author | Endi S. Dewata <edewata@redhat.com> | 2014-10-01 14:59:46 -0400 |
---|---|---|
committer | Petr Viktorin <pviktori@dhcp-31-13.brq.redhat.com> | 2014-11-04 16:33:16 +0100 |
commit | 0b08043c37210d0f86cb0c66d659acafda0fb529 (patch) | |
tree | 1695b9b4b416a0b0ed14f63d1f5758b07dd170af /ipaserver/install/krainstance.py | |
parent | e7edac30a10c0da40d7cfd625e19bd4237b9e1f6 (diff) | |
Fixed KRA backend.
The KRA backend has been simplified since most of the tasks have
been moved somewhere else. The transport certificate will be
installed on the client, and it is not needed by KRA backend. The
KRA agent's PEM certificate is now generated during installation
due to permission issue. The kra_host() for now is removed since
the current ldap_enable() cannot register the KRA service, so it
is using the kra_host environment variable.
The KRA installer has been modified to use Dogtag's CLI to create
KRA agent and setup the client authentication.
The proxy settings have been updated to include KRA's URLs.
Some constants have been renamed for clarity. The DOGTAG_AGENT_P12
has been renamed to DOGTAG_ADMIN_P12 since the file actually contains
the Dogtag admin's certificate and private key and it can be used
to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed
to KRA_AGENT_PEM since it can only be used for KRA.
The Dogtag dependency has been updated to 10.2.1-0.1.
https://fedorahosted.org/freeipa/ticket/4503
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'ipaserver/install/krainstance.py')
-rw-r--r-- | ipaserver/install/krainstance.py | 83 |
1 files changed, 74 insertions, 9 deletions
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index 1af1c0f72..7c1bded41 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -169,7 +169,7 @@ class KRAInstance(DogtagInstance):
 str(DN(('cn', 'ipa-ca-agent'), self.subject_base)))
 config.set("KRA", "pki_import_admin_cert", "True")
 config.set("KRA", "pki_admin_cert_file", paths.ADMIN_CERT_PATH)
- config.set("KRA", "pki_client_admin_cert_p12", paths.DOGTAG_AGENT_P12)
+ config.set("KRA", "pki_client_admin_cert_p12", paths.DOGTAG_ADMIN_P12)
 # Directory server
 config.set("KRA", "pki_ds_ldap_port", str(self.ds_port))
@@ -259,16 +259,81 @@ class KRAInstance(DogtagInstance):
 """
 Add RA agent created for CA to KRA agent group.
 """
- conn = ipaldap.IPAdmin(self.fqdn, self.ds_port)
- conn.do_simple_bind(DN(('cn', 'Directory Manager')), self.dm_password)
- entry_dn = DN(('uid', "ipara"), ('ou', 'People'), ('o', 'ipaca'))
- dn = DN(('cn', 'Data Recovery Manager Agents'), ('ou', 'groups'),
- self.basedn)
- modlist = [(0, 'uniqueMember', '%s' % entry_dn)]
- conn.modify_s(dn, modlist)
+ # import CA certificate into temporary security database
+ args = ["/usr/bin/pki",
+ "-d", self.agent_db,
+ "-c", self.admin_password,
+ "client-cert-import",
+ "--pkcs12", paths.KRACERT_P12,
+ "--pkcs12-password", self.admin_password]
+ ipautil.run(args)
+
+ # trust CA certificate
+ args = ["/usr/bin/pki",
+ "-d", self.agent_db,
+ "-c", self.admin_password,
+ "client-cert-mod", "Certificate Authority - %s" % api.env.realm,
+ "--trust", "CT,c,"]
+ ipautil.run(args)
+
+ # import Dogtag admin certificate into temporary security database
+ args = ["/usr/bin/pki",
+ "-d", self.agent_db,
+ "-c", self.admin_password,
+ "client-cert-import",
+ "--pkcs12", paths.DOGTAG_ADMIN_P12,
+ "--pkcs12-password", self.admin_password]
+ ipautil.run(args)
+
+ # as Dogtag admin, create ipakra user in KRA
+ args = ["/usr/bin/pki",
+ "-d", self.agent_db,
+ "-c", self.admin_password,
+ "-n", "ipa-ca-agent",
+ "kra-user-add", "ipakra",
+ "--fullName", "IPA KRA User"]
+ ipautil.run(args)
+
+ # as Dogtag admin, add ipakra into KRA agents group
+ args = ["/usr/bin/pki",
+ "-d", self.agent_db,
+ "-c", self.admin_password,
+ "-n", "ipa-ca-agent",
+ "kra-user-membership-add", "ipakra", "Data Recovery Manager Agents"]
+ ipautil.run(args)
+
+ # assign ipaCert to ipakra
+ (file, filename) = tempfile.mkstemp()
+ os.close(file)
+ try:
+ # export ipaCert without private key
+ args = ["/usr/bin/pki",
+ "-d", paths.HTTPD_ALIAS_DIR,
+ "-C", paths.ALIAS_PWDFILE_TXT,
+ "client-cert-show", "ipaCert",
+ "--cert", filename]
+ ipautil.run(args)
+
+ # as Dogtag admin, upload and assign ipaCert to ipakra
+ args = ["/usr/bin/pki",
+ "-d", self.agent_db,
+ "-c", self.admin_password,
+ "-n", "ipa-ca-agent",
+ "kra-user-cert-add", "ipakra",
+ "--input", filename]
+ ipautil.run(args)
- conn.unbind()
+ finally:
+ os.remove(filename)
+
+ # export ipaCert with private key for client authentication
+ args = ["/usr/bin/pki",
+ "-d", paths.HTTPD_ALIAS_DIR,
+ "-C", paths.ALIAS_PWDFILE_TXT,
+ "client-cert-show", "ipaCert",
+ "--client-cert", paths.KRA_AGENT_PEM]
+ ipautil.run(args)
 @staticmethod
 def update_cert_config(nickname, cert, dogtag_constants=None):
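Review bot: Every `args` list in this hunk that targets `self.agent_db` passes the KRA admin password on the command line (`"-c", self.admin_password`, and `"--pkcs12-password", self.admin_password` on the two imports), which exposes it in the process table to any local user for the lifetime of each `pki` call and, because ipautil.run logs the arguments it executes, records it in the install log. The hunk already uses the safer form for the httpd NSS database (`"-C", paths.ALIAS_PWDFILE_TXT`), so the admin password should likewise be handed over through a mode-0600 password file, and each call should become `ipautil.run(args, nolog=(self.admin_password,))` so the value is redacted from the log regardless. The final `client-cert-show ... "--client-cert", paths.KRA_AGENT_PEM` writes a private key to disk and nothing in the hunk sets that file's owner or mode afterward; unless the `pki` CLI or later installer code restricts it, an explicit chown/chmod after the export is warranted. `(file, filename) = tempfile.mkstemp()` also shadows the builtin `file`; `fd, filename = tempfile.mkstemp()` with `os.close(fd)` reads more clearly. The method's `def` line lies before this hunk, so its signature and any caller-facing contract are not visible here.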