diff options
-rwxr-xr-x | install/tools/ipa-replica-install | 27 | ||||
-rwxr-xr-x | install/tools/ipa-replica-prepare | 72 | ||||
-rw-r--r-- | ipaserver/install/certs.py | 12 | ||||
-rw-r--r-- | ipaserver/install/krbinstance.py | 20 |
4 files changed, 117 insertions, 14 deletions
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 2beadae81..fb6dd46fb 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -68,6 +68,8 @@ def parse_options(): parser.add_option("--no-host-dns", dest="no_host_dns", action="store_true", default=False, help="Do not use DNS for hostname lookup during installation") + parser.add_option("--no-pkinit", dest="setup_pkinit", action="store_false", + default=True, help="disables pkinit setup steps") options, args = parser.parse_args() safe_options = parser.get_safe_opts(options) @@ -178,13 +180,21 @@ def install_ds(config): return ds -def install_krb(config): +def install_krb(config, setup_pkinit=False): krb = krbinstance.KrbInstance() ldappwd_filename = config.dir + "/ldappwd" kpasswd_filename = config.dir + "/kpasswd.keytab" + + #pkinit files + pkcs12_info = None + if ipautil.file_exists(config.dir + "/pkinitcert.p12"): + pkcs12_info = (config.dir + "/pkinitcert.p12", + config.dir + "/pkinit_pin.txt") + krb.create_replica(config.ds_user, config.realm_name, config.host_name, config.domain_name, config.dirman_password, - ldappwd_filename, kpasswd_filename) + ldappwd_filename, kpasswd_filename, + setup_pkinit, pkcs12_info) def install_ca_cert(config): if ipautil.file_exists(config.dir + "/ca.crt"): @@ -261,6 +271,11 @@ def check_bind(): print "Aborting installation" sys.exit(1) +def check_pkinit(): + if not krbinstance.check_pkinit_plugin(): + print "Aborting installation" + sys.exit(1) + def main(): safe_options, options, filename = parse_options() installutils.standard_logging_setup("/var/log/ipareplica-install.log", options.debug) @@ -269,8 +284,14 @@ def main(): if not ipautil.file_exists(filename): sys.exit("Replica file %s does not exist" % filename) + # check the bind is installed if options.setup_dns: check_bind() + + # check the pkinit plugin is installed + if options.setup_pkinit: + check_pkinit() + check_dirsrv() # get the directory manager password @@ -367,7 +388,7 @@ def main(): if ret != 0: raise RuntimeError("Failed to start replication") - install_krb(config) + install_krb(config, setup_pkinit=options.setup_pkinit) install_http(config) if CA: CA.import_ra_cert(dir + "/ra.p12") diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare index 059b011f9..af7680155 100755 --- a/install/tools/ipa-replica-prepare +++ b/install/tools/ipa-replica-prepare @@ -41,25 +41,39 @@ def parse_options(): help="install certificate for the directory server") parser.add_option("--http_pkcs12", dest="http_pkcs12", help="install certificate for the http server") + parser.add_option("--pkinit_pkcs12", dest="pkinit_pkcs12", + help="install certificate for the KDC") parser.add_option("--dirsrv_pin", dest="dirsrv_pin", help="PIN for the Directory Server PKCS#12 file") parser.add_option("--http_pin", dest="http_pin", help="PIN for the Apache Server PKCS#12 file") + parser.add_option("--pkinit_pin", dest="pkinit_pin", + help="PIN for the KDC pkinit PKCS#12 file") parser.add_option("-p", "--password", dest="password", help="Directory Manager (existing master) password") parser.add_option("--ip-address", dest="ip_address", help="Add A and PTR records of the future replica") parser.add_option("--ca", dest="ca_file", default="/root/cacert.p12", help="Location of CA PKCS#12 file, default /root/cacert.p12") + parser.add_option("--no-pkinit", dest="setup_pkinit", action="store_false", + default=True, help="disables pkinit setup steps") options, args = parser.parse_args() # If any of the PKCS#12 options are selected, all are required. Create a # list of the options and count it to enforce that all are required without # having a huge set of it blocks. - pkcs12 = [options.dirsrv_pkcs12, options.http_pkcs12, options.dirsrv_pin, options.http_pin] + if options.setup_pkinit: + pkcs12 = [options.dirsrv_pkcs12, options.dirsrv_pin, + options.http_pkcs12, options.http_pin, + options.pkinit_pkcs12, options.pkinit_pin] + num = 6 + else: + pkcs12 = [options.dirsrv_pkcs12, options.dirsrv_pin, + options.http_pkcs12, options.http_pin] + num = 4 cnt = pkcs12.count(None) - if cnt > 0 and cnt < 4: + if cnt > 0 and cnt < num: parser.error("All PKCS#12 options are required if any are used.") if options.ip_address: @@ -90,7 +104,7 @@ def check_ipa_configuration(realm_name): logging.error("could not find directory instance: %s" % config_dir) sys.exit(1) -def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname, subject_base=None): +def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname, subject_base=None, is_kdc=False): """realm is the kerberos realm for the IPA server. ds_dir is the location of the master DS we are creating a replica for. dir is the location of the files for the replica we are creating. @@ -100,6 +114,12 @@ def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname, subjec The subject is handled by certs.CertDB:create_server_cert() """ + + if is_kdc: + nickname = "KDC-Cert" + else: + nickname = "Server-Cert" + try: self_signed = certs.ipa_self_signed() @@ -111,15 +131,22 @@ def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname, subjec # else: # ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host) ca_db = certs.CertDB(httpinstance.NSS_DIR, realm_name, host_name=api.env.host, subject_base=subject_base) - db.create_from_cacert(ca_db.cacert_fname) - db.create_server_cert("Server-Cert", hostname, ca_db) + if is_kdc: + ca_db.create_kdc_cert("KDC-Cert", hostname, dir) + else: + db.create_from_cacert(ca_db.cacert_fname) + db.create_server_cert(nickname, hostname, ca_db) except Exception, e: raise e pkcs12_fname = dir + "/" + fname + ".p12" try: - db.export_pkcs12(pkcs12_fname, passwd_fname, "Server-Cert") + if is_kdc: + ca_db.export_pem_p12(pkcs12_fname, passwd_fname, + nickname, dir + "/kdc.pem") + else: + db.export_pkcs12(pkcs12_fname, passwd_fname, nickname) except ipautil.CalledProcessError, e: print "error exporting Server certificate: " + str(e) remove_file(pkcs12_fname) @@ -129,6 +156,8 @@ def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname, subjec remove_file(dir + "/key3.db") remove_file(dir + "/secmod.db") remove_file(dir + "/noise.txt") + if is_kdc: + remove_file(dir + "/kdc.pem") if ipautil.file_exists(passwd_fname + ".orig"): remove_file(passwd_fname + ".orig") @@ -194,6 +223,8 @@ def copy_files(realm_name, dir): if ipautil.file_exists("/usr/share/ipa/html/preferences.html"): shutil.copy("/usr/share/ipa/html/preferences.html", dir + "/preferences.html") shutil.copy("/usr/share/ipa/html/configure.jar", dir + "/configure.jar") + if ipautil.file_exists("/var/kerberos/krb5kdc/cacert.pem"): + shutil.copy("/var/kerberos/krb5kdc/cacert.pem", dir + "/cacert.pem") except Exception, e: print "error copying files: " + str(e) sys.exit(1) @@ -316,6 +347,35 @@ def main(): print "Exporting RA certificate" export_ra_pkcs12(dir, dirman_password) + if options.setup_pkinit: + if options.pkinit_pin: + passwd = options.pkinit_pin + else: + passwd = "" + + passwd_fname = dir + "/pkinit_pin.txt" + fd = open(passwd_fname, "w") + fd.write("%s\n" % passwd) + fd.close() + + if options.pkinit_pkcs12: + print "Copying SSL certificate for the KDC from %s" % options.pkinit_pkcs12 + try: + shutil.copy(options.pkinit_pkcs12, dir + "/pkinitcert.p12") + except IOError, e: + print "Copy failed %s" % e + sys.exit(1) + else: + print "Creating SSL certificate for the KDC" + try: + export_certdb(api.env.realm, ds_dir, dir, + passwd_fname, "pkinitcert", + replica_fqdn, subject_base, + is_kdc=True) + except errors.CertificateOperationError, e: + print "%s" % e + sys.exit(1) + print "Copying additional files" copy_files(api.env.realm, dir) print "Finalizing configuration" diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index 3fa65207c..bd5c7bf9c 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -865,6 +865,13 @@ class CertDB(object): "-k", self.passwd_fname, "-w", pkcs12_pwd_fname]) + def export_pem_p12(self, pkcs12_fname, pkcs12_pwd_fname, + nickname, pem_fname): + ipautil.run(["/usr/bin/openssl", "pkcs12", + "-export", "-name", nickname, + "-in", pem_fname, "-out", pkcs12_fname, + "-passout", "file:" + pkcs12_pwd_fname]) + def create_self_signed(self, passwd=None): self.create_noise_file() self.create_passwd_file(passwd) @@ -1017,6 +1024,11 @@ class CertDB(object): os.unlink(key_fname) os.unlink(cert_fname) + def install_pem_from_p12(self, p12_fname, p12_pwd_fname, pem_fname): + ipautil.run(["/usr/bin/openssl", "pkcs12", "-nodes", + "-in", p12_fname, "-out", pem_fname, + "-passin", "file:" + p12_pwd_fname]) + def backup_files(self): self.fstore.backup_file(self.noise_fname) self.fstore.backup_file(self.passwd_fname) diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index f6650d80c..7454739e1 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -205,7 +205,14 @@ class KrbInstance(service.Service): self.kpasswd.create_instance() - def create_replica(self, ds_user, realm_name, host_name, domain_name, admin_password, ldap_passwd_filename, kpasswd_filename): + def create_replica(self, ds_user, realm_name, host_name, + domain_name, admin_password, + ldap_passwd_filename, kpasswd_filename, + setup_pkinit=False, pkcs12_info=None, + self_signed_ca=False, subject_base=None): + self.pkcs12_info = pkcs12_info + self.self_signed_ca = self_signed_ca + self.subject_base = subject_base self.__copy_ldap_passwd(ldap_passwd_filename) self.__copy_kpasswd_keytab(kpasswd_filename) @@ -217,6 +224,8 @@ class KrbInstance(service.Service): self.step("creating a keytab for the directory", self.__create_ds_keytab) self.step("creating a keytab for the machine", self.__create_host_keytab) self.step("adding the password extension to the directory", self.__add_pwd_extop_module) + if setup_pkinit: + self.step("installing X509 Certificate for PKINIT", self.__setup_pkinit) self.__common_post_setup() @@ -506,16 +515,17 @@ class KrbInstance(service.Service): ca_db = certs.CertDB(httpinstance.NSS_DIR, self.realm, host_name=self.fqdn, subject_base=self.subject_base) - if self.pkcs12_info: - - raise RuntimeError("Using PKCS12 Certs not supported yet\n") + if self.pkcs12_info: + ca_db.install_pem_from_p12(self.pkcs12_info[0], + self.pkcs12_info[1], + "/var/kerberos/krb5kdc/kdc.pem") else: if self.self_signed_ca: ca_db.create_kdc_cert("KDC-Cert", self.fqdn, "/var/kerberos/krb5kdc") else: - raise RuntimeError("Using PKCS12 Certs not supported yet\n") + raise RuntimeError("PKI not supported yet\n") # Finally copy the cacert in the krb directory so we don't # have any selinux issues with the file context |