authorMatthew Harmsen <mharmsen@redhat.com>2015-03-13 16:53:52 -0600
committerMatthew Harmsen <mharmsen@redhat.com>2015-03-13 16:56:22 -0600
commita44ccf872262b1289cd2577a6ba55071066a5209 (patch)
treefa8bb3b39ca028c1693c69ab397424c90c8890b2 /base/server/python/pki/server/deployment/scriptlets
parenta54e29d5be1b38158cc44a8bdeda5dcb96fd4096 (diff)
Allow use of secure LDAPS connection
- PKI TRAC Ticket #1144 - pkispawn needs option to specify ca cert for ldap
Diffstat (limited to 'base/server/python/pki/server/deployment/scriptlets')
-rw-r--r--base/server/python/pki/server/deployment/scriptlets/initialization.py2
-rw-r--r--base/server/python/pki/server/deployment/scriptlets/security_databases.py26
2 files changed, 26 insertions, 2 deletions
diff --git a/base/server/python/pki/server/deployment/scriptlets/initialization.py b/base/server/python/pki/server/deployment/scriptlets/initialization.py
index 48b120c46..0aa4e1c4a 100644
--- a/base/server/python/pki/server/deployment/scriptlets/initialization.py
+++ b/base/server/python/pki/server/deployment/scriptlets/initialization.py
@@ -71,6 +71,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# verify selinux context of selected ports
deployer.configuration_file.populate_non_default_ports()
deployer.configuration_file.verify_selinux_ports()
+ # If secure DS connection is required, verify parameters
+ deployer.configuration_file.verify_ds_secure_connection_data()
return self.rv
def destroy(self, deployer):
diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
index 8adb3c4e3..546050725 100644
--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py
+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
@@ -95,8 +95,30 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# Delete the temporary 'noise' file
deployer.file.delete(
deployer.mdict['pki_self_signed_noise_file'])
- # Delete the temporary 'pfile'
- deployer.file.delete(deployer.mdict['pki_shared_pfile'])
+
+ # Check to see if a secure connection is being used for the DS
+ if config.str2bool(deployer.mdict['pki_ds_secure_connection']):
+ # Check to see if a directory server CA certificate
+ # using the same nickname already exists
+ rv = deployer.certutil.verify_certificate_exists(
+ deployer.mdict['pki_database_path'],
+ deployer.mdict['pki_cert_database'],
+ deployer.mdict['pki_key_database'],
+ deployer.mdict['pki_secmod_database'],
+ deployer.mdict['pki_self_signed_token'],
+ deployer.mdict['pki_ds_secure_connection_ca_nickname'],
+ password_file=deployer.mdict['pki_shared_pfile'])
+ if not rv:
+ # Import the directory server CA certificate
+ rv = deployer.certutil.import_cert(
+ deployer.mdict['pki_ds_secure_connection_ca_nickname'],
+ deployer.mdict['pki_ds_secure_connection_ca_trustargs'],
+ deployer.mdict['pki_ds_secure_connection_ca_pem_file'],
+ password_file=deployer.mdict['pki_shared_pfile'],
+ path=deployer.mdict['pki_database_path'])
+
+ # Always delete the temporary 'pfile'
+ deployer.file.delete(deployer.mdict['pki_shared_pfile'])
return self.rv
def destroy(self, deployer):
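Review bot: The result of `deployer.certutil.import_cert(...)` is stored in `rv` and then discarded, so a failed import of the DS CA certificate (bad PEM path, wrong trust flags, NSS DB write error) leaves `self.rv` unchanged and the deployment continues into a later LDAPS connection that cannot be validated; if `import_cert` signals failure through its return value, the scriptlet should propagate it, e.g. `if not rv: raise Exception('Failed to import DS CA cert %s' % deployer.mdict['pki_ds_secure_connection_ca_pem_file'])` (or whatever error convention the other scriptlets use — not visible here). The "Always delete the temporary 'pfile'" comment is not actually guaranteed: an exception raised by `verify_certificate_exists` or `import_cert` skips the `deployer.file.delete(deployer.mdict['pki_shared_pfile'])` line and leaves the NSS password file on disk, so the deletion should sit in a `finally:` around the new block. Note also that when a certificate with the configured nickname already exists the PEM file is silently not imported, so the trust decision rests on whatever cert previously claimed that nickname; a log line stating that the existing cert was reused would make that visible to the operator. The enclosing method starts before this hunk.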