Diffstat (limited to 'install')
-rw-r--r-- | install/conf/ipa-pki-proxy.conf | 6 | ||||
-rw-r--r-- | install/po/Makefile.in | 1 | ||||
-rw-r--r-- | install/restart_scripts/renew_ca_cert | 11 | ||||
-rw-r--r-- | install/tools/Makefile.am | 1 | ||||
-rwxr-xr-x | install/tools/ipa-ca-install | 82 | ||||
-rwxr-xr-x | install/tools/ipa-dns-install | 1 | ||||
-rw-r--r-- | install/tools/ipa-kra-install | 23 | ||||
-rwxr-xr-x | install/tools/ipa-replica-install | 87 | ||||
-rwxr-xr-x | install/tools/ipa-server-install | 46 | ||||
-rw-r--r-- | install/tools/ipa-upgradeconfig | 86 |
10 files changed, 158 insertions, 186 deletions
diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
index 224cdd45b..57175390b 100644
--- a/install/conf/ipa-pki-proxy.conf
+++ b/install/conf/ipa-pki-proxy.conf
@@ -1,4 +1,4 @@
-# VERSION 4 - DO NOT REMOVE THIS LINE
+# VERSION 5 - DO NOT REMOVE THIS LINE
 ProxyRequests Off
@@ -11,7 +11,7 @@ ProxyRequests Off
 </LocationMatch>
 # matches for admin port and installer
-<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken|^/ca/admin/ca/updateNumberRange|^/ca/rest/securityDomain/domainInfo|^/ca/rest/account/login|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/rest/account/logout|^/ca/rest/securityDomain/installToken">
+<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken|^/ca/admin/ca/updateNumberRange|^/ca/rest/securityDomain/domainInfo|^/ca/rest/account/login|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/rest/account/logout|^/ca/rest/securityDomain/installToken|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries|^/kra/rest/config/cert/transport">
 NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
 NSSVerifyClient none
 ProxyPassMatch ajp://localhost:$DOGTAG_PORT
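Review bot: The new entries `^/ca/admin/ca/updateConnector`, `^/ca/admin/ca/getSubsystemCert`, `^/kra/admin/kra/updateNumberRange`, `^/kra/admin/kra/getConfigEntries` and `^/kra/rest/config/cert/transport` go into the `NSSVerifyClient none` block, so the proxy forwards them to Dogtag with no client certificate and all access control rests on Dogtag's own session/token checks behind the AJP hop; `updateConnector` in particular changes the CA's configuration, while its KRA-side counterpart `^/kra/rest/admin/kraconnector/remove` is placed in the client-cert-required block in the next hunk. If these are only needed while the KRA is being installed, say so and consider whether they can be restricted or removed afterwards; at minimum add `# KRA installer endpoints: no client cert at the proxy, authorisation is Dogtag's own` above the `<LocationMatch>`. Note also that `^/ca/admin/ca/updateNumberRange` appears twice in the pattern (it already did before this change), and that every alternative is a prefix match (`^` with no `$`), which is presumably intended for the REST paths but means `^/kra/rest/config/cert/transport` also covers anything beneath it.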
@@ -19,7 +19,7 @@ ProxyRequests Off
 </LocationMatch>
 # matches for agent port and eeca port
-<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
+<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/kra/agent/kra/connector|^/kra/rest/agent/keyrequests|^/kra/rest/agent/keys|^/kra/rest/admin/kraconnector/remove">
 NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
 NSSVerifyClient require
 ProxyPassMatch ajp://localhost:$DOGTAG_PORT
diff --git a/install/po/Makefile.in b/install/po/Makefile.in
index 6dca615c1..de711dffb 100644
--- a/install/po/Makefile.in
+++ b/install/po/Makefile.in
@@ -47,6 +47,7 @@ PY_EXPLICIT_FILES = \
 install/tools/ipa-csreplica-manage \
 install/tools/ipactl \
 install/tools/ipa-dns-install \
+ install/tools/ipa-kra-install \
 install/tools/ipa-ldap-updater \
 install/tools/ipa-managed-entries \
 install/tools/ipa-nis-manage \
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 2ad203870..a205b0e36 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -21,13 +21,12 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 import sys
-import os
 import syslog
 import tempfile
 import shutil
 import traceback
-from ipapython import dogtag, certmonger, ipautil
+from ipapython import dogtag, ipautil
 from ipapython.dn import DN
 from ipalib import api, errors, x509, certstore
 from ipaserver.install import certs, cainstance, installutils
@@ -35,6 +34,7 @@ from ipaserver.plugins.ldap2 import ldap2
 from ipaplatform import services
 from ipaplatform.paths import paths
+
 def main():
 nickname = sys.argv[1]
@@ -70,8 +70,6 @@ def main():
 syslog.syslog(syslog.LOG_ERR, 'No certificate %s found.' % nickname)
 sys.exit(1)
- cainstance.update_cert_config(nickname, cert, configured_constants)
-
 tmpdir = tempfile.mkdtemp(prefix="tmp-")
 try:
 principal = str('host/%s@%s' % (api.env.host, api.env.realm))
@@ -79,6 +77,7 @@ def main():
 principal)
 ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False)
+ ca.update_cert_config(nickname, cert, configured_constants)
 if ca.is_renewal_master():
 cainstance.update_people_entry(cert)
@@ -198,7 +197,9 @@ def main():
 # off the servlet to verify that the CA is actually up and responding so
 # when this returns it should be good-to-go. The CA was stopped in the
 # pre-save state.
- syslog.syslog(syslog.LOG_NOTICE, 'Starting %s' % dogtag_service.service_name)
+ syslog.syslog(
+ syslog.LOG_NOTICE,
+ 'Starting %s' % dogtag_service.service_name)
 try:
 dogtag_service.start(dogtag_instance)
 except Exception, e:
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
index 0b38d2c77..b791a8c74 100644
--- a/install/tools/Makefile.am
+++ b/install/tools/Makefile.am
@@ -7,6 +7,7 @@ SUBDIRS = \
 sbin_SCRIPTS = \
 ipa-ca-install \
 ipa-dns-install \
+ ipa-kra-install \
 ipa-server-install \
 ipa-adtrust-install \
 ipa-replica-conncheck \
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index fc8941248..475794bb6 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
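Review bot: Moving `update_cert_config` from before `tempfile.mkdtemp` to after the host-principal kinit inside the `try` changes when CS.cfg is updated with the renewed certificate: previously it was written unconditionally, now a failure to obtain the host ticket (or to construct `CAInstance`) means the Dogtag configuration keeps pointing at the old certificate. If the exception handling outside this hunk treats that as fatal the result may be the same, but nothing visible suggests `update_cert_config` needs Kerberos credentials, so either call `ca.update_cert_config(nickname, cert, configured_constants)` immediately after constructing `ca` but before any step that can fail for credential reasons, or add `# must follow kinit: <reason>` above the call. The body of main() continues outside this hunk.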
@@ -19,23 +19,20 @@
 #
 import sys
-import socket
-
-import os, shutil
+import os
+import shutil
 from ConfigParser import RawConfigParser
-
 from ipapython import ipautil
-from ipaserver.install import installutils, service
+from ipaserver.install import installutils
 from ipaserver.install import certs
-from ipaserver.install.installutils import (HostnameLocalhost, ReplicaConfig,
- expand_replica_info, read_replica_info, get_host_name, BadHostError,
- private_ccache, read_replica_info_dogtag_port, validate_external_cert)
+from ipaserver.install.installutils import (
+ ReplicaConfig, private_ccache, create_replica_config,
+ validate_external_cert)
 from ipaserver.install import dsinstance, cainstance, bindinstance
 from ipaserver.install.replication import replica_conn_check
 from ipapython import version
-from ipalib import api, util, certstore, x509
-from ipalib.constants import CACERT
+from ipalib import api, certstore, x509
 from ipapython.dn import DN
 from ipapython.config import IPAOptionParser
 from ipapython import sysrestore
@@ -95,8 +92,11 @@ def parse_options():
 return safe_options, options, filename
+
 def get_dirman_password():
- return installutils.read_password("Directory Manager (existing master)", confirm=False, validate=False)
+ return installutils.read_password(
+ "Directory Manager (existing master)", confirm=False, validate=False)
+
 def install_dns_records(config, options):
@@ -115,13 +115,15 @@ def install_dns_records(config, options):
 bind.add_ipa_ca_dns_records(config.host_name, config.domain_name)
 finally:
 if api.Backend.ldap2.isconnected() and disconnect:
- api.Backend.ldap2.disconnect()
+ api.Backend.ldap2.disconnect()
+
 def install_replica(safe_options, options, filename):
 standard_logging_setup(log_file_name, debug=options.debug)
- root_logger.debug('%s was invoked with argument "%s" and options: %s' % (sys.argv[0], filename, safe_options))
- root_logger.debug('IPA version %s' % version.VENDOR_VERSION)
+ root_logger.debug('%s was invoked with argument "%s" and options: %s',
+ sys.argv[0], filename, safe_options)
+ root_logger.debug('IPA version %s', version.VENDOR_VERSION)
 if not ipautil.file_exists(filename):
 sys.exit("Replica file %s does not exist" % filename)
@@ -151,38 +153,13 @@ def install_replica(safe_options, options, filename):
 sys.exit("Directory Manager password required")
 if not options.admin_password and not options.skip_conncheck and \
- options.unattended:
- sys.exit('admin password required')
+ options.unattended:
+ sys.exit('admin password required')
- try:
- top_dir, dir = expand_replica_info(filename, dirman_password)
- global REPLICA_INFO_TOP_DIR
- REPLICA_INFO_TOP_DIR = top_dir
- except Exception, e:
- print "ERROR: Failed to decrypt or open the replica file."
- print "Verify you entered the correct Directory Manager password."
- sys.exit(1)
-
- config = ReplicaConfig()
- read_replica_info(dir, config)
- config.dirman_password = dirman_password
- try:
- host = get_host_name(options.no_host_dns)
- except BadHostError, e:
- root_logger.error(str(e))
- sys.exit(1)
- if config.host_name != host:
- try:
- print "This replica was created for '%s' but this machine is named '%s'" % (config.host_name, host)
- if not ipautil.user_input("This may cause problems. Continue?", True):
- sys.exit(0)
- config.host_name = host
- print ""
- except KeyboardInterrupt:
- sys.exit(0)
- config.dir = dir
+ config = create_replica_config(dirman_password, filename, options)
+ global REPLICA_INFO_TOP_DIR
+ REPLICA_INFO_TOP_DIR = config.top_dir
 config.setup_ca = True
- config.ca_ds_port = read_replica_info_dogtag_port(config.dir)
 if not ipautil.file_exists(config.dir + "/cacert.p12"):
 print 'CA cannot be installed in CA-less setup.'
@@ -206,7 +183,7 @@ def install_replica(safe_options, options, filename):
 ipautil.realm_to_suffix(config.realm_name))
 # This is done within stopped_service context, which restarts CA
- CA.enable_client_auth_to_db()
+ CA.enable_client_auth_to_db(CA.dogtag_constants.CS_CFG_PATH)
 # Install CA DNS records
 install_dns_records(config, options)
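Review bot: The removed block in this tool defaulted the `This may cause problems. Continue?` prompt to True (proceed on hostname mismatch), whereas the equivalent block removed from ipa-replica-install later in this diff defaulted it to False; both now call `create_replica_config(dirman_password, filename, options)`, so one of the two tools has silently changed its interactive default, and which one is not visible here. Confirm the helper uses the conservative default (False) for both, and say so in the commit message or with `# create_replica_config prompts on hostname mismatch; default answer is No` above the call. The `ERROR: Failed to decrypt or open the replica file.` handling was also folded into the helper; it should still exit non-zero on a bad Directory Manager password rather than propagate a traceback. install_replica() continues outside this hunk.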
@@ -225,12 +202,13 @@ def install_replica(safe_options, options, filename):
 root_logger.error(str(e))
 sys.exit(1)
+
 def install_master(safe_options, options):
 standard_logging_setup(paths.IPASERVER_CA_INSTALL_LOG, debug=options.debug)
 root_logger.debug(
- "%s was invoked with options: %s" % (sys.argv[0], safe_options))
- root_logger.debug("IPA version %s" % version.VENDOR_VERSION)
+ "%s was invoked with options: %s", sys.argv[0], safe_options)
+ root_logger.debug("IPA version %s", version.VENDOR_VERSION)
 global sstore
 sstore = sysrestore.StateFile(paths.SYSRESTORE)
@@ -316,7 +294,8 @@ def install_master(safe_options, options):
 "cannot continue." % (subject, db.secdir))
 sys.exit(1)
- ca = cainstance.CAInstance(realm_name, certs.NSS_DIR,
+ ca = cainstance.CAInstance(
+ realm_name, certs.NSS_DIR,
 dogtag_constants=dogtag.install_constants)
 ca.create_ra_agent_db = False
 if external == 0:
@@ -338,7 +317,7 @@ def install_master(safe_options, options):
 ca.ldap_enable('CA', host_name, dm_password,
 ipautil.realm_to_suffix(realm_name),
 ['caRenewalMaster'])
- ca.enable_client_auth_to_db()
+ ca.enable_client_auth_to_db(ca.dogtag_constants.CS_CFG_PATH)
 # Install CA DNS records
 config = ReplicaConfig()
@@ -396,6 +375,7 @@ def install_master(safe_options, options):
 ca.start(ca.dogtag_constants.PKI_INSTANCE_NAME)
+
 def main():
 safe_options, options, filename = parse_options()
@@ -416,8 +396,8 @@ if __name__ == '__main__':
 try:
 with private_ccache():
 installutils.run_script(main, log_file_name=log_file_name,
- operation_name='ipa-ca-install',
- fail_message=fail_message)
+ operation_name='ipa-ca-install',
+ fail_message=fail_message)
 finally:
 # always try to remove decrypted replica file
 try:
diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index 5e191974b..c9ea63ce3 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -32,6 +32,7 @@ from ipalib import api, errors, util
 from ipaplatform.paths import paths
 from ipapython.config import IPAOptionParser
 from ipapython.ipa_log_manager import standard_logging_setup, root_logger
+from ipapython.ipautil import DN
 log_file_name = paths.IPASERVER_INSTALL_LOG
diff --git a/install/tools/ipa-kra-install b/install/tools/ipa-kra-install
new file mode 100644
index 000000000..bc92d26fe
--- /dev/null
+++ b/install/tools/ipa-kra-install
@@ -0,0 +1,23 @@
+#! /usr/bin/python2 -E
+# Authors: Ade Lee <alee@redhat.com>
+#
+# Copyright (C) 2014 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+from ipaserver.install.ipa_kra_install import KRAInstall
+
+KRAInstall.run_cli()
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index eca73441b..7c9e27e2b 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
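Review bot: `from ipapython.ipautil import DN` pulls DN through whatever ipautil happens to re-export rather than from its defining module; the other files in this change (renew_ca_cert, ipa-ca-install) use `from ipapython.dn import DN`, and relying on the re-export will break silently if ipautil stops importing it. Change the added line to `from ipapython.dn import DN`. Whether DN is actually used anywhere in ipa-dns-install is not visible in this hunk.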
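Review bot: The new script runs `KRAInstall.run_cli()` at module level with no `if __name__ == '__main__':` guard, unlike the sibling tools (ipa-ca-install's entry point is visible under `@@ -416,8 +396,8 @@ if __name__ == '__main__':`), so merely importing it, e.g. from a test harness or pylint's checks driven by the `PY_EXPLICIT_FILES` list this commit adds it to, would start a KRA installation. Also the file is created with mode 100644 while every other sbin tool in the diffstat is 100755; automake's `sbin_SCRIPTS` installs it with a script mode, but the in-tree copy cannot be executed directly. Wrap the call as `if __name__ == '__main__':` / `    KRAInstall.run_cli()` and add the executable bit to the file.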
@@ -36,12 +36,12 @@ from ipaserver.install import bindinstance, httpinstance, ntpinstance
 from ipaserver.install import memcacheinstance
 from ipaserver.install import otpdinstance
 from ipaserver.install.replication import replica_conn_check, ReplicationManager
-from ipaserver.install.installutils import (ReplicaConfig, expand_replica_info,
- read_replica_info, get_host_name, BadHostError, private_ccache,
- read_replica_info_dogtag_port)
+from ipaserver.install.installutils import (
+ create_replica_config, read_replica_info_kra_enabled, private_ccache)
 from ipaserver.plugins.ldap2 import ldap2
 from ipaserver.install import cainstance
-from ipalib import api, errors, util, x509, certstore
+from ipaserver.install import krainstance
+from ipalib import api, errors, util, certstore, x509
 from ipalib.constants import CACERT
 from ipapython import version
 from ipapython.config import IPAOptionParser
@@ -55,8 +55,8 @@ from ipaplatform import services
 from ipaplatform.paths import paths
 log_file_name = paths.IPAREPLICA_INSTALL_LOG
-REPLICA_INFO_TOP_DIR = None
 DIRMAN_DN = DN(('cn', 'directory manager'))
+REPLICA_INFO_TOP_DIR = None
 def parse_options():
 usage = "%prog [options] REPLICA_FILE"
@@ -65,6 +65,8 @@ def parse_options():
 basic_group = OptionGroup(parser, "basic options")
 basic_group.add_option("--setup-ca", dest="setup_ca", action="store_true",
 default=False, help="configure a dogtag CA")
+ basic_group.add_option("--setup-kra", dest="setup_kra", action="store_true",
+ default=False, help="configure a dogtag KRA")
 basic_group.add_option("--ip-address", dest="ip_address", type="ip", ip_local=True,
 help="Replica server IP Address")
@@ -206,6 +208,7 @@ def install_krb(config, setup_pkinit=False):
 return krb
+
 def install_ca_cert(ldap, base_dn, realm, cafile):
 try:
 try:
@@ -508,44 +511,24 @@ def main():
 if dirman_password is None:
 sys.exit("Directory Manager password required")
- try:
- top_dir, dir = expand_replica_info(filename, dirman_password)
- global REPLICA_INFO_TOP_DIR
- REPLICA_INFO_TOP_DIR = top_dir
- except Exception, e:
- print "ERROR: Failed to decrypt or open the replica file."
- print "Verify you entered the correct Directory Manager password."
- sys.exit(1)
-
- config = ReplicaConfig()
- read_replica_info(dir, config)
- root_logger.debug('Installing replica file with version %d (0 means no version in prepared file).' % config.version)
- if config.version and config.version > version.NUM_VERSION:
- root_logger.error('A replica file from a newer release (%d) cannot be installed on an older version (%d)' % (config.version, version.NUM_VERSION))
- sys.exit(1)
- config.dirman_password = dirman_password
- try:
- host = get_host_name(options.no_host_dns)
- except BadHostError, e:
- root_logger.error(str(e))
- sys.exit(1)
- if config.host_name != host:
- try:
- print "This replica was created for '%s' but this machine is named '%s'" % (config.host_name, host)
- if not ipautil.user_input("This may cause problems. Continue?", False):
- sys.exit(0)
- config.host_name = host
- print ""
- except KeyboardInterrupt:
- sys.exit(0)
- config.dir = dir
+ config = create_replica_config(dirman_password, filename, options)
+ global REPLICA_INFO_TOP_DIR
+ REPLICA_INFO_TOP_DIR = config.top_dir
 config.setup_ca = options.setup_ca
- config.ca_ds_port = read_replica_info_dogtag_port(config.dir)
 if config.setup_ca and not ipautil.file_exists(config.dir + "/cacert.p12"):
 print 'CA cannot be installed in CA-less setup.'
 sys.exit(1)
+ config.setup_kra = options.setup_kra
+ if config.setup_kra:
+ if not config.setup_ca:
+ print "CA must be installed with the KRA"
+ sys.exit(1)
+ if not read_replica_info_kra_enabled(config.dir):
+ print "KRA is not installed on the master system"
+ sys.exit(1)
+
 installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
 # check connection
@@ -579,6 +562,9 @@ def main():
 else:
 fd.write("enable_ra=False\n")
 fd.write("ra_plugin=none\n")
+
+ fd.write("enable_kra=%s\n" % config.setup_kra)
+
 fd.write("mode=production\n")
 fd.close()
 finally:
@@ -611,7 +597,7 @@ def main():
 # Check that we don't already have a replication agreement
 try:
- (agreement_cn, agreement_dn) = replman.agreement_dn(host)
+ (agreement_cn, agreement_dn) = replman.agreement_dn(config.host_name)
 entry = conn.get_entry(agreement_dn, ['*'])
 except errors.NotFound:
 pass
@@ -621,20 +607,20 @@ def main():
 print ('A replication agreement for this host already exists. '
 'It needs to be removed.')
 print "Run this on the master that generated the info file:"
- print " %% ipa-replica-manage del %s --force" % host
+ print " %% ipa-replica-manage del %s --force" % config.host_name
 exit(3)
 # Check pre-existing host entry
 try:
- entry = conn.find_entries(u'fqdn=%s' % host, ['fqdn'], DN(api.env.container_host, api.env.basedn))
+ entry = conn.find_entries(u'fqdn=%s' % config.host_name, ['fqdn'], DN(api.env.container_host, api.env.basedn))
 except errors.NotFound:
 pass
 else:
 root_logger.info(
- 'Error: Host %s already exists on the master server.' % host)
- print 'The host %s already exists on the master server.' % host
+ 'Error: Host %s already exists on the master server.' % config.host_name)
+ print 'The host %s already exists on the master server.' % config.host_name
 print "You should remove it before proceeding:"
- print " %% ipa host-del %s" % host
+ print " %% ipa host-del %s" % config.host_name
 exit(3)
 # Install CA cert so that we can do SSL connections with ldap
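Review bot: The removed block logged the replica file version and refused a file produced by a newer release (`config.version > version.NUM_VERSION`); the replacement `create_replica_config(dirman_password, filename, options)` is not visible here, so confirm that check, and the `Failed to decrypt or open the replica file` exit, moved into the helper rather than being dropped. The new `--setup-kra` validation only runs when the flag is given, which is fine, but `CA must be installed with the KRA` depends on nothing but the two options and could be rejected at option-parsing time instead of after the Directory Manager password has been prompted for and the replica file decrypted. Consider moving that test next to `parse_options()` and leaving only the `read_replica_info_kra_enabled(config.dir)` check here. main() continues outside this hunk.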
@@ -694,7 +680,7 @@ def main():
 ipautil.realm_to_suffix(config.realm_name))
 # This is done within stopped_service context, which restarts CA
- CA.enable_client_auth_to_db()
+ CA.enable_client_auth_to_db(CA.dogtag_constants.CS_CFG_PATH)
 krb = install_krb(config, setup_pkinit=options.setup_pkinit)
 http = install_http(config, auto_redirect=options.ui_redirect)
@@ -705,7 +691,7 @@ def main():
 if CA:
 CA.configure_certmonger_renewal()
- CA.import_ra_cert(dir + "/ra.p12")
+ CA.import_ra_cert(config.dir + "/ra.p12")
 CA.fix_ra_perms()
 services.knownservices.httpd.restart()
@@ -717,9 +703,14 @@ def main():
 service.print_msg("Applying LDAP updates")
 ds.apply_updates()
- # Restart ds and krb after configurations have been changed
- service.print_msg("Restarting the directory server")
- ds.restart()
+ if options.setup_kra:
+ kra = krainstance.install_replica_kra(config)
+ service.print_msg("Restarting the directory server")
+ ds.restart()
+ kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
+ else:
+ service.print_msg("Restarting the directory server")
+ ds.restart()
 service.print_msg("Restarting the KDC")
 krb.restart()
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index a54725458..6e77b434a 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -3,7 +3,7 @@
 # Simo Sorce <ssorce@redhat.com>
 # Rob Crittenden <rcritten@redhat.com>
 #
-# Copyright (C) 2007-2010 Red Hat
+# Copyright (C) 2007-2014 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -53,6 +53,7 @@ from ipaserver.install import httpinstance
 from ipaserver.install import ntpinstance
 from ipaserver.install import certs
 from ipaserver.install import cainstance
+from ipaserver.install import krainstance
 from ipaserver.install import memcacheinstance
 from ipaserver.install import otpdinstance
 from ipaserver.install import sysupgrade
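Review bot: In the `@@ -717,9 +703,14 @@` hunk the `Restarting the directory server` message and `ds.restart()` are duplicated in both branches of the new `if options.setup_kra:`, and the explanatory comment `# Restart ds and krb after configurations have been changed` was dropped; the only thing that actually depends on the flag is installing the KRA before the restart and enabling its client auth after it. Restructure so the restart is unconditional and the comment survives, as below. Note that the KRA path has no `service.print_msg` for the client-auth step, unlike the master install in ipa-server-install. main() continues outside this hunk.
```python
    if options.setup_kra:
        kra = krainstance.install_replica_kra(config)

    # Restart ds and krb after configurations have been changed
    service.print_msg("Restarting the directory server")
    ds.restart()

    if options.setup_kra:
        # done within stopped_service context, which restarts the KRA
        kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
    # … unchanged: KDC restart …
```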
@@ -520,11 +521,20 @@ def uninstall():
 dogtag_constants=dogtag_constants)
 if cads_instance.is_configured():
 cads_instance.uninstall()
- cainstance.stop_tracking_certificates(dogtag_constants)
+
+ kra_instance = krainstance.KRAInstance(
+ api.env.realm, dogtag_constants=dogtag_constants)
+ kra_instance.stop_tracking_certificates(dogtag_constants)
+ if kra_instance.is_installed():
+ kra_instance.uninstall()
+
 ca_instance = cainstance.CAInstance(
 api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants)
+ ca_instance.stop_tracking_certificates(dogtag_constants)
+ ca_instance.stop_tracking_agent_certificate(dogtag_constants)
 if ca_instance.is_configured():
 ca_instance.uninstall()
+
 bindinstance.BindInstance(fstore).uninstall()
 httpinstance.HTTPInstance(fstore).uninstall()
 krbinstance.KrbInstance(fstore).uninstall()
@@ -757,8 +767,13 @@ def main():
 # We only set up the CA if the PKCS#12 options are not given.
 if options.dirsrv_pkcs12:
 setup_ca = False
+ setup_kra = False
 else:
 setup_ca = True
+ # setup_kra is set to False until Dogtag 10.2 is available for IPA to consume
+ # Until then users that want to install the KRA need to use ipa-install-kra
+ # TODO set setup_kra = True when Dogtag 10.2 is available
+ setup_kra = False
 # Figure out what external CA step we're in. See cainstance.py for more
 # info on the 3 states.
@@ -775,6 +790,8 @@ def main():
 print "This includes:"
 if setup_ca:
 print " * Configure a stand-alone CA (dogtag) for certificate management"
+ if setup_kra:
+ print " * Configure a stand-alone KRA (dogtag) for key storage"
 if options.conf_ntp:
 print " * Configure the Network Time Daemon (ntpd)"
 print " * Create and configure an instance of Directory Server"
@@ -1021,6 +1038,7 @@ def main():
 else:
 fd.write("enable_ra=False\n")
 fd.write("ra_plugin=none\n")
+ fd.write("enable_kra=%s\n" % setup_kra)
 fd.write("mode=production\n")
 fd.close()
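Review bot: `kra_instance.stop_tracking_certificates(dogtag_constants)` runs before `kra_instance.is_installed()` is checked, and both `ca_instance.stop_tracking_*` calls run before `is_configured()`, so uninstall now asks certmonger to drop tracking for subsystems that may never have been installed (a CA-less server, or every server until `setup_kra` stops being hard-wired to False); whether those methods tolerate a missing tracking request is not visible here. Either guard them, `if kra_instance.is_installed():` / `    kra_instance.stop_tracking_certificates(dogtag_constants)` / `    kra_instance.uninstall()`, or if they are deliberately unconditional to clean up partially installed instances, say so in a comment above the first call. The KRA is tested with `is_installed()` while the CA uses `is_configured()`; worth confirming the two predicates mean the same thing. uninstall() continues outside this hunk.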
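Review bot: The comment added above `setup_kra = False` in the `@@ -757,8 +767,13 @@` hunk tells users to run `ipa-install-kra`, but the tool this commit adds (Makefile.am, ipa-kra-install) is `ipa-kra-install`; change the line to `# Until then users that want to install the KRA need to use ipa-kra-install`. Since this is a user-visible instruction it will be copied into documentation if left as is. The `TODO` would also benefit from naming the tracking ticket so the flag is not forgotten once Dogtag 10.2 ships.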
@@ -1122,7 +1140,7 @@ def main():
 ipautil.realm_to_suffix(realm_name),
 ['caRenewalMaster'])
 # This is done within stopped_service context, which restarts CA
- ca.enable_client_auth_to_db()
+ ca.enable_client_auth_to_db(ca.dogtag_constants.CS_CFG_PATH)
 krb = krbinstance.KrbInstance(fstore)
 if options.pkinit_pkcs12:
@@ -1204,6 +1222,20 @@ def main():
 service.print_msg("Restarting the web server")
 http.restart()
+ if setup_kra:
+ kra = krainstance.KRAInstance(realm_name,
+ dogtag_constants=dogtag.install_constants)
+ kra.configure_instance(host_name, domain_name, dm_password,
+ dm_password, subject_base=options.subject)
+
+ # This is done within stopped_service context, which restarts KRA
+ service.print_msg("Restarting the directory server")
+ ds.restart()
+
+ service.print_msg("Enabling KRA to authenticate with the database "
+ "using client certificates")
+ kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
+
 # Set the admin user kerberos password
 ds.change_admin_password(admin_password)
@@ -1256,9 +1288,11 @@ def main():
 print ""
 if setup_ca:
- print "Be sure to back up the CA certificate stored in /root/cacert.p12"
- print "This file is required to create replicas. The password for this"
- print "file is the Directory Manager password"
+ print "Be sure to back up the CA certificates stored in " + paths.CACERT_P12
+ if setup_kra:
+ print "and the KRA certificates stored in " + paths.KRACERT_P12
+ print "These files are required to create replicas. The password for these"
+ print "files is the Directory Manager password"
 else:
 print "In order for Firefox autoconfiguration to work you will need to"
 print "use a SSL signing certificate. See the IPA documentation for more details."
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index adf6c8d84..9c9de033c 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
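Review bot: In the `@@ -1204,6 +1222,20 @@` hunk the comment `# This is done within stopped_service context, which restarts KRA` sits above `ds.restart()`, but it was copied from the CA path earlier in this file where it annotates `enable_client_auth_to_db`; here it describes the wrong line, so move it directly above `kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)`. `kra.configure_instance(host_name, domain_name, dm_password, dm_password, ...)` passes the Directory Manager password in two positions; the second is presumably the Dogtag admin password, and a one-line comment saying that the KRA admin password is deliberately set to the DM password would stop a reader from assuming a copy-paste slip. The whole block is currently unreachable because `setup_kra` is hard-wired to False in the `@@ -757` hunk, so it will not have been exercised by this commit. main() continues outside this hunk.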
@@ -537,12 +537,15 @@ def named_update_gssapi_configuration():
 return False
 try:
- bindinstance.named_conf_set_directive('tkey-gssapi-credential', None,
- bindinstance.NAMED_SECTION_OPTIONS)
- bindinstance.named_conf_set_directive('tkey-domain', None,
- bindinstance.NAMED_SECTION_OPTIONS)
- bindinstance.named_conf_set_directive('tkey-gssapi-keytab', paths.NAMED_KEYTAB,
- bindinstance.NAMED_SECTION_OPTIONS)
+ bindinstance.named_conf_set_directive(
+ 'tkey-gssapi-credential', None,
+ bindinstance.NAMED_SECTION_OPTIONS)
+ bindinstance.named_conf_set_directive(
+ 'tkey-domain', None,
+ bindinstance.NAMED_SECTION_OPTIONS)
+ bindinstance.named_conf_set_directive(
+ 'tkey-gssapi-keytab', paths.NAMED_KEYTAB,
+ bindinstance.NAMED_SECTION_OPTIONS)
 except IOError, e:
 root_logger.error('Cannot update GSSAPI configuration in %s: %s',
 bindinstance.NAMED_CONF, e)
@@ -553,6 +556,7 @@ def named_update_gssapi_configuration():
 sysupgrade.set_upgrade_state('named.conf', 'gssapi_updated', True)
 return True
+
 def named_update_pid_file():
 """
 Make sure that named reads the pid file from the right file
@@ -723,7 +727,7 @@ def certificate_renewal_update(ca):
 # Ok, now we need to stop tracking, then we can start tracking them
 # again with new configuration:
- cainstance.stop_tracking_certificates(dogtag_constants)
+ ca.stop_tracking_certificates(dogtag_constants)
 if not sysupgrade.get_upgrade_state('dogtag', 'certificate_renewal_update_1'):
@@ -884,71 +888,9 @@ def add_ca_dns_records():
 def find_subject_base():
 """
 Try to find the current value of certificate subject base.
- 1) Look in sysupgrade first
- 2) If no value is found there, look in DS (start DS if necessary)
- 3) Last resort, look in the certmap.conf itself
- 4) If all fails, log loudly and return None
+ See the docstring in dsinstance.DsInstance for details.
 """
- root_logger.debug('Trying to find certificate subject base in sysupgrade')
- subject_base = sysupgrade.get_upgrade_state('certmap.conf', 'subject_base')
-
- if subject_base:
- root_logger.debug(
- 'Found certificate subject base in sysupgrade: %s',
- subject_base
- )
- return subject_base
-
- root_logger.debug('Unable to find certificate subject base in sysupgrade')
- root_logger.debug('Trying to find certificate subject base in DS')
-
- ds_is_running = services.knownservices.dirsrv.is_running()
- if not ds_is_running:
- try:
- services.knownservices.dirsrv.start()
- except ipautil.CalledProcessError as e:
- root_logger.error('Cannot start DS to find certificate '
- 'subject base: %s', e)
- else:
- ds_is_running = True
-
- if ds_is_running:
- try:
- api.Backend.ldap2.connect(autobind=True)
- except ipalib.errors.PublicError, e:
- root_logger.error('Cannot connect to DS to find certificate '
- 'subject base: %s', e)
- else:
- ret = api.Command['config_show']()
- api.Backend.ldap2.disconnect()
- subject_base = str(ret['result']['ipacertificatesubjectbase'][0])
- root_logger.debug(
- 'Found certificate subject base in DS: %s',
- subject_base
- )
-
- if not subject_base:
- root_logger.debug('Unable to find certificate subject base in DS')
- root_logger.debug('Trying to find certificate subject base in '
- 'certmap.conf')
-
- certmap_dir = dsinstance.config_dirname(
- dsinstance.realm_to_serverid(api.env.realm)
- )
- try:
- with open(os.path.join(certmap_dir, 'certmap.conf')) as f:
- for line in f:
- if line.startswith('certmap ipaca'):
- subject_base = line.strip().split(',')[-1]
- root_logger.debug(
- 'Found certificate subject base in certmap.conf: '
- '%s',
- subject_base
- )
-
- except IOError as e:
- root_logger.error('Cannot open certmap.conf to find certificate '
- 'subject base: %s', e.strerror)
+ subject_base = dsinstance.DsInstance().find_subject_base()
 if subject_base:
 sysupgrade.set_upgrade_state(
@@ -958,8 +900,6 @@ def find_subject_base():
 )
 return subject_base
- root_logger.debug('Unable to find certificate subject base in '
- 'certmap.conf')
 root_logger.error('Unable to determine certificate subject base. '
 'certmap.conf will not be updated.')
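Review bot: The removed implementation started the directory server when it was not running before querying it, and then fell back to parsing certmap.conf; the replacement `dsinstance.DsInstance().find_subject_base()` is not visible here, so confirm it preserves the start-DS fallback, otherwise an upgrade run while DS is stopped will log `Unable to determine certificate subject base` and leave certmap.conf unchanged. The new docstring `See the docstring in dsinstance.DsInstance for details.` points at the class rather than the method; `See dsinstance.DsInstance.find_subject_base() for the lookup order.` is more precise. The `@@ -958` hunk also drops the last `root_logger.debug(...)` before the error, so the failure path no longer records which sources were tried unless the helper logs that itself. find_subject_base() continues past the end of the first hunk.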