diff options
Diffstat (limited to 'ipaserver/install/cainstance.py')
-rw-r--r-- | ipaserver/install/cainstance.py | 335 |
1 files changed, 137 insertions, 198 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 1d953757c..4ab58d062 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -65,15 +65,10 @@ PKI_USER = "pkiuser" PKI_DS_USER = "pkisrv" # These values come from /usr/share/pki/ca/setup/postinstall -PKI_INSTANCE_NAME="pki-ca" -AGENT_SECURE_PORT=9443 -EE_SECURE_PORT=9444 -ADMIN_SECURE_PORT=9445 -EE_CLIENT_AUTH_PORT=9446 -UNSECURE_PORT=9180 -TOMCAT_SERVER_PORT=9701 +PKI_INSTANCE_NAME="pki-tomcat" +AGENT_SECURE_PORT=8443 -IPA_SERVICE_PROFILE = '/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME +IPA_SERVICE_PROFILE = '/var/lib/pki/%s/ca/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME # We need to reset the template because the CA uses the regular boot # information @@ -97,9 +92,9 @@ def check_inst(): """ # Check for a couple of binaries we need - if not os.path.exists('/usr/bin/pkicreate'): + if not os.path.exists('/bin/pkispawn'): return False - if not os.path.exists('/usr/bin/pkisilent'): + if not os.path.exists('/bin/pkidestroy'): return False # This is the template tomcat file for a CA @@ -108,31 +103,6 @@ def check_inst(): return True -def get_preop_pin(instance_root, instance_name): - preop_pin = None - - filename = instance_root + "/" + instance_name + "/conf/CS.cfg" - - # read the config file and get the preop pin - try: - f=open(filename) - except IOError, e: - root_logger.error("Cannot open configuration file." + str(e)) - raise e - data = f.read() - data = data.split('\n') - pattern = re.compile("preop.pin=(.*)" ) - for line in data: - match = re.search(pattern, line) - if (match): - preop_pin=match.group(1) - break - - if preop_pin is None: - raise RuntimeError("Unable to find preop.pin in %s. Is your CA already configured?" % filename) - - return preop_pin - def import_pkcs12(input_file, input_passwd, cert_database, cert_passwd): ipautil.run(["/usr/bin/pk12util", "-d", cert_database, @@ -415,7 +385,7 @@ class CADSInstance(service.Service): 'ocspSigningCert cert-pki-ca', 'subsystemCert cert-pki-ca']: try: - certmonger.stop_tracking('/var/lib/pki-ca/alias', nickname=nickname) + certmonger.stop_tracking('/etc/pki/pki-tomcat/alias', nickname=nickname) except (ipautil.CalledProcessError, RuntimeError), e: root_logger.error("certmonger failed to stop tracking certificate: %s" % str(e)) @@ -444,7 +414,7 @@ class CAInstance(service.Service): """ def __init__(self, realm, ra_db): - service.Service.__init__(self, "pki-cad") + service.Service.__init__(self, "pki-tomcatd") self.realm = realm self.dm_password = None self.admin_password = None @@ -468,7 +438,7 @@ class CAInstance(service.Service): self.ra_agent_pwd = self.ra_agent_db + "/pwdfile.txt" self.ds_port = DEFAULT_DSPORT self.domain_name = "IPA" - self.server_root = "/var/lib" + self.server_root = "/var/lib/pki" self.ra_cert = None self.requestId = None @@ -489,8 +459,7 @@ class CAInstance(service.Service): pkcs12_info=None, master_host=None, csr_file=None, cert_file=None, cert_chain_file=None, subject_base=None): - """Create a CA instance. This may involve creating the pki-ca instance - dogtag instance. + """Create a CA instance. To create a clone, pass in pkcs12_info. @@ -523,15 +492,11 @@ class CAInstance(service.Service): self.external=2 self.step("creating certificate server user", self.__create_ca_user) - if not ipautil.dir_exists("/var/lib/pki-ca"): - self.step("creating pki-ca instance", self.create_instance) - self.step("configuring certificate server instance", self.__configure_instance) + self.step("configuring certificate server instance", self.__spawn_instance) self.step("disabling nonces", self.__disable_nonce) # Step 1 of external is getting a CSR so we don't need to do these # steps until we get a cert back from the external CA. if self.external != 1: - if not self.clone: - self.step("creating CA agent PKCS#12 file in /root", self.__create_ca_agent_pkcs12) if self.create_ra_agent_db: self.step("creating RA agent certificate database", self.__create_ra_agent_db) self.step("importing CA chain to RA certificate database", self.__import_ca_chain) @@ -555,26 +520,117 @@ class CAInstance(service.Service): self.start_creation("Configuring certificate server", 210) - def create_instance(self): + def __spawn_instance(self): """ - If for some reason the instance doesn't exist, create a new one." + Create and configure a new instance using pkispawn. + pkispawn requires a configuration file with the appropriate + values substituted in. """ - args = ['/usr/bin/pkicreate', - '-pki_instance_root', '/var/lib', - '-pki_instance_name', PKI_INSTANCE_NAME, - '-subsystem_type', 'ca', - '-agent_secure_port', str(AGENT_SECURE_PORT), - '-ee_secure_port', str(EE_SECURE_PORT), - '-admin_secure_port', str(ADMIN_SECURE_PORT), - '-ee_secure_client_auth_port', str(EE_CLIENT_AUTH_PORT), - '-unsecure_port', str(UNSECURE_PORT), - '-tomcat_server_port', str(TOMCAT_SERVER_PORT), - '-redirect', 'conf=/etc/pki-ca', - '-redirect', 'logs=/var/log/pki-ca', - '-enable_proxy' - ] - ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn}) + # create a new config file for this installation + (cfg_fd, cfg_file) = tempfile.mkstemp() + os.close(cfg_fd) + shutil.copy("/usr/share/pki/deployment/config/pkideployment.cfg", + cfg_file) + pent = pwd.getpwnam(PKI_USER) + os.chown(cfg_file, pent.pw_uid, pent.pw_gid ) + replacevars = { + "pki_enable_proxy": "True", + "pki_restart_configured_instance": "False", + "pki_client_database_dir": self.ca_agent_db, + "pki_client_database_password": self.admin_password, + "pki_client_database_purge": "False", + "pki_client_pkcs12_password": self.admin_password, + "pki_security_domain_name": self.domain_name, + "pki_admin_email": "root@localhost", + "pki_admin_password": self.admin_password, + "pki_admin_nickname": "ipa-ca-agent", + "pki_admin_subject_dn": "CN=ipa-ca-agent,%s" % self.subject_base, + "pki_ds_ldap_port": str(self.ds_port), + "pki_ds_password": self.dm_password, + "pki_ds_base_dn": self.basedn, + "pki_ds_database": "ipaca", + "pki_backup_keys": "True", + "pki_backup_password": self.admin_password, + "pki_subsystem_subject_dn": \ + "CN=CA Subsystem,%s" % self.subject_base, + "pki_ocsp_signing_subject_dn": \ + "CN=OCSP Subsystem,%s" % self.subject_base, + "pki_ssl_server_subject_dn": \ + "CN=%s,%s" % (self.fqdn, self.subject_base), + "pki_audit_signing_subject_dn": \ + "CN=CA Audit,%s" % self.subject_base, + "pki_ca_signing_subject_dn": \ + "CN=Certificate Authority,%s" % self.subject_base, + "pki_subsystem_nickname": "subsystemCert cert-pki-ca", + "pki_ocsp_signing_nickname": "ocspSigningCert cert-pki-ca", + "pki_ssl_server_nickname": "Server-Cert cert-pki-ca", + "pki_audit_signing_nickname": "auditSigningCert cert-pki-ca", + "pki_ca_signing_nickname": "caSigningCert cert-pki-ca" + } + + if (self.clone): + cafile = self.pkcs12_info[0] + shutil.copy(cafile, "/tmp/ca.p12") + pent = pwd.getpwnam(PKI_USER) + os.chown("/tmp/ca.p12", pent.pw_uid, pent.pw_gid ) + + clone_vars = { + "pki_clone_pkcs12_password": self.dm_password, + "pki_clone": "True", + "pki_clone_pkcs12_path": "/tmp/ca.p12", + "pki_security_domain_hostname": self.master_host, + "pki_security_domain_https_port": "443", + "pki_security_domain_password": self.admin_password, + "pki_clone_replication_security": "SSL", + "pki_clone_uri": \ + "https://%s" % ipautil.format_netloc(self.master_host, 443) + } + replacevars.update(clone_vars) + + if self.external == 1: + external_vars = { + "pki_external": "True", + "pki_external_csr_path": self.csr_file + } + replacevars.update(external_vars) + elif self.external == 2: + external_vars = { + "pki_external": "True", + "pki_external_ca_cert_path": self.cert_file, + "pki_external_ca_cert_chain_path": self.cert_chain_file, + "pki_external_step_two": "True" + } + replacevars.update(external_vars) + + ipautil.config_replace_variables(cfg_file, replacevars=replacevars) + + # Define the things we don't want logged + nolog = (self.admin_password, self.dm_password,) + + args = ["/bin/pkispawn", "-s", "CA", "-f", cfg_file ] + + try: + ipautil.run(args, nolog=nolog) + except ipautil.CalledProcessError, e: + root_logger.critical("failed to configure ca instance %s" % e) + raise RuntimeError('Configuration of CA failed') + finally: + os.remove(cfg_file) + + if not self.clone: + shutil.move("/var/lib/pki/pki-tomcat/alias/ca_admin_cert.p12", \ + "/root/ca-agent.p12") + shutil.move("/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12", \ + "/root/cacert.p12") + + if self.external == 1: + print "The next step is to get %s signed by your CA and re-run ipa-server-install as:" % self.csr_file + print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate" + sys.exit(0) + + root_logger.debug("completed creating ca instance") + def __enable(self): self.backup_state("enabled", self.is_enabled()) @@ -600,110 +656,6 @@ class CAInstance(service.Service): except ipautil.CalledProcessError, e: root_logger.critical("failed to add user %s" % e) - def __configure_instance(self): - preop_pin = get_preop_pin(self.server_root, PKI_INSTANCE_NAME) - - try: - args = ["/usr/bin/perl", "/usr/bin/pkisilent", "ConfigureCA", - "-cs_hostname", self.fqdn, - "-cs_port", str(ADMIN_SECURE_PORT), - "-client_certdb_dir", self.ca_agent_db, - "-client_certdb_pwd", self.admin_password, - "-preop_pin" , preop_pin, - "-domain_name", self.domain_name, - "-admin_user", "admin", - "-admin_email", "root@localhost", - "-admin_password", self.admin_password, - "-agent_name", "ipa-ca-agent", - "-agent_key_size", "2048", - "-agent_key_type", "rsa", - "-agent_cert_subject", str(DN(('CN', 'ipa-ca-agent'), self.subject_base)), - "-ldap_host", self.fqdn, - "-ldap_port", str(self.ds_port), - "-bind_dn", "cn=Directory Manager", - "-bind_password", self.dm_password, - "-base_dn", str(self.basedn), - "-db_name", "ipaca", - "-key_size", "2048", - "-key_type", "rsa", - "-key_algorithm", "SHA256withRSA", - "-save_p12", "true", - "-backup_pwd", self.admin_password, - "-subsystem_name", self.service_name, - "-token_name", "internal", - "-ca_subsystem_cert_subject_name", str(DN(('CN', 'CA Subsystem'), self.subject_base)), - "-ca_subsystem_cert_subject_name", str(DN(('CN', 'CA Subsystem'), self.subject_base)), - "-ca_ocsp_cert_subject_name", str(DN(('CN', 'OCSP Subsystem'), self.subject_base)), - "-ca_server_cert_subject_name", str(DN(('CN', self.fqdn), self.subject_base)), - "-ca_audit_signing_cert_subject_name", str(DN(('CN', 'CA Audit'), self.subject_base)), - "-ca_sign_cert_subject_name", str(DN(('CN', 'Certificate Authority'), self.subject_base)) ] - if self.external == 1: - args.append("-external") - args.append("true") - args.append("-ext_csr_file") - args.append(self.csr_file) - elif self.external == 2: - args.append("-external") - args.append("true") - args.append("-ext_ca_cert_file") - args.append(self.cert_file) - args.append("-ext_ca_cert_chain_file") - args.append(self.cert_chain_file) - else: - args.append("-external") - args.append("false") - if (self.clone): - """sd = security domain --> all CS systems get registered to - a security domain. This is set to the hostname and port of - the master CA. - """ - # The install wizard expects the file to be here. - cafile = self.pkcs12_info[0] - shutil.copy(cafile, "/var/lib/pki-ca/alias/ca.p12") - pent = pwd.getpwnam(PKI_USER) - os.chown("/var/lib/pki-ca/alias/ca.p12", pent.pw_uid, pent.pw_gid ) - args.append("-clone") - args.append("true") - args.append("-clone_p12_file") - args.append("ca.p12") - args.append("-clone_p12_password") - args.append(self.dm_password) - args.append("-sd_hostname") - args.append(self.master_host) - args.append("-sd_admin_port") - args.append("443") - args.append("-sd_admin_name") - args.append("admin") - args.append("-sd_admin_password") - args.append(self.admin_password) - args.append("-clone_start_tls") - args.append("true") - args.append("-clone_uri") - args.append("https://%s" % ipautil.format_netloc(self.master_host, 443)) - else: - args.append("-clone") - args.append("false") - - # Define the things we don't want logged - nolog = (self.admin_password, self.dm_password,) - - ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn}, nolog=nolog) - except ipautil.CalledProcessError, e: - root_logger.critical("failed to configure ca instance %s" % e) - raise RuntimeError('Configuration of CA failed') - - if self.external == 1: - print "The next step is to get %s signed by your CA and re-run ipa-server-install as:" % self.csr_file - print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate" - sys.exit(0) - - # pkisilent makes a copy of the CA PKCS#12 file for us but gives - # it a lousy name. - if ipautil.file_exists("/root/tmp-ca.p12"): - shutil.move("/root/tmp-ca.p12", "/root/cacert.p12") - - root_logger.debug("completed creating ca instance") - def __restart_instance(self): try: self.restart(PKI_INSTANCE_NAME) @@ -713,10 +665,11 @@ class CAInstance(service.Service): def __disable_nonce(self): # Turn off Nonces - if installutils.update_file('/var/lib/pki-ca/conf/CS.cfg', 'ca.enableNonces=true', 'ca.enableNonces=false') != 0: + cfg_file = '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg' + if installutils.update_file(cfg_file, 'ca.enableNonces=true', 'ca.enableNonces=false') != 0: raise RuntimeError("Disabling nonces failed") pent = pwd.getpwnam(PKI_USER) - os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid ) + os.chown(cfg_file, pent.pw_uid, pent.pw_gid ) def __issue_ra_cert(self): # The CA certificate is in the agent DB but isn't trusted @@ -767,7 +720,7 @@ class CAInstance(service.Service): ] (stdout, stderr, returncode) = ipautil.run(args, nolog=(self.admin_password,)) - data = stdout.split('\r\n') + data = stdout.split('\n') params = get_defList(data) params['requestId'] = find_substring(data, "requestId") params['op'] = 'approve' @@ -788,7 +741,7 @@ class CAInstance(service.Service): ] (stdout, stderr, returncode) = ipautil.run(args, nolog=(self.admin_password,)) - data = stdout.split('\r\n') + data = stdout.split('\n') outputList = get_outputList(data) self.ra_cert = outputList['b64_cert'] @@ -905,20 +858,6 @@ class CAInstance(service.Service): except Exception, e: raise RuntimeError("Unable to retrieve CA chain: %s" % str(e)) - def __create_ca_agent_pkcs12(self): - (pwd_fd, pwd_name) = tempfile.mkstemp() - os.write(pwd_fd, self.admin_password) - os.close(pwd_fd) - try: - ipautil.run(["/usr/bin/pk12util", - "-n", "ipa-ca-agent", - "-o", "/root/ca-agent.p12", - "-d", self.ca_agent_db, - "-k", pwd_name, - "-w", pwd_name]) - finally: - os.remove(pwd_name) - def __import_ca_chain(self): chain = self.__get_ca_chain() @@ -982,7 +921,7 @@ class CAInstance(service.Service): csr = pkcs10.strip_header(stdout) # Send the request to the CA - conn = httplib.HTTPConnection(self.fqdn, 9180) + conn = httplib.HTTPConnection(self.fqdn, 8080) params = urllib.urlencode({'profileId': 'caServerCert', 'cert_request_type': 'pkcs10', 'requestor_name': 'IPA Installer', @@ -1020,7 +959,7 @@ class CAInstance(service.Service): def __setup_sign_profile(self): # Tell the profile to automatically issue certs for RAs - installutils.set_directive('/var/lib/pki-ca/profiles/ca/caJarSigningCert.cfg', 'auth.instance_id', 'raCertAuth', quotes=False, separator='=') + installutils.set_directive('/var/lib/pki/pki-tomcat/ca/profiles/ca/caJarSigningCert.cfg', 'auth.instance_id', 'raCertAuth', quotes=False, separator='=') def __enable_crl_publish(self): """ @@ -1028,9 +967,9 @@ class CAInstance(service.Service): http://www.redhat.com/docs/manuals/cert-system/8.0/admin/html/Setting_up_Publishing.html """ - caconfig = "/var/lib/pki-ca/conf/CS.cfg" + caconfig = "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" - publishdir='/var/lib/pki-ca/publish' + publishdir='/var/lib/pki/pki-tomcat/ca/publish' os.mkdir(publishdir) os.chmod(publishdir, 0755) pent = pwd.getpwnam(PKI_USER) @@ -1089,8 +1028,8 @@ class CAInstance(service.Service): self.disable() try: - ipautil.run(["/usr/bin/pkiremove", "-pki_instance_root=/var/lib", - "-pki_instance_name=%s" % PKI_INSTANCE_NAME, "--force"]) + ipautil.run(["/bin/pkidestroy", "-i", "pki-tomcat", + "-s", "CA"]) except ipautil.CalledProcessError, e: root_logger.critical("failed to uninstall CA instance %s" % e) @@ -1118,7 +1057,7 @@ class CAInstance(service.Service): pin = certmonger.get_pin('internal') except IOError, e: raise RuntimeError('Unable to determine PIN for CA instance: %s' % str(e)) - certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', 'Server-Cert cert-pki-ca', pin, None, '/var/lib/pki-ca/alias', 'restart_pkicad "Server-Cert cert-pki-ca"') + certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', 'Server-Cert cert-pki-ca', pin, None, '/etc/pki/pki-tomcat/alias', 'restart_pkicad "Server-Cert cert-pki-ca"') def configure_renewal(self): cmonger = ipaservices.knownservices.certmonger @@ -1135,7 +1074,7 @@ class CAInstance(service.Service): for nickname in ['auditSigningCert cert-pki-ca', 'ocspSigningCert cert-pki-ca', 'subsystemCert cert-pki-ca']: - certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', nickname, pin, None, '/var/lib/pki-ca/alias', 'renew_ca_cert "%s"' % nickname) + certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', nickname, pin, None, '/etc/pki/pki-tomcat/alias', 'renew_ca_cert "%s"' % nickname) # Set up the agent cert for renewal certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', 'ipaCert', None, '/etc/httpd/alias/pwdfile.txt', '/etc/httpd/alias', 'renew_ra_cert') @@ -1179,7 +1118,7 @@ class CAInstance(service.Service): for nickname in ['auditSigningCert cert-pki-ca', 'ocspSigningCert cert-pki-ca', 'subsystemCert cert-pki-ca']: - certmonger.dogtag_start_tracking('dogtag-ipa-retrieve-agent-submit', nickname, pin, None, '/var/lib/pki-ca/alias', 'restart_pkicad "%s"' % nickname) + certmonger.dogtag_start_tracking('dogtag-ipa-retrieve-agent-submit', nickname, pin, None, '/etc/pki/pki-tomcat/alias', 'restart_pkicad "%s"' % nickname) # The agent renewal is configured in import_ra_cert which is called # after the HTTP instance is created. @@ -1191,7 +1130,7 @@ class CAInstance(service.Service): setlist = installutils.get_directive(IPA_SERVICE_PROFILE, 'policyset.serverCertSet.list', separator='=') - # this is the default setting from pki-ca. Don't touch it if a user + # this is the default setting from pki-tomcat. Don't touch it if a user # has manually modified it. if setlist == '1,2,3,4,5,6,7,8': installutils.set_directive(IPA_SERVICE_PROFILE, @@ -1234,7 +1173,7 @@ class CAInstance(service.Service): responsibility to handle changes on upgrades. """ master = installutils.get_directive( - '/var/lib/pki-ca/conf/CS.cfg', 'subsystem.select', '=') + '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg', 'subsystem.select', '=') return master == 'New' @@ -1301,10 +1240,10 @@ def install_replica_ca(config, postinstall=False): # unix service. service.print_msg("Restarting the directory and certificate servers") - ca.stop() + ca.stop(PKI_INSTANCE_NAME) ipaservices.knownservices.dirsrv.stop("PKI-IPA") ipaservices.knownservices.dirsrv.start("PKI-IPA") - ca.start() + ca.start(PKI_INSTANCE_NAME) return (ca, cs) @@ -1323,7 +1262,7 @@ def update_cert_config(nickname, cert): 'subsystemCert cert-pki-ca': 'ca.subsystem.cert', 'Server-Cert cert-pki-ca': 'ca.sslserver.cert' } - installutils.set_directive('/var/lib/%s/conf/CS.cfg' % PKI_INSTANCE_NAME, + installutils.set_directive('/var/lib/pki/%s/conf/ca/CS.cfg' % PKI_INSTANCE_NAME, directives[nickname], base64.b64encode(cert), quotes=False, separator='=') |