author | Ade Lee <alee@redhat.com> | 2012-08-15 22:53:51 -0400 |
committer | Rob Crittenden <rcritten@redhat.com> | 2012-09-17 18:43:36 -0400 |
commit | 3dd31a875650c7fe7c67ca6b47f2058c1181dafb (patch) | |
tree | 137f46dfe1684ebcbd6e9e70ef3c5a690ab32d07 /install | |
parent | 79b89f41962985cf0ab96238b21409b5874f67f8 (diff) | |
Modifications to install scripts for dogtag 10
Dogtag 10 uses a new installer, new directory layout and new default
ports. This patch updates the IPA install code to integrate them.
https://fedorahosted.org/freeipa/ticket/2846
Diffstat (limited to 'install')
-rw-r--r-- | install/conf/ipa-pki-proxy.conf | 16 | ||||
-rw-r--r-- | install/conf/ipa.conf | 4 | ||||
-rw-r--r-- | install/restart_scripts/renew_ca_cert | 19 | ||||
-rw-r--r-- | install/restart_scripts/restart_pkicad | 18 | ||||
-rwxr-xr-x | install/tools/ipa-ca-install | 10 | ||||
-rwxr-xr-x | install/tools/ipa-csreplica-manage | 2 | ||||
-rwxr-xr-x | install/tools/ipa-replica-install | 1 | ||||
-rwxr-xr-x | install/tools/ipa-replica-prepare | 2 | ||||
-rwxr-xr-x | install/tools/ipa-server-install | 1 | ||||
-rw-r--r-- | install/ui/test/data/ipa_init.json | 6 |
10 files changed, 54 insertions, 25 deletions
diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
index 91a99aaf..7a067ca9 100644
--- a/install/conf/ipa-pki-proxy.conf
+++ b/install/conf/ipa-pki-proxy.conf
@@ -6,22 +6,22 @@ ProxyRequests Off
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange">
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
NSSVerifyClient none
- ProxyPassMatch ajp://localhost:9447/
- ProxyPassReverse ajp://localhost:9447/
+ ProxyPassMatch ajp://localhost:8009
+ ProxyPassReverse ajp://localhost:8009
</LocationMatch>
-# matches for admin port
-<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML">
+# matches for admin port and installer
+<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken">
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
NSSVerifyClient none
- ProxyPassMatch ajp://localhost:9447/
- ProxyPassReverse ajp://localhost:9447/
+ ProxyPassMatch ajp://localhost:8009
+ ProxyPassReverse ajp://localhost:8009
</LocationMatch>
# matches for agent port and eeca port
<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
NSSVerifyClient require
- ProxyPassMatch ajp://localhost:9447/
- ProxyPassReverse ajp://localhost:9447/
+ ProxyPassMatch ajp://localhost:8009
+ ProxyPassReverse ajp://localhost:8009
</LocationMatch>
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 1b31a52a..d428460f 100644
--- a/install/conf/ipa.conf
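Review bot: The new `^/ca/rest/installer/installToken` match is added to the block that proxies with `NSSVerifyClient none`, so the installer endpoint becomes reachable through the public HTTPS proxy without a client certificate, and neither the config nor the commit message records why that is acceptable or for how long it is needed. Presumably the CA replica installer has to reach it during installation and the endpoint authenticates by other means, but a reader of this file cannot tell; suggest expanding the comment to `# matches for admin port and installer (installToken is reached by the CA replica installer; no client cert is required on this path)`. As with the existing patterns, the new regex is anchored only at the start, so any path under that prefix matches. Separately, all three proxy targets lose the trailing slash the old `ajp://localhost:9447/` targets had; if that is deliberate for the AJP connector, a one-line comment would save the next reader from wondering whether it changes how the matched path is appended.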
+++ b/install/conf/ipa.conf
@@ -105,8 +105,8 @@ Alias /ipa/config "/usr/share/ipa/html"
# For CRL publishing
-Alias /ipa/crl "/var/lib/pki-ca/publish"
-<Directory "/var/lib/pki-ca/publish">
+Alias /ipa/crl "/var/lib/pki/tomcat-ca/ca/publish"
+<Directory "/var/lib/pki/tomcat-ca/ca/publish">
SetHandler None
AllowOverride None
Options Indexes FollowSymLinks
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 6e4d2b78..4c3af977 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -45,8 +45,14 @@ nickname = sys.argv[1]
api.bootstrap(context='restart')
api.finalize()
+alias_dir = '/etc/pki/pki-tomcat/alias'
+dogtag_instance = 'pki-tomcat'
+if 'dogtag_version' not in api.env:
+ alias_dir = '/var/lib/pki-ca/alias'
+ dogtag_instance = 'pki-ca'
+
# Fetch the new certificate
-db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias')
+db = certs.CertDB(api.env.realm, nssdir=alias_dir)
cert = db.get_cert_from_db(nickname, pem=False)
if not cert:
@@ -79,7 +85,7 @@ finally:
# Fix permissions on the audit cert if we're updating it
if nickname == 'auditSigningCert cert-pki-ca':
- db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias')
+ db = certs.CertDB(api.env.realm, nssdir=alias_dir)
args = ['-M',
'-n', nickname,
'-t', 'u,u,Pu',
@@ -91,7 +97,9 @@ if nickname == 'auditSigningCert cert-pki-ca':
update_cert_config(nickname, cert)
-syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted pki-cad instance pki-ca to renew %s' % nickname)
+syslog.syslog(
+ syslog.LOG_NOTICE, 'certmonger restarted %sd instance %s to renew %s' %
+ (dogtag_instance, dogtag_instance, nickname))
# We monitor 3 certs that are all likely to be renewed by certmonger more or
# less at the same time. Each cert renewal is going to need to restart
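Review bot: The new CRL publish path uses an instance directory named `tomcat-ca` (`/var/lib/pki/tomcat-ca/ca/publish`), while every other dogtag 10 path introduced by this commit uses `pki-tomcat` (`/etc/pki/pki-tomcat/alias` in the restart scripts, `/var/lib/pki/pki-tomcat/conf/ca/CS.cfg` in ipa-replica-prepare, and the `pki-tomcat` instance name). If the instance really lives under `pki-tomcat`, both the `Alias /ipa/crl` line and the `<Directory>` line point at a directory that will not exist, and `/ipa/crl` silently stops serving CRLs, which clients would only notice at revocation-check time. Please confirm the directory name against the installed layout and, if it is a typo, change the two lines to `Alias /ipa/crl "/var/lib/pki/pki-tomcat/ca/publish"` and `<Directory "/var/lib/pki/pki-tomcat/ca/publish">`.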
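Review bot: The fallback in the `@@ -45,8 +45,14 @@` hunk selects the old `pki-ca` layout only when `dogtag_version` is absent from `api.env`; it never looks at the value, so a config that says `dogtag_version=9` (or any value other than 10) would still be treated as a `pki-tomcat` instance. Since the installers on this page write the key only with the literal value `10`, presence is a workable proxy today, but it would be safer to test the value, e.g. `if 'dogtag_version' not in api.env or int(api.env.dogtag_version) < 10:` (`api.env.realm` is already read the same way in this script), and to document the convention with a comment such as `# dogtag_version is written to default.conf by the installers only for dogtag 10; absent means a pre-10 pki-ca instance`. The identical block is duplicated in restart_pkicad (`@@ -30,11 +30,18 @@`), which should get the same treatment; consider hoisting the two assignments into a shared helper so the two certmonger hooks cannot drift apart. Note that these scripts run unattended from certmonger, so picking the wrong instance here means a failed renewal that is only visible in syslog.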
@@ -102,6 +110,7 @@ pause = random.randint(10,360)
syslog.syslog(syslog.LOG_NOTICE, 'Pausing %d seconds to restart pki-ca' % pause)
time.sleep(pause)
try:
- ipaservices.knownservices.pki_cad.restart('pki-ca')
+ ipaservices.knownservices.pki_cad.restart(dogtag_instance)
except Exception, e:
- syslog.syslog(syslog.LOG_ERR, "Cannot restart pki-cad: %s" % str(e))
+ syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" % \
+ (dogtag_instance, str(e)))
diff --git a/install/restart_scripts/restart_pkicad b/install/restart_scripts/restart_pkicad
index 070760b1..c21fb802 100644
--- a/install/restart_scripts/restart_pkicad
+++ b/install/restart_scripts/restart_pkicad
@@ -30,11 +30,18 @@ nickname = sys.argv[1]
api.bootstrap(context='restart')
api.finalize()
-syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted pki-cad, nickname '%s'" % nickname)
+alias_dir = '/etc/pki/pki-tomcat/alias'
+dogtag_instance = 'pki-tomcat'
+if 'dogtag_version' not in api.env:
+ alias_dir = '/var/lib/pki-ca/alias'
+ dogtag_instance = 'pki-ca'
+
+syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted %sd, nickname '%s'" % \
+ (dogtag_instance, nickname))
# Fix permissions on the audit cert if we're updating it
if nickname == 'auditSigningCert cert-pki-ca':
- db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias')
+ db = certs.CertDB(api.env.realm, nssdir = alias_dir )
args = ['-M',
'-n', nickname,
'-t', 'u,u,Pu',
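Review bot: The restart call now targets `dogtag_instance`, but the notice logged one line earlier in the same hunk still hard-codes the old name: `'Pausing %d seconds to restart pki-ca' % pause`. On a dogtag 10 host the syslog trail will say it is restarting `pki-ca` and then restart `pki-tomcat`, which is confusing when diagnosing a failed renewal. Suggest `syslog.syslog(syslog.LOG_NOTICE, 'Pausing %d seconds to restart %s' % (pause, dogtag_instance))` so the log names the instance actually restarted, matching the error message added below it.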
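Review bot: Style: the added `db = certs.CertDB(api.env.realm, nssdir = alias_dir )` in restart_pkicad puts spaces around the keyword `=` and before the closing parenthesis, which differs from the same line added in renew_ca_cert (`nssdir=alias_dir`) and from the rest of the file. Please write it as `db = certs.CertDB(api.env.realm, nssdir=alias_dir)`. The two new multi-line `syslog.syslog(...)` calls also use a backslash continuation inside parentheses, where the open paren already continues the line; dropping the `\` matches how renew_ca_cert formats its equivalent call.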
@@ -44,7 +51,8 @@ if nickname == 'auditSigningCert cert-pki-ca':
try:
# I've seen times where systemd restart does not actually restart
# the process. A full stop/start is required. This works around that
- ipaservices.knownservices.pki_cad.stop('pki-ca')
- ipaservices.knownservices.pki_cad.start('pki-ca')
+ ipaservices.knownservices.pki_cad.stop(dogtag_instance)
+ ipaservices.knownservices.pki_cad.start(dogtag_instance)
except Exception, e:
- syslog.syslog(syslog.LOG_ERR, "Cannot restart pki-cad: %s" % str(e))
+ syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" % \
+ (dogtag_instance, str(e)))
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 4d7be217..d5283223 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -156,6 +156,16 @@ def main():
# We need to restart apache as we drop a new config file in there
ipaservices.knownservices.httpd.restart(capture_output=True)
+ #update dogtag version in config file to denote new instance
+ try:
+ fd = open("/etc/ipa/default.conf", "a")
+ fd.write("dogtag_version=10\n")
+ fd.close()
+ except IOError, e:
+ print "Failed to update /etc/ipa/default.conf"
+ root_logger.error(str(e))
+ sys.exit(1)
+
fail_message = '''
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage
index 6eefe8d6..884956fd 100755
--- a/install/tools/ipa-csreplica-manage
+++ b/install/tools/ipa-csreplica-manage
@@ -80,7 +80,7 @@ class CSReplicationManager(replication.ReplicationManager):
"""
dn = None
cn = None
- instance_name = 'pki-ca'
+ instance_name = 'pki-tomcat'
# if master is not None we know what dn to return:
if master is not None:
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 267a70d8..a7b34cf1 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
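Review bot: The new block in ipa-ca-install appends `dogtag_version=10` blindly: it does not check whether the key is already present, so a re-run of the tool on a host that already has it produces a duplicate key, and because it appends at end-of-file the line lands in whatever section happens to be last, which is only `[global]` if nothing else follows (the other installers on this page write the key alongside `ra_plugin=dogtag` inside the block that also writes `mode=production`, so they do not have this problem). The `open`/`write`/`close` sequence also leaks the descriptor if `write` raises; `with open("/etc/ipa/default.conf", "a") as fd:` / `    fd.write("dogtag_version=10\n")` is the idiomatic form. Worth noting in a comment that this write happens after the CA is installed and httpd restarted, so an `IOError` here exits with the CA running but unmarked, and the certmonger restart scripts will then fall back to the `pki-ca` paths for that instance. `main()` starts and ends outside the hunk.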
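Review bot: `instance_name = 'pki-tomcat'` is now unconditional in CSReplicationManager, whereas renew_ca_cert and restart_pkicad in this same commit fall back to `'pki-ca'` when `dogtag_version` is absent from `api.env`. On a master whose CA is still the old instance, this tool would presumably build its CA replication DN from the wrong instance name and fail to find the agreements. If `api` is in scope here as in the restart scripts, the consistent fix is `instance_name = 'pki-tomcat' if 'dogtag_version' in api.env else 'pki-ca'`, ideally with a comment pointing at the same convention the restart scripts rely on. The enclosing method starts and ends outside the hunk.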
@@ -376,6 +376,7 @@ def main():
if ipautil.file_exists(config.dir + "/cacert.p12"):
fd.write("enable_ra=True\n")
fd.write("ra_plugin=dogtag\n")
+ fd.write("dogtag_version=10\n")
fd.write("mode=production\n")
fd.close()
finally:
diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index d1ffe4e2..ce25681f 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -304,7 +304,7 @@ def main():
if options.reverse_zone and not bindinstance.verify_reverse_zone(options.reverse_zone, options.ip_address):
sys.exit(1)
- if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki-ca/conf/CS.cfg") and not options.dirsrv_pin:
+ if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki/pki-tomcat/conf/ca/CS.cfg") and not options.dirsrv_pin:
sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.")
check_ipa_configuration(api.env.realm)
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index f07aeadf..639a7270 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -853,6 +853,7 @@ def main():
fd.write("enable_ra=True\n")
if not options.selfsign:
fd.write("ra_plugin=dogtag\n")
+ fd.write("dogtag_version=10\n")
fd.write("mode=production\n")
fd.close()
diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json
index 0d94d9b0..bccc31b1 100644
--- a/install/ui/test/data/ipa_init.json
+++ b/install/ui/test/data/ipa_init.json
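Review bot: The primary-server check in ipa-replica-prepare (`@@ -304,7 +304,7 @@`) now recognises only the dogtag 10 layout, `/var/lib/pki/pki-tomcat/conf/ca/CS.cfg`; the old `/var/lib/pki-ca/conf/CS.cfg` path is dropped rather than kept as a fallback, unlike the restart scripts in this commit. On a server whose CA is still the `pki-ca` instance, a non-self-signed install without `--dirsrv_pin` would therefore hit `sys.exit("The replica must be created on the primary IPA server...")` even when run on the primary. `api` is already used on the next context line (`check_ipa_configuration(api.env.realm)`), so the check can follow the same convention: `cs_cfg = "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" if 'dogtag_version' in api.env else "/var/lib/pki-ca/conf/CS.cfg"` followed by `if not certs.ipa_self_signed() and not ipautil.file_exists(cs_cfg) and not options.dirsrv_pin:`. `main()` starts and ends outside the hunk.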
@@ -669,12 +669,12 @@ "result": {
"basedn": "dc=dev,dc=example,dc=com",
"bin": "/var/www",
- "ca_agent_install_port": 9443,
+ "ca_agent_install_port": 8443,
"ca_agent_port": 443,
- "ca_ee_install_port": 9444,
+ "ca_ee_install_port": 8443,
"ca_ee_port": 443,
"ca_host": "dev.example.com",
- "ca_install_port": 9180,
+ "ca_install_port": 8080,
"ca_port": 80,
"conf": "/etc/ipa/server.conf",
"conf_default": "/etc/ipa/default.conf",