author | Rob Crittenden <rcritten@redhat.com> | 2009-07-10 16:18:16 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2009-07-15 09:00:01 -0400 |
commit | 8d164569d0e4ee79089ae224ac6f5a569c291cdb (patch) | |
tree | a75db1b23693315d1b35bad891ea6c86019d7149 /install/tools/ipa-replica-prepare | |
parent | 904e55540438cfd88507fa747daa585605b90bdb (diff) | |
Allow replicas of an IPA server using an internal dogtag server as the CA
This involves creating a new CA instance on the replica and using pkisilent
to create a clone of the master CA.
Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of
changes to ports and configuration have been done recently.
Diffstat (limited to 'install/tools/ipa-replica-prepare')
-rwxr-xr-x | install/tools/ipa-replica-prepare | 72 |
1 files changed, 60 insertions, 12 deletions
diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index c2424652..bb8df1d9 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -28,7 +28,7 @@ from optparse import OptionParser
 import ipapython.config
 from ipapython import ipautil
-from ipaserver.install import dsinstance, installutils, certs
+from ipaserver.install import dsinstance, installutils, certs, httpinstance
 from ipaserver import ipaldap
 from ipapython import version
 import ldap
@@ -98,28 +98,37 @@ def check_ipa_configuration(realm_name):
         logging.error("could not find directory instance: %s" % config_dir)
         sys.exit(1)
-def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, subject):
+def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname):
     """realm is the kerberos realm for the IPA server.
     ds_dir is the location of the master DS we are creating a replica for.
     dir is the location of the files for the replica we are creating.
     passwd_fname is the file containing the PKCS#12 password
     fname is the filename of the PKCS#12 file for this cert (minus the .p12).
-    subject is the subject of the certificate we are creating
+    hostname is the FQDN of the server we're creating a cert for.
+
+    The subject is handled by certs.CertDB:create_server_cert()
     """
     try:
-        ds_ca = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name)))
-        ca = certs.CertDB(dir)
-        ca.create_from_cacert(ds_ca.cacert_fname)
-        ca.create_server_cert("Server-Cert", subject, ds_ca)
+        self_signed = certs.ipa_self_signed()
+
+        db = certs.CertDB(dir)
+        db.create_passwd_file()
+        db.create_certdbs()
+        if self_signed:
+            ca_db = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name)))
+            db.create_from_cacert(ca_db.cacert_fname)
+        else:
+            ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=get_host_name())
+        db.create_server_cert("Server-Cert", hostname, ca_db)
     except Exception, e:
         raise e
     pkcs12_fname = dir + "/" + fname + ".p12"
     try:
-        ca.export_pkcs12(pkcs12_fname, passwd_fname, "Server-Cert")
+        db.export_pkcs12(pkcs12_fname, passwd_fname, "Server-Cert")
     except ipautil.CalledProcessError, e:
-        print "error exporting CA certificate: " + str(e)
+        print "error exporting Server certificate: " + str(e)
         remove_file(pkcs12_fname)
         remove_file(passwd_fname)
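Review bot: In the `else` branch of `export_certdb`, `ca_db` is the web server's NSS database (`httpinstance.NSS_DIR`), not a CA database, and unlike the self-signed branch nothing imports an issuer certificate into `db` before `db.create_server_cert("Server-Cert", hostname, ca_db)`; whether `create_server_cert` brings the chain in itself is not visible here, so it is worth confirming that the PKCS#12 exported further down carries the CA chain and not only the end-entity certificate on the dogtag path. The name `ca_db` misleads a reader of that branch; a comment such as `# dogtag: sign through the HTTP NSS db (the one holding the ipaCert RA credential), not a local CA db — TODO confirm the CA chain is imported into db` would carry the intent. The docstring still describes `ds_dir`, which neither branch reads; that predates this change but is worth fixing while the signature is being touched.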
@@ -130,6 +139,32 @@ def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, subject):
     if ipautil.file_exists(passwd_fname + ".orig"):
         remove_file(passwd_fname + ".orig")
+def export_ra_pkcs12(dir, dm_password):
+    """
+    dir is the location of the files for the replica we are creating.
+    dm_password is the Directory Manager password
+
+    If this install is using dogtag/RHCS then export the RA certificate.
+    """
+    if certs.ipa_self_signed():
+        return
+
+    (agent_fd, agent_name) = tempfile.mkstemp()
+    os.write(agent_fd, dm_password)
+    os.close(agent_fd)
+
+    try:
+        try:
+            db = certs.CertDB(httpinstance.NSS_DIR, host_name=get_host_name())
+
+            if db.has_nickname("ipaCert"):
+                pkcs12_fname = "%s/ra.p12" % dir
+                db.export_pkcs12(pkcs12_fname, agent_name, "ipaCert")
+        except Exception, e:
+            raise e
+    finally:
+        os.remove(agent_name)
+
 def get_ds_user(ds_dir):
     uid = os.stat(ds_dir).st_uid
     user = pwd.getpwuid(uid)[0]
@@ -176,7 +211,8 @@ def main():
     replica_fqdn = args[0]
-    if not ipautil.file_exists(certs.CA_SERIALNO) and not options.dirsrv_pin:
+    # FIXME: need more robust way to determine if dogtag is configured
+    if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki-ca") and not options.dirsrv_pin:
         sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.")
     print "Determining current realm name"
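Review bot: The inner `except Exception, e: raise e` in `export_ra_pkcs12` adds nothing and, in Python 2, `raise e` re-raises from that line and discards the original traceback; since the outer `finally` already removes the temp file, the body should read `try: ... finally: os.remove(agent_name)` with the inner handler dropped (or at least a bare `raise`). `export_certdb` in the preceding hunk keeps the same wrapper around its new lines. `tempfile.mkstemp()` here and `shutil.copy()` in `main()` further down depend on `tempfile` and `shutil` being imported, but the import hunk adds only `httpinstance` and the rest of the import block is outside this diff, so confirm both modules are already imported. Writing `dm_password` to the mkstemp file is fine as far as permissions go (mkstemp creates it mode 0600 and it is removed in `finally`); a comment saying the file exists only to hand the password to the export tool would make that explicit.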
@@ -244,8 +280,18 @@ def main():
             print "Copy failed %s" % e
             sys.exit(1)
     else:
+        try:
+            if not certs.ipa_self_signed():
+                # FIXME, need option for location of CA backup
+                if ipautil.file_exists("/root/tmp-ca.p12"):
+                    shutil.copy("/root/tmp-ca.p12", dir + "/ca.p12")
+                else:
+                    raise RuntimeError("Root CA PKCS#12 not found in /root/tmp-ca.p12")
+        except IOError, e:
+            print "Copy failed %s" % e
+            sys.exit(1)
         print "Creating SSL certificate for the Directory Server"
-        export_certdb(realm_name, ds_dir, dir, passwd_fname, "dscert", "cn=%s,ou=Fedora Directory Server" % replica_fqdn)
+        export_certdb(realm_name, ds_dir, dir, passwd_fname, "dscert", replica_fqdn)
     if options.http_pin:
         passwd = options.http_pin
@@ -266,7 +312,9 @@ def main():
             sys.exit(1)
     else:
         print "Creating SSL certificate for the Web Server"
-        export_certdb(realm_name, ds_dir, dir, passwd_fname, "httpcert", "cn=%s,ou=Apache Web Server" % replica_fqdn)
+        export_certdb(realm_name, ds_dir, dir, passwd_fname, "httpcert", replica_fqdn)
+        print "Exporting RA certificate"
+        export_ra_pkcs12(dir, dirman_password)
     print "Copying additional files"
     copy_files(realm_name, dir)
     print "Finalizing configuration"
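Review bot: The `raise RuntimeError(...)` for a missing `/root/tmp-ca.p12` sits inside a `try` whose only handler is `except IOError, e:`, so it is not caught and the user gets a traceback instead of the clean "Copy failed" exit the block intends; either widen the handler to `except (IOError, RuntimeError), e:` or replace the raise with `sys.exit("Root CA PKCS#12 not found in /root/tmp-ca.p12")`. The error message identifies `ca.p12` as the root CA's PKCS#12, i.e. the CA private key is being placed into the replica bundle, so the copy also deserves a check on the resulting mode: `shutil.copy` carries over the source file's permission bits, which this script does not control, and a `os.chmod(dir + "/ca.p12", 0600)` after the copy would not depend on how the backup was created. The enclosing `if`/`else` around `options.dirsrv_pin` starts outside this hunk.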
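Review bot: `export_ra_pkcs12(dir, dirman_password)` is reached only in the `else` branch, i.e. when `options.http_pin` was not supplied for the web server, so a dogtag-backed master whose web certificate came from an admin-supplied PKCS#12 produces a bundle without `ra.p12`; if the RA export is needed regardless of who issued the HTTP certificate, the two added lines should move below the whole `if options.http_pin:`/`else:` block, next to `print "Copying additional files"`. Reusing `dirman_password` as the PKCS#12 passphrase also ties the protection of the exported RA key to the Directory Manager password; if that is intended, a one-line comment such as `# ra.p12 is protected with the DM password; the replica installer reads it with the same credential` would record the decision. The `else:` branch begins outside this hunk.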