Diffstat (limited to 'install')
-rwxr-xr-x | install/tools/ipa-replica-install | 20 | ||||
-rwxr-xr-x | install/tools/ipa-replica-prepare | 23 | ||||
-rwxr-xr-x | install/tools/ipa-server-install | 84 |
3 files changed, 108 insertions, 19 deletions
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 0571f94c..1584dd58 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -32,6 +32,7 @@ from ipaserver.install import bindinstance, httpinstance, ntpinstance, certs from ipaserver import ipaldap from ipapython import version from ipalib import api, util +from ipalib.constants import DEFAULT_CONFIG CACERT="/usr/share/ipa/html/ca.crt" @@ -130,7 +131,17 @@ def set_owner(config, dir): os.chown(dir, pw.pw_uid, pw.pw_gid) def install_ca(config): + # FIXME, need to pass along the CA plugin to use cafile = config.dir + "/ca.p12" + + # Just initialize the environment. This is so the installer can have + # access to the plugin environment + api.env._bootstrap() + default_config = dict(DEFAULT_CONFIG) + if ipautil.file_exists(cafile): + default_config['ra_plugin'] = 'dogtag' + api.env._finalize_core(**default_config) + if not ipautil.file_exists(cafile): return None @@ -140,6 +151,12 @@ def install_ca(config): print >> sys.stderr, "Import failed: %s" % sys.exc_value sys.exit(1) + if not cainstance.check_inst(): + print "A CA was specified but the dogtag certificate server" + print "is not installed on the system" + print "Please install dogtag and restart the setup program" + sys.exit(1) + cs = cainstance.CADSInstance() cs.create_instance(config.ds_user, config.realm_name, config.host_name, config.domain_name, config.dirman_password) 
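Review bot: In install_ca the new block tests `ipautil.file_exists(cafile)` to decide `ra_plugin`, and the unchanged line immediately after tests the same path again for the early return; compute it once, `has_ca = ipautil.file_exists(cafile)`, and use it in both places so the plugin choice and the return cannot drift apart. The plugin is still inferred purely from the presence of ca.p12 in the replica info directory, which the FIXME on the first added line acknowledges; until the plugin name travels in the replica file, a comment such as `# ra_plugin is inferred from the presence of ca.p12; the replica file does not carry the plugin name yet` would make the assumption explicit to the next reader. install_ca's body continues outside the hunk.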
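Review bot: The three `print` lines added after the `cainstance.check_inst()` test send a fatal error to stdout, while the import failure two lines above goes to stderr via `print >> sys.stderr`; route both the same way, e.g. `print >> sys.stderr, "A CA was specified but the dogtag certificate server is not installed on the system"`, so an unattended run that discards stdout still records why it exited. The same message block is added to ipa-server-install in this commit, so a single helper returning the text would keep the two wordings in step. install_ca's body continues outside the hunk.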
@@ -348,9 +365,10 @@ def main(): fd.write("realm=" + config.realm_name + "\n") fd.write("domain=" + config.domain_name + "\n") fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % config.host_name) - fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(realm_name)) + fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(config.realm_name)) if ipautil.file_exists(config.dir + "/ca.p12"): fd.write("enable_ra=True\n") + fd.write("ra_plugin=dogtag\n") fd.close() # Apply any LDAP updates. Needs to be done after the replica is synced-up diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare index bb8df1d9..3dc0ccce 100755 --- a/install/tools/ipa-replica-prepare +++ b/install/tools/ipa-replica-prepare @@ -31,6 +31,8 @@ from ipapython import ipautil from ipaserver.install import dsinstance, installutils, certs, httpinstance from ipaserver import ipaldap from ipapython import version +from ipalib.constants import DEFAULT_CONFIG +from ipalib import api import ldap def parse_options(): @@ -113,12 +115,13 @@ def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname): db = certs.CertDB(dir) db.create_passwd_file() - db.create_certdbs() - if self_signed: - ca_db = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))) - db.create_from_cacert(ca_db.cacert_fname) - else: - ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=get_host_name()) +# if self_signed: +# ca_db = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))) +# db.create_from_cacert(ca_db.cacert_fname) +# else: +# ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=get_host_name()) + ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=get_host_name()) + db.create_from_cacert(ca_db.cacert_fname) db.create_server_cert("Server-Cert", hostname, ca_db) except Exception, e: raise e 
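Review bot: This hunk writes `enable_ra=True` only when ca.p12 is present, whereas the ipa-server-install hunk in the same commit now writes `enable_ra=True` unconditionally and makes only `ra_plugin=dogtag` depend on the CA; as written, a replica of a non-dogtag master ends up with the RA disabled while the master has it enabled. Decide which behaviour is intended and align the two, e.g. move `fd.write("enable_ra=True\n")` out of the `if` here to match the master. The `realm_name` to `config.realm_name` correction in the ldap_uri line looks right, since the bare name is not defined anywhere in the surrounding lines. main's body continues outside the hunk.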
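Review bot: The self_signed branch in export_certdb is commented out rather than deleted, leaving five dead lines in the body; remove them and state in a comment why the HTTP NSS database is now the issuer in both modes, e.g. `# The HTTP server NSS DB holds the IPA CA certificate whether IPA is self-signed or dogtag-backed`, if that is indeed the reason. The removed `db.create_certdbs()` call is replaced by `db.create_from_cacert(...)`; confirm that CertDB.create_from_cacert creates the databases itself, otherwise `create_server_cert` on the next line runs against a missing database. export_certdb's body starts and ends outside the hunk.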
@@ -211,8 +214,12 @@ def main(): replica_fqdn = args[0] - # FIXME: need more robust way to determine if dogtag is configured - if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki-ca") and not options.dirsrv_pin: + # Just initialize the environment. This is so the installer can have + # access to the plugin environment + api.env._bootstrap() + api.env._finalize_core(**dict(DEFAULT_CONFIG)) + + if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki-ca/conf/CS.cfg") and not options.dirsrv_pin: sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.") print "Determining current realm name" diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 70d74ddc..3aa6fae2 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -52,6 +52,7 @@ from ipaserver.install.installutils import * from ipapython import sysrestore from ipapython.ipautil import * from ipalib import api, util +from ipalib.constants import DEFAULT_CONFIG pw_name = None 
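Review bot: The dogtag detection in the new `if` still keys off a filesystem path, now `/var/lib/pki-ca/conf/CS.cfg` instead of the directory, but the FIXME that flagged the heuristic as fragile was removed without replacing it; keep it, e.g. `# FIXME: presence of CS.cfg is only a heuristic for "dogtag is configured"`, or replace the probe with a shared helper if `cainstance.check_inst()`, used elsewhere in this commit, can distinguish configured from merely installed. The `api.env._bootstrap()` / `_finalize_core()` pair is also repeated verbatim in all three tools and relies on private methods; one installutils helper would keep them consistent when the environment API changes. main's body continues outside the hunk.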
@@ -77,6 +78,12 @@ def parse_options(): default=False, help="print debugging information") parser.add_option("", "--ca", dest="ca", action="store_true", default=False, help="Configure a CA instance") + parser.add_option("", "--external-ca", dest="external_ca", action="store_true", + default=False, help="Generate a CSR to be signed by an external CA") + parser.add_option("", "--external_cert_file", dest="external_cert_file", + help="File containing PKCS#10 certificate") + parser.add_option("", "--external_ca_file", dest="external_ca_file", + help="File containing PKCS#10 of the external CA chain") parser.add_option("--hostname", dest="host_name", help="fully qualified name of server") parser.add_option("--ip-address", dest="ip_address", help="Master Server IP Address") parser.add_option("--setup-dns", dest="setup_dns", action="store_true", @@ -138,6 +145,17 @@ def parse_options(): if cnt > 0 and cnt < 4: parser.error("error: All PKCS#12 options are required if any are used.") + if (options.external_cert_file or options.external_ca_file) and not options.ca: + parser.error("error: --ca required to use the external CA options.") + + if ((options.external_cert_file and not options.external_ca_file) or + (not options.external_cert_file and options.external_ca_file)): + parser.error("error: if either external option is used, both are required.") + + if options.external_ca and not options.ca: + # Go ahead and be nice and fix things up + options.ca = True + return options def signal_handler(signum, frame): 
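Review bot: The help text for `--external_cert_file` says "File containing PKCS#10 certificate" and for `--external_ca_file` "PKCS#10 of the external CA chain"; PKCS#10 is the certificate-request format, whereas both files hold issued X.509 certificates, as the `cert_file=`/`cert_chain_file=` arguments later in the commit indicate. Suggest `help="File containing the IPA CA certificate issued by the external CA"` and `help="File containing the external CA certificate chain"`. The new options also mix naming styles: `--external-ca` uses a hyphen while the two file options use underscores, unlike every other option in parse_options; prefer `--external-cert-file`/`--external-ca-file` before they ship as a user-facing interface. parse_options continues outside the hunk.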
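Review bot: The new validation requires `--ca` when the external files are given but does not require `--external-ca`, so `--ca --external_cert_file X --external_ca_file Y` alone is accepted; in the CA configuration hunk later in the commit `external` then stays 0 and configure_instance is called without the files, so the supplied certificates are silently ignored. Either reject that combination or let the files imply the flag, e.g. `if options.external_cert_file and options.external_ca_file: options.external_ca = True` next to the existing fix-up that sets `options.ca`. parse_options continues outside the hunk.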
@@ -384,6 +402,14 @@ def main(): signal.signal(signal.SIGTERM, signal_handler) signal.signal(signal.SIGINT, signal_handler) + # Just initialize the environment. This is so the installer can have + # access to the plugin environment + api.env._bootstrap() + default_config = dict(DEFAULT_CONFIG) + if options.ca: + default_config['ra_plugin'] = 'dogtag' + api.env._finalize_core(**default_config) + if options.uninstall: standard_logging_setup("/var/log/ipaserver-uninstall.log", options.debug) else: @@ -423,7 +449,8 @@ def main(): print "To accept the default shown in brackets, press the Enter key." print "" - check_dirsrv(options.unattended) + if not options.external_ca: + check_dirsrv(options.unattended) ds_user = "" realm_name = "" @@ -442,6 +469,18 @@ def main(): print "Please install bind and the LDAP plug-in and restart the setup program" return 1 + if options.ca: + try: + from ipaserver.install import cainstance + except ImportError: + print >> sys.stderr, "Import failed: %s" % sys.exc_value + sys.exit(1) + if not cainstance.check_inst(): + print "--ca was specified but the dogtag certificate server" + print "is not installed on the system" + print "Please install dogtag and restart the setup program" + return 1 + # check the hostname is correctly configured, it must be as the kldap # utilities just use the hostname as returned by gethostbyname to set # up some of the standard entries @@ -551,11 +590,7 @@ def main(): print "" print "The following operations may take some minutes to complete." print "Please wait until the prompt is returned." - - # Configure ntpd - if options.conf_ntp: - ntp = ntpinstance.NTPInstance(fstore) - ntp.create_instance() + print "" if options.dirsrv_pin: [pw_fd, pw_name] = tempfile.mkstemp() 
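Review bot: `check_dirsrv` is now skipped whenever `--external-ca` is given, including the first pass where nothing has been installed yet and the check would still be meaningful; if the intent is to tolerate the CA directory server instance left behind by the first pass, narrow the condition to that state, e.g. `if not (options.external_ca and ipautil.file_exists("/root/ipa.csr")):`, so a pre-existing conflicting instance is still caught on a fresh run. A one-line comment stating why the check is skipped would help, since the reason is not visible here and check_dirsrv's purpose is only inferred. main's body continues outside the hunk.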
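Review bot: In the new `options.ca` block the import failure goes to stderr and calls `sys.exit(1)`, while the `check_inst()` failure prints to stdout and uses `return 1`; both are fatal and should report the same way, e.g. `print >> sys.stderr, "--ca was specified but the dogtag certificate server is not installed on the system"`. The check and its wording are duplicated in ipa-replica-install in this commit, so a small helper in cainstance that performs the check and returns the message would avoid two copies drifting apart. main's body continues outside the hunk.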
@@ -575,10 +610,38 @@ def main(): except: pass - cs = cainstance.CADSInstance() - cs.create_instance(ds_user, realm_name, host_name, domain_name, dm_password) + # Figure out what state we're in. See cainstance.py for more info on + # the 3 states. + external = 0 + if options.external_ca: + external = 1 + if external and ipautil.file_exists("/root/ipa.csr"): + external = 2 + if options.external_cert_file is None or options.external_ca_file is None: + print "You have a CA signing request for this server (/root/ipa.csr), you need to include --external_cert_file and --external_ca_file" + sys.exit(1); + if external and options.external_cert_file and not ipautil.file_exists(options.external_cert_file): + print "%s does not exist" % options.external_cert_file + sys.exit(1); + if external and options.external_ca_file and not ipautil.file_exists(options.external_ca_file): + print "%s does not exist" % options.external_ca_file + sys.exit(1); + + if options.external_cert_file is None: + cs = cainstance.CADSInstance() + cs.create_instance(ds_user, realm_name, host_name, domain_name, dm_password) ca = cainstance.CAInstance() - ca.configure_instance("pkiuser", host_name, dm_password, dm_password) + if external == 0: + ca.configure_instance("pkiuser", host_name, dm_password, dm_password) + elif external == 1: + ca.configure_instance("pkiuser", host_name, dm_password, dm_password, csr_file="/root/ipa.csr") + else: + ca.configure_instance("pkiuser", host_name, dm_password, dm_password, cert_file=options.external_cert_file, cert_chain_file=options.external_ca_file) + + # Configure ntpd + if options.conf_ntp: + ntp = ntpinstance.NTPInstance(fstore) + ntp.create_instance() # Create a directory server instance ds = dsinstance.DsInstance() 
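Review bot: The state detection after `external = 1` only promotes to state 2 when /root/ipa.csr exists, so `--external-ca` with both certificate files but no saved CSR falls through to the `external == 1` branch and generates a fresh CSR, silently ignoring the supplied certificates, which cannot match a newly generated key anyway. Add a guard right after the `external = 2` block: `if external == 1 and options.external_cert_file: print >> sys.stderr, "Certificate files were given but no CSR exists at /root/ipa.csr"; sys.exit(1)`. The CSR path is spelled out four times in this block; a module constant such as `CSR_FILE = "/root/ipa.csr"` and dropping the stray `;` after each `sys.exit(1)` would tidy it. main's body continues outside the hunk.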
@@ -628,8 +691,9 @@ def main(): fd.write("domain=" + domain_name + "\n") fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % host_name) fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(realm_name)) + fd.write("enable_ra=True\n") if options.ca: - fd.write("enable_ra=True\n") + fd.write("ra_plugin=dogtag\n") fd.close() # Apply any LDAP updates. Needs to be done after the configuration file |
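Review bot: `enable_ra=True` is now written unconditionally, so without `--ca` the RA is enabled with whatever `ra_plugin` DEFAULT_CONFIG supplies (presumably the self-signed plugin) while only dogtag is named explicitly, and nothing in the hunk says why. Add `# enable_ra is always on; ra_plugin falls back to the DEFAULT_CONFIG plugin unless dogtag was configured with --ca` above the write, and confirm this matches ipa-replica-install, which in this same commit still writes enable_ra only when ca.p12 is present. main's body continues outside the hunk.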