-rw-r--r-- | install/tools/ipa-upgradeconfig | 21 | ||||
-rw-r--r-- | ipaserver/install/cainstance.py | 33 |
2 files changed, 47 insertions, 7 deletions
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index cb2164c0c..4ed718a9b 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -211,14 +211,15 @@ def upgrade_pki(fstore):
 This requires enabling SSL renegotiation.
 """
+ configured_constants = dogtag.configured_constants()
 root_logger.info('[Verifying that CA proxy configuration is correct]')
- if not os.path.exists('/etc/pki-ca/CS.cfg'):
+ if not os.path.exists(configured_constants.CS_CFG_PATH):
 root_logger.debug('No CA detected in /etc/pki-ca')
 return
 http = httpinstance.HTTPInstance(fstore)
 http.enable_mod_nss_renegotiate()
- if not installutils.get_directive('/etc/pki-ca/CS.cfg',
+ if not installutils.get_directive(configured_constants.CS_CFG_PATH,
 'proxy.securePort', '=') and \
 os.path.exists('/usr/bin/pki-setup-proxy'):
 ipautil.run(['/usr/bin/pki-setup-proxy', '-pki_instance_root=/var/lib'
@@ -285,17 +286,24 @@ def cleanup_kdc(fstore):
 def upgrade_ipa_profile(ca):
 """
 Update the IPA Profile provided by dogtag
+
+ Returns True if restart is needed, False otherwise.
 """
 root_logger.info('[Verifying that CA service certificate profile is updated]')
 if ca.is_configured():
- if ca.enable_subject_key_identifier():
- root_logger.debug('Subject Key Identifier updated, restarting CA')
- ca.restart()
+ ski = ca.enable_subject_key_identifier()
+ if ski:
+ root_logger.debug('Subject Key Identifier updated.')
 else:
 root_logger.debug('Subject Key Identifier already set.')
+ audit = ca.set_audit_renewal()
+ if audit or ski:
+ return True
 else:
 root_logger.debug('CA is not configured')
+ return False
+
+
 def upgrade_httpd_selinux(fstore):
 """
 Update SElinux configuration for httpd instance in the same way as the
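Review bot: The existence check now reads the config path from `configured_constants.CS_CFG_PATH`, but the debug message on the very next line still hardcodes `/etc/pki-ca`, so on an instance whose constants point elsewhere the upgrade log names a location that was never inspected. Suggest `root_logger.debug('No CA detected, %s is missing' % configured_constants.CS_CFG_PATH)`. The `/usr/bin/pki-setup-proxy` binary and the `-pki_instance_root=/var/lib` argument further down are likewise still fixed strings while the CS.cfg path became configurable; if the configured constants expose the instance root they should come from the same source, otherwise a comment saying why only CS.cfg is parameterised would help. upgrade_pki begins before the hunk and the ipautil.run call continues past it.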
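Review bot: In upgrade_ipa_profile the new `if audit or ski:` / `return True` pair duplicates the trailing `return False`; both helpers return plain booleans (set_audit_renewal returns True/False explicitly in this commit), so the configured branch can simply end with `return audit or ski`. That shape also makes it obvious that set_audit_renewal runs regardless of the SKI outcome, which the current nesting makes easy to misread as a dependency. The audit step's result is not logged here the way the SKI step's is; a `root_logger.debug('Audit signing renewal updated.')` when `audit` is true would keep the two steps symmetric in the upgrade log.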
@@ -609,14 +617,13 @@ def main():
 pass
 cleanup_kdc(fstore)
- upgrade_ipa_profile(ca)
 changed_psearch = named_enable_psearch()
 changed_autoincrement = named_enable_serial_autoincrement()
 if changed_psearch or changed_autoincrement:
 # configuration has changed, restart the name server
 root_logger.info('Changes to named.conf have been made, restart named')
 bindinstance.BindInstance(fstore).restart()
- ca_restart = ca_restart or enable_certificate_renewal(ca)
+ ca_restart = ca_restart or enable_certificate_renewal(ca) or upgrade_ipa_profile(ca)
 if ca_restart:
 root_logger.info('pki-ca configuration changed, restart pki-ca')
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index c37c261f2..a64fe6f03 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -562,6 +562,7 @@ class CAInstance(service.Service):
 self.step("set up CRL publishing", self.__enable_crl_publish)
 self.step("set certificate subject base", self.__set_subject_in_config)
 self.step("enabling Subject Key Identifier", self.enable_subject_key_identifier)
+ self.step("setting audit signing renewal to 2 years", self.set_audit_renewal)
 self.step("configuring certificate server to start on boot", self.__enable)
 if not self.clone:
 self.step("restarting certificate server", self.__restart_instance)
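Review bot: The new `ca_restart = ca_restart or enable_certificate_renewal(ca) or upgrade_ipa_profile(ca)` short-circuits, so whenever `ca_restart` is already True (or enable_certificate_renewal returns True) upgrade_ipa_profile is never called and the Subject Key Identifier and audit-renewal fixes are silently skipped on exactly the upgrades that already touched the CA. Before this change the call ran unconditionally from its earlier position in main. Evaluate each step on its own and fold the result in afterwards: `ca_restart = enable_certificate_renewal(ca) or ca_restart` followed by `ca_restart = upgrade_ipa_profile(ca) or ca_restart` (the short-circuit on enable_certificate_renewal appears to predate this commit but has the same problem). main continues on both sides of the hunk.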
@@ -1420,6 +1421,38 @@ class CAInstance(service.Service):
 # No update was done
 return False
+ def set_audit_renewal(self):
+ """
+ The default renewal time for the audit signing certificate is
+ six months rather than two years. Fix it. This is BZ 843979.
+ """
+ # Check the default validity period of the audit signing cert
+ # and set it to 2 years if it is 6 months.
+ range = installutils.get_directive(
+ '%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR,
+ 'policyset.caLogSigningSet.2.default.params.range',
+ separator='='
+ )
+ root_logger.debug('caSignedLogCert.cfg profile validity range is %s' % range)
+ if range == "180":
+ installutils.set_directive(
+ '%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR,
+ 'policyset.caLogSigningSet.2.default.params.range',
+ '720',
+ quotes=False,
+ separator='='
+ )
+ installutils.set_directive(
+ '%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR,
+ 'policyset.caLogSigningSet.2.constraint.params.range',
+ '720',
+ quotes=False,
+ separator='='
+ )
+ root_logger.debug('updated caSignedLogCert.cfg profile validity range to 720')
+ return True
+ return False
+
 def is_master(self):
 """
 There are some tasks that are only done on a single dogtag master.
|
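Review bot: set_audit_renewal binds a local named `range`, shadowing the builtin, and spells out `'%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR` three times; hoisting the profile path into one local and renaming the value makes the method read as a single guarded update and keeps the two directive names side by side. The update is keyed solely on the default range being exactly `"180"`: the constraint range is overwritten without ever being read, and a profile whose default is already 720 but whose constraint still says 180 would be left alone — presumably the two are always changed together, but that is worth confirming against the profile dogtag ships. The string comparison also means a value such as `180 ` with stray whitespace would not match; if get_directive does not strip, a `.strip()` on the read value is cheap insurance. A guard-clause form is sketched below; the class continues on both sides of the hunk.
```python
    def set_audit_renewal(self):
        """
        The default renewal time for the audit signing certificate is
        six months rather than two years. Fix it. This is BZ 843979.

        Returns True if the profile was changed, False otherwise.
        """
        profile = '%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR
        default_range = 'policyset.caLogSigningSet.2.default.params.range'
        constraint_range = 'policyset.caLogSigningSet.2.constraint.params.range'

        validity = installutils.get_directive(profile, default_range, separator='=')
        root_logger.debug('caSignedLogCert.cfg profile validity range is %s' % validity)
        # Only the shipped six-month default is rewritten; any other value is
        # treated as deliberately configured and left untouched.
        if validity != "180":
            return False

        for directive in (default_range, constraint_range):
            installutils.set_directive(profile, directive, '720',
                                       quotes=False, separator='=')
        root_logger.debug('updated caSignedLogCert.cfg profile validity range to 720')
        return True
```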