-rw-r--r-- | freeipa.spec.in | 5 | ||||
-rw-r--r-- | install/conf/ipa-pki-proxy.conf | 14 | ||||
-rw-r--r-- | install/conf/ipa.conf | 6 | ||||
-rw-r--r-- | install/restart_scripts/renew_ca_cert | 11 | ||||
-rw-r--r-- | install/restart_scripts/restart_pkicad | 15 | ||||
-rwxr-xr-x | install/tools/ipa-ca-install | 6 | ||||
-rwxr-xr-x | install/tools/ipa-csreplica-manage | 3 | ||||
-rwxr-xr-x | install/tools/ipa-replica-install | 4 | ||||
-rwxr-xr-x | install/tools/ipa-replica-prepare | 5 | ||||
-rwxr-xr-x | install/tools/ipa-server-install | 21 | ||||
-rw-r--r-- | install/tools/ipa-upgradeconfig | 12 | ||||
-rw-r--r-- | install/ui/test/data/ipa_init.json | 6 | ||||
-rw-r--r-- | ipa-client/man/default.conf.5 | 6 | ||||
-rw-r--r-- | ipalib/constants.py | 9 | ||||
-rw-r--r-- | ipapython/certmonger.py | 4 | ||||
-rw-r--r-- | ipapython/dogtag.py | 110 | ||||
-rw-r--r-- | ipapython/ipautil.py | 31 | ||||
-rw-r--r-- | ipapython/platform/base.py | 2 | ||||
-rw-r--r-- | ipaserver/install/cainstance.py | 336 | ||||
-rw-r--r-- | ipaserver/install/certs.py | 18 | ||||
-rw-r--r-- | ipaserver/install/httpinstance.py | 9 | ||||
-rw-r--r-- | ipaserver/install/installutils.py | 4 | ||||
-rw-r--r-- | ipaserver/install/service.py | 14 | ||||
-rw-r--r-- | selinux/ipa_dogtag/ipa_dogtag.fc | 1 |
24 files changed, 515 insertions, 137 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in index 298487be..ef9678ec 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -250,7 +250,7 @@ Requires: xmlrpc-c %endif %endif Requires: sssd >= 1.8.0 -Requires: certmonger >= 0.58 +Requires: certmonger >= 0.60 Requires: nss-tools Requires: bind-utils Requires: oddjob-mkhomedir @@ -748,6 +748,9 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt %changelog +* Tue Sep 18 2012 Petr Viktorin <pviktori@redhat.com> - 2.99.0-46 +- Set certmonger minimum version to 0.60 for Dogtag 10 support. + * Mon Sep 17 2012 Rob Crittenden <rcritten@redhat.com> - 2.99.0-45 - Set min for 389-ds-base to 1.2.11.14-1 on F17+ to pull in updated RUV code and nsslapd-readonly schema. diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf index 7a067ca9..20c09217 100644 --- a/install/conf/ipa-pki-proxy.conf +++ b/install/conf/ipa-pki-proxy.conf @@ -1,4 +1,4 @@ -# VERSION 1 - DO NOT REMOVE THIS LINE +# VERSION 2 - DO NOT REMOVE THIS LINE ProxyRequests Off 
@@ -6,22 +6,22 @@ ProxyRequests Off <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange"> NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate NSSVerifyClient none - ProxyPassMatch ajp://localhost:8009 - ProxyPassReverse ajp://localhost:8009 + ProxyPassMatch ajp://localhost:$DOGTAG_PORT + ProxyPassReverse ajp://localhost:$DOGTAG_PORT </LocationMatch> # matches for admin port and installer <LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken"> NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate NSSVerifyClient none - ProxyPassMatch ajp://localhost:8009 - ProxyPassReverse ajp://localhost:8009 + ProxyPassMatch ajp://localhost:$DOGTAG_PORT + ProxyPassReverse ajp://localhost:$DOGTAG_PORT </LocationMatch> # matches for agent port and eeca port <LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient"> NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate NSSVerifyClient require - ProxyPassMatch ajp://localhost:8009 - ProxyPassReverse ajp://localhost:8009 + ProxyPassMatch ajp://localhost:$DOGTAG_PORT + ProxyPassReverse ajp://localhost:$DOGTAG_PORT </LocationMatch> diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index d428460f..ed50a35b 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf @@ -1,5 +1,5 @@ # -# VERSION 7 - DO NOT REMOVE THIS LINE +# VERSION 8 - DO NOT REMOVE THIS LINE # # This file may be overwritten on upgrades. # 
@@ -105,8 +105,8 @@ Alias /ipa/config "/usr/share/ipa/html" # For CRL publishing -Alias /ipa/crl "/var/lib/pki/tomcat-ca/ca/publish" -<Directory "/var/lib/pki/tomcat-ca/ca/publish"> +Alias /ipa/crl "$CRL_PUBLISH_PATH" +<Directory "$CRL_PUBLISH_PATH"> SetHandler None AllowOverride None Options Indexes FollowSymLinks diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert index 4c3af977..5317835f 100644 --- a/install/restart_scripts/renew_ca_cert +++ b/install/restart_scripts/renew_ca_cert @@ -32,6 +32,7 @@ from ipapython.dn import DN from ipalib import errors from ipapython import services as ipaservices from ipapython import ipautil +from ipapython import dogtag from ipaserver.install import certs from ipaserver.plugins.ldap2 import ldap2 from ipaserver.install.cainstance import update_cert_config @@ -45,11 +46,9 @@ nickname = sys.argv[1] api.bootstrap(context='restart') api.finalize() -alias_dir = '/etc/pki/pki-tomcat/alias' -dogtag_instance = 'pki-tomcat' -if 'dogtag_version' not in api.env: - alias_dir = '/var/lib/pki-ca/alias' - dogtag_instance = 'pki-ca' +configured_constants = dogtag.configured_constants(api) +alias_dir = configured_constants.ALIAS_DIR +dogtag_instance = configured_constants.PKI_INSTANCE_NAME # Fetch the new certificate db = certs.CertDB(api.env.realm, nssdir=alias_dir) @@ -112,5 +111,5 @@ time.sleep(pause) try: ipaservices.knownservices.pki_cad.restart(dogtag_instance) except Exception, e: - syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" % \ + syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" % (dogtag_instance, str(e))) diff --git a/install/restart_scripts/restart_pkicad b/install/restart_scripts/restart_pkicad index c21fb802..0b6040a9 100644 --- a/install/restart_scripts/restart_pkicad +++ b/install/restart_scripts/restart_pkicad 
@@ -22,6 +22,7 @@ import sys import syslog from ipapython import services as ipaservices +from ipapython import dogtag from ipaserver.install import certs from ipalib import api @@ -30,18 +31,16 @@ nickname = sys.argv[1] api.bootstrap(context='restart') api.finalize() -alias_dir = '/etc/pki/pki-tomcat/alias' -dogtag_instance = 'pki-tomcat' -if 'dogtag_version' not in api.env: - alias_dir = '/var/lib/pki-ca/alias' - dogtag_instance = 'pki-ca' +configured_constants = dogtag.configured_constants(api) +alias_dir = configured_constants.ALIAS_DIR +dogtag_instance = configured_constants.PKI_INSTANCE_NAME -syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted %sd, nickname '%s'" % \ +syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted %sd, nickname '%s'" % (dogtag_instance, nickname)) # Fix permissions on the audit cert if we're updating it if nickname == 'auditSigningCert cert-pki-ca': - db = certs.CertDB(api.env.realm, nssdir = alias_dir ) + db = certs.CertDB(api.env.realm, nssdir=alias_dir) args = ['-M', '-n', nickname, '-t', 'u,u,Pu', @@ -54,5 +53,5 @@ try: ipaservices.knownservices.pki_cad.stop(dogtag_instance) ipaservices.knownservices.pki_cad.start(dogtag_instance) except Exception, e: - syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" % \ + syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" % (dogtag_instance, str(e))) diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index d5283223..1c1b96a9 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -37,6 +37,7 @@ from ipapython import version from ipalib import api, util from ipapython.config import IPAOptionParser from ipapython import sysrestore +from ipapython import dogtag from ipapython.ipa_log_manager import * log_file_name = "/var/log/ipareplica-ca-install.log" 
@@ -156,10 +157,11 @@ def main(): # We need to restart apache as we drop a new config file in there ipaservices.knownservices.httpd.restart(capture_output=True) - #update dogtag version in config file to denote new instance + #update dogtag version in config file try: fd = open("/etc/ipa/default.conf", "a") - fd.write("dogtag_version=10\n") + fd.write( + "dogtag_version=%s\n" % dogtag.install_constants.DOGTAG_VERSION) fd.close() except IOError, e: print "Failed to update /etc/ipa/default.conf" diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage index 884956fd..39cfa585 100755 --- a/install/tools/ipa-csreplica-manage +++ b/install/tools/ipa-csreplica-manage @@ -29,6 +29,7 @@ from ipapython import ipautil from ipaserver.install import replication, installutils from ipaserver import ipaldap from ipapython import version +from ipapython import dogtag from ipalib import api, errors, util from ipapython.dn import DN @@ -80,7 +81,7 @@ class CSReplicationManager(replication.ReplicationManager): """ dn = None cn = None - instance_name = 'pki-tomcat' + instance_name = dogtag.configured_constants(api).PKI_INSTANCE_NAME # if master is not None we know what dn to return: if master is not None: diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index a7b34cf1..0378827d 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -42,6 +42,7 @@ from ipapython.config import IPAOptionParser from ipapython import sysrestore from ipapython import services as ipaservices from ipapython.ipa_log_manager import * +from ipapython import dogtag from ipapython.dn import DN log_file_name = "/var/log/ipareplica-install.log" 
@@ -376,7 +377,8 @@ def main(): if ipautil.file_exists(config.dir + "/cacert.p12"): fd.write("enable_ra=True\n") fd.write("ra_plugin=dogtag\n") - fd.write("dogtag_version=10\n") + fd.write("dogtag_version=%s\n" % + dogtag.install_constants.DOGTAG_VERSION) fd.write("mode=production\n") fd.close() finally: diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare index ce25681f..56f132a3 100755 --- a/install/tools/ipa-replica-prepare +++ b/install/tools/ipa-replica-prepare @@ -33,6 +33,7 @@ from ipaserver.install.replication import enable_replication_version_checking from ipaserver.install.installutils import resolve_host, BadHostError, HostLookupError from ipaserver.plugins.ldap2 import ldap2 from ipapython import version +from ipapython import dogtag from ipapython.config import IPAOptionParser from ipalib import api, errors, util from ipapython.dn import DN @@ -304,7 +305,9 @@ def main(): if options.reverse_zone and not bindinstance.verify_reverse_zone(options.reverse_zone, options.ip_address): sys.exit(1) - if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki/pki-tomcat/conf/ca/CS.cfg") and not options.dirsrv_pin: + if (not certs.ipa_self_signed() and + not ipautil.file_exists(dogtag.configured_constants().CS_CFG_PATH) and + not options.dirsrv_pin): sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.") check_ipa_configuration(api.env.realm) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 639a7270..201e2fb1 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install 
@@ -58,6 +58,7 @@ from ipaserver.plugins.ldap2 import ldap2 from ipapython import sysrestore from ipapython.ipautil import * from ipapython import ipautil +from ipapython import dogtag from ipalib import api, errors, util from ipapython.config import IPAOptionParser from ipalib.x509 import load_certificate_from_file, load_certificate_chain_from_file @@ -465,6 +466,9 @@ def uninstall(): except Exception, e: pass + # Need to get dogtag info before /etc/ipa/default.conf is removed + dogtag_constants = dogtag.configured_constants() + print "Removing IPA client configuration" try: (stdout, stderr, rc) = run(["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--uninstall"], raiseonerr=False) @@ -477,10 +481,13 @@ def uninstall(): print "ipa-client-install returned: " + str(e) ntpinstance.NTPInstance(fstore).uninstall() - if cainstance.CADSInstance().is_configured(): - cainstance.CADSInstance().uninstall() - if cainstance.CAInstance(api.env.realm, certs.NSS_DIR).is_configured(): - cainstance.CAInstance(api.env.realm, certs.NSS_DIR).uninstall() + cads_instance = cainstance.CADSInstance(dogtag_constants=dogtag_constants) + if cads_instance.is_configured(): + cads_instance.uninstall() + ca_instance = cainstance.CAInstance( + api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants) + if ca_instance.is_configured(): + ca_instance.uninstall() bindinstance.BindInstance(fstore).uninstall() httpinstance.HTTPInstance(fstore).uninstall() krbinstance.KrbInstance(fstore).uninstall() @@ -853,7 +860,8 @@ def main(): fd.write("enable_ra=True\n") if not options.selfsign: fd.write("ra_plugin=dogtag\n") - fd.write("dogtag_version=10\n") + fd.write("dogtag_version=%s\n" % + dogtag.install_constants.DOGTAG_VERSION) fd.write("mode=production\n") fd.close() 
@@ -916,7 +924,8 @@ def main(): cs = cainstance.CADSInstance(host_name, realm_name, domain_name, dm_password) if not cs.is_configured(): cs.create_instance(realm_name, host_name, domain_name, dm_password, subject_base=options.subject) - ca = cainstance.CAInstance(realm_name, certs.NSS_DIR) + ca = cainstance.CAInstance(realm_name, certs.NSS_DIR, + dogtag_constants=dogtag.install_constants) if external == 0: ca.configure_instance(host_name, dm_password, dm_password, subject_base=options.subject) diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 3041cb60..6c043718 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -29,6 +29,7 @@ try: from ipapython.config import IPAOptionParser from ipapython.ipa_log_manager import * from ipapython import certmonger + from ipapython import dogtag from ipaserver.install import installutils from ipaserver.install import dsinstance from ipaserver.install import httpinstance @@ -458,7 +459,7 @@ def enable_certificate_renewal(realm): ca.configure_agent_renewal() ca.track_servercert() sysupgrade.set_upgrade_state('dogtag', 'renewal_configured', True) - ca.restart(cainstance.PKI_INSTANCE_NAME) + ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME) root_logger.debug('CA subsystem certificate renewal enabled') def main(): @@ -495,7 +496,14 @@ def main(): check_certs() auto_redirect = find_autoredirect(fqdn) - sub_dict = { "REALM" : api.env.realm, "FQDN": fqdn, "AUTOREDIR": '' if auto_redirect else '#'} + configured_constants = dogtag.configured_constants() + sub_dict = dict( + REALM=api.env.realm, + FQDN=fqdn, + AUTOREDIR='' if auto_redirect else '#', + CRL_PUBLISH_PATH=configured_constants.CRL_PUBLISH_PATH, + DOGTAG_PORT=configured_constants.AJP_PORT, + ) upgrade(sub_dict, "/etc/httpd/conf.d/ipa.conf", ipautil.SHARE_DIR + "ipa.conf") upgrade(sub_dict, "/etc/httpd/conf.d/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf") 
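Review bot: The context line `cs = cainstance.CADSInstance(host_name, realm_name, domain_name, dm_password)` is still built without `dogtag_constants`, while the new `CAInstance(...)` call two lines later passes `dogtag_constants=dogtag.install_constants`. CADSInstance's new default falls back to `dogtag.configured_constants()`, which reads the already-configured version rather than the one being installed, so the two objects can disagree if /etc/ipa/default.conf does not yet carry `dogtag_version` at this point (the write happens in an earlier hunk of main(), but I cannot confirm the control flow from here). Passing the same constants keeps the install on one version: `cs = cainstance.CADSInstance(host_name, realm_name, domain_name, dm_password, dogtag_constants=dogtag.install_constants)`. main() continues outside the hunk.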
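Review bot: The new `sub_dict` supplies `DOGTAG_PORT` and `CRL_PUBLISH_PATH`, but the visible `upgrade()` calls only render ipa.conf and ipa-rewrite.conf, while the ipa-pki-proxy.conf template (bumped to VERSION 2 earlier in this diff) now also needs `$DOGTAG_PORT` substituted. If that file is rendered elsewhere with a different dictionary (httpinstance.py is in the diffstat but not visible here), confirm it receives `DOGTAG_PORT` too; an unsubstituted `$DOGTAG_PORT` leaves every CA ProxyPassMatch pointing at no valid AJP port. A comment at the dict would help the next person who adds a placeholder: `# keys must cover every $PLACEHOLDER in the templates rendered below`. main() continues outside the hunk.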
diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json index bccc31b1..0d94d9b0 100644 --- a/install/ui/test/data/ipa_init.json +++ b/install/ui/test/data/ipa_init.json @@ -669,12 +669,12 @@ "result": { "basedn": "dc=dev,dc=example,dc=com", "bin": "/var/www", - "ca_agent_install_port": 8443, + "ca_agent_install_port": 9443, "ca_agent_port": 443, - "ca_ee_install_port": 8443, + "ca_ee_install_port": 9444, "ca_ee_port": 443, "ca_host": "dev.example.com", - "ca_install_port": 8080, + "ca_install_port": 9180, "ca_port": 80, "conf": "/etc/ipa/server.conf", "conf_default": "/etc/ipa/default.conf", diff --git a/ipa-client/man/default.conf.5 b/ipa-client/man/default.conf.5 index c3adeb85..fb913e6c 100644 --- a/ipa-client/man/default.conf.5 +++ b/ipa-client/man/default.conf.5 @@ -66,13 +66,13 @@ The following options are relevant for the server: Specifies the base DN to use when performing LDAP operations. The base must be in DN format (dc=example,dc=com). .TP .B ca_agent_port <port> -Specifies the secure CA agent port. The default is 8443. +Specifies the secure CA agent port. The default is 9443 for Dogtag 9, and 8443 for Dogtag 10. .TP .B ca_ee_port <port> -Specifies the secure CA end user port. The default is 8443. +Specifies the secure CA end user port. The default is 9444 for Dogtag 9, and 8443 for Dogtag 10. .TP .B ca_port <port> -Specifies the insecure CA end user port. The default is 8080. +Specifies the insecure CA end user port. The default is 9180 for Dogtag 9, and 8080 for Dogtag 10. .TP .B ca_host <hostname> Specifies the hostname of the dogtag CA server. The default is the hostname of the IPA server. diff --git a/ipalib/constants.py b/ipalib/constants.py index 57265da5..81db0202 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py 
@@ -141,9 +141,11 @@ DEFAULT_CONFIG = ( ('ca_port', 80), ('ca_agent_port', 443), ('ca_ee_port', 443), - ('ca_install_port', 8080), - ('ca_agent_install_port', 8443), - ('ca_ee_install_port', 8443), + # For the following ports, None means a default specific to the installed + # Dogtag version. + ('ca_install_port', None), + ('ca_agent_install_port', None), + ('ca_ee_install_port', None), # Special CLI: @@ -156,6 +158,7 @@ DEFAULT_CONFIG = ( ('enable_ra', False), ('ra_plugin', 'selfsign'), ('wait_for_attr', False), + ('dogtag_version', 9), # Used when verifying that the API hasn't changed. Not for production. ('validate_api', False), diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py index 7f88a05d..9cc4466c 100644 --- a/ipapython/certmonger.py +++ b/ipapython/certmonger.py @@ -26,6 +26,7 @@ import sys import re import time from ipapython import ipautil +from ipapython import dogtag REQUEST_DIR='/var/lib/certmonger/requests/' CA_DIR='/var/lib/certmonger/cas/' @@ -337,8 +338,7 @@ def get_pin(token): The caller is expected to handle any exceptions raised. """ - filename = '/var/lib/pki/pki-tomcat/conf/password.conf' - with open(filename, 'r') as f: + with open(dogtag.configured_constants().PASSWORD_CONF_PATH, 'r') as f: for line in f: (tok, pin) = line.split('=', 1) if token == tok: diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 8298ecfe..22a5a6d1 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py 
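Review bot: `('dogtag_version', 9)` is added without the kind of comment the port entries just above it received, and what the value means (the version of the CA this server was installed with, assumed to be 9 when the option is absent) is only stated in ipapython/dogtag.py. A comment at the line keeps DEFAULT_CONFIG self-describing: `# Dogtag version of the installed CA; installs that predate this option default to 9`.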
@@ -17,17 +17,118 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 #
+import os
 import httplib
 import xml.dom.minidom
+import ConfigParser
+from urllib import urlencode
+
 import nss.nss as nss
 from nss.error import NSPRError
-from urllib import urlencode
 from ipalib import api, errors
-from ipapython import nsslib, ipautil
 from ipalib.errors import NetworkError, CertificateOperationError
-from ipapython.ipa_log_manager import *
 from ipalib.text import _
+from ipapython import nsslib, ipautil
+from ipapython.ipa_log_manager import *
+
+# IPA can use either Dogtag version 9 or 10.
+#
+# Install tools should use the constants from install_constants, so that they
+# install with version 10 if it is available, and with 9 if not.
+# After IPA installation, the Dogtag version used is stored in the
+# "dogtag_version" config option. (If that is missing, version 9 is assumed.)
+# The configured_constants() function below provides constants relevant to
+# the configured version.
+
+class Dogtag10Constants(object):
+ DOGTAG_VERSION = 10
+ UNSECURE_PORT = 8080
+ AGENT_SECURE_PORT = 8443
+ EE_SECURE_PORT = 8443
+ AJP_PORT = 8009
+
+ SPAWN_BINARY = '/usr/sbin/pkispawn'
+ DESTROY_BINARY = '/usr/sbin/pkidestroy'
+
+ SERVER_ROOT = '/var/lib/pki'
+ PKI_INSTANCE_NAME = 'pki-tomcat'
+ PKI_ROOT = '%s/%s' % (SERVER_ROOT, PKI_INSTANCE_NAME)
+ CRL_PUBLISH_PATH = '%s/ca/publish' % PKI_ROOT
+ CS_CFG_PATH = '%s/conf/ca/CS.cfg' % PKI_ROOT
+ PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT
+ SERVICE_PROFILE_DIR = '%s/ca/profiles/ca' % PKI_ROOT
+ ALIAS_DIR = '/etc/pki/pki-tomcat/alias'
+
+ RACERT_LINE_SEP = '\n'
+
+ IPA_SERVICE_PROFILE = '%s/caIPAserviceCert.cfg' % SERVICE_PROFILE_DIR
+ SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR
+
+class Dogtag9Constants(object):
+ DOGTAG_VERSION = 9
+ UNSECURE_PORT = 9180
+ AGENT_SECURE_PORT = 9443
+ EE_SECURE_PORT = 9444
+ AJP_PORT = 9447
+
+ SPAWN_BINARY = '/bin/pkicreate'
+ DESTROY_BINARY = '/bin/pkisilent'
+
+ SERVER_ROOT = '/var/lib'
+ PKI_INSTANCE_NAME = 'pki-ca'
+ PKI_ROOT = '%s/%s' % (SERVER_ROOT, PKI_INSTANCE_NAME)
+ CRL_PUBLISH_PATH = '%s/publish' % PKI_ROOT
+ CS_CFG_PATH = '%s/conf/CS.cfg' % PKI_ROOT
+ PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT
+ SERVICE_PROFILE_DIR = '%s/profiles/ca' % PKI_ROOT
+ ALIAS_DIR = '%s/alias' % PKI_ROOT
+
+ RACERT_LINE_SEP = '\r\n'
+
+ ADMIN_SECURE_PORT = 9445
+ EE_CLIENT_AUTH_PORT = 9446
+ TOMCAT_SERVER_PORT = 9701
+
+ IPA_SERVICE_PROFILE = '%s/caIPAserviceCert.cfg' % SERVICE_PROFILE_DIR
+ SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR
+
+
+if os.path.exists('/usr/sbin/pkispawn'):
+ install_constants = Dogtag10Constants
+else:
+ install_constants = Dogtag9Constants
+
+
+def _get_configured_version(api):
+ """Get the version of Dogtag IPA is configured to use
+
+ If an API is given, use information in its environment.
+ Otherwise, use information from the global config file.
+ """ + if api: + return int(api.env.dogtag_version) + else: + p = ConfigParser.SafeConfigParser() + p.read("/etc/ipa/default.conf") + try: + version = p.get('global', 'dogtag_version') + except (ConfigParser.NoOptionError, ConfigParser.NoSectionError): + return 9 + else: + return int(version) + + +def configured_constants(api=None): + """Get the name of the Dogtag CA instance + + See get_configured_version + """ + if _get_configured_version(api) >= 10: + return Dogtag10Constants + else: + return Dogtag9Constants + def get_ca_certchain(ca_host=None): """ @@ -36,7 +137,8 @@ def get_ca_certchain(ca_host=None): if ca_host is None: ca_host = api.env.ca_host chain = None - conn = httplib.HTTPConnection(ca_host, api.env.ca_install_port) + conn = httplib.HTTPConnection(ca_host, + api.env.ca_install_port or configured_constants().UNSECURE_PORT) conn.request("GET", "/ca/ee/ca/getCertChain") res = conn.getresponse() doc = None diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index a3fd83e4..d6e97b89 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -293,19 +293,12 @@ def run(args, stdin=None, raiseonerr=True, raise # The command and its output may include passwords that we don't want - # to log. Run through the nolog items. + # to log. Replace those. args = ' '.join(args) - for value in nolog: - if not isinstance(value, basestring): - continue - - quoted = urllib2.quote(value) - shquoted = shell_quote(value) - for nolog_value in (shquoted, value, quoted): - if capture_output: - stdout = stdout.replace(nolog_value, 'XXXXXXXX') - stderr = stderr.replace(nolog_value, 'XXXXXXXX') - args = args.replace(nolog_value, 'XXXXXXXX') + if capture_output: + stdout = nolog_replace(stdout, nolog) + stderr = nolog_replace(stderr, nolog) + args = nolog_replace(args, nolog) root_logger.debug('args=%s' % args) if capture_output: 
@@ -317,6 +310,20 @@ def run(args, stdin=None, raiseonerr=True,
 return (stdout, stderr, p.returncode)
+
+def nolog_replace(string, nolog):
+ """Replace occurences of strings given in `nolog` with XXXXXXXX"""
+ for value in nolog:
+ if not isinstance(value, basestring):
+ continue
+
+ quoted = urllib2.quote(value)
+ shquoted = shell_quote(value)
+ for nolog_value in (shquoted, value, quoted):
+ string = string.replace(nolog_value, 'XXXXXXXX')
+ return string
+
+
 def file_exists(filename):
 try:
 mode = os.stat(filename)[stat.ST_MODE]
diff --git a/ipapython/platform/base.py b/ipapython/platform/base.py
index b71e2f32..a1e6b4e0 100644
--- a/ipapython/platform/base.py
+++ b/ipapython/platform/base.py
@@ -34,10 +34,10 @@ wellknownports = {
 'dirsrv@PKI-IPA.service': [7389],
 'PKI-IPA': [7389],
 'dirsrv': [389], # this is only used if the incoming instance name is blank
+ 'pki-cad': [9180],
 'pki-tomcatd@pki-tomcat.service': [8080],
 'pki-tomcat': [8080],
 'pki-tomcatd': [8080], # used if the incoming instance name is blank
- 'pki-cad': [9180]
 }
 class AuthConfig(object):
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 4ab58d06..e08df06a 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -48,6 +48,7 @@ import nss.nss as nss
 from ipapython import ipautil
 from ipapython import nsslib
 from ipapython import services as ipaservices
+from ipapython import dogtag
 from ipaserver import ipaldap
 from ipaserver.install import service
@@ -64,11 +65,6 @@ DEFAULT_DSPORT=7389
 PKI_USER = "pkiuser"
 PKI_DS_USER = "pkisrv"
-# These values come from /usr/share/pki/ca/setup/postinstall
-PKI_INSTANCE_NAME="pki-tomcat"
-AGENT_SECURE_PORT=8443
-
-IPA_SERVICE_PROFILE = '/var/lib/pki/%s/ca/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME
 # We need to reset the template because the CA uses the regular boot
 # information
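Review bot: `nolog_replace` is now a module-level helper (also used to scrub the pkispawn configuration before it is logged), yet an empty string in `nolog` passes the `basestring` check and `str.replace('', 'XXXXXXXX')` inserts the mask between every character of the text; a guard `if not isinstance(value, basestring) or not value:` before the `continue` avoids that. The docstring has a typo and should say what is matched: `"""Replace occurrences of each string in `nolog` (raw, shell-quoted and URL-quoted) with XXXXXXXX"""`. Masking is plain substring replacement, so a short secret that also appears inside unrelated output is masked as well; harmless for logs, but worth a sentence so callers do not rely on the output being intact.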
@@ -92,9 +88,9 @@ def check_inst():
 """
 # Check for a couple of binaries we need
- if not os.path.exists('/bin/pkispawn'):
+ if not os.path.exists(dogtag.install_constants.SPAWN_BINARY):
 return False
- if not os.path.exists('/bin/pkidestroy'):
+ if not os.path.exists(dogtag.install_constants.DESTROY_BINARY):
 return False
 # This is the template tomcat file for a CA
@@ -103,6 +99,32 @@ def check_inst():
 return True
+def get_preop_pin(instance_root, instance_name):
+ # Only used for Dogtag 9
+ preop_pin = None
+
+ filename = instance_root + "/" + instance_name + "/conf/CS.cfg"
+
+ # read the config file and get the preop pin
+ try:
+ f=open(filename)
+ except IOError, e:
+ root_logger.error("Cannot open configuration file." + str(e))
+ raise e
+ data = f.read()
+ data = data.split('\n')
+ pattern = re.compile("preop.pin=(.*)" )
+ for line in data:
+ match = re.search(pattern, line)
+ if (match):
+ preop_pin=match.group(1)
+ break
+
+ if preop_pin is None:
+ raise RuntimeError("Unable to find preop.pin in %s. Is your CA already configured?" % filename)
+
+ return preop_pin
+
 def import_pkcs12(input_file, input_passwd, cert_database, cert_passwd):
 ipautil.run(["/usr/bin/pk12util", "-d", cert_database,
@@ -194,7 +216,7 @@ def get_outputList(data):
 return outputdict
 class CADSInstance(service.Service):
- def __init__(self, host_name=None, realm_name=None, domain_name=None, dm_password=None):
+ def __init__(self, host_name=None, realm_name=None, domain_name=None, dm_password=None, dogtag_constants=None):
 service.Service.__init__(self, "pkids", dm_password=dm_password, ldapi=False, autobind=service.DISABLED)
 self.serverid = "PKI-IPA"
 self.realm_name = realm_name
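Review bot: `f=open(filename)` in `get_preop_pin` is never closed, and `raise e` inside the `except` discards the original traceback on Python 2; reading with `with open(filename) as f:` / `data = f.read()` and re-raising with a bare `raise` fixes both. The pattern `"preop.pin=(.*)"` has an unescaped dot and no anchor, so it also matches a key such as `xpreop-pin=`; `re.compile(r"^preop\.pin=(.*)")` matches only the intended key, and the log message needs a space: `"Cannot open configuration file. " + str(e)`. The returned pin is a bootstrap secret, and the Dogtag 9 configure step later in this diff passes it on the pkisilent command line with a `nolog` tuple holding only the admin and DM passwords, so `ipautil.run`'s `args=` debug line will record it verbatim; add `preop_pin` to that `nolog` and say so in a comment on this function: `# Returns a secret: callers must add it to nolog before passing it to ipautil.run`.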
@@ -215,6 +237,10 @@ class CADSInstance(service.Service): else: self.suffix = DN() + if dogtag_constants is None: + dogtag_constants = dogtag.configured_constants() + self.dogtag_constants = dogtag_constants + subject_base = ipautil.dn_attribute_property('_subject_base') def create_instance(self, realm_name, host_name, domain_name, @@ -385,7 +411,8 @@ class CADSInstance(service.Service): 'ocspSigningCert cert-pki-ca', 'subsystemCert cert-pki-ca']: try: - certmonger.stop_tracking('/etc/pki/pki-tomcat/alias', nickname=nickname) + certmonger.stop_tracking( + self.dogtag_constants.ALIAS_DIR, nickname=nickname) except (ipautil.CalledProcessError, RuntimeError), e: root_logger.error("certmonger failed to stop tracking certificate: %s" % str(e)) @@ -413,8 +440,12 @@ class CAInstance(service.Service): 2 = have signed cert, continue installation """ - def __init__(self, realm, ra_db): - service.Service.__init__(self, "pki-tomcatd") + def __init__(self, realm, ra_db, dogtag_constants=None): + if dogtag_constants is None: + dogtag_constants = dogtag.configured_constants() + service.Service.__init__(self, + '%sd' % dogtag_constants.PKI_INSTANCE_NAME) + self.dogtag_constants = dogtag_constants self.realm = realm self.dm_password = None self.admin_password = None @@ -438,7 +469,7 @@ class CAInstance(service.Service): self.ra_agent_pwd = self.ra_agent_db + "/pwdfile.txt" self.ds_port = DEFAULT_DSPORT self.domain_name = "IPA" - self.server_root = "/var/lib/pki" + self.server_root = dogtag_constants.SERVER_ROOT self.ra_cert = None self.requestId = None @@ -452,7 +483,8 @@ class CAInstance(service.Service): Returns True/False """ - return os.path.exists(self.server_root + '/' + PKI_INSTANCE_NAME) + return os.path.exists(os.path.join( + self.server_root, self.dogtag_constants.PKI_INSTANCE_NAME)) def configure_instance(self, host_name, dm_password, admin_password, ds_port=DEFAULT_DSPORT, 
@@ -461,6 +493,8 @@ class CAInstance(service.Service): subject_base=None): """Create a CA instance. + For Dogtag 9, this may involve creating the pki-ca instance. + To create a clone, pass in pkcs12_info. Creating a CA with an external signer is a 2-step process. In @@ -492,11 +526,18 @@ class CAInstance(service.Service): self.external=2 self.step("creating certificate server user", self.__create_ca_user) - self.step("configuring certificate server instance", self.__spawn_instance) + if self.dogtag_constants.DOGTAG_VERSION >= 10: + self.step("configuring certificate server instance", self.__spawn_instance) + else: + if not ipautil.dir_exists("/var/lib/pki-ca"): + self.step("creating pki-ca instance", self.create_instance) + self.step("configuring certificate server instance", self.__configure_instance) self.step("disabling nonces", self.__disable_nonce) # Step 1 of external is getting a CSR so we don't need to do these # steps until we get a cert back from the external CA. if self.external != 1: + if self.dogtag_constants.DOGTAG_VERSION < 10 and not self.clone: + self.step("creating CA agent PKCS#12 file in /root", self.__create_ca_agent_pkcs12) if self.create_ra_agent_db: self.step("creating RA agent certificate database", self.__create_ra_agent_db) self.step("importing CA chain to RA certificate database", self.__import_ca_chain) @@ -608,7 +649,12 @@ class CAInstance(service.Service): # Define the things we don't want logged nolog = (self.admin_password, self.dm_password,) - args = ["/bin/pkispawn", "-s", "CA", "-f", cfg_file ] + args = ["/usr/sbin/pkispawn", "-s", "CA", "-f", cfg_file ] + + with open(cfg_file) as f: + root_logger.debug( + 'Contents of pkispawn configuration file (%s):\n%s' % + (cfg_file, ipautil.nolog_replace(f.read(), nolog))) try: ipautil.run(args, nolog=nolog) 
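Review bot: `ipautil.dir_exists("/var/lib/pki-ca")` hard-codes the Dogtag 9 instance path although the same branch already reads `self.dogtag_constants.DOGTAG_VERSION`, and `self.server_root` plus `self.dogtag_constants.PKI_INSTANCE_NAME` produce exactly that path elsewhere in this class; `if not ipautil.dir_exists(os.path.join(self.server_root, self.dogtag_constants.PKI_INSTANCE_NAME)):` keeps the check tied to the constants. configure_instance continues outside the hunk.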
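Review bot: The new debug log writes the entire pkispawn configuration file to the log, scrubbed only for the two values in `nolog` (`self.admin_password`, `self.dm_password`). The file is generated outside this hunk, so I cannot confirm what else it carries; if any other credential (a token or PKCS#12 password, for instance) is written into it, that value reaches the debug log verbatim. Either add every secret written into `cfg_file` to `nolog` before this point, or log only the non-secret keys, and state the invariant at the log call: `# every password written to cfg_file must be in nolog -- the whole file is logged`. The enclosing method (presumably __spawn_instance) continues outside the hunk.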
@@ -631,6 +677,33 @@ class CAInstance(service.Service): root_logger.debug("completed creating ca instance") + def create_instance(self): + """ + If for some reason the instance doesn't exist, create a new one." + """ + # Only used for Dogtag 9 + + args = ['/usr/bin/pkicreate', + '-pki_instance_root', '/var/lib', + '-pki_instance_name', + self.dogtag_constants.PKI_INSTANCE_NAME, + '-subsystem_type', 'ca', + '-agent_secure_port', + str(self.dogtag_constants.AGENT_SECURE_PORT), + '-ee_secure_port', + str(self.dogtag_constants.EE_SECURE_PORT), + '-admin_secure_port', + str(self.dogtag_constants.ADMIN_SECURE_PORT), + '-ee_secure_client_auth_port', + str(self.dogtag_constants.EE_CLIENT_AUTH_PORT), + '-unsecure_port', str(self.dogtag_constants.UNSECURE_PORT), + '-tomcat_server_port', + str(self.dogtag_constants.TOMCAT_SERVER_PORT), + '-redirect', 'conf=/etc/pki-ca', + '-redirect', 'logs=/var/log/pki-ca', + '-enable_proxy' + ] + ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn}) def __enable(self): self.backup_state("enabled", self.is_enabled()) 
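Review bot: `create_instance` passes the hard-coded `'/var/lib'` as `-pki_instance_root` and runs `/usr/bin/pkicreate` by literal path, while `self.server_root` and `self.dogtag_constants.SPAWN_BINARY` exist for exactly these two values (and `check_inst()` tests SPAWN_BINARY, which currently reads `/bin/pkicreate`, so the two can disagree); `args = [self.dogtag_constants.SPAWN_BINARY, '-pki_instance_root', self.server_root,` ties the call to the constants. The docstring has a stray quote: `If for some reason the instance doesn't exist, create a new one.` Unlike the user-creation step just above, the `ipautil.run` here has no `except ipautil.CalledProcessError` handling, so a pkicreate failure surfaces as a raw exception instead of the `root_logger.critical` pattern its neighbours use; worth either wrapping it or noting in the docstring that it propagates.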
@@ -656,20 +729,128 @@ class CAInstance(service.Service): except ipautil.CalledProcessError, e: root_logger.critical("failed to add user %s" % e) + def __configure_instance(self): + # Only used for Dogtag 9 + preop_pin = get_preop_pin( + self.server_root, self.dogtag_constants.PKI_INSTANCE_NAME) + + try: + args = ["/usr/bin/perl", "/usr/bin/pkisilent", "ConfigureCA", + "-cs_hostname", self.fqdn, + "-cs_port", str(self.dogtag_constants.ADMIN_SECURE_PORT), + "-client_certdb_dir", self.ca_agent_db, + "-client_certdb_pwd", self.admin_password, + "-preop_pin" , preop_pin, + "-domain_name", self.domain_name, + "-admin_user", "admin", + "-admin_email", "root@localhost", + "-admin_password", self.admin_password, + "-agent_name", "ipa-ca-agent", + "-agent_key_size", "2048", + "-agent_key_type", "rsa", + "-agent_cert_subject", str(DN(('CN', 'ipa-ca-agent'), self.subject_base)), + "-ldap_host", self.fqdn, + "-ldap_port", str(self.ds_port), + "-bind_dn", "cn=Directory Manager", + "-bind_password", self.dm_password, + "-base_dn", str(self.basedn), + "-db_name", "ipaca", + "-key_size", "2048", + "-key_type", "rsa", + "-key_algorithm", "SHA256withRSA", + "-save_p12", "true", + "-backup_pwd", self.admin_password, + "-subsystem_name", self.service_name, + "-token_name", "internal", + "-ca_subsystem_cert_subject_name", str(DN(('CN', 'CA Subsystem'), self.subject_base)), + "-ca_subsystem_cert_subject_name", str(DN(('CN', 'CA Subsystem'), self.subject_base)), + "-ca_ocsp_cert_subject_name", str(DN(('CN', 'OCSP Subsystem'), self.subject_base)), + "-ca_server_cert_subject_name", str(DN(('CN', self.fqdn), self.subject_base)), + "-ca_audit_signing_cert_subject_name", str(DN(('CN', 'CA Audit'), self.subject_base)), + "-ca_sign_cert_subject_name", str(DN(('CN', 'Certificate Authority'), self.subject_base)) ] + if self.external == 1: + args.append("-external") + args.append("true") + args.append("-ext_csr_file") + args.append(self.csr_file) + elif self.external == 2: + 
args.append("-external") + args.append("true") + args.append("-ext_ca_cert_file") + args.append(self.cert_file) + args.append("-ext_ca_cert_chain_file") + args.append(self.cert_chain_file) + else: + args.append("-external") + args.append("false") + if (self.clone): + """sd = security domain --> all CS systems get registered to + a security domain. This is set to the hostname and port of + the master CA. + """ + # The install wizard expects the file to be here. + cafile = self.pkcs12_info[0] + shutil.copy(cafile, "/var/lib/pki-ca/alias/ca.p12") + pent = pwd.getpwnam(PKI_USER) + os.chown("/var/lib/pki-ca/alias/ca.p12", pent.pw_uid, pent.pw_gid ) + args.append("-clone") + args.append("true") + args.append("-clone_p12_file") + args.append("ca.p12") + args.append("-clone_p12_password") + args.append(self.dm_password) + args.append("-sd_hostname") + args.append(self.master_host) + args.append("-sd_admin_port") + args.append("443") + args.append("-sd_admin_name") + args.append("admin") + args.append("-sd_admin_password") + args.append(self.admin_password) + args.append("-clone_start_tls") + args.append("true") + args.append("-clone_uri") + args.append("https://%s" % ipautil.format_netloc(self.master_host, 443)) + else: + args.append("-clone") + args.append("false") + + # Define the things we don't want logged + nolog = (self.admin_password, self.dm_password,) + + ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn}, nolog=nolog) + except ipautil.CalledProcessError, e: + root_logger.critical("failed to configure ca instance %s" % e) + raise RuntimeError('Configuration of CA failed') + + if self.external == 1: + print "The next step is to get %s signed by your CA and re-run ipa-server-install as:" % self.csr_file + print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate" + sys.exit(0) + + # pkisilent makes a copy of the CA PKCS#12 file for us but gives + # it a lousy name. 
+ if ipautil.file_exists("/root/tmp-ca.p12"): + shutil.move("/root/tmp-ca.p12", "/root/cacert.p12") + + root_logger.debug("completed creating ca instance") + def __restart_instance(self): try: - self.restart(PKI_INSTANCE_NAME) + self.restart(self.dogtag_constants.PKI_INSTANCE_NAME) except Exception: # TODO: roll back here? root_logger.critical("Failed to restart the certificate server. See the installation log for details.") def __disable_nonce(self): # Turn off Nonces - cfg_file = '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg' - if installutils.update_file(cfg_file, 'ca.enableNonces=true', 'ca.enableNonces=false') != 0: + update_result = installutils.update_file( + self.dogtag_constants.CS_CFG_PATH, 'ca.enableNonces=true', + 'ca.enableNonces=false') + if update_result != 0: raise RuntimeError("Disabling nonces failed") pent = pwd.getpwnam(PKI_USER) - os.chown(cfg_file, pent.pw_uid, pent.pw_gid ) + os.chown(self.dogtag_constants.CS_CFG_PATH, pent.pw_uid, pent.pw_gid) def __issue_ra_cert(self): # The CA certificate is in the agent DB but isn't trusted @@ -716,11 +897,12 @@ class CAInstance(service.Service): '-p', self.admin_password, '-d', self.ca_agent_db, '-r', '/ca/agent/ca/profileReview?requestId=%s' % self.requestId, - '%s' % ipautil.format_netloc(self.fqdn, AGENT_SECURE_PORT), + '%s' % ipautil.format_netloc( + self.fqdn, self.dogtag_constants.AGENT_SECURE_PORT), ] (stdout, stderr, returncode) = ipautil.run(args, nolog=(self.admin_password,)) - data = stdout.split('\n') + data = stdout.split(self.dogtag_constants.RACERT_LINE_SEP) params = get_defList(data) params['requestId'] = find_substring(data, "requestId") params['op'] = 'approve' 
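Review bot: `"-ca_subsystem_cert_subject_name", str(DN(('CN', 'CA Subsystem'), self.subject_base))` appears twice in the pkisilent argument list in __configure_instance; the duplicate should be dropped. In the clone branch, shutil.copy carries the source file's mode bits over to /var/lib/pki-ca/alias/ca.p12 and the code only chowns it; since that file holds the CA's private keys, an explicit `os.chmod("/var/lib/pki-ca/alias/ca.p12", 0600)` after the chown would keep it readable only by PKI_USER regardless of how pkcs12_info[0] was created. The passwords passed on the pkisilent command line (`-client_certdb_pwd`, `-admin_password`, `-bind_password`, `-backup_pwd`, `-clone_p12_password`) are visible to other local users via the process list for the duration of the run; `nolog` keeps them out of the install log but not out of /proc, which deserves a comment if pkisilent offers no file-based alternative. The `"""sd = security domain ..."""` string statement inside the clone branch is a bare expression, not a comment, and would read more naturally as `#` lines. The hunk opens with the tail of __create_ca_user, whose start is outside it.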
@@ -737,11 +919,12 @@ class CAInstance(service.Service): '-d', self.ca_agent_db, '-e', params, '-r', '/ca/agent/ca/profileProcess', - '%s' % ipautil.format_netloc(self.fqdn, AGENT_SECURE_PORT), + '%s' % ipautil.format_netloc( + self.fqdn, self.dogtag_constants.AGENT_SECURE_PORT), ] (stdout, stderr, returncode) = ipautil.run(args, nolog=(self.admin_password,)) - data = stdout.split('\n') + data = stdout.split(self.dogtag_constants.RACERT_LINE_SEP) outputList = get_outputList(data) self.ra_cert = outputList['b64_cert'] @@ -858,6 +1041,21 @@ class CAInstance(service.Service): except Exception, e: raise RuntimeError("Unable to retrieve CA chain: %s" % str(e)) + def __create_ca_agent_pkcs12(self): + # Only used for Dogtag 9 + (pwd_fd, pwd_name) = tempfile.mkstemp() + os.write(pwd_fd, self.admin_password) + os.close(pwd_fd) + try: + ipautil.run(["/usr/bin/pk12util", + "-n", "ipa-ca-agent", + "-o", "/root/ca-agent.p12", + "-d", self.ca_agent_db, + "-k", pwd_name, + "-w", pwd_name]) + finally: + os.remove(pwd_name) + def __import_ca_chain(self): chain = self.__get_ca_chain() @@ -921,7 +1119,8 @@ class CAInstance(service.Service): csr = pkcs10.strip_header(stdout) # Send the request to the CA - conn = httplib.HTTPConnection(self.fqdn, 8080) + conn = httplib.HTTPConnection( + self.fqdn, self.dogtag_constants.UNSECURE_PORT) params = urllib.urlencode({'profileId': 'caServerCert', 'cert_request_type': 'pkcs10', 'requestor_name': 'IPA Installer', @@ -959,7 +1158,8 @@ class CAInstance(service.Service): def __setup_sign_profile(self): # Tell the profile to automatically issue certs for RAs - installutils.set_directive('/var/lib/pki/pki-tomcat/ca/profiles/ca/caJarSigningCert.cfg', 'auth.instance_id', 'raCertAuth', quotes=False, separator='=') + installutils.set_directive(self.dogtag_constants.SIGN_PROFILE, + 'auth.instance_id', 'raCertAuth', quotes=False, separator='=') def __enable_crl_publish(self): """ 
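Review bot: __create_ca_agent_pkcs12 has no docstring; the `# Only used for Dogtag 9` comment would serve better as `"""Export the ipa-ca-agent cert and key from ca_agent_db to /root/ca-agent.p12, protected by admin_password (Dogtag 9 only)."""`. The temporary password file from tempfile.mkstemp gets mkstemp's restrictive default mode and is removed in the finally block, which is right, but the single `os.write(pwd_fd, self.admin_password)` does not check for a short write, so a partial write would hand pk12util a truncated password and produce a confusing failure; writing through a file object (`os.fdopen(pwd_fd, 'w').write(...)` with a close) avoids that. The mode of /root/ca-agent.p12 itself is whatever pk12util and the umask produce; as it carries the agent's private key, an explicit `os.chmod("/root/ca-agent.p12", 0600)` after the export would not depend on either.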
@@ -967,9 +1167,9 @@ class CAInstance(service.Service): http://www.redhat.com/docs/manuals/cert-system/8.0/admin/html/Setting_up_Publishing.html """ - caconfig = "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" + caconfig = self.dogtag_constants.CS_CFG_PATH - publishdir='/var/lib/pki/pki-tomcat/ca/publish' + publishdir = self.dogtag_constants.CRL_PUBLISH_PATH os.mkdir(publishdir) os.chmod(publishdir, 0755) pent = pwd.getpwnam(PKI_USER) @@ -1006,7 +1206,7 @@ class CAInstance(service.Service): installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapXCertRule.enable', 'false', quotes=False, separator='=') # Fix the CRL URI in the profile - installutils.set_directive(IPA_SERVICE_PROFILE, + installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE, 'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0', 'https://%s/ipa/crl/MasterCRL.bin' % ipautil.format_netloc(self.fqdn), quotes=False, separator='=') @@ -1016,7 +1216,8 @@ class CAInstance(service.Service): def __set_subject_in_config(self): # dogtag ships with an IPA-specific profile that forces a subject # format. We need to update that template with our base subject - if installutils.update_file(IPA_SERVICE_PROFILE, 'OU=pki-ipa, O=IPA', str(self.subject_base)): + if installutils.update_file(self.dogtag_constants.IPA_SERVICE_PROFILE, + 'OU=pki-ipa, O=IPA', str(self.subject_base)): print "Updating subject_base in CA template failed" def uninstall(self): 
@@ -1028,8 +1229,16 @@ class CAInstance(service.Service): self.disable() try: - ipautil.run(["/bin/pkidestroy", "-i", "pki-tomcat", - "-s", "CA"]) + if self.dogtag_constants.DOGTAG_VERSION >= 10: + ipautil.run(["/usr/sbin/pkidestroy", "-i", + self.dogtag_constants.PKI_INSTANCE_NAME, + "-s", "CA"]) + else: + ipautil.run(["/usr/bin/pkiremove", + "-pki_instance_root=/var/lib", + "-pki_instance_name=%s" % + self.dogtag_constants.PKI_INSTANCE_NAME, + "--force"]) except ipautil.CalledProcessError, e: root_logger.critical("failed to uninstall CA instance %s" % e) @@ -1049,15 +1258,21 @@ class CAInstance(service.Service): os.chmod(location, 0444) def __http_proxy(self): - shutil.copy(ipautil.SHARE_DIR + "ipa-pki-proxy.conf", - HTTPD_CONFD + "ipa-pki-proxy.conf") + template_filename = ipautil.SHARE_DIR + "ipa-pki-proxy.conf" + sub_dict = dict(DOGTAG_PORT=self.dogtag_constants.AJP_PORT) + template = ipautil.template_file(template_filename, sub_dict) + with open(HTTPD_CONFD + "ipa-pki-proxy.conf", "w") as fd: + fd.write(template) def track_servercert(self): try: pin = certmonger.get_pin('internal') except IOError, e: raise RuntimeError('Unable to determine PIN for CA instance: %s' % str(e)) - certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', 'Server-Cert cert-pki-ca', pin, None, '/etc/pki/pki-tomcat/alias', 'restart_pkicad "Server-Cert cert-pki-ca"') + certmonger.dogtag_start_tracking( + 'dogtag-ipa-renew-agent', 'Server-Cert cert-pki-ca', pin, None, + self.dogtag_constants.ALIAS_DIR, + 'restart_pkicad "Server-Cert cert-pki-ca"') def configure_renewal(self): cmonger = ipaservices.knownservices.certmonger 
@@ -1074,7 +1289,9 @@ class CAInstance(service.Service): for nickname in ['auditSigningCert cert-pki-ca', 'ocspSigningCert cert-pki-ca', 'subsystemCert cert-pki-ca']: - certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', nickname, pin, None, '/etc/pki/pki-tomcat/alias', 'renew_ca_cert "%s"' % nickname) + certmonger.dogtag_start_tracking( + 'dogtag-ipa-renew-agent', nickname, pin, None, + self.dogtag_constants.ALIAS_DIR, 'renew_ca_cert "%s"' % nickname) # Set up the agent cert for renewal certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', 'ipaCert', None, '/etc/httpd/alias/pwdfile.txt', '/etc/httpd/alias', 'renew_ra_cert') @@ -1118,7 +1335,10 @@ class CAInstance(service.Service): for nickname in ['auditSigningCert cert-pki-ca', 'ocspSigningCert cert-pki-ca', 'subsystemCert cert-pki-ca']: - certmonger.dogtag_start_tracking('dogtag-ipa-retrieve-agent-submit', nickname, pin, None, '/etc/pki/pki-tomcat/alias', 'restart_pkicad "%s"' % nickname) + certmonger.dogtag_start_tracking( + 'dogtag-ipa-retrieve-agent-submit', nickname, pin, None, + self.dogtag_constants.ALIAS_DIR, + 'restart_pkicad "%s"' % nickname) # The agent renewal is configured in import_ra_cert which is called # after the HTTP instance is created. 
@@ -1127,33 +1347,40 @@ class CAInstance(service.Service): """ See if Subject Key Identifier is set in the profile and if not, add it. """ - setlist = installutils.get_directive(IPA_SERVICE_PROFILE, + setlist = installutils.get_directive( + self.dogtag_constants.IPA_SERVICE_PROFILE, 'policyset.serverCertSet.list', separator='=') - # this is the default setting from pki-tomcat. Don't touch it if a user - # has manually modified it. + # this is the default setting from pki-ca/pki-tomcat. Don't touch it + # if a user has manually modified it. if setlist == '1,2,3,4,5,6,7,8': - installutils.set_directive(IPA_SERVICE_PROFILE, + installutils.set_directive( + self.dogtag_constants.IPA_SERVICE_PROFILE, 'policyset.serverCertSet.list', '1,2,3,4,5,6,7,8,10', quotes=False, separator='=') - installutils.set_directive(IPA_SERVICE_PROFILE, + installutils.set_directive( + self.dogtag_constants.IPA_SERVICE_PROFILE, 'policyset.serverCertSet.10.constraint.class_id', 'noConstraintImpl', quotes=False, separator='=') - installutils.set_directive(IPA_SERVICE_PROFILE, + installutils.set_directive( + self.dogtag_constants.IPA_SERVICE_PROFILE, 'policyset.serverCertSet.10.constraint.name', 'No Constraint', quotes=False, separator='=') - installutils.set_directive(IPA_SERVICE_PROFILE, + installutils.set_directive( + self.dogtag_constants.IPA_SERVICE_PROFILE, 'policyset.serverCertSet.10.default.class_id', 'subjectKeyIdentifierExtDefaultImpl', quotes=False, separator='=') - installutils.set_directive(IPA_SERVICE_PROFILE, + installutils.set_directive( + self.dogtag_constants.IPA_SERVICE_PROFILE, 'policyset.serverCertSet.10.default.name', 'Subject Key Identifier Extension Default', quotes=False, separator='=') - installutils.set_directive(IPA_SERVICE_PROFILE, + installutils.set_directive( + self.dogtag_constants.IPA_SERVICE_PROFILE, 'policyset.serverCertSet.10.default.params.critical', 'false', quotes=False, separator='=') 
@@ -1173,7 +1400,7 @@ class CAInstance(service.Service): responsibility to handle changes on upgrades. """ master = installutils.get_directive( - '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg', 'subsystem.select', '=') + self.dogtag_constants.CS_CFG_PATH, 'subsystem.select', '=') return master == 'New' @@ -1198,12 +1425,14 @@ def install_replica_ca(config, postinstall=False): if not config.setup_ca: # We aren't configuring the CA in this step but we still need # a minimum amount of information on the CA for this IPA install. - ca = CAInstance(config.realm_name, certs.NSS_DIR) + ca = CAInstance(config.realm_name, certs.NSS_DIR, + dogtag_constants=dogtag.install_constants) ca.dm_password = config.dirman_password ca.subject_base = config.subject_base return (ca, None) - ca = CAInstance(config.realm_name, certs.NSS_DIR) + ca = CAInstance(config.realm_name, certs.NSS_DIR, + dogtag_constants=dogtag.install_constants) ca.dm_password = config.dirman_password ca.subject_base = config.subject_base if ca.is_installed(): @@ -1213,14 +1442,15 @@ def install_replica_ca(config, postinstall=False): if ipautil.file_exists(config.dir + "/dogtagcert.p12"): pkcs12_info = (config.dir + "/dogtagcert.p12", config.dir + "/dirsrv_pin.txt") - cs = CADSInstance() + cs = CADSInstance(dogtag_constants=dogtag.install_constants) cs.create_instance(config.realm_name, config.host_name, config.domain_name, config.dirman_password, pkcs12_info) cs.load_pkcs12() cs.enable_ssl() cs.restart_instance() - ca = CAInstance(config.realm_name, certs.NSS_DIR) + ca = CAInstance(config.realm_name, certs.NSS_DIR, + dogtag_constants=dogtag.install_constants) if postinstall: # If installing this afterward the Apache NSS database already # exists, don't remove it. 
@@ -1240,10 +1470,10 @@ def install_replica_ca(config, postinstall=False): # unix service. service.print_msg("Restarting the directory and certificate servers") - ca.stop(PKI_INSTANCE_NAME) + ca.stop(dogtag.install_constants.PKI_INSTANCE_NAME) ipaservices.knownservices.dirsrv.stop("PKI-IPA") ipaservices.knownservices.dirsrv.start("PKI-IPA") - ca.start(PKI_INSTANCE_NAME) + ca.start(dogtag.install_constants.PKI_INSTANCE_NAME) return (ca, cs) @@ -1262,7 +1492,7 @@ def update_cert_config(nickname, cert): 'subsystemCert cert-pki-ca': 'ca.subsystem.cert', 'Server-Cert cert-pki-ca': 'ca.sslserver.cert' } - installutils.set_directive('/var/lib/pki/%s/conf/ca/CS.cfg' % PKI_INSTANCE_NAME, + installutils.set_directive(dogtag.configured_constants().CS_CFG_PATH, directives[nickname], base64.b64encode(cert), quotes=False, separator='=') diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index f0f0f1df..0094d0b8 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -660,8 +660,13 @@ class CertDB(object): f = open(self.passwd_fname, "r") password = f.readline() f.close() - http_status, http_reason_phrase, http_headers, http_body = \ - dogtag.https_request(self.host_name, api.env.ca_ee_install_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params) + result = dogtag.https_request( + self.host_name, + api.env.ca_ee_install_port or + dogtag.install_constants.EE_SECURE_PORT, + "/ca/ee/ca/profileSubmitSSLClient", + self.secdir, password, "ipaCert", **params) + http_status, http_reason_phrase, http_headers, http_body = result if http_status != 200: raise CertificateOperationError( 
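Review bot: The fallback `api.env.ca_ee_install_port or dogtag.install_constants.EE_SECURE_PORT` is duplicated verbatim in the -743 hunk of the same file; a small helper on CertDB (e.g. `_ca_ee_port(self)`) would keep the two call sites in sync the next time port selection changes. The truthiness test also replaces a configured port of 0 with the default, which is presumably intended but worth stating, e.g. `# ca_ee_install_port is unset during install; fall back to the Dogtag version's EE port`. Both enclosing methods start outside their hunks.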
@@ -743,8 +748,13 @@ class CertDB(object):
 f = open(self.passwd_fname, "r")
 password = f.readline()
 f.close()
- http_status, http_reason_phrase, http_headers, http_body = \
- dogtag.https_request(self.host_name, api.env.ca_ee_install_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
+ result = dogtag.https_request(
+ self.host_name,
+ api.env.ca_ee_install_port or
+ dogtag.install_constants.EE_SECURE_PORT,
+ "/ca/ee/ca/profileSubmitSSLClient",
+ self.secdir, password, "ipaCert", **params)
+ http_status, http_reason_phrase, http_headers, http_body = result
 
 if http_status != 200:
 raise RuntimeError("Unable to submit cert request")
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index e5d9f080..e1d8b6db 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -31,6 +31,7 @@ import installutils
 from ipapython import sysrestore
 from ipapython import ipautil
 from ipapython import services as ipaservices
+from ipapython import dogtag
 from ipalib import util, api
 
 HTTPD_DIR = "/etc/httpd"
@@ -70,7 +71,13 @@ class HTTPInstance(service.Service):
 self.principal = "HTTP/%s@%s" % (self.fqdn, self.realm)
 self.dercert = None
 self.subject_base = subject_base
- self.sub_dict = {"REALM": realm, "FQDN": fqdn, "DOMAIN": self.domain, "AUTOREDIR": '' if auto_redirect else '#'}
+ self.sub_dict = dict(
+ REALM=realm,
+ FQDN=fqdn,
+ DOMAIN=self.domain,
+ AUTOREDIR='' if auto_redirect else '#',
+ CRL_PUBLISH_PATH=dogtag.install_constants.CRL_PUBLISH_PATH,
+ )
 
 # get a connection to the DS
 self.ldap_connect()
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index bc0510c3..754d5fc9 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
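Review bot: CRL_PUBLISH_PATH in HTTPInstance.sub_dict is taken from dogtag.install_constants, whereas service.py in this same change derives the running instance from dogtag.configured_constants(); if HTTPInstance is also constructed on an already-installed server (upgrade or re-run paths, not visible here), the substituted publish path could point at the other Dogtag version's directory. A comment recording the assumption, e.g. `# install_constants: this instance is only built for a fresh install of the current Dogtag version`, or using configured_constants() when a configured instance exists, would make the choice explicit. __init__ starts outside the hunk.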
@@ -47,7 +47,9 @@ from ipalib import errors
 from ipapython.dn import DN
 
 # Used to determine install status
-IPA_MODULES = ['httpd', 'kadmin', 'dirsrv', 'pki-tomcatd', 'pkids', 'install', 'krb5kdc', 'ntpd', 'named', 'ipa_memcached']
+IPA_MODULES = [
+ 'httpd', 'kadmin', 'dirsrv', 'pki-cad', 'pki-tomcatd', 'pkids', 'install',
+ 'krb5kdc', 'ntpd', 'named', 'ipa_memcached']
 
 class BadHostError(Exception):
 pass
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index e15d4e5e..1d157eba 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -23,6 +23,7 @@ import tempfile
 import pwd
 from ipapython import sysrestore
 from ipapython import ipautil
+from ipapython import dogtag
 from ipapython import services as ipaservices
 from ipalib import errors
 from ipapython.dn import DN
@@ -41,17 +42,6 @@ AUTO = 1
 ENABLED = 2
 DISABLED = 3
 
-# Determine if we have an updated dogtag instance (dogtag 10+) or
-# an older one.
-dogtag_service = 'pki-cad'
-try:
- for line in open("/etc/ipa/default.conf", "r"):
- if "dogtag_version" in line:
- dogtag_service = 'pki-tomcatd'
- break
-except IOError, e:
- pass
-
 # The service name as stored in cn=masters,cn=ipa,cn=etc. In the tuple
 # the first value is the *nix service name, the second the start order.
 SERVICE_LIST = {
@@ -60,7 +50,7 @@ SERVICE_LIST = {
 'DNS':('named', 30),
 'MEMCACHE':('ipa_memcached', 39),
 'HTTP':('httpd', 40),
- 'CA':(dogtag_service, 50),
+ 'CA':('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 50),
 'ADTRUST':('smb', 60),
 'EXTID':('winbind', 70)
 }
diff --git a/selinux/ipa_dogtag/ipa_dogtag.fc b/selinux/ipa_dogtag/ipa_dogtag.fc
index e467972b..08c5f319 100644
--- a/selinux/ipa_dogtag/ipa_dogtag.fc
+++ b/selinux/ipa_dogtag/ipa_dogtag.fc
@@ -1 +1,2 @@
+/var/lib/pki-ca/publish(/.*)? gen_context(system_u:object_r:cert_t,s0)
 /var/lib/pki/pki-tomcat/ca/publish(/.*)? gen_context(system_u:object_r:cert_t,s0) |
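Review bot: `'%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME` in SERVICE_LIST encodes the convention that the *nix service name is the instance name plus "d" (pki-ca → pki-cad, pki-tomcat → pki-tomcatd) without saying so; a comment such as `# the service unit is named after the PKI instance with a trailing "d"` would stop a future instance rename from silently yielding a nonexistent service. The lookup still runs at import time of service.py, so whatever configured_constants() reads (presumably default.conf, as the removed block did) must be available wherever this module is imported, including unprivileged contexts; the removed code tolerated IOError, and it is worth confirming the replacement degrades as gracefully rather than raising on import.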