
- "-s", "CA"])
+ if self.dogtag_constants.DOGTAG_VERSION >= 10:
+ ipautil.run(["/usr/sbin/pkidestroy", "-i",
+ self.dogtag_constants.PKI_INSTANCE_NAME,
+ "-s", "CA"])
+ else:
+ ipautil.run(["/usr/bin/pkiremove",
+ "-pki_instance_root=/var/lib",
+ "-pki_instance_name=%s" %
+ self.dogtag_constants.PKI_INSTANCE_NAME,
+ "--force"])
except ipautil.CalledProcessError, e:
root_logger.critical("failed to uninstall CA instance %s" % e)
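Review bot: `"/usr/sbin/pkidestroy"` and `"/usr/bin/pkiremove"` are hard-coded here although `check_inst` tests `dogtag.install_constants.DESTROY_BINARY`, so the two can disagree after a package move; `self.dogtag_constants.DESTROY_BINARY` keeps them aligned, and the constants object is already chosen from the saved configuration per the commit message. `-pki_instance_root=/var/lib` likewise repeats what `self.server_root` holds. The uninstall method begins before this hunk.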
@@ -1049,15 +1258,21 @@ class CAInstance(service.Service):
os.chmod(location, 0444)
def __http_proxy(self):
- shutil.copy(ipautil.SHARE_DIR + "ipa-pki-proxy.conf",
- HTTPD_CONFD + "ipa-pki-proxy.conf")
+ template_filename = ipautil.SHARE_DIR + "ipa-pki-proxy.conf"
+ sub_dict = dict(DOGTAG_PORT=self.dogtag_constants.AJP_PORT)
+ template = ipautil.template_file(template_filename, sub_dict)
+ with open(HTTPD_CONFD + "ipa-pki-proxy.conf", "w") as fd:
+ fd.write(template)
def track_servercert(self):
try:
pin = certmonger.get_pin('internal')
except IOError, e:
raise RuntimeError('Unable to determine PIN for CA instance: %s' % str(e))
- certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', 'Server-Cert cert-pki-ca', pin, None, '/etc/pki/pki-tomcat/alias', 'restart_pkicad "Server-Cert cert-pki-ca"')
+ certmonger.dogtag_start_tracking(
+ 'dogtag-ipa-renew-agent', 'Server-Cert cert-pki-ca', pin, None,
+ self.dogtag_constants.ALIAS_DIR,
+ 'restart_pkicad "Server-Cert cert-pki-ca"')
def configure_renewal(self):
cmonger = ipaservices.knownservices.certmonger
@@ -1074,7 +1289,9 @@ class CAInstance(service.Service):
for nickname in ['auditSigningCert cert-pki-ca',
'ocspSigningCert cert-pki-ca',
'subsystemCert cert-pki-ca']:
- certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', nickname, pin, None, '/etc/pki/pki-tomcat/alias', 'renew_ca_cert "%s"' % nickname)
+ certmonger.dogtag_start_tracking(
+ 'dogtag-ipa-renew-agent', nickname, pin, None,
+ self.dogtag_constants.ALIAS_DIR, 'renew_ca_cert "%s"' % nickname)
# Set up the agent cert for renewal
certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', 'ipaCert', None, '/etc/httpd/alias/pwdfile.txt', '/etc/httpd/alias', 'renew_ra_cert')
@@ -1118,7 +1335,10 @@ class CAInstance(service.Service):
for nickname in ['auditSigningCert cert-pki-ca',
'ocspSigningCert cert-pki-ca',
'subsystemCert cert-pki-ca']:
- certmonger.dogtag_start_tracking('dogtag-ipa-retrieve-agent-submit', nickname, pin, None, '/etc/pki/pki-tomcat/alias', 'restart_pkicad "%s"' % nickname)
+ certmonger.dogtag_start_tracking(
+ 'dogtag-ipa-retrieve-agent-submit', nickname, pin, None,
+ self.dogtag_constants.ALIAS_DIR,
+ 'restart_pkicad "%s"' % nickname)
# The agent renewal is configured in import_ra_cert which is called
# after the HTTP instance is created.
@@ -1127,33 +1347,40 @@ class CAInstance(service.Service):
"""
See if Subject Key Identifier is set in the profile and if not, add it.
"""
- setlist = installutils.get_directive(IPA_SERVICE_PROFILE,
+ setlist = installutils.get_directive(
+ self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.list', separator='=')
- # this is the default setting from pki-tomcat. Don't touch it if a user
- # has manually modified it.
+ # this is the default setting from pki-ca/pki-tomcat. Don't touch it
+ # if a user has manually modified it.
if setlist == '1,2,3,4,5,6,7,8':
- installutils.set_directive(IPA_SERVICE_PROFILE,
+ installutils.set_directive(
+ self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.list',
'1,2,3,4,5,6,7,8,10',
quotes=False, separator='=')
- installutils.set_directive(IPA_SERVICE_PROFILE,
+ installutils.set_directive(
+ self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.10.constraint.class_id',
'noConstraintImpl',
quotes=False, separator='=')
- installutils.set_directive(IPA_SERVICE_PROFILE,
+ installutils.set_directive(
+ self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.10.constraint.name',
'No Constraint',
quotes=False, separator='=')
- installutils.set_directive(IPA_SERVICE_PROFILE,
+ installutils.set_directive(
+ self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.10.default.class_id',
'subjectKeyIdentifierExtDefaultImpl',
quotes=False, separator='=')
- installutils.set_directive(IPA_SERVICE_PROFILE,
+ installutils.set_directive(
+ self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.10.default.name',
'Subject Key Identifier Extension Default',
quotes=False, separator='=')
- installutils.set_directive(IPA_SERVICE_PROFILE,
+ installutils.set_directive(
+ self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.10.default.params.critical',
'false',
quotes=False, separator='=')
@@ -1173,7 +1400,7 @@ class CAInstance(service.Service):
responsibility to handle changes on upgrades.
"""
master = installutils.get_directive(
- '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg', 'subsystem.select', '=')
+ self.dogtag_constants.CS_CFG_PATH, 'subsystem.select', '=')
return master == 'New'
@@ -1198,12 +1425,14 @@ def install_replica_ca(config, postinstall=False):
if not config.setup_ca:
# We aren't configuring the CA in this step but we still need
# a minimum amount of information on the CA for this IPA install.
- ca = CAInstance(config.realm_name, certs.NSS_DIR)
+ ca = CAInstance(config.realm_name, certs.NSS_DIR,
+ dogtag_constants=dogtag.install_constants)
ca.dm_password = config.dirman_password
ca.subject_base = config.subject_base
return (ca, None)
- ca = CAInstance(config.realm_name, certs.NSS_DIR)
+ ca = CAInstance(config.realm_name, certs.NSS_DIR,
+ dogtag_constants=dogtag.install_constants)
ca.dm_password = config.dirman_password
ca.subject_base = config.subject_base
if ca.is_installed():
@@ -1213,14 +1442,15 @@ def install_replica_ca(config, postinstall=False):
if ipautil.file_exists(config.dir + "/dogtagcert.p12"):
pkcs12_info = (config.dir + "/dogtagcert.p12",
config.dir + "/dirsrv_pin.txt")
- cs = CADSInstance()
+ cs = CADSInstance(dogtag_constants=dogtag.install_constants)
cs.create_instance(config.realm_name, config.host_name,
config.domain_name, config.dirman_password,
pkcs12_info)
cs.load_pkcs12()
cs.enable_ssl()
cs.restart_instance()
- ca = CAInstance(config.realm_name, certs.NSS_DIR)
+ ca = CAInstance(config.realm_name, certs.NSS_DIR,
+ dogtag_constants=dogtag.install_constants)
if postinstall:
# If installing this afterward the Apache NSS database already
# exists, don't remove it.
@@ -1240,10 +1470,10 @@ def install_replica_ca(config, postinstall=False):
# unix service.
service.print_msg("Restarting the directory and certificate servers")
- ca.stop(PKI_INSTANCE_NAME)
+ ca.stop(dogtag.install_constants.PKI_INSTANCE_NAME)
ipaservices.knownservices.dirsrv.stop("PKI-IPA")
ipaservices.knownservices.dirsrv.start("PKI-IPA")
- ca.start(PKI_INSTANCE_NAME)
+ ca.start(dogtag.install_constants.PKI_INSTANCE_NAME)
return (ca, cs)
@@ -1262,7 +1492,7 @@ def update_cert_config(nickname, cert):
'subsystemCert cert-pki-ca': 'ca.subsystem.cert',
'Server-Cert cert-pki-ca': 'ca.sslserver.cert' }
- installutils.set_directive('/var/lib/pki/%s/conf/ca/CS.cfg' % PKI_INSTANCE_NAME,
+ installutils.set_directive(dogtag.configured_constants().CS_CFG_PATH,
directives[nickname],
base64.b64encode(cert),
quotes=False, separator='=')
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index f0f0f1dfd..0094d0b89 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -660,8 +660,13 @@ class CertDB(object):
f = open(self.passwd_fname, "r")
password = f.readline()
f.close()
- http_status, http_reason_phrase, http_headers, http_body = \
- dogtag.https_request(self.host_name, api.env.ca_ee_install_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
+ result = dogtag.https_request(
+ self.host_name,
+ api.env.ca_ee_install_port or
+ dogtag.install_constants.EE_SECURE_PORT,
+ "/ca/ee/ca/profileSubmitSSLClient",
+ self.secdir, password, "ipaCert", **params)
+ http_status, http_reason_phrase, http_headers, http_body = result
if http_status != 200:
raise CertificateOperationError(
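Review bot: The fallback `api.env.ca_ee_install_port or dogtag.install_constants.EE_SECURE_PORT` is written out verbatim twice in this file (here and in the next hunk); a single module-level helper such as `def _ee_port(): return api.env.ca_ee_install_port or dogtag.install_constants.EE_SECURE_PORT` keeps the two request paths from drifting. Note that `or` also treats a configured port of `0` as unset, which is presumably intended but worth a one-line comment. The enclosing method starts before this hunk.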
@@ -743,8 +748,13 @@ class CertDB(object):
f = open(self.passwd_fname, "r")
password = f.readline()
f.close()
- http_status, http_reason_phrase, http_headers, http_body = \
- dogtag.https_request(self.host_name, api.env.ca_ee_install_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
+ result = dogtag.https_request(
+ self.host_name,
+ api.env.ca_ee_install_port or
+ dogtag.install_constants.EE_SECURE_PORT,
+ "/ca/ee/ca/profileSubmitSSLClient",
+ self.secdir, password, "ipaCert", **params)
+ http_status, http_reason_phrase, http_headers, http_body = result
if http_status != 200:
raise RuntimeError("Unable to submit cert request")
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index e5d9f080b..e1d8b6db8 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -31,6 +31,7 @@ import installutils
from ipapython import sysrestore
from ipapython import ipautil
from ipapython import services as ipaservices
+from ipapython import dogtag
from ipalib import util, api
HTTPD_DIR = "/etc/httpd"
@@ -70,7 +71,13 @@ class HTTPInstance(service.Service):
self.principal = "HTTP/%s@%s" % (self.fqdn, self.realm)
self.dercert = None
self.subject_base = subject_base
- self.sub_dict = {"REALM": realm, "FQDN": fqdn, "DOMAIN": self.domain, "AUTOREDIR": '' if auto_redirect else '#'}
+ self.sub_dict = dict(
+ REALM=realm,
+ FQDN=fqdn,
+ DOMAIN=self.domain,
+ AUTOREDIR='' if auto_redirect else '#',
+ CRL_PUBLISH_PATH=dogtag.install_constants.CRL_PUBLISH_PATH,
+ )
# get a connection to the DS
self.ldap_connect()
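Review bot: `CRL_PUBLISH_PATH=dogtag.install_constants.CRL_PUBLISH_PATH` picks the constants for the packaged Dogtag, whereas the CA code in this commit resolves paths through `dogtag.configured_constants()` or an injected `dogtag_constants`; if HTTPInstance is ever constructed against an already-configured CA (an upgrade path, for instance), the rendered httpd config may point at a publish directory the CA does not use. If that can happen, accept a `dogtag_constants=None` parameter as CAInstance does and default it to `dogtag.configured_constants()`; otherwise a comment saying why install constants are correct here would settle it. `__init__` continues outside this hunk.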
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index bc0510c3a..754d5fc98 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -47,7 +47,9 @@ from ipalib import errors
from ipapython.dn import DN
# Used to determine install status
-IPA_MODULES = ['httpd', 'kadmin', 'dirsrv', 'pki-tomcatd', 'pkids', 'install', 'krb5kdc', 'ntpd', 'named', 'ipa_memcached']
+IPA_MODULES = [
+ 'httpd', 'kadmin', 'dirsrv', 'pki-cad', 'pki-tomcatd', 'pkids', 'install',
+ 'krb5kdc', 'ntpd', 'named', 'ipa_memcached']
class BadHostError(Exception):
pass
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index e15d4e5e0..1d157eba4 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -23,6 +23,7 @@ import tempfile
import pwd
from ipapython import sysrestore
from ipapython import ipautil
+from ipapython import dogtag
from ipapython import services as ipaservices
from ipalib import errors
from ipapython.dn import DN
@@ -41,17 +42,6 @@ AUTO = 1
ENABLED = 2
DISABLED = 3
-# Determine if we have an updated dogtag instance (dogtag 10+) or
-# an older one.
-dogtag_service = 'pki-cad'
-try:
- for line in open("/etc/ipa/default.conf", "r"):
- if "dogtag_version" in line:
- dogtag_service = 'pki-tomcatd'
- break
-except IOError, e:
- pass
-
# The service name as stored in cn=masters,cn=ipa,cn=etc. In the tuple
# the first value is the *nix service name, the second the start order.
SERVICE_LIST = {
@@ -60,7 +50,7 @@ SERVICE_LIST = {
'DNS':('named', 30),
'MEMCACHE':('ipa_memcached', 39),
'HTTP':('httpd', 40),
- 'CA':(dogtag_service, 50),
+ 'CA':('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 50),
'ADTRUST':('smb', 60),
'EXTID':('winbind', 70)
}
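Review bot: `'CA':('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 50)` is evaluated once at import time and duplicates the `'%sd' % dogtag_constants.PKI_INSTANCE_NAME` construction in `CAInstance.__init__` in cainstance.py; a single `SERVICE_NAME` attribute (or helper) on the dogtag constants object would give both sites one definition of the service name. Because the lookup happens on import, a process that imports this module before the configuration is written keeps the value computed at that moment — presumably acceptable for the install flow, but a comment next to the entry saying so would save the next reader the question.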