From 3dd31a875650c7fe7c67ca6b47f2058c1181dafb Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Wed, 15 Aug 2012 22:53:51 -0400 Subject: Modifications to install scripts for dogtag 10 Dogtag 10 uses a new installer, new directory layout and new default ports. This patch changes the ipa install code to integrate these changes. https://fedorahosted.org/freeipa/ticket/2846 --- install/conf/ipa-pki-proxy.conf | 16 +- install/conf/ipa.conf | 4 +- install/restart_scripts/renew_ca_cert | 19 +- install/restart_scripts/restart_pkicad | 18 +- install/tools/ipa-ca-install | 10 + install/tools/ipa-csreplica-manage | 2 +- install/tools/ipa-replica-install | 1 + install/tools/ipa-replica-prepare | 2 +- install/tools/ipa-server-install | 1 + install/ui/test/data/ipa_init.json | 6 +- ipa-client/man/default.conf.5 | 6 +- ipalib/constants.py | 6 +- ipapython/certmonger.py | 2 +- ipapython/platform/base.py | 7 +- ipapython/platform/fedora16.py | 7 +- ipapython/platform/systemd.py | 4 +- ipaserver/install/cainstance.py | 335 ++++++++++++++------------------- ipaserver/install/installutils.py | 2 +- ipaserver/install/service.py | 13 +- selinux/ipa_dogtag/ipa_dogtag.fc | 2 +- 20 files changed, 224 insertions(+), 239 deletions(-) diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf index 91a99aaf9..7a067ca9c 100644 --- a/install/conf/ipa-pki-proxy.conf +++ b/install/conf/ipa-pki-proxy.conf 
@@ -6,22 +6,22 @@ ProxyRequests Off NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate NSSVerifyClient none - ProxyPassMatch ajp://localhost:9447/ - ProxyPassReverse ajp://localhost:9447/ + ProxyPassMatch ajp://localhost:8009 + ProxyPassReverse ajp://localhost:8009 -# matches for admin port - +# matches for admin port and installer + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate NSSVerifyClient none - ProxyPassMatch ajp://localhost:9447/ - ProxyPassReverse ajp://localhost:9447/ + ProxyPassMatch ajp://localhost:8009 + ProxyPassReverse ajp://localhost:8009 # matches for agent port and eeca port NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate NSSVerifyClient require - ProxyPassMatch ajp://localhost:9447/ - ProxyPassReverse ajp://localhost:9447/ + ProxyPassMatch ajp://localhost:8009 + ProxyPassReverse ajp://localhost:8009 diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index 1b31a52ac..d428460fe 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf @@ -105,8 +105,8 @@ Alias /ipa/config "/usr/share/ipa/html" # For CRL publishing -Alias /ipa/crl "/var/lib/pki-ca/publish" - +Alias /ipa/crl "/var/lib/pki/tomcat-ca/ca/publish" + SetHandler None AllowOverride None Options Indexes FollowSymLinks diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert index 6e4d2b789..4c3af9775 100644 --- a/install/restart_scripts/renew_ca_cert +++ b/install/restart_scripts/renew_ca_cert @@ -45,8 +45,14 @@ nickname = sys.argv[1] api.bootstrap(context='restart') api.finalize() +alias_dir = '/etc/pki/pki-tomcat/alias' +dogtag_instance = 'pki-tomcat' +if 'dogtag_version' not in api.env: + alias_dir = '/var/lib/pki-ca/alias' + dogtag_instance = 'pki-ca' + # Fetch the new certificate -db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias') +db = certs.CertDB(api.env.realm, nssdir=alias_dir) cert = db.get_cert_from_db(nickname, pem=False) if not cert: 
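Review bot: The new CRL alias in the ipa.conf hunk points at `/var/lib/pki/tomcat-ca/ca/publish`, but every other reference to that directory in this patch uses the instance name `pki-tomcat` (`publishdir='/var/lib/pki/pki-tomcat/ca/publish'` in cainstance.py and the SELinux context in ipa_dogtag.fc), so Apache would serve /ipa/crl from a directory that is never created and clients fetching the CRL would get 404s, leaving revocation status unavailable. Unless `tomcat-ca` is a deliberate second instance name, the line should read `Alias /ipa/crl "/var/lib/pki/pki-tomcat/ca/publish"`. The enclosing Directory block's markup appears lost in this rendering, so its other lines could not be checked.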
@@ -79,7 +85,7 @@ finally: # Fix permissions on the audit cert if we're updating it if nickname == 'auditSigningCert cert-pki-ca': - db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias') + db = certs.CertDB(api.env.realm, nssdir=alias_dir) args = ['-M', '-n', nickname, '-t', 'u,u,Pu', @@ -91,7 +97,9 @@ if nickname == 'auditSigningCert cert-pki-ca': update_cert_config(nickname, cert) -syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted pki-cad instance pki-ca to renew %s' % nickname) +syslog.syslog( + syslog.LOG_NOTICE, 'certmonger restarted %sd instance %s to renew %s' % + (dogtag_instance, dogtag_instance, nickname)) # We monitor 3 certs that are all likely to be renewed by certmonger more or # less at the same time. Each cert renewal is going to need to restart @@ -102,6 +110,7 @@ pause = random.randint(10,360) syslog.syslog(syslog.LOG_NOTICE, 'Pausing %d seconds to restart pki-ca' % pause) time.sleep(pause) try: - ipaservices.knownservices.pki_cad.restart('pki-ca') + ipaservices.knownservices.pki_cad.restart(dogtag_instance) except Exception, e: - syslog.syslog(syslog.LOG_ERR, "Cannot restart pki-cad: %s" % str(e)) + syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" % \ + (dogtag_instance, str(e))) diff --git a/install/restart_scripts/restart_pkicad b/install/restart_scripts/restart_pkicad index 070760b16..c21fb802f 100644 --- a/install/restart_scripts/restart_pkicad +++ b/install/restart_scripts/restart_pkicad 
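Review bot: In the `@@ -102,6 +110,7 @@` hunk the instance name now varies (`pki-tomcat` on dogtag 10) but the service object is still `ipaservices.knownservices.pki_cad`, which fedora16.py in this same patch maps to `pki-cad@pki-ca.service`; unless the platform layer remaps it, the restart on a dogtag 10 install would be issued for a `pki-cad@pki-tomcat` unit rather than `pki-tomcatd@pki-tomcat.service`, and a renewed CA certificate would not be picked up. The service should be selected together with the instance, e.g. `pki_service = ipaservices.knownservices.pki_tomcatd` next to `dogtag_instance = 'pki-tomcat'`, `pki_service = ipaservices.knownservices.pki_cad` in the pre-10 branch, and `pki_service.restart(dogtag_instance)` here. The same applies to the `stop`/`start` pair in the restart_pkicad hunk `@@ -44,7 +51,8 @@`. The context line `'Pausing %d seconds to restart pki-ca'` also still hardcodes the old instance name in the log message.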
@@ -30,11 +30,18 @@ nickname = sys.argv[1] api.bootstrap(context='restart') api.finalize() -syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted pki-cad, nickname '%s'" % nickname) +alias_dir = '/etc/pki/pki-tomcat/alias' +dogtag_instance = 'pki-tomcat' +if 'dogtag_version' not in api.env: + alias_dir = '/var/lib/pki-ca/alias' + dogtag_instance = 'pki-ca' + +syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted %sd, nickname '%s'" % \ + (dogtag_instance, nickname)) # Fix permissions on the audit cert if we're updating it if nickname == 'auditSigningCert cert-pki-ca': - db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias') + db = certs.CertDB(api.env.realm, nssdir = alias_dir ) args = ['-M', '-n', nickname, '-t', 'u,u,Pu', @@ -44,7 +51,8 @@ if nickname == 'auditSigningCert cert-pki-ca': try: # I've seen times where systemd restart does not actually restart # the process. A full stop/start is required. This works around that - ipaservices.knownservices.pki_cad.stop('pki-ca') - ipaservices.knownservices.pki_cad.start('pki-ca') + ipaservices.knownservices.pki_cad.stop(dogtag_instance) + ipaservices.knownservices.pki_cad.start(dogtag_instance) except Exception, e: - syslog.syslog(syslog.LOG_ERR, "Cannot restart pki-cad: %s" % str(e)) + syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" % \ + (dogtag_instance, str(e))) diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 4d7be217d..d52832239 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install 
@@ -156,6 +156,16 @@ def main(): # We need to restart apache as we drop a new config file in there ipaservices.knownservices.httpd.restart(capture_output=True) + #update dogtag version in config file to denote new instance + try: + fd = open("/etc/ipa/default.conf", "a") + fd.write("dogtag_version=10\n") + fd.close() + except IOError, e: + print "Failed to update /etc/ipa/default.conf" + root_logger.error(str(e)) + sys.exit(1) + fail_message = ''' Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage index 6eefe8d6d..884956fd1 100755 --- a/install/tools/ipa-csreplica-manage +++ b/install/tools/ipa-csreplica-manage @@ -80,7 +80,7 @@ class CSReplicationManager(replication.ReplicationManager): """ dn = None cn = None - instance_name = 'pki-ca' + instance_name = 'pki-tomcat' # if master is not None we know what dn to return: if master is not None: diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 267a70d8b..a7b34cf1b 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -376,6 +376,7 @@ def main(): if ipautil.file_exists(config.dir + "/cacert.p12"): fd.write("enable_ra=True\n") fd.write("ra_plugin=dogtag\n") + fd.write("dogtag_version=10\n") fd.write("mode=production\n") fd.close() finally: diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare index d1ffe4e2e..ce25681f4 100755 --- a/install/tools/ipa-replica-prepare +++ b/install/tools/ipa-replica-prepare 
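Review bot: The new append to /etc/ipa/default.conf writes `dogtag_version=10\n` without checking that the existing file ends in a newline, so on a file lacking one the key is glued onto the previous line; it also appends on every run, so a re-run leaves duplicate keys, and if `fd.write` raises the handle is never closed. `with open("/etc/ipa/default.conf", "a") as fd:` around the write fixes the leak, and guarding the write on the key not already being present would avoid the duplicates. `main()` continues outside this hunk.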
@@ -304,7 +304,7 @@ def main(): if options.reverse_zone and not bindinstance.verify_reverse_zone(options.reverse_zone, options.ip_address): sys.exit(1) - if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki-ca/conf/CS.cfg") and not options.dirsrv_pin: + if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki/pki-tomcat/conf/ca/CS.cfg") and not options.dirsrv_pin: sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.") check_ipa_configuration(api.env.realm) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index f07aeadf8..639a72701 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -853,6 +853,7 @@ def main(): fd.write("enable_ra=True\n") if not options.selfsign: fd.write("ra_plugin=dogtag\n") + fd.write("dogtag_version=10\n") fd.write("mode=production\n") fd.close() diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json index 0d94d9b02..bccc31b19 100644 --- a/install/ui/test/data/ipa_init.json +++ b/install/ui/test/data/ipa_init.json @@ -669,12 +669,12 @@ "result": { "basedn": "dc=dev,dc=example,dc=com", "bin": "/var/www", - "ca_agent_install_port": 9443, + "ca_agent_install_port": 8443, "ca_agent_port": 443, - "ca_ee_install_port": 9444, + "ca_ee_install_port": 8443, "ca_ee_port": 443, "ca_host": "dev.example.com", - "ca_install_port": 9180, + "ca_install_port": 8080, "ca_port": 80, "conf": "/etc/ipa/server.conf", "conf_default": "/etc/ipa/default.conf", diff --git a/ipa-client/man/default.conf.5 b/ipa-client/man/default.conf.5 index f6873de2c..c3adeb85b 100644 --- a/ipa-client/man/default.conf.5 +++ b/ipa-client/man/default.conf.5 
@@ -66,13 +66,13 @@ The following options are relevant for the server: Specifies the base DN to use when performing LDAP operations. The base must be in DN format (dc=example,dc=com). .TP .B ca_agent_port -Specifies the secure CA agent port. The default is 9443. +Specifies the secure CA agent port. The default is 8443. .TP .B ca_ee_port -Specifies the secure CA end user port. The default is 9444. +Specifies the secure CA end user port. The default is 8443. .TP .B ca_port -Specifies the insecure CA end user port. The default is 9180. +Specifies the insecure CA end user port. The default is 8080. .TP .B ca_host Specifies the hostname of the dogtag CA server. The default is the hostname of the IPA server. diff --git a/ipalib/constants.py b/ipalib/constants.py index 59649865b..57265da55 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -141,9 +141,9 @@ DEFAULT_CONFIG = ( ('ca_port', 80), ('ca_agent_port', 443), ('ca_ee_port', 443), - ('ca_install_port', 9180), - ('ca_agent_install_port', 9443), - ('ca_ee_install_port', 9444), + ('ca_install_port', 8080), + ('ca_agent_install_port', 8443), + ('ca_ee_install_port', 8443), # Special CLI: diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py index bdc8591e7..7f88a05d0 100644 --- a/ipapython/certmonger.py +++ b/ipapython/certmonger.py @@ -337,7 +337,7 @@ def get_pin(token): The caller is expected to handle any exceptions raised. """ - filename = '/var/lib/pki-ca/conf/password.conf' + filename = '/var/lib/pki/pki-tomcat/conf/password.conf' with open(filename, 'r') as f: for line in f: (tok, pin) = line.split('=', 1) diff --git a/ipapython/platform/base.py b/ipapython/platform/base.py index 8c694ac04..b71e2f323 100644 --- a/ipapython/platform/base.py +++ b/ipapython/platform/base.py 
@@ -25,7 +25,7 @@ from ipalib.plugable import MagicDict wellknownservices = ['certmonger', 'dirsrv', 'httpd', 'ipa', 'krb5kdc', 'messagebus', 'nslcd', 'nscd', 'ntpd', 'portmap', 'rpcbind', 'kadmin', 'sshd', 'autofs', 'rpcgssd', - 'rpcidmapd', 'pki_cad'] + 'rpcidmapd', 'pki_tomcatd', 'pki-cad'] # The common ports for these services. This is used to wait for the @@ -34,7 +34,10 @@ wellknownports = { 'dirsrv@PKI-IPA.service': [7389], 'PKI-IPA': [7389], 'dirsrv': [389], # this is only used if the incoming instance name is blank - 'pki-cad': [9180], + 'pki-tomcatd@pki-tomcat.service': [8080], + 'pki-tomcat': [8080], + 'pki-tomcatd': [8080], # used if the incoming instance name is blank + 'pki-cad': [9180] } class AuthConfig(object): diff --git a/ipapython/platform/fedora16.py b/ipapython/platform/fedora16.py index 100bbb2ab..794c39e20 100644 --- a/ipapython/platform/fedora16.py +++ b/ipapython/platform/fedora16.py @@ -46,7 +46,7 @@ system_units = dict(map(lambda x: (x, "%s.service" % (x)), base.wellknownservice system_units['rpcgssd'] = 'nfs-secure.service' system_units['rpcidmapd'] = 'nfs-idmap.service' -# Rewrite dirsrv and pki-cad services as they support instances via separate +# Rewrite dirsrv and pki-tomcatd services as they support instances via separate # service generator. To make this working, one needs to have both foo@.servic # and foo.target -- the latter is used when request should be coming for # all instances (like stop). systemd, unfortunately, does not allow one 
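Review bot: In the `@@ -25,7 +25,7 @@` hunk the list gains `'pki_tomcatd'` with an underscore but rewrites the old entry as `'pki-cad'` with a hyphen, while the rest of `wellknownservices` uses underscore names and the restart scripts in this patch still access `ipaservices.knownservices.pki_cad`. If `knownservices` is keyed by these strings (fedora16.py builds `system_units` from this list), the hyphenated name is not reachable as an attribute and the old-instance fallback in renew_ca_cert / restart_pkicad would fail on the attribute lookup. `'rpcidmapd', 'pki_tomcatd', 'pki_cad']` keeps both reachable; if the hyphen is intentional, a comment saying why it differs from the other entries would help.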
@@ -58,9 +58,12 @@ system_units['rpcidmapd'] = 'nfs-idmap.service' system_units['dirsrv'] = 'dirsrv@.service' # Our directory server instance for PKI is dirsrv@PKI-IPA.service system_units['pkids'] = 'dirsrv@PKI-IPA.service' -# Our PKI instance is pki-cad@pki-ca.service +# Old style PKI instance system_units['pki-cad'] = 'pki-cad@pki-ca.service' system_units['pki_cad'] = system_units['pki-cad'] +# Our PKI instance is pki-tomcatd@pki-tomcat.service +system_units['pki-tomcatd'] = 'pki-tomcatd@pki-tomcat.service' +system_units['pki_tomcatd'] = system_units['pki-tomcatd'] class Fedora16Service(systemd.SystemdService): def __init__(self, service_name): diff --git a/ipapython/platform/systemd.py b/ipapython/platform/systemd.py index a233e1045..c174488c0 100644 --- a/ipapython/platform/systemd.py +++ b/ipapython/platform/systemd.py @@ -41,10 +41,10 @@ class SystemdService(base.PlatformService): # Short-cut: if there is already exact service name, return it if self.lib_path_exists and len(instance_name) == 0: if len(elements) == 1: - # service name is like pki-cad.target or krb5kdc.service + # service name is like pki-tomcatd.target or krb5kdc.service return self.service_name if len(elements) > 1 and elements[1][0] != '.': - # Service name is like pki-cad@pki-ca.service and that file exists + # Service name is like pki-tomcatd@pki-tomcat.service and that file exists return self.service_name if len(elements) > 1: diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 1d953757c..4ab58d062 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py 
@@ -65,15 +65,10 @@ PKI_USER = "pkiuser" PKI_DS_USER = "pkisrv" # These values come from /usr/share/pki/ca/setup/postinstall -PKI_INSTANCE_NAME="pki-ca" -AGENT_SECURE_PORT=9443 -EE_SECURE_PORT=9444 -ADMIN_SECURE_PORT=9445 -EE_CLIENT_AUTH_PORT=9446 -UNSECURE_PORT=9180 -TOMCAT_SERVER_PORT=9701 +PKI_INSTANCE_NAME="pki-tomcat" +AGENT_SECURE_PORT=8443 -IPA_SERVICE_PROFILE = '/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME +IPA_SERVICE_PROFILE = '/var/lib/pki/%s/ca/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME # We need to reset the template because the CA uses the regular boot # information @@ -97,9 +92,9 @@ def check_inst(): """ # Check for a couple of binaries we need - if not os.path.exists('/usr/bin/pkicreate'): + if not os.path.exists('/bin/pkispawn'): return False - if not os.path.exists('/usr/bin/pkisilent'): + if not os.path.exists('/bin/pkidestroy'): return False # This is the template tomcat file for a CA @@ -108,31 +103,6 @@ def check_inst(): return True -def get_preop_pin(instance_root, instance_name): - preop_pin = None - - filename = instance_root + "/" + instance_name + "/conf/CS.cfg" - - # read the config file and get the preop pin - try: - f=open(filename) - except IOError, e: - root_logger.error("Cannot open configuration file." + str(e)) - raise e - data = f.read() - data = data.split('\n') - pattern = re.compile("preop.pin=(.*)" ) - for line in data: - match = re.search(pattern, line) - if (match): - preop_pin=match.group(1) - break - - if preop_pin is None: - raise RuntimeError("Unable to find preop.pin in %s. Is your CA already configured?" % filename) - - return preop_pin - def import_pkcs12(input_file, input_passwd, cert_database, cert_passwd): ipautil.run(["/usr/bin/pk12util", "-d", cert_database, 
@@ -415,7 +385,7 @@ class CADSInstance(service.Service): 'ocspSigningCert cert-pki-ca', 'subsystemCert cert-pki-ca']: try: - certmonger.stop_tracking('/var/lib/pki-ca/alias', nickname=nickname) + certmonger.stop_tracking('/etc/pki/pki-tomcat/alias', nickname=nickname) except (ipautil.CalledProcessError, RuntimeError), e: root_logger.error("certmonger failed to stop tracking certificate: %s" % str(e)) @@ -444,7 +414,7 @@ class CAInstance(service.Service): """ def __init__(self, realm, ra_db): - service.Service.__init__(self, "pki-cad") + service.Service.__init__(self, "pki-tomcatd") self.realm = realm self.dm_password = None self.admin_password = None @@ -468,7 +438,7 @@ class CAInstance(service.Service): self.ra_agent_pwd = self.ra_agent_db + "/pwdfile.txt" self.ds_port = DEFAULT_DSPORT self.domain_name = "IPA" - self.server_root = "/var/lib" + self.server_root = "/var/lib/pki" self.ra_cert = None self.requestId = None @@ -489,8 +459,7 @@ class CAInstance(service.Service): pkcs12_info=None, master_host=None, csr_file=None, cert_file=None, cert_chain_file=None, subject_base=None): - """Create a CA instance. This may involve creating the pki-ca instance - dogtag instance. + """Create a CA instance. To create a clone, pass in pkcs12_info. 
@@ -523,15 +492,11 @@ class CAInstance(service.Service): self.external=2 self.step("creating certificate server user", self.__create_ca_user) - if not ipautil.dir_exists("/var/lib/pki-ca"): - self.step("creating pki-ca instance", self.create_instance) - self.step("configuring certificate server instance", self.__configure_instance) + self.step("configuring certificate server instance", self.__spawn_instance) self.step("disabling nonces", self.__disable_nonce) # Step 1 of external is getting a CSR so we don't need to do these # steps until we get a cert back from the external CA. if self.external != 1: - if not self.clone: - self.step("creating CA agent PKCS#12 file in /root", self.__create_ca_agent_pkcs12) if self.create_ra_agent_db: self.step("creating RA agent certificate database", self.__create_ra_agent_db) self.step("importing CA chain to RA certificate database", self.__import_ca_chain) 
@@ -555,26 +520,117 @@ class CAInstance(service.Service): self.start_creation("Configuring certificate server", 210) - def create_instance(self): + def __spawn_instance(self): """ - If for some reason the instance doesn't exist, create a new one." + Create and configure a new instance using pkispawn. + pkispawn requires a configuration file with the appropriate + values substituted in. """ - args = ['/usr/bin/pkicreate', - '-pki_instance_root', '/var/lib', - '-pki_instance_name', PKI_INSTANCE_NAME, - '-subsystem_type', 'ca', - '-agent_secure_port', str(AGENT_SECURE_PORT), - '-ee_secure_port', str(EE_SECURE_PORT), - '-admin_secure_port', str(ADMIN_SECURE_PORT), - '-ee_secure_client_auth_port', str(EE_CLIENT_AUTH_PORT), - '-unsecure_port', str(UNSECURE_PORT), - '-tomcat_server_port', str(TOMCAT_SERVER_PORT), - '-redirect', 'conf=/etc/pki-ca', - '-redirect', 'logs=/var/log/pki-ca', - '-enable_proxy' - ] - ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn}) + # create a new config file for this installation + (cfg_fd, cfg_file) = tempfile.mkstemp() + os.close(cfg_fd) + shutil.copy("/usr/share/pki/deployment/config/pkideployment.cfg", + cfg_file) + pent = pwd.getpwnam(PKI_USER) + os.chown(cfg_file, pent.pw_uid, pent.pw_gid ) + replacevars = { + "pki_enable_proxy": "True", + "pki_restart_configured_instance": "False", + "pki_client_database_dir": self.ca_agent_db, + "pki_client_database_password": self.admin_password, + "pki_client_database_purge": "False", + "pki_client_pkcs12_password": self.admin_password, + "pki_security_domain_name": self.domain_name, + "pki_admin_email": "root@localhost", + "pki_admin_password": self.admin_password, + "pki_admin_nickname": "ipa-ca-agent", + "pki_admin_subject_dn": "CN=ipa-ca-agent,%s" % self.subject_base, + "pki_ds_ldap_port": str(self.ds_port), + "pki_ds_password": self.dm_password, + "pki_ds_base_dn": self.basedn, + "pki_ds_database": "ipaca", + "pki_backup_keys": "True", + "pki_backup_password": self.admin_password, + 
"pki_subsystem_subject_dn": \ + "CN=CA Subsystem,%s" % self.subject_base, + "pki_ocsp_signing_subject_dn": \ + "CN=OCSP Subsystem,%s" % self.subject_base, + "pki_ssl_server_subject_dn": \ + "CN=%s,%s" % (self.fqdn, self.subject_base), + "pki_audit_signing_subject_dn": \ + "CN=CA Audit,%s" % self.subject_base, + "pki_ca_signing_subject_dn": \ + "CN=Certificate Authority,%s" % self.subject_base, + "pki_subsystem_nickname": "subsystemCert cert-pki-ca", + "pki_ocsp_signing_nickname": "ocspSigningCert cert-pki-ca", + "pki_ssl_server_nickname": "Server-Cert cert-pki-ca", + "pki_audit_signing_nickname": "auditSigningCert cert-pki-ca", + "pki_ca_signing_nickname": "caSigningCert cert-pki-ca" + } + + if (self.clone): + cafile = self.pkcs12_info[0] + shutil.copy(cafile, "/tmp/ca.p12") + pent = pwd.getpwnam(PKI_USER) + os.chown("/tmp/ca.p12", pent.pw_uid, pent.pw_gid ) + + clone_vars = { + "pki_clone_pkcs12_password": self.dm_password, + "pki_clone": "True", + "pki_clone_pkcs12_path": "/tmp/ca.p12", + "pki_security_domain_hostname": self.master_host, + "pki_security_domain_https_port": "443", + "pki_security_domain_password": self.admin_password, + "pki_clone_replication_security": "SSL", + "pki_clone_uri": \ + "https://%s" % ipautil.format_netloc(self.master_host, 443) + } + replacevars.update(clone_vars) + + if self.external == 1: + external_vars = { + "pki_external": "True", + "pki_external_csr_path": self.csr_file + } + replacevars.update(external_vars) + elif self.external == 2: + external_vars = { + "pki_external": "True", + "pki_external_ca_cert_path": self.cert_file, + "pki_external_ca_cert_chain_path": self.cert_chain_file, + "pki_external_step_two": "True" + } + replacevars.update(external_vars) + + ipautil.config_replace_variables(cfg_file, replacevars=replacevars) + + # Define the things we don't want logged + nolog = (self.admin_password, self.dm_password,) + + args = ["/bin/pkispawn", "-s", "CA", "-f", cfg_file ] + + try: + ipautil.run(args, nolog=nolog) + 
except ipautil.CalledProcessError, e: + root_logger.critical("failed to configure ca instance %s" % e) + raise RuntimeError('Configuration of CA failed') + finally: + os.remove(cfg_file) + + if not self.clone: + shutil.move("/var/lib/pki/pki-tomcat/alias/ca_admin_cert.p12", \ + "/root/ca-agent.p12") + shutil.move("/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12", \ + "/root/cacert.p12") + + if self.external == 1: + print "The next step is to get %s signed by your CA and re-run ipa-server-install as:" % self.csr_file + print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate" + sys.exit(0) + + root_logger.debug("completed creating ca instance") + def __enable(self): self.backup_state("enabled", self.is_enabled()) 
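Review bot: The clone branch of `__spawn_instance` copies the CA's PKCS#12 (which carries the CA signing key) to the fixed path `/tmp/ca.p12`, chowns it to pkiuser, and never removes it: a predictable name in a world-writable directory is exposed to pre-placed files or symlinks from any local user, `shutil.copy` carries over whatever mode the source file has, and the key material stays on disk after pkispawn finishes. Create it with `tempfile.mkstemp()` as the code already does for the deployment config (0600, unpredictable name), copy with `shutil.copyfile` so that mode is kept, pass that path as `pki_clone_pkcs12_path`, and delete it in the same `finally` that removes `cfg_file`. This also lets the clone branch reuse the `pent = pwd.getpwnam(PKI_USER)` taken a few lines above instead of repeating it. The deployment config itself holds the admin and Directory Manager passwords; mkstemp's 0600 is right, provided `ipautil.config_replace_variables` rewrites the file in place rather than recreating it under the default umask — worth confirming.
```python
        clone_p12 = None
        if (self.clone):
            # Private, unpredictable temp file (0600) for the CA PKCS#12
            # instead of the fixed /tmp/ca.p12; removed in the finally below.
            (p12_fd, clone_p12) = tempfile.mkstemp()
            os.close(p12_fd)
            shutil.copyfile(self.pkcs12_info[0], clone_p12)
            os.chown(clone_p12, pent.pw_uid, pent.pw_gid)

            clone_vars = {
                "pki_clone_pkcs12_password": self.dm_password,
                "pki_clone": "True",
                "pki_clone_pkcs12_path": clone_p12,
                # … unchanged: security domain and replication settings …
            }
            replacevars.update(clone_vars)

        # … unchanged: external CA handling, config_replace_variables, nolog, args …

        try:
            ipautil.run(args, nolog=nolog)
        except ipautil.CalledProcessError, e:
            root_logger.critical("failed to configure ca instance %s" % e)
            raise RuntimeError('Configuration of CA failed')
        finally:
            os.remove(cfg_file)
            if clone_p12 is not None:
                os.remove(clone_p12)
```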
@@ -600,110 +656,6 @@ class CAInstance(service.Service): except ipautil.CalledProcessError, e: root_logger.critical("failed to add user %s" % e) - def __configure_instance(self): - preop_pin = get_preop_pin(self.server_root, PKI_INSTANCE_NAME) - - try: - args = ["/usr/bin/perl", "/usr/bin/pkisilent", "ConfigureCA", - "-cs_hostname", self.fqdn, - "-cs_port", str(ADMIN_SECURE_PORT), - "-client_certdb_dir", self.ca_agent_db, - "-client_certdb_pwd", self.admin_password, - "-preop_pin" , preop_pin, - "-domain_name", self.domain_name, - "-admin_user", "admin", - "-admin_email", "root@localhost", - "-admin_password", self.admin_password, - "-agent_name", "ipa-ca-agent", - "-agent_key_size", "2048", - "-agent_key_type", "rsa", - "-agent_cert_subject", str(DN(('CN', 'ipa-ca-agent'), self.subject_base)), - "-ldap_host", self.fqdn, - "-ldap_port", str(self.ds_port), - "-bind_dn", "cn=Directory Manager", - "-bind_password", self.dm_password, - "-base_dn", str(self.basedn), - "-db_name", "ipaca", - "-key_size", "2048", - "-key_type", "rsa", - "-key_algorithm", "SHA256withRSA", - "-save_p12", "true", - "-backup_pwd", self.admin_password, - "-subsystem_name", self.service_name, - "-token_name", "internal", - "-ca_subsystem_cert_subject_name", str(DN(('CN', 'CA Subsystem'), self.subject_base)), - "-ca_subsystem_cert_subject_name", str(DN(('CN', 'CA Subsystem'), self.subject_base)), - "-ca_ocsp_cert_subject_name", str(DN(('CN', 'OCSP Subsystem'), self.subject_base)), - "-ca_server_cert_subject_name", str(DN(('CN', self.fqdn), self.subject_base)), - "-ca_audit_signing_cert_subject_name", str(DN(('CN', 'CA Audit'), self.subject_base)), - "-ca_sign_cert_subject_name", str(DN(('CN', 'Certificate Authority'), self.subject_base)) ] - if self.external == 1: - args.append("-external") - args.append("true") - args.append("-ext_csr_file") - args.append(self.csr_file) - elif self.external == 2: - args.append("-external") - args.append("true") - args.append("-ext_ca_cert_file") - 
args.append(self.cert_file) - args.append("-ext_ca_cert_chain_file") - args.append(self.cert_chain_file) - else: - args.append("-external") - args.append("false") - if (self.clone): - """sd = security domain --> all CS systems get registered to - a security domain. This is set to the hostname and port of - the master CA. - """ - # The install wizard expects the file to be here. - cafile = self.pkcs12_info[0] - shutil.copy(cafile, "/var/lib/pki-ca/alias/ca.p12") - pent = pwd.getpwnam(PKI_USER) - os.chown("/var/lib/pki-ca/alias/ca.p12", pent.pw_uid, pent.pw_gid ) - args.append("-clone") - args.append("true") - args.append("-clone_p12_file") - args.append("ca.p12") - args.append("-clone_p12_password") - args.append(self.dm_password) - args.append("-sd_hostname") - args.append(self.master_host) - args.append("-sd_admin_port") - args.append("443") - args.append("-sd_admin_name") - args.append("admin") - args.append("-sd_admin_password") - args.append(self.admin_password) - args.append("-clone_start_tls") - args.append("true") - args.append("-clone_uri") - args.append("https://%s" % ipautil.format_netloc(self.master_host, 443)) - else: - args.append("-clone") - args.append("false") - - # Define the things we don't want logged - nolog = (self.admin_password, self.dm_password,) - - ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn}, nolog=nolog) - except ipautil.CalledProcessError, e: - root_logger.critical("failed to configure ca instance %s" % e) - raise RuntimeError('Configuration of CA failed') - - if self.external == 1: - print "The next step is to get %s signed by your CA and re-run ipa-server-install as:" % self.csr_file - print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate" - sys.exit(0) - - # pkisilent makes a copy of the CA PKCS#12 file for us but gives - # it a lousy name. 
- if ipautil.file_exists("/root/tmp-ca.p12"): - shutil.move("/root/tmp-ca.p12", "/root/cacert.p12") - - root_logger.debug("completed creating ca instance") - def __restart_instance(self): try: self.restart(PKI_INSTANCE_NAME) @@ -713,10 +665,11 @@ class CAInstance(service.Service): def __disable_nonce(self): # Turn off Nonces - if installutils.update_file('/var/lib/pki-ca/conf/CS.cfg', 'ca.enableNonces=true', 'ca.enableNonces=false') != 0: + cfg_file = '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg' + if installutils.update_file(cfg_file, 'ca.enableNonces=true', 'ca.enableNonces=false') != 0: raise RuntimeError("Disabling nonces failed") pent = pwd.getpwnam(PKI_USER) - os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid ) + os.chown(cfg_file, pent.pw_uid, pent.pw_gid ) def __issue_ra_cert(self): # The CA certificate is in the agent DB but isn't trusted @@ -767,7 +720,7 @@ class CAInstance(service.Service): ] (stdout, stderr, returncode) = ipautil.run(args, nolog=(self.admin_password,)) - data = stdout.split('\r\n') + data = stdout.split('\n') params = get_defList(data) params['requestId'] = find_substring(data, "requestId") params['op'] = 'approve' @@ -788,7 +741,7 @@ class CAInstance(service.Service): ] (stdout, stderr, returncode) = ipautil.run(args, nolog=(self.admin_password,)) - data = stdout.split('\r\n') + data = stdout.split('\n') outputList = get_outputList(data) self.ra_cert = outputList['b64_cert'] @@ -905,20 +858,6 @@ class CAInstance(service.Service): except Exception, e: raise RuntimeError("Unable to retrieve CA chain: %s" % str(e)) - def __create_ca_agent_pkcs12(self): - (pwd_fd, pwd_name) = tempfile.mkstemp() - os.write(pwd_fd, self.admin_password) - os.close(pwd_fd) - try: - ipautil.run(["/usr/bin/pk12util", - "-n", "ipa-ca-agent", - "-o", "/root/ca-agent.p12", - "-d", self.ca_agent_db, - "-k", pwd_name, - "-w", pwd_name]) - finally: - os.remove(pwd_name) - def __import_ca_chain(self): chain = self.__get_ca_chain() 
@@ -982,7 +921,7 @@ class CAInstance(service.Service): csr = pkcs10.strip_header(stdout) # Send the request to the CA - conn = httplib.HTTPConnection(self.fqdn, 9180) + conn = httplib.HTTPConnection(self.fqdn, 8080) params = urllib.urlencode({'profileId': 'caServerCert', 'cert_request_type': 'pkcs10', 'requestor_name': 'IPA Installer', @@ -1020,7 +959,7 @@ class CAInstance(service.Service): def __setup_sign_profile(self): # Tell the profile to automatically issue certs for RAs - installutils.set_directive('/var/lib/pki-ca/profiles/ca/caJarSigningCert.cfg', 'auth.instance_id', 'raCertAuth', quotes=False, separator='=') + installutils.set_directive('/var/lib/pki/pki-tomcat/ca/profiles/ca/caJarSigningCert.cfg', 'auth.instance_id', 'raCertAuth', quotes=False, separator='=') def __enable_crl_publish(self): """ @@ -1028,9 +967,9 @@ class CAInstance(service.Service): http://www.redhat.com/docs/manuals/cert-system/8.0/admin/html/Setting_up_Publishing.html """ - caconfig = "/var/lib/pki-ca/conf/CS.cfg" + caconfig = "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" - publishdir='/var/lib/pki-ca/publish' + publishdir='/var/lib/pki/pki-tomcat/ca/publish' os.mkdir(publishdir) os.chmod(publishdir, 0755) pent = pwd.getpwnam(PKI_USER) @@ -1089,8 +1028,8 @@ class CAInstance(service.Service): self.disable() try: - ipautil.run(["/usr/bin/pkiremove", "-pki_instance_root=/var/lib", - "-pki_instance_name=%s" % PKI_INSTANCE_NAME, "--force"]) + ipautil.run(["/bin/pkidestroy", "-i", "pki-tomcat", + "-s", "CA"]) except ipautil.CalledProcessError, e: root_logger.critical("failed to uninstall CA instance %s" % e) 
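Review bot: The uninstall hunk `@@ -1089,8 +1028,8 @@` hardcodes the instance as `"-i", "pki-tomcat"` although this file defines `PKI_INSTANCE_NAME="pki-tomcat"` and the rest of the patch (e.g. `ca.stop(PKI_INSTANCE_NAME)`) uses the constant; the same applies to the `8080` literal in `httplib.HTTPConnection(self.fqdn, 8080)` in the `@@ -982,7 +921,7 @@` hunk, whose `UNSECURE_PORT` constant was removed in the first hunk of this file, and to the `/var/lib/pki/pki-tomcat/...` literals in the neighbouring hunks. Suggested: `ipautil.run(["/bin/pkidestroy", "-i", PKI_INSTANCE_NAME, "-s", "CA"])` and a named `UNSECURE_PORT = 8080` for the HTTP connection, so a future instance or port change happens in one place rather than in a dozen string literals.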
@@ -1118,7 +1057,7 @@ class CAInstance(service.Service): pin = certmonger.get_pin('internal') except IOError, e: raise RuntimeError('Unable to determine PIN for CA instance: %s' % str(e)) - certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', 'Server-Cert cert-pki-ca', pin, None, '/var/lib/pki-ca/alias', 'restart_pkicad "Server-Cert cert-pki-ca"') + certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', 'Server-Cert cert-pki-ca', pin, None, '/etc/pki/pki-tomcat/alias', 'restart_pkicad "Server-Cert cert-pki-ca"') def configure_renewal(self): cmonger = ipaservices.knownservices.certmonger @@ -1135,7 +1074,7 @@ class CAInstance(service.Service): for nickname in ['auditSigningCert cert-pki-ca', 'ocspSigningCert cert-pki-ca', 'subsystemCert cert-pki-ca']: - certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', nickname, pin, None, '/var/lib/pki-ca/alias', 'renew_ca_cert "%s"' % nickname) + certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', nickname, pin, None, '/etc/pki/pki-tomcat/alias', 'renew_ca_cert "%s"' % nickname) # Set up the agent cert for renewal certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', 'ipaCert', None, '/etc/httpd/alias/pwdfile.txt', '/etc/httpd/alias', 'renew_ra_cert') @@ -1179,7 +1118,7 @@ class CAInstance(service.Service): for nickname in ['auditSigningCert cert-pki-ca', 'ocspSigningCert cert-pki-ca', 'subsystemCert cert-pki-ca']: - certmonger.dogtag_start_tracking('dogtag-ipa-retrieve-agent-submit', nickname, pin, None, '/var/lib/pki-ca/alias', 'restart_pkicad "%s"' % nickname) + certmonger.dogtag_start_tracking('dogtag-ipa-retrieve-agent-submit', nickname, pin, None, '/etc/pki/pki-tomcat/alias', 'restart_pkicad "%s"' % nickname) # The agent renewal is configured in import_ra_cert which is called # after the HTTP instance is created. 
@@ -1191,7 +1130,7 @@ class CAInstance(service.Service): setlist = installutils.get_directive(IPA_SERVICE_PROFILE, 'policyset.serverCertSet.list', separator='=') - # this is the default setting from pki-ca. Don't touch it if a user + # this is the default setting from pki-tomcat. Don't touch it if a user # has manually modified it. if setlist == '1,2,3,4,5,6,7,8': installutils.set_directive(IPA_SERVICE_PROFILE, @@ -1234,7 +1173,7 @@ class CAInstance(service.Service): responsibility to handle changes on upgrades. """ master = installutils.get_directive( - '/var/lib/pki-ca/conf/CS.cfg', 'subsystem.select', '=') + '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg', 'subsystem.select', '=') return master == 'New' @@ -1301,10 +1240,10 @@ def install_replica_ca(config, postinstall=False): # unix service. service.print_msg("Restarting the directory and certificate servers") - ca.stop() + ca.stop(PKI_INSTANCE_NAME) ipaservices.knownservices.dirsrv.stop("PKI-IPA") ipaservices.knownservices.dirsrv.start("PKI-IPA") - ca.start() + ca.start(PKI_INSTANCE_NAME) return (ca, cs) @@ -1323,7 +1262,7 @@ def update_cert_config(nickname, cert): 'subsystemCert cert-pki-ca': 'ca.subsystem.cert', 'Server-Cert cert-pki-ca': 'ca.sslserver.cert' } - installutils.set_directive('/var/lib/%s/conf/CS.cfg' % PKI_INSTANCE_NAME, + installutils.set_directive('/var/lib/pki/%s/conf/ca/CS.cfg' % PKI_INSTANCE_NAME, directives[nickname], base64.b64encode(cert), quotes=False, separator='=') diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index cd2becb17..bc0510c3a 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py 
@@ -47,7 +47,7 @@ from ipalib import errors from ipapython.dn import DN # Used to determine install status -IPA_MODULES = ['httpd', 'kadmin', 'dirsrv', 'pki-cad', 'pkids', 'install', 'krb5kdc', 'ntpd', 'named', 'ipa_memcached'] +IPA_MODULES = ['httpd', 'kadmin', 'dirsrv', 'pki-tomcatd', 'pkids', 'install', 'krb5kdc', 'ntpd', 'named', 'ipa_memcached'] class BadHostError(Exception): pass diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index dcfcbc27f..e15d4e5e0 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -41,6 +41,17 @@ AUTO = 1 ENABLED = 2 DISABLED = 3 +# Determine if we have an updated dogtag instance (dogtag 10+) or +# an older one. +dogtag_service = 'pki-cad' +try: + for line in open("/etc/ipa/default.conf", "r"): + if "dogtag_version" in line: + dogtag_service = 'pki-tomcatd' + break +except IOError, e: + pass + # The service name as stored in cn=masters,cn=ipa,cn=etc. In the tuple # the first value is the *nix service name, the second the start order. SERVICE_LIST = { @@ -49,7 +60,7 @@ SERVICE_LIST = { 'DNS':('named', 30), 'MEMCACHE':('ipa_memcached', 39), 'HTTP':('httpd', 40), - 'CA':('pki-cad', 50), + 'CA':(dogtag_service, 50), 'ADTRUST':('smb', 60), 'EXTID':('winbind', 70) } diff --git a/selinux/ipa_dogtag/ipa_dogtag.fc b/selinux/ipa_dogtag/ipa_dogtag.fc index 58a4b3e82..e467972be 100644 --- a/selinux/ipa_dogtag/ipa_dogtag.fc +++ b/selinux/ipa_dogtag/ipa_dogtag.fc @@ -1 +1 @@ -/var/lib/pki-ca/publish(/.*)? gen_context(system_u:object_r:cert_t,s0) +/var/lib/pki/pki-tomcat/ca/publish(/.*)? gen_context(system_u:object_r:cert_t,s0) -- cgit
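Review bot: The version detection in the service.py hunk `@@ -41,6 +41,17 @@` tests `"dogtag_version" in line`, so a commented-out `#dogtag_version=10`, or any key merely containing that substring, selects `pki-tomcatd`, and the file is read as a side effect of importing the module; the caught `e` is also unused. A key comparison, `if line.split('=', 1)[0].strip() == 'dogtag_version':`, together with `except IOError:`, would make the check exact. The restart scripts in this patch decide the same question via `'dogtag_version' in api.env`; using one mechanism for both would keep the service choice consistent between install and renewal paths. The handle from `open(...)` in the `for` statement is never closed explicitly; a `with open("/etc/ipa/default.conf", "r") as f:` block around the loop avoids relying on refcounting.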