Diffstat (limited to 'install')
-rw-r--r--install/conf/ipa-pki-proxy.conf6
-rw-r--r--install/po/Makefile.in1
-rw-r--r--install/restart_scripts/renew_ca_cert11
-rw-r--r--install/tools/Makefile.am1
-rwxr-xr-xinstall/tools/ipa-ca-install82
-rwxr-xr-xinstall/tools/ipa-dns-install1
-rw-r--r--install/tools/ipa-kra-install23
-rwxr-xr-xinstall/tools/ipa-replica-install87
-rwxr-xr-xinstall/tools/ipa-server-install46
-rw-r--r--install/tools/ipa-upgradeconfig86
10 files changed, 158 insertions, 186 deletions
diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
index 224cdd45b..57175390b 100644
--- a/install/conf/ipa-pki-proxy.conf
+++ b/install/conf/ipa-pki-proxy.conf
@@ -1,4 +1,4 @@
-# VERSION 4 - DO NOT REMOVE THIS LINE
+# VERSION 5 - DO NOT REMOVE THIS LINE
ProxyRequests Off
@@ -11,7 +11,7 @@ ProxyRequests Off
</LocationMatch>
# matches for admin port and installer
-<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken|^/ca/admin/ca/updateNumberRange|^/ca/rest/securityDomain/domainInfo|^/ca/rest/account/login|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/rest/account/logout|^/ca/rest/securityDomain/installToken">
+<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken|^/ca/admin/ca/updateNumberRange|^/ca/rest/securityDomain/domainInfo|^/ca/rest/account/login|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/rest/account/logout|^/ca/rest/securityDomain/installToken|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries|^/kra/rest/config/cert/transport">
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
NSSVerifyClient none
ProxyPassMatch ajp://localhost:$DOGTAG_PORT
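Review bot: The new KRA paths (`^/kra/admin/kra/updateNumberRange`, `^/kra/admin/kra/getConfigEntries`, `^/kra/rest/config/cert/transport`) and the new CA entries (`updateConnector`, `getSubsystemCert`) are added to the LocationMatch that sets `NSSVerifyClient none`, so the proxy forwards them to Dogtag without requiring a client certificate and access control for these admin/installer servlets rests entirely on Dogtag's own authentication. That is consistent with the CA admin entries already in this block, but nothing in the file says why these endpoints belong there; a comment such as `# installer/security-domain endpoints: authenticated by Dogtag itself, no client cert required` above the match would record the reasoning for the next reviewer. The alternation also still lists `^/ca/admin/ca/updateNumberRange` twice (pre-existing), which can be dropped. Since each alternative is only prefix-anchored, longer paths under these prefixes are matched as well, presumably intended as for the existing entries.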
@@ -19,7 +19,7 @@ ProxyRequests Off
</LocationMatch>
# matches for agent port and eeca port
-<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
+<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/kra/agent/kra/connector|^/kra/rest/agent/keyrequests|^/kra/rest/agent/keys|^/kra/rest/admin/kraconnector/remove">
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
NSSVerifyClient require
ProxyPassMatch ajp://localhost:$DOGTAG_PORT
diff --git a/install/po/Makefile.in b/install/po/Makefile.in
index 6dca615c1..de711dffb 100644
--- a/install/po/Makefile.in
+++ b/install/po/Makefile.in
@@ -47,6 +47,7 @@ PY_EXPLICIT_FILES = \
install/tools/ipa-csreplica-manage \
install/tools/ipactl \
install/tools/ipa-dns-install \
+ install/tools/ipa-kra-install \
install/tools/ipa-ldap-updater \
install/tools/ipa-managed-entries \
install/tools/ipa-nis-manage \
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 2ad203870..a205b0e36 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -21,13 +21,12 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import sys
-import os
import syslog
import tempfile
import shutil
import traceback
-from ipapython import dogtag, certmonger, ipautil
+from ipapython import dogtag, ipautil
from ipapython.dn import DN
from ipalib import api, errors, x509, certstore
from ipaserver.install import certs, cainstance, installutils
@@ -35,6 +34,7 @@ from ipaserver.plugins.ldap2 import ldap2
from ipaplatform import services
from ipaplatform.paths import paths
+
def main():
nickname = sys.argv[1]
@@ -70,8 +70,6 @@ def main():
syslog.syslog(syslog.LOG_ERR, 'No certificate %s found.' % nickname)
sys.exit(1)
- cainstance.update_cert_config(nickname, cert, configured_constants)
-
tmpdir = tempfile.mkdtemp(prefix="tmp-")
try:
principal = str('host/%s@%s' % (api.env.host, api.env.realm))
@@ -79,6 +77,7 @@ def main():
principal)
ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False)
+ ca.update_cert_config(nickname, cert, configured_constants)
if ca.is_renewal_master():
cainstance.update_people_entry(cert)
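Review bot: Moving `update_cert_config` from before the `tmpdir` block to after `CAInstance(...)` inside the `try:` also places it behind the `host/...` principal and ccache setup on the preceding lines, so a failure there now skips updating the CA's certificate configuration, whereas previously the config was updated before any Kerberos work. If that ordering is deliberate (the instance method presumably needs instance state), a short comment above the call, e.g. `# needs a CAInstance, so it runs after the ccache is set up and before the renewal-master check`, would make it clear. The body of `main()` and its exception handling continue outside this hunk, so I cannot see whether a failure at this point is logged before exit.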
@@ -198,7 +197,9 @@ def main():
# off the servlet to verify that the CA is actually up and responding so
# when this returns it should be good-to-go. The CA was stopped in the
# pre-save state.
- syslog.syslog(syslog.LOG_NOTICE, 'Starting %s' % dogtag_service.service_name)
+ syslog.syslog(
+ syslog.LOG_NOTICE,
+ 'Starting %s' % dogtag_service.service_name)
try:
dogtag_service.start(dogtag_instance)
except Exception, e:
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
index 0b38d2c77..b791a8c74 100644
--- a/install/tools/Makefile.am
+++ b/install/tools/Makefile.am
@@ -7,6 +7,7 @@ SUBDIRS = \
sbin_SCRIPTS = \
ipa-ca-install \
ipa-dns-install \
+ ipa-kra-install \
ipa-server-install \
ipa-adtrust-install \
ipa-replica-conncheck \
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index fc8941248..475794bb6 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -19,23 +19,20 @@
#
import sys
-import socket
-
-import os, shutil
+import os
+import shutil
from ConfigParser import RawConfigParser
-
from ipapython import ipautil
-from ipaserver.install import installutils, service
+from ipaserver.install import installutils
from ipaserver.install import certs
-from ipaserver.install.installutils import (HostnameLocalhost, ReplicaConfig,
- expand_replica_info, read_replica_info, get_host_name, BadHostError,
- private_ccache, read_replica_info_dogtag_port, validate_external_cert)
+from ipaserver.install.installutils import (
+ ReplicaConfig, private_ccache, create_replica_config,
+ validate_external_cert)
from ipaserver.install import dsinstance, cainstance, bindinstance
from ipaserver.install.replication import replica_conn_check
from ipapython import version
-from ipalib import api, util, certstore, x509
-from ipalib.constants import CACERT
+from ipalib import api, certstore, x509
from ipapython.dn import DN
from ipapython.config import IPAOptionParser
from ipapython import sysrestore
@@ -95,8 +92,11 @@ def parse_options():
return safe_options, options, filename
+
def get_dirman_password():
- return installutils.read_password("Directory Manager (existing master)", confirm=False, validate=False)
+ return installutils.read_password(
+ "Directory Manager (existing master)", confirm=False, validate=False)
+
def install_dns_records(config, options):
@@ -115,13 +115,15 @@ def install_dns_records(config, options):
bind.add_ipa_ca_dns_records(config.host_name, config.domain_name)
finally:
if api.Backend.ldap2.isconnected() and disconnect:
- api.Backend.ldap2.disconnect()
+ api.Backend.ldap2.disconnect()
+
def install_replica(safe_options, options, filename):
standard_logging_setup(log_file_name, debug=options.debug)
- root_logger.debug('%s was invoked with argument "%s" and options: %s' % (sys.argv[0], filename, safe_options))
- root_logger.debug('IPA version %s' % version.VENDOR_VERSION)
+ root_logger.debug('%s was invoked with argument "%s" and options: %s',
+ sys.argv[0], filename, safe_options)
+ root_logger.debug('IPA version %s', version.VENDOR_VERSION)
if not ipautil.file_exists(filename):
sys.exit("Replica file %s does not exist" % filename)
@@ -151,38 +153,13 @@ def install_replica(safe_options, options, filename):
sys.exit("Directory Manager password required")
if not options.admin_password and not options.skip_conncheck and \
- options.unattended:
- sys.exit('admin password required')
+ options.unattended:
+ sys.exit('admin password required')
- try:
- top_dir, dir = expand_replica_info(filename, dirman_password)
- global REPLICA_INFO_TOP_DIR
- REPLICA_INFO_TOP_DIR = top_dir
- except Exception, e:
- print "ERROR: Failed to decrypt or open the replica file."
- print "Verify you entered the correct Directory Manager password."
- sys.exit(1)
-
- config = ReplicaConfig()
- read_replica_info(dir, config)
- config.dirman_password = dirman_password
- try:
- host = get_host_name(options.no_host_dns)
- except BadHostError, e:
- root_logger.error(str(e))
- sys.exit(1)
- if config.host_name != host:
- try:
- print "This replica was created for '%s' but this machine is named '%s'" % (config.host_name, host)
- if not ipautil.user_input("This may cause problems. Continue?", True):
- sys.exit(0)
- config.host_name = host
- print ""
- except KeyboardInterrupt:
- sys.exit(0)
- config.dir = dir
+ config = create_replica_config(dirman_password, filename, options)
+ global REPLICA_INFO_TOP_DIR
+ REPLICA_INFO_TOP_DIR = config.top_dir
config.setup_ca = True
- config.ca_ds_port = read_replica_info_dogtag_port(config.dir)
if not ipautil.file_exists(config.dir + "/cacert.p12"):
print 'CA cannot be installed in CA-less setup.'
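Review bot: The removed inline code asked `This may cause problems. Continue?` with a default of `True` here, while the equivalent removed block in ipa-replica-install defaulted to `False`; both now go through `create_replica_config(dirman_password, filename, options)`, so one of the two tools has silently changed its interactive default. The helper is also now responsible for the friendly "Failed to decrypt or open the replica file" message and for the `config.ca_ds_port = read_replica_info_dogtag_port(config.dir)` assignment that this hunk deletes, which is worth confirming since later code in this script presumably still reads `ca_ds_port`. A one-line comment above the call, `# decrypts the replica file, validates the host name and fills ca_ds_port; see installutils.create_replica_config`, would document the contract this script now relies on. `global REPLICA_INFO_TOP_DIR` now sits mid-function after other statements; moving it to the top of `install_replica` is the conventional style. `install_replica()` continues outside this hunk.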
@@ -206,7 +183,7 @@ def install_replica(safe_options, options, filename):
ipautil.realm_to_suffix(config.realm_name))
# This is done within stopped_service context, which restarts CA
- CA.enable_client_auth_to_db()
+ CA.enable_client_auth_to_db(CA.dogtag_constants.CS_CFG_PATH)
# Install CA DNS records
install_dns_records(config, options)
@@ -225,12 +202,13 @@ def install_replica(safe_options, options, filename):
root_logger.error(str(e))
sys.exit(1)
+
def install_master(safe_options, options):
standard_logging_setup(paths.IPASERVER_CA_INSTALL_LOG, debug=options.debug)
root_logger.debug(
- "%s was invoked with options: %s" % (sys.argv[0], safe_options))
- root_logger.debug("IPA version %s" % version.VENDOR_VERSION)
+ "%s was invoked with options: %s", sys.argv[0], safe_options)
+ root_logger.debug("IPA version %s", version.VENDOR_VERSION)
global sstore
sstore = sysrestore.StateFile(paths.SYSRESTORE)
@@ -316,7 +294,8 @@ def install_master(safe_options, options):
"cannot continue." % (subject, db.secdir))
sys.exit(1)
- ca = cainstance.CAInstance(realm_name, certs.NSS_DIR,
+ ca = cainstance.CAInstance(
+ realm_name, certs.NSS_DIR,
dogtag_constants=dogtag.install_constants)
ca.create_ra_agent_db = False
if external == 0:
@@ -338,7 +317,7 @@ def install_master(safe_options, options):
ca.ldap_enable('CA', host_name, dm_password,
ipautil.realm_to_suffix(realm_name), ['caRenewalMaster'])
- ca.enable_client_auth_to_db()
+ ca.enable_client_auth_to_db(ca.dogtag_constants.CS_CFG_PATH)
# Install CA DNS records
config = ReplicaConfig()
@@ -396,6 +375,7 @@ def install_master(safe_options, options):
ca.start(ca.dogtag_constants.PKI_INSTANCE_NAME)
+
def main():
safe_options, options, filename = parse_options()
@@ -416,8 +396,8 @@ if __name__ == '__main__':
try:
with private_ccache():
installutils.run_script(main, log_file_name=log_file_name,
- operation_name='ipa-ca-install',
- fail_message=fail_message)
+ operation_name='ipa-ca-install',
+ fail_message=fail_message)
finally:
# always try to remove decrypted replica file
try:
diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index 5e191974b..c9ea63ce3 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -32,6 +32,7 @@ from ipalib import api, errors, util
from ipaplatform.paths import paths
from ipapython.config import IPAOptionParser
from ipapython.ipa_log_manager import standard_logging_setup, root_logger
+from ipapython.ipautil import DN
log_file_name = paths.IPASERVER_INSTALL_LOG
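Review bot: `from ipapython.ipautil import DN` imports `DN` through ipautil rather than from its home module; the other files touched by this commit use `from ipapython.dn import DN` (renew_ca_cert and ipa-ca-install), and relying on a transitive re-export breaks silently if ipautil stops importing it. Change the line to `from ipapython.dn import DN`. The hunk does not show where `DN` is used in this file, so I assume existing code or a later change needs it.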
diff --git a/install/tools/ipa-kra-install b/install/tools/ipa-kra-install
new file mode 100644
index 000000000..bc92d26fe
--- /dev/null
+++ b/install/tools/ipa-kra-install
@@ -0,0 +1,23 @@
+#! /usr/bin/python2 -E
+# Authors: Ade Lee <alee@redhat.com>
+#
+# Copyright (C) 2014 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+from ipaserver.install.ipa_kra_install import KRAInstall
+
+KRAInstall.run_cli()
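Review bot: The new script is committed with mode 100644 (`new file mode 100644`, `-rw-r--r--` in the diffstat) while the sibling tools ipa-ca-install, ipa-replica-install and ipa-server-install are 100755; since it is added to `sbin_SCRIPTS` in install/tools/Makefile.am it should be committed executable (`chmod +x`) unless the install rules set the mode. It also calls `KRAInstall.run_cli()` at import time with no `if __name__ == '__main__':` guard, unlike the other tools, so merely importing the module would start the installer; wrapping the call in the guard matches the rest of the tree. A one-line module docstring would also help, since the file holds only the license header, e.g. `"""Install a Dogtag KRA into an existing IPA server; the logic lives in ipaserver.install.ipa_kra_install."""`.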
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index eca73441b..7c9e27e2b 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -36,12 +36,12 @@ from ipaserver.install import bindinstance, httpinstance, ntpinstance
from ipaserver.install import memcacheinstance
from ipaserver.install import otpdinstance
from ipaserver.install.replication import replica_conn_check, ReplicationManager
-from ipaserver.install.installutils import (ReplicaConfig, expand_replica_info,
- read_replica_info, get_host_name, BadHostError, private_ccache,
- read_replica_info_dogtag_port)
+from ipaserver.install.installutils import (
+ create_replica_config, read_replica_info_kra_enabled, private_ccache)
from ipaserver.plugins.ldap2 import ldap2
from ipaserver.install import cainstance
-from ipalib import api, errors, util, x509, certstore
+from ipaserver.install import krainstance
+from ipalib import api, errors, util, certstore, x509
from ipalib.constants import CACERT
from ipapython import version
from ipapython.config import IPAOptionParser
@@ -55,8 +55,8 @@ from ipaplatform import services
from ipaplatform.paths import paths
log_file_name = paths.IPAREPLICA_INSTALL_LOG
-REPLICA_INFO_TOP_DIR = None
DIRMAN_DN = DN(('cn', 'directory manager'))
+REPLICA_INFO_TOP_DIR = None
def parse_options():
usage = "%prog [options] REPLICA_FILE"
@@ -65,6 +65,8 @@ def parse_options():
basic_group = OptionGroup(parser, "basic options")
basic_group.add_option("--setup-ca", dest="setup_ca", action="store_true",
default=False, help="configure a dogtag CA")
+ basic_group.add_option("--setup-kra", dest="setup_kra", action="store_true",
+ default=False, help="configure a dogtag KRA")
basic_group.add_option("--ip-address", dest="ip_address",
type="ip", ip_local=True,
help="Replica server IP Address")
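Review bot: The `--setup-kra` help text does not mention that the option is rejected later in `main()` unless `--setup-ca` is also given (`CA must be installed with the KRA`) and the master already has a KRA. Changing it to `help="configure a dogtag KRA (requires --setup-ca and a KRA on the master)"` surfaces that at `--help` time; alternatively the `--setup-ca` dependency check could move into `parse_options()` next to the other option validation so the user sees the error before being prompted for a password. `parse_options()` continues outside the hunk.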
@@ -206,6 +208,7 @@ def install_krb(config, setup_pkinit=False):
return krb
+
def install_ca_cert(ldap, base_dn, realm, cafile):
try:
try:
@@ -508,44 +511,24 @@ def main():
if dirman_password is None:
sys.exit("Directory Manager password required")
- try:
- top_dir, dir = expand_replica_info(filename, dirman_password)
- global REPLICA_INFO_TOP_DIR
- REPLICA_INFO_TOP_DIR = top_dir
- except Exception, e:
- print "ERROR: Failed to decrypt or open the replica file."
- print "Verify you entered the correct Directory Manager password."
- sys.exit(1)
-
- config = ReplicaConfig()
- read_replica_info(dir, config)
- root_logger.debug('Installing replica file with version %d (0 means no version in prepared file).' % config.version)
- if config.version and config.version > version.NUM_VERSION:
- root_logger.error('A replica file from a newer release (%d) cannot be installed on an older version (%d)' % (config.version, version.NUM_VERSION))
- sys.exit(1)
- config.dirman_password = dirman_password
- try:
- host = get_host_name(options.no_host_dns)
- except BadHostError, e:
- root_logger.error(str(e))
- sys.exit(1)
- if config.host_name != host:
- try:
- print "This replica was created for '%s' but this machine is named '%s'" % (config.host_name, host)
- if not ipautil.user_input("This may cause problems. Continue?", False):
- sys.exit(0)
- config.host_name = host
- print ""
- except KeyboardInterrupt:
- sys.exit(0)
- config.dir = dir
+ config = create_replica_config(dirman_password, filename, options)
+ global REPLICA_INFO_TOP_DIR
+ REPLICA_INFO_TOP_DIR = config.top_dir
config.setup_ca = options.setup_ca
- config.ca_ds_port = read_replica_info_dogtag_port(config.dir)
if config.setup_ca and not ipautil.file_exists(config.dir + "/cacert.p12"):
print 'CA cannot be installed in CA-less setup.'
sys.exit(1)
+ config.setup_kra = options.setup_kra
+ if config.setup_kra:
+ if not config.setup_ca:
+ print "CA must be installed with the KRA"
+ sys.exit(1)
+ if not read_replica_info_kra_enabled(config.dir):
+ print "KRA is not installed on the master system"
+ sys.exit(1)
+
installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
# check connection
@@ -579,6 +562,9 @@ def main():
else:
fd.write("enable_ra=False\n")
fd.write("ra_plugin=none\n")
+
+ fd.write("enable_kra=%s\n" % config.setup_kra)
+
fd.write("mode=production\n")
fd.close()
finally:
@@ -611,7 +597,7 @@ def main():
# Check that we don't already have a replication agreement
try:
- (agreement_cn, agreement_dn) = replman.agreement_dn(host)
+ (agreement_cn, agreement_dn) = replman.agreement_dn(config.host_name)
entry = conn.get_entry(agreement_dn, ['*'])
except errors.NotFound:
pass
@@ -621,20 +607,20 @@ def main():
print ('A replication agreement for this host already exists. '
'It needs to be removed.')
print "Run this on the master that generated the info file:"
- print " %% ipa-replica-manage del %s --force" % host
+ print " %% ipa-replica-manage del %s --force" % config.host_name
exit(3)
# Check pre-existing host entry
try:
- entry = conn.find_entries(u'fqdn=%s' % host, ['fqdn'], DN(api.env.container_host, api.env.basedn))
+ entry = conn.find_entries(u'fqdn=%s' % config.host_name, ['fqdn'], DN(api.env.container_host, api.env.basedn))
except errors.NotFound:
pass
else:
root_logger.info(
- 'Error: Host %s already exists on the master server.' % host)
- print 'The host %s already exists on the master server.' % host
+ 'Error: Host %s already exists on the master server.' % config.host_name)
+ print 'The host %s already exists on the master server.' % config.host_name
print "You should remove it before proceeding:"
- print " %% ipa host-del %s" % host
+ print " %% ipa host-del %s" % config.host_name
exit(3)
# Install CA cert so that we can do SSL connections with ldap
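Review bot: `conn.find_entries(u'fqdn=%s' % config.host_name, ['fqdn'], ...)` still builds the LDAP filter by string interpolation; the commit only swaps `host` for `config.host_name`, and the value has passed host-name validation upstream (formerly `get_host_name`, now presumably inside `create_replica_config`), so the practical risk is low, but a name containing filter metacharacters would still alter the query. Building the filter with the connection's helper, e.g. `conn.make_filter_from_attr('fqdn', config.host_name)`, escapes the value and removes the dependency on that validation. `main()` continues outside this hunk.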
@@ -694,7 +680,7 @@ def main():
ipautil.realm_to_suffix(config.realm_name))
# This is done within stopped_service context, which restarts CA
- CA.enable_client_auth_to_db()
+ CA.enable_client_auth_to_db(CA.dogtag_constants.CS_CFG_PATH)
krb = install_krb(config, setup_pkinit=options.setup_pkinit)
http = install_http(config, auto_redirect=options.ui_redirect)
@@ -705,7 +691,7 @@ def main():
if CA:
CA.configure_certmonger_renewal()
- CA.import_ra_cert(dir + "/ra.p12")
+ CA.import_ra_cert(config.dir + "/ra.p12")
CA.fix_ra_perms()
services.knownservices.httpd.restart()
@@ -717,9 +703,14 @@ def main():
service.print_msg("Applying LDAP updates")
ds.apply_updates()
- # Restart ds and krb after configurations have been changed
- service.print_msg("Restarting the directory server")
- ds.restart()
+ if options.setup_kra:
+ kra = krainstance.install_replica_kra(config)
+ service.print_msg("Restarting the directory server")
+ ds.restart()
+ kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
+ else:
+ service.print_msg("Restarting the directory server")
+ ds.restart()
service.print_msg("Restarting the KDC")
krb.restart()
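Review bot: Both branches of the new `if options.setup_kra:` print `Restarting the directory server` and call `ds.restart()`, and the removed comment `# Restart ds and krb after configurations have been changed` is lost; the restart can stay unconditional with only the KRA lines guarded, which also keeps the comment. The branch reads `options.setup_kra` while the earlier hunk stored `config.setup_kra`; using `config.setup_kra` consistently keeps the two from drifting apart. `main()` continues outside this hunk.
```python
    kra = None
    if config.setup_kra:
        kra = krainstance.install_replica_kra(config)

    # Restart ds and krb after configurations have been changed
    service.print_msg("Restarting the directory server")
    ds.restart()
    if kra is not None:
        kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
    # … unchanged: KDC restart …
```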
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index a54725458..6e77b434a 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -3,7 +3,7 @@
# Simo Sorce <ssorce@redhat.com>
# Rob Crittenden <rcritten@redhat.com>
#
-# Copyright (C) 2007-2010 Red Hat
+# Copyright (C) 2007-2014 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
@@ -53,6 +53,7 @@ from ipaserver.install import httpinstance
from ipaserver.install import ntpinstance
from ipaserver.install import certs
from ipaserver.install import cainstance
+from ipaserver.install import krainstance
from ipaserver.install import memcacheinstance
from ipaserver.install import otpdinstance
from ipaserver.install import sysupgrade
@@ -520,11 +521,20 @@ def uninstall():
dogtag_constants=dogtag_constants)
if cads_instance.is_configured():
cads_instance.uninstall()
- cainstance.stop_tracking_certificates(dogtag_constants)
+
+ kra_instance = krainstance.KRAInstance(
+ api.env.realm, dogtag_constants=dogtag_constants)
+ kra_instance.stop_tracking_certificates(dogtag_constants)
+ if kra_instance.is_installed():
+ kra_instance.uninstall()
+
ca_instance = cainstance.CAInstance(
api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants)
+ ca_instance.stop_tracking_certificates(dogtag_constants)
+ ca_instance.stop_tracking_agent_certificate(dogtag_constants)
if ca_instance.is_configured():
ca_instance.uninstall()
+
bindinstance.BindInstance(fstore).uninstall()
httpinstance.HTTPInstance(fstore).uninstall()
krbinstance.KrbInstance(fstore).uninstall()
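Review bot: The KRA branch gates `uninstall()` on `kra_instance.is_installed()` while the CA and CA-DS branches right beside it use `is_configured()`; if `KRAInstance` offers both predicates with different meanings (for example on-disk Dogtag subsystem versus sysrestore state), a half-configured KRA could be left behind on uninstall — confirm which predicate `krainstance` implements and use the same one as the CA for symmetry. `stop_tracking_certificates` is now called unconditionally for both instances before the configured check, which preserves the previous behaviour for the CA. A comment `# the KRA depends on the CA, so it is torn down first` above the KRA block would record the ordering. `uninstall()` continues outside the hunk.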
@@ -757,8 +767,13 @@ def main():
# We only set up the CA if the PKCS#12 options are not given.
if options.dirsrv_pkcs12:
setup_ca = False
+ setup_kra = False
else:
setup_ca = True
+ # setup_kra is set to False until Dogtag 10.2 is available for IPA to consume
+ # Until then users that want to install the KRA need to use ipa-install-kra
+ # TODO set setup_kra = True when Dogtag 10.2 is available
+ setup_kra = False
# Figure out what external CA step we're in. See cainstance.py for more
# info on the 3 states.
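Review bot: The comment at the new `setup_kra = False` refers to `ipa-install-kra`, but the tool added by this commit is `ipa-kra-install` (install/tools/ipa-kra-install); correct it to `# Until then users that want to install the KRA need to use ipa-kra-install` so the pointer is usable. Because `setup_kra` is `False` on both branches, the KRA configure block and the KRA backup message later in `main()` are currently unreachable; the TODO acknowledges that, but a single `setup_kra = False` with the TODO comment placed before the `if` would make it obvious instead of spreading it across both branches. `main()` continues outside the hunk.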
@@ -775,6 +790,8 @@ def main():
print "This includes:"
if setup_ca:
print " * Configure a stand-alone CA (dogtag) for certificate management"
+ if setup_kra:
+ print " * Configure a stand-alone KRA (dogtag) for key storage"
if options.conf_ntp:
print " * Configure the Network Time Daemon (ntpd)"
print " * Create and configure an instance of Directory Server"
@@ -1021,6 +1038,7 @@ def main():
else:
fd.write("enable_ra=False\n")
fd.write("ra_plugin=none\n")
+ fd.write("enable_kra=%s\n" % setup_kra)
fd.write("mode=production\n")
fd.close()
@@ -1122,7 +1140,7 @@ def main():
ipautil.realm_to_suffix(realm_name), ['caRenewalMaster'])
# This is done within stopped_service context, which restarts CA
- ca.enable_client_auth_to_db()
+ ca.enable_client_auth_to_db(ca.dogtag_constants.CS_CFG_PATH)
krb = krbinstance.KrbInstance(fstore)
if options.pkinit_pkcs12:
@@ -1204,6 +1222,20 @@ def main():
service.print_msg("Restarting the web server")
http.restart()
+ if setup_kra:
+ kra = krainstance.KRAInstance(realm_name,
+ dogtag_constants=dogtag.install_constants)
+ kra.configure_instance(host_name, domain_name, dm_password,
+ dm_password, subject_base=options.subject)
+
+ # This is done within stopped_service context, which restarts KRA
+ service.print_msg("Restarting the directory server")
+ ds.restart()
+
+ service.print_msg("Enabling KRA to authenticate with the database "
+ "using client certificates")
+ kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
+
# Set the admin user kerberos password
ds.change_admin_password(admin_password)
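Review bot: `kra.configure_instance(host_name, domain_name, dm_password, dm_password, subject_base=options.subject)` passes the Directory Manager password twice positionally; if the fourth argument is an admin password rather than a second DM password, the KRA admin credential becomes the DM password, which couples two secrets that should be separately rotatable — confirm against `KRAInstance.configure_instance` and pass it with a keyword so the intent is visible. The comment `# This is done within stopped_service context, which restarts KRA` sits above `ds.restart()` but describes `enable_client_auth_to_db`; move it directly above that call. This block is unreachable while `setup_kra` is hard-coded to `False` earlier in `main()`, and `main()` continues outside the hunk.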
@@ -1256,9 +1288,11 @@ def main():
print ""
if setup_ca:
- print "Be sure to back up the CA certificate stored in /root/cacert.p12"
- print "This file is required to create replicas. The password for this"
- print "file is the Directory Manager password"
+ print "Be sure to back up the CA certificates stored in " + paths.CACERT_P12
+ if setup_kra:
+ print "and the KRA certificates stored in " + paths.KRACERT_P12
+ print "These files are required to create replicas. The password for these"
+ print "files is the Directory Manager password"
else:
print "In order for Firefox autoconfiguration to work you will need to"
print "use a SSL signing certificate. See the IPA documentation for more details."
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index adf6c8d84..9c9de033c 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -537,12 +537,15 @@ def named_update_gssapi_configuration():
return False
try:
- bindinstance.named_conf_set_directive('tkey-gssapi-credential', None,
- bindinstance.NAMED_SECTION_OPTIONS)
- bindinstance.named_conf_set_directive('tkey-domain', None,
- bindinstance.NAMED_SECTION_OPTIONS)
- bindinstance.named_conf_set_directive('tkey-gssapi-keytab', paths.NAMED_KEYTAB,
- bindinstance.NAMED_SECTION_OPTIONS)
+ bindinstance.named_conf_set_directive(
+ 'tkey-gssapi-credential', None,
+ bindinstance.NAMED_SECTION_OPTIONS)
+ bindinstance.named_conf_set_directive(
+ 'tkey-domain', None,
+ bindinstance.NAMED_SECTION_OPTIONS)
+ bindinstance.named_conf_set_directive(
+ 'tkey-gssapi-keytab', paths.NAMED_KEYTAB,
+ bindinstance.NAMED_SECTION_OPTIONS)
except IOError, e:
root_logger.error('Cannot update GSSAPI configuration in %s: %s',
bindinstance.NAMED_CONF, e)
@@ -553,6 +556,7 @@ def named_update_gssapi_configuration():
sysupgrade.set_upgrade_state('named.conf', 'gssapi_updated', True)
return True
+
def named_update_pid_file():
"""
Make sure that named reads the pid file from the right file
@@ -723,7 +727,7 @@ def certificate_renewal_update(ca):
# Ok, now we need to stop tracking, then we can start tracking them
# again with new configuration:
- cainstance.stop_tracking_certificates(dogtag_constants)
+ ca.stop_tracking_certificates(dogtag_constants)
if not sysupgrade.get_upgrade_state('dogtag',
'certificate_renewal_update_1'):
@@ -884,71 +888,9 @@ def add_ca_dns_records():
def find_subject_base():
"""
Try to find the current value of certificate subject base.
- 1) Look in sysupgrade first
- 2) If no value is found there, look in DS (start DS if necessary)
- 3) Last resort, look in the certmap.conf itself
- 4) If all fails, log loudly and return None
+ See the docstring in dsinstance.DsInstance for details.
"""
- root_logger.debug('Trying to find certificate subject base in sysupgrade')
- subject_base = sysupgrade.get_upgrade_state('certmap.conf', 'subject_base')
-
- if subject_base:
- root_logger.debug(
- 'Found certificate subject base in sysupgrade: %s',
- subject_base
- )
- return subject_base
-
- root_logger.debug('Unable to find certificate subject base in sysupgrade')
- root_logger.debug('Trying to find certificate subject base in DS')
-
- ds_is_running = services.knownservices.dirsrv.is_running()
- if not ds_is_running:
- try:
- services.knownservices.dirsrv.start()
- except ipautil.CalledProcessError as e:
- root_logger.error('Cannot start DS to find certificate '
- 'subject base: %s', e)
- else:
- ds_is_running = True
-
- if ds_is_running:
- try:
- api.Backend.ldap2.connect(autobind=True)
- except ipalib.errors.PublicError, e:
- root_logger.error('Cannot connect to DS to find certificate '
- 'subject base: %s', e)
- else:
- ret = api.Command['config_show']()
- api.Backend.ldap2.disconnect()
- subject_base = str(ret['result']['ipacertificatesubjectbase'][0])
- root_logger.debug(
- 'Found certificate subject base in DS: %s',
- subject_base
- )
-
- if not subject_base:
- root_logger.debug('Unable to find certificate subject base in DS')
- root_logger.debug('Trying to find certificate subject base in '
- 'certmap.conf')
-
- certmap_dir = dsinstance.config_dirname(
- dsinstance.realm_to_serverid(api.env.realm)
- )
- try:
- with open(os.path.join(certmap_dir, 'certmap.conf')) as f:
- for line in f:
- if line.startswith('certmap ipaca'):
- subject_base = line.strip().split(',')[-1]
- root_logger.debug(
- 'Found certificate subject base in certmap.conf: '
- '%s',
- subject_base
- )
-
- except IOError as e:
- root_logger.error('Cannot open certmap.conf to find certificate '
- 'subject base: %s', e.strerror)
+ subject_base = dsinstance.DsInstance().find_subject_base()
if subject_base:
sysupgrade.set_upgrade_state(
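Review bot: The new body constructs `dsinstance.DsInstance()` with no arguments where the removed code derived the server id explicitly from `api.env.realm` via `dsinstance.realm_to_serverid`; confirm the bare constructor resolves the same instance in the upgrade context, and that the moved implementation still disconnects `api.Backend.ldap2` after the `config_show` lookup as the old code did, since a connection left open here would affect later upgrade steps. The docstring's `See the docstring in dsinstance.DsInstance for details.` should name the method and keep the lookup order, e.g. `See dsinstance.DsInstance.find_subject_base() for the lookup order (sysupgrade, DS, certmap.conf).`. `find_subject_base()` continues outside this hunk.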
@@ -958,8 +900,6 @@ def find_subject_base():
)
return subject_base
- root_logger.debug('Unable to find certificate subject base in '
- 'certmap.conf')
root_logger.error('Unable to determine certificate subject base. '
'certmap.conf will not be updated.')