summaryrefslogtreecommitdiffstats
path: root/install/tools/ipa-ca-install
Commit message (Collapse)AuthorAgeFilesLines
* install: Move private_ccache from ipaserver to ipapythonJan Cholasta2015-06-081-3/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Move CA installation code into single module.David Kupka2015-06-081-227/+24
| | | | | | https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* move realm_to_serverid to installutils moduleMartin Basti2015-05-051-1/+1
| | | | | | | | | To avoid cyclic imports realm_to_serverid function had to be moved to installutils from dsinstance. Required for: https://fedorahosted.org/freeipa/ticket/4925 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Do not check if port 8443 is available in step 2 of external CA installJan Cholasta2014-10-221-1/+2
| | | | | | | | | The port is never available in step 2 of external CA install, as Dogtag is already running. https://fedorahosted.org/freeipa/ticket/4660 Reviewed-By: David Kupka <dkupka@redhat.com>
* Check LDAP instead of local configuration to see if IPA CA is enabledJan Cholasta2014-10-171-3/+3
| | | | | | | | The check is done using a new hidden command ca_is_enabled. https://fedorahosted.org/freeipa/ticket/4621 Reviewed-By: David Kupka <dkupka@redhat.com>
* Allow specifying signing algorithm of the IPA CA cert in ipa-ca-installJan Cholasta2014-10-161-2/+9
| | | | | | | | | The --ca-signing-algorithm option is available in ipa-server-install, make it available in ipa-ca-install as well. https://fedorahosted.org/freeipa/ticket/4447 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Support MS CS as the external CA in ipa-server-install and ipa-ca-installJan Cholasta2014-10-131-1/+9
| | | | | | | | | | | Added a new option --external-ca-type which specifies the type of the external CA. It can be either "generic" (the default) or "ms-cs". If "ms-cs" is selected, the CSR generated for the IPA CA will include MS template name extension (OID 1.3.6.1.4.1.311.20.2) with template name "SubCA". https://fedorahosted.org/freeipa/ticket/4496 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Check that port 8443 is available when installing PKI.David Kupka2014-10-101-0/+9
| | | | | | https://fedorahosted.org/freeipa/ticket/4564 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Fix ImportError in ipa-ca-installMartin Kosek2014-09-301-1/+1
| | | | | | | Patch 3aa0731f was not merged correctly and import for a function that no longer exists. This patch fixes the import. https://fedorahosted.org/freeipa/ticket/4480
* External CA installer options usability fixesJan Cholasta2014-09-301-23/+16
| | | | | | | | | | | The --external_cert_file and --external_ca_file options of ipa-server-install and ipa-ca-install have been replaced by --external-cert-file option which accepts multiple files. The files are accepted in PEM and DER certificate and PKCS#7 certificate chain formats. https://fedorahosted.org/freeipa/ticket/4480 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Add a KRA to IPAAde Lee2014-08-221-51/+31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds the capability of installing a Dogtag KRA to an IPA instance. With this patch, a KRA is NOT configured by default when ipa-server-install is run. Rather, the command ipa-kra-install must be executed on an instance on which a Dogtag CA has already been configured. The KRA shares the same tomcat instance and DS instance as the Dogtag CA. Moreover, the same admin user/agent (and agent cert) can be used for both subsystems. Certmonger is also confgured to monitor the new subsystem certificates. To create a clone KRA, simply execute ipa-kra-install <replica_file> on a replica on which a Dogtag CA has already been replicated. ipa-kra-install will use the security domain to detect whether the system being installed is a replica, and will error out if a needed replica file is not provided. The install scripts have been refactored somewhat to minimize duplication of code. A new base class dogtagintance.py has been introduced containing code that is common to KRA and CA installs. This will become very useful when we add more PKI subsystems. The KRA will install its database as a subtree of o=ipaca, specifically o=ipakra,o=ipaca. This means that replication agreements created to replicate CA data will also replicate KRA data. No new replication agreements are required. Added dogtag plugin for KRA. This is an initial commit providing the basic vault functionality needed for vault. This plugin will likely be modified as we create the code to call some of these functions. Part of the work for: https://fedorahosted.org/freeipa/ticket/3872 The uninstallation option in ipa-kra-install is temporarily disabled. Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Allow upgrading CA-less to CA-full using ipa-ca-install.Jan Cholasta2014-07-301-14/+217
| | | | | | Part of https://fedorahosted.org/freeipa/ticket/3737 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* ipaplatform: Move paths from installers to paths moduleTomas Babej2014-06-261-3/+4
| | | | | | Part of: https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Remove redundant imports of ipaservicesTomas Babej2014-06-161-1/+0
| | | | | | | | Also fixes few incorrect imports. https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Change service code in freeipa to use ipaplatform servicesTomas Babej2014-06-161-1/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* admin tools: Log IPA versionPetr Viktorin2014-05-271-0/+1
| | | | | | | | | | | Add the IPA version, and vendor version if applicable, to the beginning of admintool logs -- both framework and indivitual tools that don't yet use the framework. This will make debugging easier. https://fedorahosted.org/freeipa/ticket/4219 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-replica-install never checks for 7389 portMartin Kosek2014-03-111-12/+5
| | | | | | | | | | | | | | | When creating replica from a Dogtag 9 based IPA server, the port 7389 which is required for the installation is never checked by ipa-replica-conncheck even though it knows that it is being installed from the Dogtag 9 based FreeIPA. If the 7389 port would be blocked by firewall, installation would stuck with no hint to user. Make sure that the port configuration parsed from replica info file is used consistently in the installers. https://fedorahosted.org/freeipa/ticket/4240 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use /usr/bin/python2Xiao-Long Chen2014-01-031-1/+1
| | | | | | | | | | | | Part of the effort to port FreeIPA to Arch Linux, where Python 3 is the default. FreeIPA hasn't been ported to Python 3, so the code must be modified to run /usr/bin/python2 https://fedorahosted.org/freeipa/ticket/3438 Updated by pviktori@redhat.com
* Make CS.cfg edits with CA instance stoppedTomas Babej2013-08-261-1/+1
| | | | | | | | | | | This patch makes sure that all edits to CS.cfg configuration file are performed while pki-tomcatd service is stopped. Introduces a new contextmanager stopped_service for handling a general problem of performing a task that needs certain service being stopped. https://fedorahosted.org/freeipa/ticket/3804
* Print newline after receiving EOF in installutils.read_password.Jan Cholasta2013-07-241-1/+1
|
* Fix CA-less check in ipa-replica-install and ipa-ca-install.Jan Cholasta2013-06-261-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/3750
* Do not allow installing CA replicas in CA-less setup.Jan Cholasta2013-06-121-0/+4
| | | | | https://fedorahosted.org/freeipa/ticket/3673 https://fedorahosted.org/freeipa/ticket/3674
* Use private ccache in ipa install toolsTomas Babej2013-06-051-6/+7
| | | | | | | | All installers that handle Kerberos auth, have been altered to use private ccache, that is ipa-server-install, ipa-dns-install, ipa-replica-install, ipa-ca-install. https://fedorahosted.org/freeipa/ticket/3666
* Remove code to install Dogtag 9Petr Viktorin2013-05-311-8/+4
| | | | | | | | | Since we depend on Dogtag 10 now, there is no need to keep code that installs a Dogtag 9 CA. Support for upgraded Dogtag-9-style instances is left in. https://fedorahosted.org/freeipa/ticket/3529
* Drop --selfsign server functionalityPetr Viktorin2013-04-151-1/+1
| | | | | Design: http://freeipa.org/page/V3/Drop_selfsign_functionality Ticket: https://fedorahosted.org/freeipa/ticket/3494
* Use A/AAAA records instead of CNAME records in ipa-ca.Jan Cholasta2013-04-151-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/3547
* Add OCSP and CRL URIs to certificatesMartin Kosek2012-12-071-2/+21
| | | | | | | | | | | | | | | | | Modify the default IPA CA certificate profile to include CRL and OCSP extensions which will add URIs to IPA CRL&OCSP to published certificates. Both CRL and OCSP extensions have 2 URIs, one pointing directly to the IPA CA which published the certificate and one to a new CNAME ipa-ca.$DOMAIN which was introduced as a general CNAME pointing to all IPA replicas which have CA configured. The new CNAME is added either during new IPA server/replica/CA installation or during upgrade. https://fedorahosted.org/freeipa/ticket/3074 https://fedorahosted.org/freeipa/ticket/1431
* Fix schema replication from old mastersPetr Viktorin2012-11-231-0/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The new merged database will replicate with both the IPA and CA trees, so all DS instances (IPA and CA on the existing master, and the merged one on the replica) need to have the same schema. Dogtag does all its schema modifications online. Those are replicated normally. The basic IPA schema, however, is delivered in ldif files, which are not replicated. The files are not present on old CA DS instances. Any schema update that references objects in these files will fail. The whole 99user.ldif (i.e. changes introduced dynamically over LDAP) is replicated as a blob. If we updated the old master's CA schema dynamically during replica install, it would conflict with updates done during the installation: the one with the lower CSN would get lost. Dogtag's spawn script recently grew a new flag, 'pki_clone_replicate_schema'. Turning it off tells Dogtag to create its schema in the clone, where the IPA modifications are taking place, so that it is not overwritten by the IPA schema on replication. The patch solves the problems by: - In __spawn_instance, turning off the pki_clone_replicate_schema flag. - Providing a script to copy the IPA schema files to the CA DS instance. The script needs to be copied to old masters and run there. - At replica CA install, checking if the schema is updated, and failing if not. The --skip-schema-check option is added to ipa-{replica,ca}-install to override the check. All pre-3.1 CA servers in a domain will have to have the script run on them to avoid schema replication errors. https://fedorahosted.org/freeipa/ticket/3213
* Changes to use a single database for dogtag and IPAAde Lee2012-11-231-4/+19
| | | | | | | | | | | | New servers that are installed with dogtag 10 instances will use a single database instance for dogtag and IPA, albeit with different suffixes. Dogtag will communicate with the instance through a database user with permissions to modify the dogtag suffix only. This user will authenticate using client auth using the subsystem cert for the instance. This patch includes changes to allow the creation of masters and clones with single ds instances.
* Use Dogtag 10 only when it is availablePetr Viktorin2012-09-171-2/+4
| | | | | | | | | | | Put the changes from Ade's dogtag 10 patch into namespaced constants in dogtag.py, which are then referenced in the code. Make ipaserver.install.CAInstance use the service name specified in the configuration. Uninstallation, where config is removed before CA uninstall, also uses the (previously) configured value. This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
* Modifications to install scripts for dogtag 10Ade Lee2012-09-171-0/+10
| | | | | | | Dogtag 10 uses a new installer, new directory layout and new default ports. This patch changes the ipa install code to integrate these changes. https://fedorahosted.org/freeipa/ticket/2846
* Move install script error handling to a common functionPetr Viktorin2012-05-311-40/+25
| | | | | | | | | | | | | | All of our install/admin scripts had a try/except block calling the main function and handling common exceptions. These were copy-pasted from each other and modified to various levels of sophistication. This refactors them out of installers to a single function, which includes a final pass/fail message for all of the scripts. Non-install scripts that set up the same log handler levels for stderr and log file are not changed, as it's not possible to log to only the logfile without changing the logger configuration. https://fedorahosted.org/freeipa/ticket/2071
* Remove duplicate and unused utility codePetr Viktorin2012-05-091-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | IPA has some unused code from abandoned features (Radius, ipa 1.x user input, commant-line tab completion), as well as some duplicate utilities. This patch cleans up the utility modules. Duplicate code consolidated into ipapython.ipautil: {ipalib.util,ipaserver.ipautil,ipapython.ipautil}.realm_to_suffix {ipaserver,ipapython}.ipautil.CIDict (with style improvements from the ipaserver version) {ipapython.entity,ipaserver.ipautil}.utf8_encode_value {ipapython.entity,ipaserver.ipautil}.utf8_encode_values ipalib.util.get_fqdn was removed in favor of the same function in ipaserver.install.installutils Removed unused code: ipalib.util: load_plugins_in_dir import_plugins_subpackage make_repr (was imported but unused; also removed from tests) ipapython.ipautil: format_list parse_key_value_pairs read_pairs_file read_items_file user_input_plain AttributeValueCompleter ItemCompleter ipaserver.ipautil: get_gsserror (a different version exists in ipapython.ipautil) ipaserver.ipautil ended up empty and is removed entirely. https://fedorahosted.org/freeipa/ticket/2650
* ticket 2022 - modify codebase to utilize IPALogManager, obsoletes loggingJohn Dennis2011-11-231-5/+6
| | | | | | | | | | | | change default_logger_level to debug in configure_standard_logging add new ipa_log_manager module, move log_mgr there, also export root_logger from log_mgr. change all log_manager imports to ipa_log_manager and change log_manager.root_logger to root_logger. add missing import for parse_log_level()
* Improve ipa-replica-prepare DNS checkMartin Kosek2011-10-061-2/+2
| | | | | | | | | | | | | Currently, verify_fqdn() function raises RuntimeError for every problem with the hostname. This makes it difficult for tools like ipa-replica-prepare to behave differently for a subset of raised errors (for example to be able to create a DNS record for new replica when verify_fqdn() reports a lookup error). Implement own exceptions for verify_fqdn() that they can be safely used to distinguish the error type. https://fedorahosted.org/freeipa/ticket/1899
* Install tools crash when password prompt is interruptedMartin Kosek2011-10-061-0/+2
| | | | | | | | | When getpass.getpass() function is interrupted via CTRL+D, EOFError exception is thrown. Most of the install tools are not prepared for this event and crash with this exception. Make sure that it is handled properly and nice error message is printed. https://fedorahosted.org/freeipa/ticket/1916
* Detect CA installation type in ipa-replica-prepare and ipa-ca-install.Rob Crittenden2011-09-271-7/+6
| | | | | | | | | | ipa-ca-install can only add a dogtag CA to an IPA install. ipa-replica-prepare can only be run on the initial master with a selfsign backend. https://fedorahosted.org/freeipa/ticket/1756 https://fedorahosted.org/freeipa/ticket/1757
* Convert installation tools to platform-independent access to system servicesAlexander Bokovoy2011-09-131-2/+2
| | | | http://fedorahosted.org/freeipa/ticket/1605
* enable proxy for dogtagAdam Young2011-08-291-0/+4
| | | | | | | | | | | | | | | | | | | Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL connection. This patch enables renegotiate in the nss configuration file during during apache configuration, as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate. The IPA install uses the internal ports instead of proxying through httpd since httpd is not set up yet. IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose. https://fedorahosted.org/freeipa/ticket/1334 add flag to pkicreate in order to enable using proxy. add the proxy file in /etc/http/conf.d/ Signed-off-by: Simo Sorce <ssorce@redhat.com>
* Re-arrange CA configuration code to reduce the number of restarts.Rob Crittenden2011-08-031-3/+0
| | | | | | | | Ade Lee from the dogtag team looked at the configuration code and determined that a number of restarts were not needed and recommended re-arranging other code to reduce the number of restarts to one. https://fedorahosted.org/freeipa/ticket/1555
* Fix self-signed replica installationMartin Kosek2011-07-141-0/+4
| | | | | | | | | When a replica for self-signed server is being installed, the installer crashes with "Not a dogtag CA installation". Make sure that installation is handled correctly for both dogtag and self-signed replicas. https://fedorahosted.org/freeipa/ticket/1479
* Make dogtag an optional (and default un-) installed component in a replica.Rob Crittenden2011-06-231-0/+183
A dogtag replica file is created as usual. When the replica is installed dogtag is optional and not installed by default. Adding the --setup-ca option will configure it when the replica is installed. A new tool ipa-ca-install will configure dogtag if it wasn't configured when the replica was initially installed. This moves a fair bit of code out of ipa-replica-install into installutils and cainstance to avoid duplication. https://fedorahosted.org/freeipa/ticket/1251
generated by cgit (git 2.34.1) at 2024-05-21 21:00:19 +0000