diff options
Diffstat (limited to 'install')
| -rwxr-xr-x | install/tools/ipa-replica-install | 35 | ||||
| -rwxr-xr-x | install/tools/ipa-replica-prepare | 72 | ||||
| -rwxr-xr-x | install/tools/ipa-server-install | 2 |
3 files changed, 91 insertions, 18 deletions
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index a92db3029..1a471b2a0 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -101,6 +101,25 @@ def set_owner(config, dir): pw = pwd.getpwnam(config.ds_user) os.chown(dir, pw.pw_uid, pw.pw_gid) +def install_ca(config): + cafile = config.dir + "/ca.p12" + if not ipautil.file_exists(cafile): + return None + + try: + from ipaserver.install import cainstance + except ImportError: + print >> sys.stderr, "Import failed: %s" % sys.exc_value + sys.exit(1) + + cs = cainstance.CADSInstance() + cs.create_instance(config.ds_user, config.realm_name, config.host_name, config.domain_name, config.dirman_password) + + ca = cainstance.CAInstance() + ca.configure_instance("pkiuser", config.host_name, config.dirman_password, config.dirman_password, pkcs12_info=(cafile,), master_host=config.master_host_name) + + return ca + def install_ds(config): dsinstance.check_existing_installation() dsinstance.check_ports() @@ -237,17 +256,20 @@ def main(): except ldap.INVALID_CREDENTIALS, e : sys.exit("\nThe password provided is incorrect for LDAP server %s" % config.master_host_name) + # Install CA cert so that we can do SSL connections with ldap + install_ca_cert(config) + # Configure ntpd if options.conf_ntp: ntp = ntpinstance.NTPInstance() ntp.create_instance() + # Configure the CA if necessary + CA = install_ca(config) + # Configure dirsrv ds = install_ds(config) - # Install CA cert so that we can do SSL connections with ldap - install_ca_cert(config) - try: repl = replication.ReplicationManager(config.host_name, config.dirman_password) ret = repl.setup_replication(config.master_host_name, config.realm_name) @@ -259,6 +281,10 @@ def main(): install_krb(config) install_http(config) + if CA: + CA.import_ra_cert(dir + "/ra.p12") + CA.fix_ra_perms() + service.restart("httpd") # Create the config file fd = open("/etc/ipa/ipa.conf", "w") @@ -275,8 +301,7 @@ def main(): fd.write("realm=" + config.realm_name + "\n") fd.write("domain=" + config.domain_name + "\n") fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % config.host_name) - # FIXME: detect when we are installing a cloned CA - if False: + if ipautil.file_exists(config.dir + "/ca.p12"): fd.write("enable_ra=True\n") fd.close() diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare index c2424652b..bb8df1d93 100755 --- a/install/tools/ipa-replica-prepare +++ b/install/tools/ipa-replica-prepare @@ -28,7 +28,7 @@ from optparse import OptionParser import ipapython.config from ipapython import ipautil -from ipaserver.install import dsinstance, installutils, certs +from ipaserver.install import dsinstance, installutils, certs, httpinstance from ipaserver import ipaldap from ipapython import version import ldap @@ -98,28 +98,37 @@ def check_ipa_configuration(realm_name): logging.error("could not find directory instance: %s" % config_dir) sys.exit(1) -def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, subject): +def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname): """realm is the kerberos realm for the IPA server. ds_dir is the location of the master DS we are creating a replica for. dir is the location of the files for the replica we are creating. passwd_fname is the file containing the PKCS#12 password fname is the filename of the PKCS#12 file for this cert (minus the .p12). - subject is the subject of the certificate we are creating + hostname is the FQDN of the server we're creating a cert for. + + The subject is handled by certs.CertDB:create_server_cert() """ try: - ds_ca = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))) - ca = certs.CertDB(dir) - ca.create_from_cacert(ds_ca.cacert_fname) - ca.create_server_cert("Server-Cert", subject, ds_ca) + self_signed = certs.ipa_self_signed() + + db = certs.CertDB(dir) + db.create_passwd_file() + db.create_certdbs() + if self_signed: + ca_db = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))) + db.create_from_cacert(ca_db.cacert_fname) + else: + ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=get_host_name()) + db.create_server_cert("Server-Cert", hostname, ca_db) except Exception, e: raise e pkcs12_fname = dir + "/" + fname + ".p12" try: - ca.export_pkcs12(pkcs12_fname, passwd_fname, "Server-Cert") + db.export_pkcs12(pkcs12_fname, passwd_fname, "Server-Cert") except ipautil.CalledProcessError, e: - print "error exporting CA certificate: " + str(e) + print "error exporting Server certificate: " + str(e) remove_file(pkcs12_fname) remove_file(passwd_fname) @@ -130,6 +139,32 @@ def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, subject): if ipautil.file_exists(passwd_fname + ".orig"): remove_file(passwd_fname + ".orig") +def export_ra_pkcs12(dir, dm_password): + """ + dir is the location of the files for the replica we are creating. + dm_password is the Directory Manager password + + If this install is using dogtag/RHCS then export the RA certificate. + """ + if certs.ipa_self_signed(): + return + + (agent_fd, agent_name) = tempfile.mkstemp() + os.write(agent_fd, dm_password) + os.close(agent_fd) + + try: + try: + db = certs.CertDB(httpinstance.NSS_DIR, host_name=get_host_name()) + + if db.has_nickname("ipaCert"): + pkcs12_fname = "%s/ra.p12" % dir + db.export_pkcs12(pkcs12_fname, agent_name, "ipaCert") + except Exception, e: + raise e + finally: + os.remove(agent_name) + def get_ds_user(ds_dir): uid = os.stat(ds_dir).st_uid user = pwd.getpwuid(uid)[0] @@ -176,7 +211,8 @@ def main(): replica_fqdn = args[0] - if not ipautil.file_exists(certs.CA_SERIALNO) and not options.dirsrv_pin: + # FIXME: need more robust way to determine if dogtag is configured + if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki-ca") and not options.dirsrv_pin: sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.") print "Determining current realm name" @@ -244,8 +280,18 @@ def main(): print "Copy failed %s" % e sys.exit(1) else: + try: + if not certs.ipa_self_signed(): + # FIXME, need option for location of CA backup + if ipautil.file_exists("/root/tmp-ca.p12"): + shutil.copy("/root/tmp-ca.p12", dir + "/ca.p12") + else: + raise RuntimeError("Root CA PKCS#12 not found in /root/tmp-ca.p12") + except IOError, e: + print "Copy failed %s" % e + sys.exit(1) print "Creating SSL certificate for the Directory Server" - export_certdb(realm_name, ds_dir, dir, passwd_fname, "dscert", "cn=%s,ou=Fedora Directory Server" % replica_fqdn) + export_certdb(realm_name, ds_dir, dir, passwd_fname, "dscert", replica_fqdn) if options.http_pin: passwd = options.http_pin @@ -266,7 +312,9 @@ def main(): sys.exit(1) else: print "Creating SSL certificate for the Web Server" - export_certdb(realm_name, ds_dir, dir, passwd_fname, "httpcert", "cn=%s,ou=Apache Web Server" % replica_fqdn) + export_certdb(realm_name, ds_dir, dir, passwd_fname, "httpcert", replica_fqdn) + print "Exporting RA certificate" + export_ra_pkcs12(dir, dirman_password) print "Copying additional files" copy_files(realm_name, dir) print "Finalizing configuration" diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index a19d8f44c..d24b0e9f9 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -521,7 +521,7 @@ def main(): pass cs = cainstance.CADSInstance() - cs.create_instance("dirsrv", realm_name, host_name, domain_name, dm_password) + cs.create_instance(ds_user, realm_name, host_name, domain_name, dm_password) ca = cainstance.CAInstance() ca.configure_instance("pkiuser", host_name, dm_password, dm_password) |