summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--freeipa.spec.in5
-rw-r--r--ipaserver/install/cainstance.py160
2 files changed, 86 insertions, 79 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index efaf9596..f1c45b6c 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -114,7 +114,7 @@ Requires(post): systemd-units
Requires: selinux-policy >= 3.11.1-60
Requires(post): selinux-policy-base
Requires: slapi-nis >= 0.44
-Requires: pki-ca >= 10.0.0-0.52.b3
+Requires: pki-ca >= 10.0.0-0.54.b3
Requires: dogtag-pki-server-theme
%if 0%{?rhel}
Requires: subscription-manager
@@ -752,6 +752,9 @@ fi
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
%changelog
+* Fri Dec 7 2012 Endi S. Dewata <edewata@redhat.com> - 3.0.99-9
+- Bump minimum version of pki-ca to 10.0.0-0.54.b3
+
* Fri Dec 7 2012 Martin Kosek <mkosek@redhat.com> - 3.0.99-8
- Bump minimum version of 389-ds-base to 1.3.0 to get transaction support
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 18c78776..e2112a28 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -35,6 +35,7 @@ import urllib
import xml.dom.minidom
import stat
import socket
+import ConfigParser
from ipapython import dogtag
from ipapython.certdb import get_ca_nickname
from ipapython import certmonger
@@ -620,96 +621,99 @@ class CAInstance(service.Service):
def __spawn_instance(self):
"""
- Create and configure a new instance using pkispawn.
- pkispawn requires a configuration file with the appropriate
- values substituted in.
+ Create and configure a new CA instance using pkispawn.
+ pkispawn requires a configuration file with IPA-specific
+ parameters.
"""
- # create a new config file for this installation
+ # Create an empty and secured file
(cfg_fd, cfg_file) = tempfile.mkstemp()
os.close(cfg_fd)
- shutil.copy("/usr/share/pki/deployment/config/pkideployment.cfg",
- cfg_file)
pent = pwd.getpwnam(PKI_USER)
- os.chown(cfg_file, pent.pw_uid, pent.pw_gid )
- replacevars = {
- "pki_enable_proxy": "True",
- "pki_restart_configured_instance": "False",
- "pki_client_database_dir": self.ca_agent_db,
- "pki_client_database_password": self.admin_password,
- "pki_client_database_purge": "False",
- "pki_client_pkcs12_password": self.admin_password,
- "pki_security_domain_name": self.security_domain_name,
- "pki_admin_name": "admin",
- "pki_admin_uid": "admin",
- "pki_admin_email": "root@localhost",
- "pki_admin_password": self.admin_password,
- "pki_admin_nickname": "ipa-ca-agent",
- "pki_admin_subject_dn": "CN=ipa-ca-agent,%s" % self.subject_base,
- "pki_ds_ldap_port": str(self.ds_port),
- "pki_ds_password": self.dm_password,
- "pki_ds_base_dn": self.basedn,
- "pki_ds_database": "ipaca",
- "pki_backup_keys": "True",
- "pki_backup_password": self.admin_password,
- "pki_subsystem_subject_dn": \
- "CN=CA Subsystem,%s" % self.subject_base,
- "pki_ocsp_signing_subject_dn": \
- "CN=OCSP Subsystem,%s" % self.subject_base,
- "pki_ssl_server_subject_dn": \
- "CN=%s,%s" % (self.fqdn, self.subject_base),
- "pki_audit_signing_subject_dn": \
- "CN=CA Audit,%s" % self.subject_base,
- "pki_ca_signing_subject_dn": \
- "CN=Certificate Authority,%s" % self.subject_base,
- "pki_subsystem_nickname": "subsystemCert cert-pki-ca",
- "pki_ocsp_signing_nickname": "ocspSigningCert cert-pki-ca",
- "pki_ssl_server_nickname": "Server-Cert cert-pki-ca",
- "pki_audit_signing_nickname": "auditSigningCert cert-pki-ca",
- "pki_ca_signing_nickname": "caSigningCert cert-pki-ca"
- }
+ os.chown(cfg_file, pent.pw_uid, pent.pw_gid)
+
+ # Create CA configuration
+ config = ConfigParser.ConfigParser()
+ config.optionxform = str
+ config.add_section("CA")
+
+ # Server
+ config.set("CA", "pki_security_domain_name", self.security_domain_name)
+ config.set("CA", "pki_enable_proxy", "True")
+ config.set("CA", "pki_restart_configured_instance", "False")
+ config.set("CA", "pki_backup_keys", "True")
+ config.set("CA", "pki_backup_password", self.admin_password)
+
+ # Client security database
+ config.set("CA", "pki_client_database_dir", self.ca_agent_db)
+ config.set("CA", "pki_client_database_password", self.admin_password)
+ config.set("CA", "pki_client_database_purge", "False")
+ config.set("CA", "pki_client_pkcs12_password", self.admin_password)
+
+ # Administrator
+ config.set("CA", "pki_admin_name", "admin")
+ config.set("CA", "pki_admin_uid", "admin")
+ config.set("CA", "pki_admin_email", "root@localhost")
+ config.set("CA", "pki_admin_password", self.admin_password)
+ config.set("CA", "pki_admin_nickname", "ipa-ca-agent")
+ config.set("CA", "pki_admin_subject_dn", "CN=ipa-ca-agent,%s" % self.subject_base)
+
+ # Directory server
+ config.set("CA", "pki_ds_ldap_port", str(self.ds_port))
+ config.set("CA", "pki_ds_password", self.dm_password)
+ config.set("CA", "pki_ds_base_dn", self.basedn)
+ config.set("CA", "pki_ds_database", "ipaca")
+
+ # Certificate subject DN's
+ config.set("CA", "pki_subsystem_subject_dn", "CN=CA Subsystem,%s" % self.subject_base)
+ config.set("CA", "pki_ocsp_signing_subject_dn", "CN=OCSP Subsystem,%s" % self.subject_base)
+ config.set("CA", "pki_ssl_server_subject_dn", "CN=%s,%s" % (self.fqdn, self.subject_base))
+ config.set("CA", "pki_audit_signing_subject_dn", "CN=CA Audit,%s" % self.subject_base)
+ config.set("CA", "pki_ca_signing_subject_dn", "CN=Certificate Authority,%s" % self.subject_base)
+
+ # Certificate nicknames
+ config.set("CA", "pki_subsystem_nickname", "subsystemCert cert-pki-ca")
+ config.set("CA", "pki_ocsp_signing_nickname", "ocspSigningCert cert-pki-ca")
+ config.set("CA", "pki_ssl_server_nickname", "Server-Cert cert-pki-ca")
+ config.set("CA", "pki_audit_signing_nickname", "auditSigningCert cert-pki-ca")
+ config.set("CA", "pki_ca_signing_nickname", "caSigningCert cert-pki-ca")
if (self.clone):
cafile = self.pkcs12_info[0]
shutil.copy(cafile, "/tmp/ca.p12")
pent = pwd.getpwnam(PKI_USER)
- os.chown("/tmp/ca.p12", pent.pw_uid, pent.pw_gid )
-
- clone_vars = {
- "pki_clone_pkcs12_password": self.dm_password,
- "pki_clone": "True",
- "pki_clone_pkcs12_path": "/tmp/ca.p12",
- "pki_security_domain_hostname": self.master_host,
- "pki_security_domain_https_port": "443",
- "pki_security_domain_user": "admin",
- "pki_security_domain_password": self.admin_password,
- "pki_clone_replication_security": "TLS",
- "pki_clone_replication_master_port":
- str(self.master_replication_port),
- "pki_clone_replication_clone_port":
- dogtag.install_constants.DS_PORT,
- "pki_clone_replicate_schema": "False",
- "pki_clone_uri":
- "https://%s" % ipautil.format_netloc(self.master_host, 443)
- }
- replacevars.update(clone_vars)
-
+ os.chown("/tmp/ca.p12", pent.pw_uid, pent.pw_gid)
+
+ # Security domain registration
+ config.set("CA", "pki_security_domain_hostname", self.master_host)
+ config.set("CA", "pki_security_domain_https_port", "443")
+ config.set("CA", "pki_security_domain_user", "admin")
+ config.set("CA", "pki_security_domain_password", self.admin_password)
+
+ # Clone
+ config.set("CA", "pki_clone", "True")
+ config.set("CA", "pki_clone_pkcs12_path", "/tmp/ca.p12")
+ config.set("CA", "pki_clone_pkcs12_password", self.dm_password)
+ config.set("CA", "pki_clone_replication_security", "TLS")
+ config.set("CA", "pki_clone_replication_master_port", str(self.master_replication_port))
+ config.set("CA", "pki_clone_replication_clone_port", dogtag.install_constants.DS_PORT)
+ config.set("CA", "pki_clone_replicate_schema", "False")
+ config.set("CA", "pki_clone_uri", "https://%s" % ipautil.format_netloc(self.master_host, 443))
+
+ # External CA
if self.external == 1:
- external_vars = {
- "pki_external": "True",
- "pki_external_csr_path": self.csr_file
- }
- replacevars.update(external_vars)
+ config.set("CA", "pki_external", "True")
+ config.set("CA", "pki_external_csr_path", self.csr_file)
+
elif self.external == 2:
- external_vars = {
- "pki_external": "True",
- "pki_external_ca_cert_path": self.cert_file,
- "pki_external_ca_cert_chain_path": self.cert_chain_file,
- "pki_external_step_two": "True"
- }
- replacevars.update(external_vars)
+ config.set("CA", "pki_external", "True")
+ config.set("CA", "pki_external_ca_cert_path", self.cert_file)
+ config.set("CA", "pki_external_ca_cert_chain_path", self.cert_chain_file)
+ config.set("CA", "pki_external_step_two", "True")
- ipautil.config_replace_variables(cfg_file, replacevars=replacevars)
+ # Generate configuration file
+ with open(cfg_file, "wb") as f:
+ config.write(f)
# Define the things we don't want logged
nolog = (self.admin_password, self.dm_password,)
@@ -730,7 +734,7 @@ class CAInstance(service.Service):
os.remove(cfg_file)
if not self.clone:
- shutil.move("/var/lib/pki/pki-tomcat/alias/ca_admin_cert.p12", \
+ shutil.move("/root/.pki/pki-tomcat/ca_admin_cert.p12", \
"/root/ca-agent.p12")
shutil.move("/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12", \
"/root/cacert.p12")
generated by cgit (git 2.34.1) at 2024-09-27 04:30:43 +0000