From 3dd31a875650c7fe7c67ca6b47f2058c1181dafb Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Wed, 15 Aug 2012 22:53:51 -0400 Subject: Modifications to install scripts for dogtag 10 Dogtag 10 uses a new installer, new directory layout and new default ports. This patch changes the ipa install code to integrate these changes. https://fedorahosted.org/freeipa/ticket/2846 --- install/conf/ipa-pki-proxy.conf | 16 ++++++++-------- install/conf/ipa.conf | 4 ++-- install/restart_scripts/renew_ca_cert | 19 ++++++++++++++----- install/restart_scripts/restart_pkicad | 18 +++++++++++++----- install/tools/ipa-ca-install | 10 ++++++++++ install/tools/ipa-csreplica-manage | 2 +- install/tools/ipa-replica-install | 1 + install/tools/ipa-replica-prepare | 2 +- install/tools/ipa-server-install | 1 + install/ui/test/data/ipa_init.json | 6 +++--- 10 files changed, 54 insertions(+), 25 deletions(-) (limited to 'install') diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf index 91a99aaf9..7a067ca9c 100644 --- a/install/conf/ipa-pki-proxy.conf +++ b/install/conf/ipa-pki-proxy.conf @@ -6,22 +6,22 @@ ProxyRequests Off NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate NSSVerifyClient none - ProxyPassMatch ajp://localhost:9447/ - ProxyPassReverse ajp://localhost:9447/ + ProxyPassMatch ajp://localhost:8009 + ProxyPassReverse ajp://localhost:8009 -# matches for admin port - +# matches for admin port and installer + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate NSSVerifyClient none - ProxyPassMatch ajp://localhost:9447/ - ProxyPassReverse ajp://localhost:9447/ + ProxyPassMatch ajp://localhost:8009 + ProxyPassReverse ajp://localhost:8009 # matches for agent port and eeca port NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate NSSVerifyClient require - ProxyPassMatch ajp://localhost:9447/ - ProxyPassReverse ajp://localhost:9447/ + ProxyPassMatch ajp://localhost:8009 + ProxyPassReverse ajp://localhost:8009 diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index 1b31a52ac..d428460fe 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf @@ -105,8 +105,8 @@ Alias /ipa/config "/usr/share/ipa/html" # For CRL publishing -Alias /ipa/crl "/var/lib/pki-ca/publish" - +Alias /ipa/crl "/var/lib/pki/tomcat-ca/ca/publish" + SetHandler None AllowOverride None Options Indexes FollowSymLinks diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert index 6e4d2b789..4c3af9775 100644 --- a/install/restart_scripts/renew_ca_cert +++ b/install/restart_scripts/renew_ca_cert @@ -45,8 +45,14 @@ nickname = sys.argv[1] api.bootstrap(context='restart') api.finalize() +alias_dir = '/etc/pki/pki-tomcat/alias' +dogtag_instance = 'pki-tomcat' +if 'dogtag_version' not in api.env: + alias_dir = '/var/lib/pki-ca/alias' + dogtag_instance = 'pki-ca' + # Fetch the new certificate -db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias') +db = certs.CertDB(api.env.realm, nssdir=alias_dir) cert = db.get_cert_from_db(nickname, pem=False) if not cert: @@ -79,7 +85,7 @@ finally: # Fix permissions on the audit cert if we're updating it if nickname == 'auditSigningCert cert-pki-ca': - db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias') + db = certs.CertDB(api.env.realm, nssdir=alias_dir) args = ['-M', '-n', nickname, '-t', 'u,u,Pu', @@ -91,7 +97,9 @@ if nickname == 'auditSigningCert cert-pki-ca': update_cert_config(nickname, cert) -syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted pki-cad instance pki-ca to renew %s' % nickname) +syslog.syslog( + syslog.LOG_NOTICE, 'certmonger restarted %sd instance %s to renew %s' % + (dogtag_instance, dogtag_instance, nickname)) # We monitor 3 certs that are all likely to be renewed by certmonger more or # less at the same time. Each cert renewal is going to need to restart @@ -102,6 +110,7 @@ pause = random.randint(10,360) syslog.syslog(syslog.LOG_NOTICE, 'Pausing %d seconds to restart pki-ca' % pause) time.sleep(pause) try: - ipaservices.knownservices.pki_cad.restart('pki-ca') + ipaservices.knownservices.pki_cad.restart(dogtag_instance) except Exception, e: - syslog.syslog(syslog.LOG_ERR, "Cannot restart pki-cad: %s" % str(e)) + syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" % \ + (dogtag_instance, str(e))) diff --git a/install/restart_scripts/restart_pkicad b/install/restart_scripts/restart_pkicad index 070760b16..c21fb802f 100644 --- a/install/restart_scripts/restart_pkicad +++ b/install/restart_scripts/restart_pkicad @@ -30,11 +30,18 @@ nickname = sys.argv[1] api.bootstrap(context='restart') api.finalize() -syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted pki-cad, nickname '%s'" % nickname) +alias_dir = '/etc/pki/pki-tomcat/alias' +dogtag_instance = 'pki-tomcat' +if 'dogtag_version' not in api.env: + alias_dir = '/var/lib/pki-ca/alias' + dogtag_instance = 'pki-ca' + +syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted %sd, nickname '%s'" % \ + (dogtag_instance, nickname)) # Fix permissions on the audit cert if we're updating it if nickname == 'auditSigningCert cert-pki-ca': - db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias') + db = certs.CertDB(api.env.realm, nssdir = alias_dir ) args = ['-M', '-n', nickname, '-t', 'u,u,Pu', @@ -44,7 +51,8 @@ if nickname == 'auditSigningCert cert-pki-ca': try: # I've seen times where systemd restart does not actually restart # the process. A full stop/start is required. This works around that - ipaservices.knownservices.pki_cad.stop('pki-ca') - ipaservices.knownservices.pki_cad.start('pki-ca') + ipaservices.knownservices.pki_cad.stop(dogtag_instance) + ipaservices.knownservices.pki_cad.start(dogtag_instance) except Exception, e: - syslog.syslog(syslog.LOG_ERR, "Cannot restart pki-cad: %s" % str(e)) + syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" % \ + (dogtag_instance, str(e))) diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 4d7be217d..d52832239 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -156,6 +156,16 @@ def main(): # We need to restart apache as we drop a new config file in there ipaservices.knownservices.httpd.restart(capture_output=True) + #update dogtag version in config file to denote new instance + try: + fd = open("/etc/ipa/default.conf", "a") + fd.write("dogtag_version=10\n") + fd.close() + except IOError, e: + print "Failed to update /etc/ipa/default.conf" + root_logger.error(str(e)) + sys.exit(1) + fail_message = ''' Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage index 6eefe8d6d..884956fd1 100755 --- a/install/tools/ipa-csreplica-manage +++ b/install/tools/ipa-csreplica-manage @@ -80,7 +80,7 @@ class CSReplicationManager(replication.ReplicationManager): """ dn = None cn = None - instance_name = 'pki-ca' + instance_name = 'pki-tomcat' # if master is not None we know what dn to return: if master is not None: diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 267a70d8b..a7b34cf1b 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -376,6 +376,7 @@ def main(): if ipautil.file_exists(config.dir + "/cacert.p12"): fd.write("enable_ra=True\n") fd.write("ra_plugin=dogtag\n") + fd.write("dogtag_version=10\n") fd.write("mode=production\n") fd.close() finally: diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare index d1ffe4e2e..ce25681f4 100755 --- a/install/tools/ipa-replica-prepare +++ b/install/tools/ipa-replica-prepare @@ -304,7 +304,7 @@ def main(): if options.reverse_zone and not bindinstance.verify_reverse_zone(options.reverse_zone, options.ip_address): sys.exit(1) - if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki-ca/conf/CS.cfg") and not options.dirsrv_pin: + if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki/pki-tomcat/conf/ca/CS.cfg") and not options.dirsrv_pin: sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.") check_ipa_configuration(api.env.realm) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index f07aeadf8..639a72701 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -853,6 +853,7 @@ def main(): fd.write("enable_ra=True\n") if not options.selfsign: fd.write("ra_plugin=dogtag\n") + fd.write("dogtag_version=10\n") fd.write("mode=production\n") fd.close() diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json index 0d94d9b02..bccc31b19 100644 --- a/install/ui/test/data/ipa_init.json +++ b/install/ui/test/data/ipa_init.json @@ -669,12 +669,12 @@ "result": { "basedn": "dc=dev,dc=example,dc=com", "bin": "/var/www", - "ca_agent_install_port": 9443, + "ca_agent_install_port": 8443, "ca_agent_port": 443, - "ca_ee_install_port": 9444, + "ca_ee_install_port": 8443, "ca_ee_port": 443, "ca_host": "dev.example.com", - "ca_install_port": 9180, + "ca_install_port": 8080, "ca_port": 80, "conf": "/etc/ipa/server.conf", "conf_default": "/etc/ipa/default.conf", -- cgit