freeipa.git/install/tools/ipa-replica-prepare, branch master Unnamed repository; edit this file to name it for gitweb. Make CA PKCS#12 location arg for ipa-replica-prepare, default /root/cacert.p12 2010-03-19T10:45:41+00:00 Rob Crittenden rcritten@redhat.com 2010-03-10T16:53:24+00:00 f4cb248497d630c4218c3d4ef2112fc4efc2a4e5 pki-silent puts a copy of the root CA into /root/tmp-ca.p12. Rename this to /root/cacert.p12. 
pki-silent puts a copy of the root CA into /root/tmp-ca.p12. Rename this
to /root/cacert.p12.
Add A and PTR records during ipa-replica-prepare 2010-02-09T21:30:25+00:00 Martin Nagy mnagy@redhat.com 2009-11-23T15:16:58+00:00 8fd41d0434dddcd6959d460df7a9f8b736ac81ac Fixes #528996 
Fixes #528996
Get rid of ipapython.config in ipa-replica-prepare 2010-02-09T21:30:06+00:00 Martin Nagy mnagy@redhat.com 2010-02-08T13:21:46+00:00 206d2d48fab45072af4660f9692dd5b8643b4c4d Also get rid of functions get_host_name(), get_realm_name() and get_domain_name(). They used the old ipapython.config. Instead, use the variables from api.env. We also change them to bootstrap() and finalize() correctly. Additionally, we add the dns_container_exists() function that will be used in ipa-replica-prepare (next patch). 
Also get rid of functions get_host_name(), get_realm_name() and
get_domain_name(). They used the old ipapython.config. Instead, use the
variables from api.env. We also change them to bootstrap() and
finalize() correctly.

Additionally, we add the dns_container_exists() function that will be
used in ipa-replica-prepare (next patch).
User-defined certificate subjects 2010-01-20T22:24:01+00:00 Rob Crittenden rcritten@redhat.com 2010-01-20T16:26:20+00:00 e4470f8165242fba6c5ce477a2eeca0141891701 Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR. The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base. The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted. 
Let the user, upon installation, set the certificate subject base
for the dogtag CA. Certificate requests will automatically be given
this subject base, regardless of what is in the CSR.

The selfsign plugin does not currently support this dynamic name
re-assignment and will reject any incoming requests that don't
conform to the subject base.

The certificate subject base is stored in cn=ipaconfig but it does
NOT dynamically update the configuration, for dogtag at least. The
file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to
be updated and pki-cad restarted.
Remove unnecessary "error: " prefixes 2009-12-02T12:07:00+00:00 Martin Nagy mnagy@redhat.com 2009-11-23T07:42:30+00:00 377907e2211875250e6af7fcb65d0548702c3c3d The parser.error() method prepends the "error: " prefix itself. Adding it to the error string is not necessary and doesn't look good. 
The parser.error() method prepends the "error: " prefix itself. Adding
it to the error string is not necessary and doesn't look good.
Add external CA signing and abstract out the RA backend 2009-09-15T14:01:08+00:00 Rob Crittenden rcritten@redhat.com 2009-09-10T20:15:14+00:00 49b36583a50e7f542e0667f3e2432ab1aa63924e External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request()) 
External CA signing is a 2-step process. You first have to run the IPA
installer which will generate a CSR. You pass this CSR to your external
CA and get back a cert. You then pass this cert and the CA cert and
re-run the installer. The CSR is always written to /root/ipa.csr.

A run would look like:

 # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U
[ sign cert request ]
 # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt  -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com

This also abstracts out the RA backend plugin so the self-signed CA we
create can be used in a running server. This means that the cert plugin
can request certs (and nothing else). This should let us do online replica
creation.

To handle the self-signed CA the simple ca_serialno file now contains
additional data so we don't have overlapping serial numbers in replicas.
This isn't used yet. Currently the cert plugin will not work on self-signed
replicas.

One very important change for self-signed CAs is that the CA is no longer
held in the DS database. It is now in the Apache database.

Lots of general fixes were also made in ipaserver.install.certs including:
 - better handling when multiple CA certificates are in a single file
 - A temporary directory for request certs is not always created when the
   class is instantiated (you have to call setup_cert_request())
Allow replicas of an IPA server using an internal dogtag server as the CA 2009-07-15T13:00:01+00:00 Rob Crittenden rcritten@redhat.com 2009-07-10T20:18:16+00:00 8d164569d0e4ee79089ae224ac6f5a569c291cdb This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently. 
This involves creating a new CA instance on the replica and using pkisilent
to create a clone of the master CA.

Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of
changes to ports and configuration have been done recently.
Fix replica installation for self-signed CA (no dogtag) 2009-05-04T21:42:03+00:00 Rob Crittenden rcritten@redhat.com 2009-04-28T21:05:39+00:00 064240def3e5fe1d0e75020b4a63a130e5232733 






Rename ipa-python directory to ipapython so it is a real python library
2009-02-09T19:35:15+00:00

Rob Crittenden
rcritten@redhat.com

2009-02-05T20:03:08+00:00

262ff2d731b1bfc4acd91153088b8fcde7ae92b8

We used to install it as ipa, now installing it as ipapython. The rpm
is still ipa-python.





We used to install it as ipa, now installing it as ipapython. The rpm
is still ipa-python.







Remove some duplicated code that was moved to ipaserver and use it Remove some unused files
2009-02-06T20:04:42+00:00

Rob Crittenden
rcritten@redhat.com

2009-02-04T15:53:34+00:00

6b34f0772026ede7788f9d2ec7989912ba17216f