diff options
author | Fraser Tweedale <ftweedal@redhat.com> | 2016-06-01 08:07:33 +1000 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2016-06-09 09:04:27 +0200 |
commit | b0d9a4728f0dc78e2bbde344beac17ae50b847a9 (patch) | |
tree | b5cca38aa8795073de92776942be6e6fe63b2479 /install/tools | |
parent | 0d37d230c066f9eb703c81e0e21b1b6738703b41 (diff) | |
download | freeipa-b0d9a4728f0dc78e2bbde344beac17ae50b847a9.tar.gz freeipa-b0d9a4728f0dc78e2bbde344beac17ae50b847a9.tar.xz freeipa-b0d9a4728f0dc78e2bbde344beac17ae50b847a9.zip |
Setup lightweight CA key retrieval on install/upgrade
Add the ipa-pki-retrieve-key helper program and configure
lightweight CA key replication on installation and upgrade. The
specific configuration steps are:
- Add the 'dogtag/$HOSTNAME' service principal
- Create the pricipal's Custodia keys
- Retrieve the principal's keytab
- Configure Dogtag's CS.cfg to use ExternalProcessKeyRetriever
to invoke ipa-pki-retrieve-key for key retrieval
Also bump the minimum version of Dogtag to 10.3.2.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'install/tools')
-rw-r--r-- | install/tools/Makefile.am | 1 | ||||
-rwxr-xr-x | install/tools/ipa-pki-retrieve-key | 32 |
2 files changed, 33 insertions, 0 deletions
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am index 7212dabdb..2866a30b2 100644 --- a/install/tools/Makefile.am +++ b/install/tools/Makefile.am @@ -39,6 +39,7 @@ EXTRA_DIST = \ appdir = $(libexecdir)/ipa/ app_SCRIPTS = \ ipa-httpd-kdcproxy \ + ipa-pki-retrieve-key \ $(NULL) MAINTAINERCLEANFILES = \ diff --git a/install/tools/ipa-pki-retrieve-key b/install/tools/ipa-pki-retrieve-key new file mode 100755 index 000000000..740e799d2 --- /dev/null +++ b/install/tools/ipa-pki-retrieve-key @@ -0,0 +1,32 @@ +#!/usr/bin/python2 + +from __future__ import print_function + +import os +import sys + +from ipalib import constants +from ipalib.config import Env +from ipaplatform.paths import paths +from ipapython.secrets.client import CustodiaClient + +env = Env() +env._finalize() + +keyname = "ca_wrapped/" + sys.argv[1] +servername = sys.argv[2] + +service = constants.PKI_GSSAPI_SERVICE_NAME +client_keyfile = os.path.join(paths.PKI_TOMCAT, service + '.keys') +client_keytab = os.path.join(paths.PKI_TOMCAT, service + '.keytab') + +# pylint: disable=no-member +client = CustodiaClient( + client_service='%s@%s' % (service, env.host), server=servername, + realm=env.realm, ldap_uri="ldaps://" + env.host, + keyfile=client_keyfile, keytab=client_keytab, + ) + +# Print the response JSON to stdout; it is already in the format +# that Dogtag's ExternalProcessKeyRetriever expects +print(client.fetch_key(keyname, store=False)) |