diff options
| author | Rob Crittenden <rcritten@redhat.com> | 2011-03-14 16:27:19 -0400 |
|---|---|---|
| committer | Rob Crittenden <rcritten@redhat.com> | 2011-03-15 14:09:57 -0400 |
| commit | 861d1bbdca4793fb45fb233d236d3793cc23da36 (patch) | |
| tree | ccb169d140cd119b07435b675ca11df8f7bff067 /install/tools | |
| parent | a36bc4ee93d13c28f8edf2bb94eb4dbfc25be568 (diff) | |
| download | freeipa-861d1bbdca4793fb45fb233d236d3793cc23da36.tar.gz freeipa-861d1bbdca4793fb45fb233d236d3793cc23da36.tar.xz freeipa-861d1bbdca4793fb45fb233d236d3793cc23da36.zip | |
Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance.
This fixes 2 AVCS:
* One because we are enabling port 7390 because an SSL port must be
defined to use TLS On 7389.
* We were symlinking to the main IPA 389-ds NSS certificate databsae.
Instead generate a separate NSS database and certificate and have
certmonger track it separately
I also noticed some variable inconsistency in cainstance.py. Everywhere
else we use self.fqdn and that was using self.host_name. I found it
confusing so I fixed it.
ticket 1085
Diffstat (limited to 'install/tools')
| -rwxr-xr-x | install/tools/ipa-replica-install | 26 | ||||
| -rwxr-xr-x | install/tools/ipa-replica-prepare | 8 | ||||
| -rwxr-xr-x | install/tools/ipa-server-install | 14 |
3 files changed, 20 insertions, 28 deletions
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index cfaeaa4a..2bc9a17e 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -167,14 +167,9 @@ def install_ca(config): print "Please install dogtag and restart the setup program" sys.exit(1) - # We replicate to the master using TLS. In order for this to work we - # need an SSL server cert. To make things easier we'll re-use the - # IPA 389-ds instance certificate loaded directly into the - # dogtag 389-ds instance. Later we will replace the NSS databases with - # symbolic links. pkcs12_info = None - if ipautil.file_exists(config.dir + "/dscert.p12"): - pkcs12_info = (config.dir + "/dscert.p12", + if ipautil.file_exists(config.dir + "/dogtagcert.p12"): + pkcs12_info = (config.dir + "/dogtagcert.p12", config.dir + "/dirsrv_pin.txt") cs = cainstance.CADSInstance() cs.create_instance(config.realm_name, config.host_name, @@ -206,7 +201,7 @@ def install_ca(config): ca.start() cs.service_name = service_name - return ca + return (ca, cs) def install_replica_ds(config): dsinstance.check_existing_installation() @@ -487,7 +482,7 @@ def main(): ntp.create_instance() # Configure the CA if necessary - CA = install_ca(config) + (CA, cs) = install_ca(config) # Always try to install DNS records install_dns_records(config, options) @@ -495,19 +490,12 @@ def main(): # Configure dirsrv ds = install_replica_ds(config) - # We ned to ldap_enable the CA now that DS is up and running + # We need to ldap_enable the CA now that DS is up and running if CA: CA.ldap_enable('CA', config.host_name, config.dirman_password, util.realm_to_suffix(config.realm_name)) - - # Now we will replace the existing dogtag 389-ds instance NSS - # database with a symbolic link to the IPA 389-ds NSS database. - caconfigdir = dsinstance.config_dirname(dsinstance.realm_to_serverid('PKI-IPA')) - for filename in ['cert8.db', 'key3.db', 'secmod.db', 'pin.txt']: - os.unlink('%s%s' % (caconfigdir, filename)) - dsconfigdir = dsinstance.config_dirname(dsinstance.realm_to_serverid(config.realm_name)) - for filename in ['cert8.db', 'key3.db', 'secmod.db', 'pin.txt']: - os.symlink('%s%s' % (dsconfigdir, filename), '%s%s' % (caconfigdir, filename)) + cs.add_simple_service('dogtagldap/%s@%s' % (config.host_name, config.realm_name)) + cs.add_cert_to_service() install_krb(config, setup_pkinit=options.setup_pkinit) install_http(config) diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare index 36e34d78..e9122351 100755 --- a/install/tools/ipa-replica-prepare +++ b/install/tools/ipa-replica-prepare @@ -338,6 +338,14 @@ def main(): print "%s" % e sys.exit(1) + if not certs.ipa_self_signed(): + print "Creating SSL certificate for the dogtag Directory Server" + try: + export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dogtagcert", replica_fqdn, subject_base) + except errors.CertificateOperationError, e: + print "%s" % e + sys.exit(1) + if options.http_pin: passwd = options.http_pin else: diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 9c0947c8..f3a01e89 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -754,7 +754,7 @@ def main(): if options.external_cert_file is None: cs = cainstance.CADSInstance() - cs.create_instance(realm_name, host_name, domain_name, dm_password) + cs.create_instance(realm_name, host_name, domain_name, dm_password, subject_base=options.subject) ca = cainstance.CAInstance(realm_name, certs.NSS_DIR) if external == 0: ca.configure_instance(host_name, dm_password, dm_password, @@ -817,17 +817,13 @@ def main(): ca.ldap_enable('CA', host_name, dm_password, util.realm_to_suffix(realm_name)) - # Symlink the IPA LDAP server NSS database to this one. - caconfigdir = dsinstance.config_dirname(dsinstance.realm_to_serverid('PKI-IPA')) - for filename in ['cert8.db', 'key3.db', 'secmod.db']: - os.unlink('%s%s' % (caconfigdir, filename)) - dsconfigdir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name)) - for filename in ['cert8.db', 'key3.db', 'secmod.db', 'pin.txt']: - os.symlink('%s%s' % (dsconfigdir, filename), '%s%s' % (caconfigdir, filename)) - # Turn on SSL in the dogtag LDAP instance. This will get restarted # later, we don't need SSL now. + cs.create_certdb() cs.enable_ssl() + # Add the IPA service for storing the PKI-IPA server certificate. + cs.add_simple_service('dogtagldap/%s@%s' % (host_name, realm_name)) + cs.add_cert_to_service() # Create a kerberos instance if options.pkinit_pin: |