Use TLS for dogtag replication agreements.

Configure the dogtag 389-ds instance with SSL so we can enable TLS
for the dogtag replication agreements. The NSS database we use is a
symbolic link to the IPA 389-ds instance.

ticket 1060

2 files changed, 39 insertions, 3 deletions

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index d9a9748a..cfaeaa4a 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -167,9 +167,22 @@ def install_ca(config):
         print "Please install dogtag and restart the setup program"
         sys.exit(1)
 
+    # We replicate to the master using TLS. In order for this to work we
+    # need an SSL server cert. To make things easier we'll re-use the
+    # IPA 389-ds instance certificate loaded directly into the
+    # dogtag 389-ds instance. Later we will replace the NSS databases with
+    # symbolic links.
+    pkcs12_info = None
+    if ipautil.file_exists(config.dir + "/dscert.p12"):
+        pkcs12_info = (config.dir + "/dscert.p12",
+                       config.dir + "/dirsrv_pin.txt")
     cs = cainstance.CADSInstance()
     cs.create_instance(config.realm_name, config.host_name,
-                       config.domain_name, config.dirman_password)
+                       config.domain_name, config.dirman_password,
+                       pkcs12_info)
+    cs.load_pkcs12()
+    cs.enable_ssl()
+    cs.restart_instance()
     ca = cainstance.CAInstance(config.realm_name, certs.NSS_DIR)
     ca.configure_instance(config.host_name, config.dirman_password,
                           config.dirman_password, pkcs12_info=(cafile,),
@@ -187,8 +200,8 @@ def install_ca(config):
     service_name = cs.service_name
     service.print_msg("Restarting the directory and certificate servers")
     cs.service_name = "dirsrv"
-    cs.stop("PKI-IPA")
     ca.stop()
+    cs.stop("PKI-IPA")
     cs.start("PKI-IPA")
     ca.start()
     cs.service_name = service_name
@@ -487,6 +500,15 @@ def main():
         CA.ldap_enable('CA', config.host_name, config.dirman_password,
                        util.realm_to_suffix(config.realm_name))
 
+        # Now we will replace the existing dogtag 389-ds instance NSS
+        # database with a symbolic link to the IPA 389-ds NSS database.
+        caconfigdir = dsinstance.config_dirname(dsinstance.realm_to_serverid('PKI-IPA'))
+        for filename in ['cert8.db', 'key3.db', 'secmod.db', 'pin.txt']:
+            os.unlink('%s%s' % (caconfigdir, filename))
+        dsconfigdir = dsinstance.config_dirname(dsinstance.realm_to_serverid(config.realm_name))
+        for filename in ['cert8.db', 'key3.db', 'secmod.db', 'pin.txt']:
+            os.symlink('%s%s' % (dsconfigdir, filename), '%s%s' % (caconfigdir, filename))
+
     install_krb(config, setup_pkinit=options.setup_pkinit)
     install_http(config)
     if CA:
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 29c3f785..9c0947c8 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -760,6 +760,7 @@ def main():
             ca.configure_instance(host_name, dm_password, dm_password,
                                   subject_base=options.subject)
         elif external == 1:
+            # stage 2 of external CA installation
             options.realm_name = realm_name
             options.domain_name = domain_name
             options.master_password = master_password
@@ -776,6 +777,7 @@ def main():
                 # This can happen if someone passes external_ca_file without
                 # already having done the first stage of the CA install.
                 sys.exit('CA is not installed yet. To install with an external CA is a two-stage process.\nFirst run the installer with --external-ca.')
+            cs = cainstance.CADSInstance(dm_password=dm_password)
             ca.configure_instance(host_name, dm_password, dm_password,
                                   cert_file=options.external_cert_file,
                                   cert_chain_file=options.external_ca_file,
@@ -810,11 +812,23 @@ def main():
                            subject_base=options.subject,
                            hbac_allow=not options.hbac_allow)
 
-    # We ned to ldap_enable the CA now that DS is up and running
+    # We need to ldap_enable the CA now that DS is up and running
     if not options.selfsign:
         ca.ldap_enable('CA', host_name, dm_password,
                        util.realm_to_suffix(realm_name))
 
+        # Symlink the IPA LDAP server NSS database to this one.
+        caconfigdir = dsinstance.config_dirname(dsinstance.realm_to_serverid('PKI-IPA'))
+        for filename in ['cert8.db', 'key3.db', 'secmod.db']:
+            os.unlink('%s%s' % (caconfigdir, filename))
+        dsconfigdir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
+        for filename in ['cert8.db', 'key3.db', 'secmod.db', 'pin.txt']:
+            os.symlink('%s%s' % (dsconfigdir, filename), '%s%s' % (caconfigdir, filename))
+
+        # Turn on SSL in the dogtag LDAP instance. This will get restarted
+        # later, we don't need SSL now.
+        cs.enable_ssl()
+
     # Create a kerberos instance
     if options.pkinit_pin:
         [pw_fd, pw_name] = tempfile.mkstemp()