authorJan Cholasta <jcholast@redhat.com>2015-11-09 18:28:47 +0100
committerJan Cholasta <jcholast@redhat.com>2015-11-25 09:12:25 +0100
commitaeffe2da42734655cbaedb2c4d4f9e28bd2df1c0 (patch)
tree302b9ef0c8d4afbccc141f4f4b68a42295542cd8 /ipaserver
parent5427e7a8c7216b0aa54159a668951d71fb009139 (diff)
install: drop support for Dogtag 9
Dogtag 9 CA and CA DS install and uninstall code was removed. Existing Dogtag 9 CA and CA DS instances are disabled on upgrade. Creating a replica of a Dogtag 9 IPA master is still supported. https://fedorahosted.org/freeipa/ticket/5197 Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/ca.py33
-rw-r--r--ipaserver/install/cainstance.py361
-rw-r--r--ipaserver/install/certs.py10
-rw-r--r--ipaserver/install/dogtaginstance.py77
-rw-r--r--ipaserver/install/httpinstance.py3
-rw-r--r--ipaserver/install/installutils.py8
-rw-r--r--ipaserver/install/ipa_backup.py67
-rw-r--r--ipaserver/install/ipa_cacert_manage.py7
-rw-r--r--ipaserver/install/ipa_kra_install.py6
-rw-r--r--ipaserver/install/ipa_replica_prepare.py7
-rw-r--r--ipaserver/install/ipa_restore.py31
-rw-r--r--ipaserver/install/kra.py21
-rw-r--r--ipaserver/install/krainstance.py39
-rw-r--r--ipaserver/install/plugins/ca_renewal_master.py5
-rw-r--r--ipaserver/install/replication.py11
-rw-r--r--ipaserver/install/server/install.py21
-rw-r--r--ipaserver/install/server/replicainstall.py26
-rw-r--r--ipaserver/install/server/upgrade.py148
-rw-r--r--ipaserver/install/service.py6
-rw-r--r--ipaserver/plugins/dogtag.py4
20 files changed, 263 insertions, 628 deletions
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index 51871f2dc..fcead1891 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -10,7 +10,7 @@ import os.path
from six.moves.configparser import RawConfigParser
from ipaserver.install import cainstance, dsinstance, bindinstance
-from ipapython import dogtag, ipautil, certdb
+from ipapython import ipautil, certdb
from ipaplatform import services
from ipaplatform.paths import paths
from ipaserver.install import installutils, certs
@@ -126,8 +126,6 @@ def install_step_0(standalone, replica_config, options):
host_name = options.host_name
subject_base = options.subject
- dogtag_constants = dogtag.install_constants
-
if replica_config is not None:
# Configure the CA if necessary
if standalone:
@@ -154,8 +152,7 @@ def install_step_0(standalone, replica_config, options):
else:
external = 0
- ca = cainstance.CAInstance(realm_name, certs.NSS_DIR,
- dogtag_constants=dogtag_constants)
+ ca = cainstance.CAInstance(realm_name, certs.NSS_DIR)
if standalone:
ca.create_ra_agent_db = False
if external == 0:
@@ -185,19 +182,16 @@ def install_step_1(standalone, replica_config, options):
basedn = ipautil.realm_to_suffix(realm_name)
- dogtag_constants = dogtag.install_constants
-
- ca = cainstance.CAInstance(realm_name, certs.NSS_DIR,
- dogtag_constants=dogtag_constants)
+ ca = cainstance.CAInstance(realm_name, certs.NSS_DIR)
if standalone:
- ca.stop(ca.dogtag_constants.PKI_INSTANCE_NAME)
+ ca.stop('pki-tomcat')
# We need to ldap_enable the CA now that DS is up and running
ca.ldap_enable('CA', host_name, dm_password, basedn, ['caRenewalMaster'])
# This is done within stopped_service context, which restarts CA
- ca.enable_client_auth_to_db(dogtag_constants.CS_CFG_PATH)
+ ca.enable_client_auth_to_db(paths.CA_CS_CFG_PATH)
if standalone and replica_config is None:
serverid = installutils.realm_to_serverid(realm_name)
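Review bot: The Dogtag instance name is now a bare literal in `ca.stop('pki-tomcat')`, and the same literal recurs in `ca.start('pki-tomcat')` later in install_step_1, in install_replica_ca in cainstance.py, and in restart_instance/start_instance/stop_instance and enable_client_auth_to_db in dogtaginstance.py, where the service name `'pki-tomcatd'` is likewise repeated (DogtagInstance.__init__, backup_config, the stopped_service call). Since this commit removes the `dogtag_constants` object that used to name these values, the natural replacement is one module-level pair next to the existing `PKI_USER` in dogtaginstance.py, e.g. `PKI_INSTANCE_NAME = 'pki-tomcat'` and `PKI_SERVICE_NAME = 'pki-tomcatd'`, so the name stays greppable and changeable in one place. install_step_1 continues outside the hunk.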
@@ -231,7 +225,7 @@ def install_step_1(standalone, replica_config, options):
bind_pw=dm_password)
# Store DS CA cert in Dogtag NSS database
- dogtagdb = certs.CertDB(realm_name, nssdir=dogtag_constants.ALIAS_DIR)
+ dogtagdb = certs.CertDB(realm_name, nssdir=paths.PKI_TOMCAT_ALIAS_DIR)
trust_flags = dict(reversed(dsdb.list_certs()))
server_certs = dsdb.find_server_certs()
trust_chain = dsdb.find_root_cert(server_certs[0][0])[:-1]
@@ -240,7 +234,7 @@ def install_step_1(standalone, replica_config, options):
dogtagdb.add_cert(cert, nickname, trust_flags[nickname])
if standalone:
- ca.start(ca.dogtag_constants.PKI_INSTANCE_NAME)
+ ca.start('pki-tomcat')
# Update config file
try:
@@ -248,8 +242,7 @@ def install_step_1(standalone, replica_config, options):
parser.read(paths.IPA_DEFAULT_CONF)
parser.set('global', 'enable_ra', 'True')
parser.set('global', 'ra_plugin', 'dogtag')
- parser.set('global', 'dogtag_version',
- str(dogtag_constants.DOGTAG_VERSION))
+ parser.set('global', 'dogtag_version', '10')
with open(paths.IPA_DEFAULT_CONF, 'w') as f:
parser.write(f)
except IOError as e:
@@ -266,15 +259,9 @@ def install_step_1(standalone, replica_config, options):
bind.add_ipa_ca_dns_records(host_name, domain_name)
-def uninstall(dogtag_constants):
- if not dogtag_constants.SHARED_DB:
- cads_instance = cainstance.CADSInstance(
- dogtag_constants=dogtag_constants)
- if cads_instance.is_configured():
- cads_instance.uninstall()
-
+def uninstall():
ca_instance = cainstance.CAInstance(
- api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants)
+ api.env.realm, certs.NSS_DIR)
ca_instance.stop_tracking_certificates()
if ca_instance.is_configured():
ca_instance.uninstall()
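Review bot: The new `uninstall()` drops the CADSInstance branch without any docstring or comment, so a reader of ca.py cannot tell that a Dogtag 9 CA DS instance left behind by an upgrade (the `PKI-IPA` serverid removed elsewhere in this commit) is deliberately not removed here. A short docstring would capture the intent and the signature change at the same time, e.g. `"""Uninstall the local CA instance. Dogtag 9 CA DS instances are no longer removed; per the commit they are only disabled on upgrade."""`. Whether the upgrade path also stops certmonger tracking of that old instance's server certificate, as the removed code did, is not visible in this hunk.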
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 8a8ae2fc5..3632a3931 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -68,7 +68,7 @@ from ipaserver.install import ldapupdate
from ipaserver.install import replication
from ipaserver.install import service
from ipaserver.install.dogtaginstance import (
- DEFAULT_DSPORT, PKI_USER, export_kra_agent_pem, DogtagInstance)
+ PKI_USER, export_kra_agent_pem, DogtagInstance)
from ipaserver.plugins import ldap2
# Python 3 rename. The package is available in "six.moves.http_client", but
@@ -248,7 +248,7 @@ def get_crl_files(path=None):
@param path Custom target directory
"""
if path is None:
- path = dogtag.configured_constants().CRL_PUBLISH_PATH
+ path = paths.PKI_CA_PUBLISH_DIR
files = os.listdir(path)
for f in files:
@@ -261,7 +261,7 @@ def get_crl_files(path=None):
def is_step_one_done():
"""Read CS.cfg and determine if step one of an external CA install is done
"""
- path = dogtag.install_constants.CS_CFG_PATH
+ path = paths.CA_CS_CFG_PATH
if not os.path.exists(path):
return False
test = installutils.get_directive(path, 'preop.ca.type', '=')
@@ -274,8 +274,7 @@ def is_ca_installed_locally():
"""Check if CA is installed locally by checking for existence of CS.cfg
:return:True/False
"""
- path = dogtag.install_constants.CS_CFG_PATH
- return os.path.exists(path)
+ return os.path.exists(paths.CA_CS_CFG_PATH)
def create_ca_user():
@@ -288,63 +287,6 @@ def create_ca_user():
)
-class CADSInstance(service.Service):
- """Certificate Authority DS instance
-
- The CA DS was used with Dogtag 9. Only upgraded installations still use it.
- Thus this class only does uninstallation.
- """
- def __init__(self, host_name=None, realm_name=None, dm_password=None, dogtag_constants=None):
- service.Service.__init__(
- self, "pkids",
- service_desc="directory server for the CA",
- dm_password=dm_password,
- ldapi=False,
- autobind=ipaldap.AUTOBIND_DISABLED)
-
- self.serverid = "PKI-IPA"
- self.realm = realm_name
- self.sub_dict = None
- self.fqdn = host_name
- self.dercert = None
- self.pkcs12_info = None
- self.ds_port = None
- self.master_host = None
- self.nickname = 'Server-Cert'
- self.subject_base = None
-
- def uninstall(self):
- if self.is_configured():
- self.print_msg("Unconfiguring CA directory server")
-
- enabled = self.restore_state("enabled")
- serverid = self.restore_state("serverid")
-
- # Just eat this state if it exists
- self.restore_state("running")
-
- if not enabled is None and not enabled:
- services.knownservices.dirsrv.disable()
-
- if serverid is not None:
- # drop the trailing / off the config_dirname so the directory
- # will match what is in certmonger
- dirname = dsinstance.config_dirname(serverid)[:-1]
- dsdb = certs.CertDB(self.realm, nssdir=dirname)
- dsdb.untrack_server_cert("Server-Cert")
- try:
- dsinstance.remove_ds_instance(serverid)
- except ipautil.CalledProcessError:
- root_logger.error("Failed to remove CA DS instance. You may "
- "need to remove instance data manually")
-
- self.restore_state("user_exists")
-
- # At one time we removed this user on uninstall. That can potentially
- # orphan files, or worse, if another useradd runs in the interim,
- # cause files to have a new owner.
-
-
class CAInstance(DogtagInstance):
"""
When using a dogtag CA the DS database contains just the
@@ -368,16 +310,12 @@ class CAInstance(DogtagInstance):
('caSigningCert cert-pki-ca', 'ipaCACertRenewal'))
server_cert_name = 'Server-Cert cert-pki-ca'
- def __init__(self, realm=None, ra_db=None, dogtag_constants=None,
- host_name=None, dm_password=None, ldapi=True):
- if dogtag_constants is None:
- dogtag_constants = dogtag.configured_constants()
-
+ def __init__(self, realm=None, ra_db=None, host_name=None,
+ dm_password=None, ldapi=True):
super(CAInstance, self).__init__(
realm=realm,
subsystem="CA",
service_desc="certificate server",
- dogtag_constants=dogtag_constants,
host_name=host_name,
dm_password=dm_password,
ldapi=ldapi
@@ -404,8 +342,7 @@ class CAInstance(DogtagInstance):
self.log = log_mgr.get_logger(self)
self.no_db_setup = False
- def configure_instance(self, host_name, dm_password,
- admin_password, ds_port=DEFAULT_DSPORT,
+ def configure_instance(self, host_name, dm_password, admin_password,
pkcs12_info=None, master_host=None, csr_file=None,
cert_file=None, cert_chain_file=None,
master_replication_port=None,
@@ -413,8 +350,6 @@ class CAInstance(DogtagInstance):
ca_type=None, ra_p12=None):
"""Create a CA instance.
- For Dogtag 9, this may involve creating the pki-ca instance.
-
To create a clone, pass in pkcs12_info.
Creating a CA with an external signer is a 2-step process. In
@@ -426,7 +361,6 @@ class CAInstance(DogtagInstance):
self.dm_password = dm_password
self.admin_user = "admin"
self.admin_password = admin_password
- self.ds_port = ds_port
self.pkcs12_info = pkcs12_info
if self.pkcs12_info is not None:
self.clone = True
@@ -456,12 +390,8 @@ class CAInstance(DogtagInstance):
self.external = 2
self.step("creating certificate server user", create_ca_user)
- if self.dogtag_constants.DOGTAG_VERSION >= 10:
- self.step("configuring certificate server instance", self.__spawn_instance)
- else:
- if not ipautil.dir_exists(paths.VAR_LIB_PKI_CA_DIR):
- self.step("creating pki-ca instance", self.create_instance)
- self.step("configuring certificate server instance", self.__configure_instance)
+ self.step("configuring certificate server instance",
+ self.__spawn_instance)
self.step("stopping certificate server instance to update CS.cfg", self.stop_instance)
self.step("backing up CS.cfg", self.backup_config)
self.step("disabling nonces", self.__disable_nonce)
@@ -471,8 +401,6 @@ class CAInstance(DogtagInstance):
# Step 1 of external is getting a CSR so we don't need to do these
# steps until we get a cert back from the external CA.
if self.external != 1:
- if self.dogtag_constants.DOGTAG_VERSION < 10 and not self.clone:
- self.step("creating CA agent PKCS#12 file in /root", self.__create_ca_agent_pkcs12)
if self.create_ra_agent_db:
self.step("creating RA agent certificate database", self.__create_ra_agent_db)
self.step("importing CA chain to RA certificate database", self.__import_ca_chain)
@@ -547,7 +475,7 @@ class CAInstance(DogtagInstance):
config.set("CA", "pki_client_admin_cert_p12", paths.DOGTAG_ADMIN_P12)
# Directory server
- config.set("CA", "pki_ds_ldap_port", str(self.ds_port))
+ config.set("CA", "pki_ds_ldap_port", "389")
config.set("CA", "pki_ds_password", self.dm_password)
config.set("CA", "pki_ds_base_dn", self.basedn)
config.set("CA", "pki_ds_database", "ipaca")
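Review bot: The directory server port is written as the bare string in `config.set("CA", "pki_ds_ldap_port", "389")`, and the same number reappears in the clone settings (`pki_clone_replication_clone_port`), in `self.master_replication_port = 389` in setup_replica, and as `'636'` twice in enable_client_auth_to_db in dogtaginstance.py. The commit deletes the `DEFAULT_DSPORT` constant that used to name this value; keeping named constants instead of scattering the number, e.g. `DS_PORT = 389` and `DS_SECURE_PORT = 636` in dogtaginstance.py with `str(DS_PORT)` passed here, would preserve the self-documenting quality the old code had. The old clone call passed `dogtag.install_constants.DS_PORT` without `str()`, so the explicit string form on the new side looks like a type fix worth keeping whichever way the constant is introduced. The enclosing method (presumably __spawn_instance) starts and ends outside the hunk.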
@@ -598,7 +526,7 @@ class CAInstance(DogtagInstance):
config.set("CA", "pki_clone_pkcs12_password", self.dm_password)
config.set("CA", "pki_clone_replication_security", "TLS")
config.set("CA", "pki_clone_replication_master_port", str(self.master_replication_port))
- config.set("CA", "pki_clone_replication_clone_port", dogtag.install_constants.DS_PORT)
+ config.set("CA", "pki_clone_replication_clone_port", "389")
config.set("CA", "pki_clone_replicate_schema", "False")
config.set("CA", "pki_clone_uri", "https://%s" % ipautil.format_netloc(self.master_host, 443))
@@ -656,151 +584,9 @@ class CAInstance(DogtagInstance):
self.log.debug("completed creating ca instance")
- def create_instance(self):
- """
- If for some reason the instance doesn't exist, create a new one."
- """
- # Only used for Dogtag 9
-
- args = [paths.PKICREATE,
- '-pki_instance_root', paths.VAR_LIB,
- '-pki_instance_name',
- self.dogtag_constants.PKI_INSTANCE_NAME,
- '-subsystem_type', 'ca',
- '-agent_secure_port',
- str(self.dogtag_constants.AGENT_SECURE_PORT),
- '-ee_secure_port',
- str(self.dogtag_constants.EE_SECURE_PORT),
- '-admin_secure_port',
- str(self.dogtag_constants.ADMIN_SECURE_PORT),
- '-ee_secure_client_auth_port',
- str(self.dogtag_constants.EE_CLIENT_AUTH_PORT),
- '-unsecure_port', str(self.dogtag_constants.UNSECURE_PORT),
- '-tomcat_server_port',
- str(self.dogtag_constants.TOMCAT_SERVER_PORT),
- '-redirect', 'conf=/etc/pki-ca',
- '-redirect', 'logs=/var/log/pki-ca',
- '-enable_proxy'
- ]
- self.backup_state('installed', True)
- ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn})
-
- def __configure_instance(self):
- # Only used for Dogtag 9
- preop_pin = get_preop_pin(
- self.server_root, self.dogtag_constants.PKI_INSTANCE_NAME)
-
- try:
- args = [paths.PERL, paths.PKISILENT, "ConfigureCA",
- "-cs_hostname", self.fqdn,
- "-cs_port", str(self.dogtag_constants.ADMIN_SECURE_PORT),
- "-client_certdb_dir", self.agent_db,
- "-client_certdb_pwd", self.admin_password,
- "-preop_pin" , preop_pin,
- "-domain_name", self.security_domain_name,
- "-admin_user", self.admin_user,
- "-admin_email", "root@localhost",
- "-admin_password", self.admin_password,
- "-agent_name", "ipa-ca-agent",
- "-agent_key_size", "2048",
- "-agent_key_type", "rsa",
- "-agent_cert_subject", str(DN(('CN', 'ipa-ca-agent'), self.subject_base)),
- "-ldap_host", self.fqdn,
- "-ldap_port", str(self.ds_port),
- "-bind_dn", "cn=Directory Manager",
- "-bind_password", self.dm_password,
- "-base_dn", str(self.basedn),
- "-db_name", "ipaca",
- "-key_size", "2048",
- "-key_type", "rsa",
- "-key_algorithm", self.ca_signing_algorithm,
- "-signing_algorithm", "SHA256withRSA",
- "-save_p12", "true",
- "-backup_pwd", self.admin_password,
- "-subsystem_name", self.service_name,
- "-token_name", "internal",
- "-ca_subsystem_cert_subject_name", str(DN(('CN', 'CA Subsystem'), self.subject_base)),
- "-ca_subsystem_cert_subject_name", str(DN(('CN', 'CA Subsystem'), self.subject_base)),
- "-ca_ocsp_cert_subject_name", str(DN(('CN', 'OCSP Subsystem'), self.subject_base)),
- "-ca_server_cert_subject_name", str(DN(('CN', self.fqdn), self.subject_base)),
- "-ca_audit_signing_cert_subject_name", str(DN(('CN', 'CA Audit'), self.subject_base)),
- "-ca_sign_cert_subject_name", str(DN(('CN', 'Certificate Authority'), self.subject_base)) ]
- if self.external == 1:
- args.append("-external")
- args.append("true")
- args.append("-ext_csr_file")
- args.append(self.csr_file)
- elif self.external == 2:
- cert = x509.load_certificate_from_file(self.cert_file)
- cert_file = tempfile.NamedTemporaryFile()
- x509.write_certificate(cert.der_data, cert_file.name)
- cert_file.flush()
-
- args.append("-external")
- args.append("true")
- args.append("-ext_ca_cert_file")
- args.append(cert_file.name)
- args.append("-ext_ca_cert_chain_file")
- args.append(self.cert_chain_file)
- else:
- args.append("-external")
- args.append("false")
- if self.clone:
- """sd = security domain --> all CS systems get registered to
- a security domain. This is set to the hostname and port of
- the master CA.
- """
- # The install wizard expects the file to be here.
- cafile = self.pkcs12_info[0]
- shutil.copy(cafile, paths.PKI_ALIAS_CA_P12)
- pent = pwd.getpwnam(PKI_USER)
- os.chown(paths.PKI_ALIAS_CA_P12, pent.pw_uid, pent.pw_gid )
- args.append("-clone")
- args.append("true")
- args.append("-clone_p12_file")
- args.append("ca.p12")
- args.append("-clone_p12_password")
- args.append(self.dm_password)
- args.append("-sd_hostname")
- args.append(self.master_host)
- args.append("-sd_admin_port")
- args.append("443")
- args.append("-sd_admin_name")
- args.append(self.admin_user)
- args.append("-sd_admin_password")
- args.append(self.admin_password)
- args.append("-clone_master_port")
- args.append(str(self.master_replication_port))
- args.append("-clone_start_tls")
- args.append("true")
- args.append("-clone_uri")
- args.append("https://%s" % ipautil.format_netloc(self.master_host, 443))
- else:
- args.append("-clone")
- args.append("false")
-
- # Define the things we don't want logged
- nolog = (self.admin_password, self.dm_password,)
-
- ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn}, nolog=nolog)
- except ipautil.CalledProcessError as e:
- self.handle_setup_error(e)
-
- if self.external == 1:
- print("The next step is to get %s signed by your CA and re-run %s as:" % (self.csr_file, sys.argv[0]))
- print("%s --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate" % sys.argv[0])
- sys.exit(0)
-
- # pkisilent makes a copy of the CA PKCS#12 file for us but gives
- # it a lousy name.
- if ipautil.file_exists(paths.ROOT_TMP_CA_P12):
- shutil.move(paths.ROOT_TMP_CA_P12, paths.CACERT_P12)
-
- self.log.debug("completed creating ca instance")
-
def backup_config(self):
try:
- backup_config(self.dogtag_constants)
+ backup_config()
except Exception as e:
root_logger.warning("Failed to backup CS.cfg: %s", e)
@@ -816,16 +602,15 @@ class CAInstance(DogtagInstance):
def __disable_nonce(self):
# Turn off Nonces
update_result = installutils.update_file(
- self.dogtag_constants.CS_CFG_PATH, 'ca.enableNonces=true',
+ paths.CA_CS_CFG_PATH, 'ca.enableNonces=true',
'ca.enableNonces=false')
if update_result != 0:
raise RuntimeError("Disabling nonces failed")
pent = pwd.getpwnam(PKI_USER)
- os.chown(self.dogtag_constants.CS_CFG_PATH,
- pent.pw_uid, pent.pw_gid)
+ os.chown(paths.CA_CS_CFG_PATH, pent.pw_uid, pent.pw_gid)
def enable_pkix(self):
- installutils.set_directive(self.dogtag_constants.SYSCONFIG_FILE_PATH,
+ installutils.set_directive(paths.SYSCONFIG_PKI_TOMCAT,
'NSS_ENABLE_PKIX_VERIFY', '1',
quotes=False, separator='=')
@@ -874,13 +659,12 @@ class CAInstance(DogtagInstance):
'-p', self.admin_password,
'-d', self.agent_db,
'-r', '/ca/agent/ca/profileReview?requestId=%s' % self.requestId,
- '%s' % ipautil.format_netloc(
- self.fqdn, self.dogtag_constants.AGENT_SECURE_PORT),
+ '%s' % ipautil.format_netloc(self.fqdn, 8443),
]
(stdout, _stderr, _returncode) = ipautil.run(
args, nolog=(self.admin_password,))
- data = stdout.split(self.dogtag_constants.RACERT_LINE_SEP)
+ data = stdout.split('\n')
params = get_defList(data)
params['requestId'] = find_substring(data, "requestId")
params['op'] = 'approve'
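Review bot: The agent port is now the bare number in `ipautil.format_netloc(self.fqdn, 8443)`, and the same literal is repeated in the following profileProcess hunk, twice in the https_request calls in certs.py, and already exists as `override_port = 8443` in migrate_profiles_to_ldap. The removed code distinguished `AGENT_SECURE_PORT` and `EE_SECURE_PORT`; both now collapse to 8443, so a single named constant such as `PKI_SECURE_PORT = 8443` in dogtaginstance.py, used in all of these places, would state that fact once instead of leaving a reader to work it out from repeated numbers. The enclosing method starts and ends outside the hunk.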
@@ -897,13 +681,12 @@ class CAInstance(DogtagInstance):
'-d', self.agent_db,
'-e', params,
'-r', '/ca/agent/ca/profileProcess',
- '%s' % ipautil.format_netloc(
- self.fqdn, self.dogtag_constants.AGENT_SECURE_PORT),
+ '%s' % ipautil.format_netloc(self.fqdn, 8443),
]
(stdout, _stderr, _returncode) = ipautil.run(
args, nolog=(self.admin_password,))
- data = stdout.split(self.dogtag_constants.RACERT_LINE_SEP)
+ data = stdout.split('\n')
outputList = get_outputList(data)
self.ra_cert = outputList['b64_cert']
@@ -1024,26 +807,10 @@ class CAInstance(DogtagInstance):
def __get_ca_chain(self):
try:
- return dogtag.get_ca_certchain(ca_host=self.fqdn,
- dogtag_constants=self.dogtag_constants)
+ return dogtag.get_ca_certchain(ca_host=self.fqdn)
except Exception as e:
raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
- def __create_ca_agent_pkcs12(self):
- # Only used for Dogtag 9
- (pwd_fd, pwd_name) = tempfile.mkstemp()
- os.write(pwd_fd, self.admin_password)
- os.close(pwd_fd)
- try:
- ipautil.run([paths.PK12UTIL,
- "-n", "ipa-ca-agent",
- "-o", paths.DOGTAG_ADMIN_P12,
- "-d", self.agent_db,
- "-k", pwd_name,
- "-w", pwd_name])
- finally:
- os.remove(pwd_name)
-
def __import_ca_chain(self):
chain = self.__get_ca_chain()
@@ -1113,8 +880,7 @@ class CAInstance(DogtagInstance):
csr = pkcs10.strip_header(stdout)
# Send the request to the CA
- conn = httplib.HTTPConnection(
- self.fqdn, self.dogtag_constants.UNSECURE_PORT)
+ conn = httplib.HTTPConnection(self.fqdn, 8080)
params = urllib.parse.urlencode({'profileId': 'caServerCert',
'cert_request_type': 'pkcs10',
'requestor_name': 'IPA Installer',
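Review bot: The certificate request is sent with `httplib.HTTPConnection(self.fqdn, 8080)`, i.e. over cleartext HTTP, and now that the named `UNSECURE_PORT` constant is gone nothing in the code says why that is acceptable. A comment would spare the next reader the question, e.g. `# Dogtag's cleartext HTTP port; presumably only the CSR (public data) is posted here, to the local CA`, but confirm that the enclosing method really sends nothing else before committing to that wording, since it starts and ends outside the hunk. The literal 8080 would also belong alongside whichever constant ends up naming 8443.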
@@ -1152,8 +918,9 @@ class CAInstance(DogtagInstance):
def __setup_sign_profile(self):
# Tell the profile to automatically issue certs for RAs
- installutils.set_directive(self.dogtag_constants.SIGN_PROFILE,
- 'auth.instance_id', 'raCertAuth', quotes=False, separator='=')
+ installutils.set_directive(
+ paths.CAJARSIGNINGCERT_CFG, 'auth.instance_id', 'raCertAuth',
+ quotes=False, separator='=')
def prepare_crl_publish_dir(self):
"""
@@ -1161,7 +928,7 @@ class CAInstance(DogtagInstance):
Returns a path to the CRL publishing directory
"""
- publishdir = self.dogtag_constants.CRL_PUBLISH_PATH
+ publishdir = paths.PKI_CA_PUBLISH_DIR
if not os.path.exists(publishdir):
os.mkdir(publishdir)
@@ -1181,7 +948,7 @@ class CAInstance(DogtagInstance):
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Certificate_System/8.0/html/Admin_Guide/Setting_up_Publishing.html
"""
- caconfig = self.dogtag_constants.CS_CFG_PATH
+ caconfig = paths.CA_CS_CFG_PATH
publishdir = self.prepare_crl_publish_dir()
@@ -1232,20 +999,7 @@ class CAInstance(DogtagInstance):
# just eat state
self.restore_state("enabled")
- if self.dogtag_constants.DOGTAG_VERSION >= 10:
- DogtagInstance.uninstall(self)
- else:
- if self.is_configured():
- self.print_msg("Unconfiguring CA")
-
- try:
- ipautil.run([paths.PKIREMOVE,
- "-pki_instance_root=%s" % paths.VAR_LIB,
- "-pki_instance_name=%s" %
- self.dogtag_constants.PKI_INSTANCE_NAME,
- "--force"])
- except ipautil.CalledProcessError as e:
- self.log.critical("failed to uninstall CA instance %s", e)
+ DogtagInstance.uninstall(self)
self.restore_state("installed")
@@ -1289,9 +1043,9 @@ class CAInstance(DogtagInstance):
# remove CRL directory
self.log.info("Remove CRL directory")
- if os.path.exists(self.dogtag_constants.CRL_PUBLISH_PATH):
+ if os.path.exists(paths.PKI_CA_PUBLISH_DIR):
try:
- shutil.rmtree(self.dogtag_constants.CRL_PUBLISH_PATH)
+ shutil.rmtree(paths.PKI_CA_PUBLISH_DIR)
except OSError as e:
self.log.warning("Error while removing CRL publish "
"directory: %s", e)
@@ -1370,7 +1124,7 @@ class CAInstance(DogtagInstance):
# Check the default validity period of the audit signing cert
# and set it to 2 years if it is 6 months.
cert_range = installutils.get_directive(
- '%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR,
+ paths.CASIGNEDLOGCERT_CFG,
'policyset.caLogSigningSet.2.default.params.range',
separator='='
)
@@ -1378,14 +1132,14 @@ class CAInstance(DogtagInstance):
'caSignedLogCert.cfg profile validity range is %s', cert_range)
if cert_range == "180":
installutils.set_directive(
- '%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR,
+ paths.CASIGNEDLOGCERT_CFG,
'policyset.caLogSigningSet.2.default.params.range',
'720',
quotes=False,
separator='='
)
installutils.set_directive(
- '%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR,
+ paths.CASIGNEDLOGCERT_CFG,
'policyset.caLogSigningSet.2.constraint.params.range',
'720',
quotes=False,
@@ -1447,7 +1201,7 @@ class CAInstance(DogtagInstance):
self.admin_conn.update_entry(master_entry)
@staticmethod
- def update_cert_config(nickname, cert, dogtag_constants=None):
+ def update_cert_config(nickname, cert):
"""
When renewing a CA subsystem certificate the configuration file
needs to get the new certificate as well.
@@ -1456,9 +1210,6 @@ class CAInstance(DogtagInstance):
cert is a DER-encoded certificate.
"""
- if dogtag_constants is None:
- dogtag_constants = dogtag.configured_constants()
-
# The cert directive to update per nickname
directives = {'auditSigningCert cert-pki-ca': 'ca.audit_signing.cert',
'ocspSigningCert cert-pki-ca': 'ca.ocsp_signing.cert',
@@ -1467,14 +1218,12 @@ class CAInstance(DogtagInstance):
'Server-Cert cert-pki-ca': 'ca.sslserver.cert'}
try:
- backup_config(dogtag_constants)
+ backup_config()
except Exception as e:
syslog.syslog(syslog.LOG_ERR, "Failed to backup CS.cfg: %s" % e)
DogtagInstance.update_cert_cs_cfg(
- nickname, cert, directives,
- dogtag.configured_constants().CS_CFG_PATH,
- dogtag_constants)
+ nickname, cert, directives, paths.CA_CS_CFG_PATH)
def __create_ds_db(self):
'''
@@ -1519,7 +1268,7 @@ class CAInstance(DogtagInstance):
self.__update_topology()
def __client_auth_to_db(self):
- self.enable_client_auth_to_db(self.dogtag_constants.CS_CFG_PATH)
+ self.enable_client_auth_to_db(paths.CA_CS_CFG_PATH)
def __restart_http_instance(self):
# We need to restart apache as we drop a new config file in there
@@ -1536,9 +1285,8 @@ class CAInstance(DogtagInstance):
the topology plugin to manage replication.
Requires domain_level >= DOMAIN_LEVEL_1 and custodia on the master.
"""
- self.ds_port = DEFAULT_DSPORT
self.master_host = master_host
- self.master_replication_port = DEFAULT_DSPORT
+ self.master_replication_port = 389
if subject_base is None:
self.subject_base = DN(('O', self.realm))
else:
@@ -1614,14 +1362,7 @@ def replica_ca_install_check(config):
# Replica of old "self-signed" master - CA won't be installed
return
- # Exit if we have an old-style (Dogtag 9) CA already installed
- ca = CAInstance(config.realm_name, certs.NSS_DIR,
- dogtag_constants=dogtag.Dogtag9Constants)
- if ca.is_installed():
- root_logger.info('Dogtag 9 style CA instance found')
- sys.exit("A CA is already configured on this system.")
-
- if config.ca_ds_port != dogtag.Dogtag9Constants.DS_PORT:
+ if config.ca_ds_port != 7389:
root_logger.debug(
'Installing CA Replica from master with a merged database')
return
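Review bot: The check `if config.ca_ds_port != 7389:` now compares against a bare number whose meaning was previously carried by the name `dogtag.Dogtag9Constants.DS_PORT`, and the removed comment about old-style CAs was the only remaining hint. Since creating a replica of a Dogtag 9 master is still supported per the commit message, add either a comment such as `# 7389 is the separate CA DS port of a Dogtag 9 master; anything else means a merged database` or a named constant (`DOGTAG9_DS_PORT = 7389`). The dropped check that refused to install when a Dogtag 9 CA was already present locally is a deliberate part of this commit; whether a leftover, disabled Dogtag 9 instance on an upgraded host is caught elsewhere is not visible here. replica_ca_install_check continues outside the hunk.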
@@ -1675,8 +1416,7 @@ def install_replica_ca(config, postinstall=False, ra_p12=None):
# Replica of old "self-signed" master - skip installing CA
return None
- ca = CAInstance(config.realm_name, certs.NSS_DIR,
- dogtag_constants=dogtag.install_constants)
+ ca = CAInstance(config.realm_name, certs.NSS_DIR)
ca.dm_password = config.dirman_password
ca.subject_base = config.subject_base
@@ -1716,27 +1456,24 @@ def install_replica_ca(config, postinstall=False, ra_p12=None):
# unix service.
service.print_msg("Restarting the directory and certificate servers")
- ca.stop(dogtag.install_constants.PKI_INSTANCE_NAME)
+ ca.stop('pki-tomcat')
services.knownservices.dirsrv.restart()
- ca.start(dogtag.install_constants.PKI_INSTANCE_NAME)
+ ca.start('pki-tomcat')
return ca
-def backup_config(dogtag_constants=None):
+
+def backup_config():
"""
Create a backup copy of CS.cfg
"""
- if dogtag_constants is None:
- dogtag_constants = dogtag.configured_constants()
-
- if services.knownservices[dogtag_constants.SERVICE_NAME].is_running(
- dogtag_constants.PKI_INSTANCE_NAME):
- raise RuntimeError("Dogtag must be stopped when creating backup of %s"
- % dogtag_constants.CS_CFG_PATH)
- shutil.copy(dogtag_constants.CS_CFG_PATH,
- dogtag_constants.CS_CFG_PATH + '.ipabkp')
+ path = paths.CA_CS_CFG_PATH
+ if services.knownservices['pki_tomcatd'].is_running('pki-tomcat'):
+ raise RuntimeError(
+ "Dogtag must be stopped when creating backup of %s" % path)
+ shutil.copy(path, path + '.ipabkp')
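Review bot: backup_config now raises `RuntimeError` when the pki-tomcat instance is running, but the docstring still only says `Create a backup copy of CS.cfg`; add `Raises RuntimeError if the pki-tomcat instance is running.` so callers know to stop the instance first. The one caller visible on this page, CAInstance.backup_config, catches `Exception` and only logs a warning, so with a running instance the backup is silently skipped — worth a sentence in that method's docstring as well. The lookup `services.knownservices['pki_tomcatd']` uses subscript access while nearby code uses attribute access (`services.knownservices.dirsrv`); if the attribute form is available for pki_tomcatd, using it here would be consistent.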
def update_people_entry(dercert):
"""
@@ -1940,7 +1677,7 @@ def migrate_profiles_to_ldap():
api.Backend.ra_certprofile._read_password()
api.Backend.ra_certprofile.override_port = 8443
- with open(dogtag.configured_constants().CS_CFG_PATH) as f:
+ with open(paths.CA_CS_CFG_PATH) as f:
cs_cfg = f.read()
match = re.search(r'^profile\.list=(\S*)', cs_cfg, re.MULTILINE)
profile_ids = match.group(1).split(',')
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 658e8ec45..c918791f0 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -399,10 +399,7 @@ class CertDB(object):
password = f.readline()
f.close()
result = dogtag.https_request(
- self.host_name,
- api.env.ca_ee_install_port or
- dogtag.configured_constants().EE_SECURE_PORT,
- "/ca/ee/ca/profileSubmitSSLClient",
+ self.host_name, 8443, "/ca/ee/ca/profileSubmitSSLClient",
self.secdir, password, "ipaCert", **params)
http_status, http_reason_phrase, http_headers, http_body = result
@@ -456,10 +453,7 @@ class CertDB(object):
password = f.readline()
f.close()
result = dogtag.https_request(
- self.host_name,
- api.env.ca_ee_install_port or
- dogtag.configured_constants().EE_SECURE_PORT,
- "/ca/ee/ca/profileSubmitSSLClient",
+ self.host_name, 8443, "/ca/ee/ca/profileSubmitSSLClient",
self.secdir, password, "ipaCert", **params)
http_status, http_reason_phrase, http_headers, http_body = result
if http_status != 200:
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 106b75bc2..aad6fbbe5 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -35,7 +35,6 @@ from ipalib import errors
from ipaplatform import services
from ipaplatform.paths import paths
from ipapython import certmonger
-from ipapython import dogtag
from ipapython import ipaldap
from ipapython import ipautil
from ipapython.dn import DN
@@ -45,10 +44,7 @@ from ipaserver.install import replication
from ipaserver.install.installutils import stopped_service
from ipapython.ipa_log_manager import log_mgr
-DEFAULT_DSPORT = dogtag.install_constants.DS_PORT
-
PKI_USER = "pkiuser"
-PKI_DS_USER = dogtag.install_constants.DS_USER
def check_inst(subsystem):
@@ -57,9 +53,9 @@ def check_inst(subsystem):
"""
# Check for a couple of binaries we need
- if not os.path.exists(dogtag.install_constants.SPAWN_BINARY):
+ if not os.path.exists(paths.PKISPAWN):
return False
- if not os.path.exists(dogtag.install_constants.DESTROY_BINARY):
+ if not os.path.exists(paths.PKIDESTROY):
return False
if not os.path.exists(paths.PKI_CONF_SERVER_XML_TEMPLATE % subsystem):
@@ -127,21 +123,18 @@ class DogtagInstance(service.Service):
tracking_reqs = None
server_cert_name = None
- def __init__(self, realm, subsystem, service_desc, dogtag_constants=None,
- host_name=None, dm_password=None, ldapi=True):
+ def __init__(self, realm, subsystem, service_desc, host_name=None,
+ dm_password=None, ldapi=True,
+ nss_db=paths.PKI_TOMCAT_ALIAS_DIR):
"""Initializer"""
- if dogtag_constants is None:
- dogtag_constants = dogtag.configured_constants()
-
super(DogtagInstance, self).__init__(
- '%sd' % dogtag_constants.PKI_INSTANCE_NAME,
+ 'pki-tomcatd',
service_desc=service_desc,
dm_password=dm_password,
ldapi=ldapi
)
- self.dogtag_constants = dogtag_constants
self.realm = realm
self.admin_password = None
self.fqdn = host_name
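Review bot: A new keyword parameter `nss_db=paths.PKI_TOMCAT_ALIAS_DIR` is added to DogtagInstance.__init__, but the docstring is still the one-word `"""Initializer"""`, so nothing says what nss_db is for or that subclasses such as CAInstance (whose __init__ in this commit does not pass it) silently get the default. Replace it with a docstring that lists realm, subsystem, service_desc, host_name, dm_password, ldapi and nss_db, and for nss_db states that it is the NSS database directory stored on `self.nss_db`, defaulting to the pki-tomcat alias directory. The default is bound once at class-definition time, which is fine for a fixed path but worth a word if `paths` can be overridden at runtime. __init__ continues outside the hunk.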
@@ -154,15 +147,13 @@ class DogtagInstance(service.Service):
('ou', 'people'), ('o', 'ipaca'))
self.admin_groups = None
self.agent_db = tempfile.mkdtemp(prefix="tmp-")
- self.ds_port = DEFAULT_DSPORT
- self.server_root = dogtag_constants.SERVER_ROOT
self.subsystem = subsystem
self.security_domain_name = "IPA"
-
# replication parameters
self.master_host = None
self.master_replication_port = None
self.subject_base = None
+ self.nss_db = nss_db
self.log = log_mgr.get_logger(self)
@@ -176,8 +167,7 @@ class DogtagInstance(service.Service):
Returns True/False
"""
return os.path.exists(os.path.join(
- self.server_root, self.dogtag_constants.PKI_INSTANCE_NAME,
- self.subsystem.lower()))
+ paths.VAR_LIB_PKI_TOMCAT_DIR, self.subsystem.lower()))
def spawn_instance(self, cfg_file, nolog_list=None):
"""
@@ -208,7 +198,7 @@ class DogtagInstance(service.Service):
def restart_instance(self):
try:
- self.restart(self.dogtag_constants.PKI_INSTANCE_NAME)
+ self.restart('pki-tomcat')
except Exception:
self.log.debug(traceback.format_exc())
self.log.critical(
@@ -217,7 +207,7 @@ class DogtagInstance(service.Service):
def start_instance(self):
try:
- self.start(self.dogtag_constants.PKI_INSTANCE_NAME)
+ self.start('pki-tomcat')
except Exception:
self.log.debug(traceback.format_exc())
self.log.critical(
@@ -226,7 +216,7 @@ class DogtagInstance(service.Service):
def stop_instance(self):
try:
- self.stop(self.dogtag_constants.PKI_INSTANCE_NAME)
+ self.stop('pki-tomcat')
except Exception:
self.log.debug(traceback.format_exc())
self.log.critical(
@@ -239,9 +229,7 @@ class DogtagInstance(service.Service):
Path to CS.cfg config file passed in.
"""
- with stopped_service(
- self.dogtag_constants.SERVICE_NAME,
- instance_name=self.dogtag_constants.PKI_INSTANCE_NAME):
+ with stopped_service('pki-tomcatd', 'pki-tomcat'):
installutils.set_directive(
config,
'authz.instance.DirAclAuthz.ldap.ldapauth.authtype',
@@ -256,8 +244,7 @@ class DogtagInstance(service.Service):
'subsystemCert cert-pki-ca', quotes=False, separator='=')
installutils.set_directive(
config,
- 'authz.instance.DirAclAuthz.ldap.ldapconn.port',
- str(dogtag.install_constants.DS_SECURE_PORT),
+ 'authz.instance.DirAclAuthz.ldap.ldapconn.port', '636',
quotes=False, separator='=')
installutils.set_directive(
config,
@@ -279,15 +266,13 @@ class DogtagInstance(service.Service):
'subsystemCert cert-pki-ca', quotes=False, separator='=')
installutils.set_directive(
config,
- 'internaldb.ldapconn.port',
- str(dogtag.install_constants.DS_SECURE_PORT),
- quotes=False, separator='=')
+ 'internaldb.ldapconn.port', '636', quotes=False, separator='=')
installutils.set_directive(
config,
'internaldb.ldapconn.secureConn', 'true', quotes=False,
separator='=')
# Remove internaldb password as is not needed anymore
- installutils.set_directive(self.dogtag_constants.PASSWORD_CONF_PATH,
+ installutils.set_directive(paths.PKI_TOMCAT_PASSWORD_CONF,
'internaldb', None)
def uninstall(self):
@@ -295,8 +280,8 @@ class DogtagInstance(service.Service):
self.print_msg("Unconfiguring %s" % self.subsystem)
try:
- ipautil.run([paths.PKIDESTROY, "-i",
- self.dogtag_constants.PKI_INSTANCE_NAME,
+ ipautil.run([paths.PKIDESTROY,
+ "-i", 'pki-tomcat',
"-s", self.subsystem])
except ipautil.CalledProcessError as e:
self.log.critical("failed to uninstall %s instance %s",
@@ -306,7 +291,7 @@ class DogtagInstance(service.Service):
""" Update the http proxy file """
template_filename = ipautil.SHARE_DIR + "ipa-pki-proxy.conf"
sub_dict = dict(
- DOGTAG_PORT=self.dogtag_constants.AJP_PORT,
+ DOGTAG_PORT=8009,
CLONE='' if self.clone else '#',
FQDN=self.fqdn,
)
@@ -337,8 +322,7 @@ class DogtagInstance(service.Service):
def __get_pin(self):
try:
- return certmonger.get_pin('internal',
- dogtag_constants=self.dogtag_constants)
+ return certmonger.get_pin('internal')
except IOError as e:
self.log.debug(
'Unable to determine PIN for the Dogtag instance: %s', e)
@@ -355,7 +339,7 @@ class DogtagInstance(service.Service):
nickname=nickname,
pin=pin,
pinfile=None,
- secdir=self.dogtag_constants.ALIAS_DIR,
+ secdir=self.nss_db,
pre_command='stop_pkicad',
post_command='renew_ca_cert "%s"' % nickname,
profile=profile)
@@ -376,7 +360,7 @@ class DogtagInstance(service.Service):
nickname=self.server_cert_name,
pin=pin,
pinfile=None,
- secdir=self.dogtag_constants.ALIAS_DIR,
+ secdir=self.nss_db,
pre_command='stop_pkicad',
post_command='renew_ca_cert "%s"' % self.server_cert_name)
except RuntimeError as e:
@@ -401,7 +385,7 @@ class DogtagInstance(service.Service):
for nickname in nicknames:
try:
certmonger.stop_tracking(
- self.dogtag_constants.ALIAS_DIR, nickname=nickname)
+ self.nss_db, nickname=nickname)
except RuntimeError as e:
self.log.error(
"certmonger failed to stop tracking certificate: %s", e)
@@ -410,8 +394,7 @@ class DogtagInstance(service.Service):
cmonger.stop()
@staticmethod
- def update_cert_cs_cfg(nickname, cert, directives, cs_cfg,
- dogtag_constants=None):
+ def update_cert_cs_cfg(nickname, cert, directives, cs_cfg):
"""
When renewing a Dogtag subsystem certificate the configuration file
needs to get the new certificate as well.
@@ -422,11 +405,7 @@ class DogtagInstance(service.Service):
cs_cfg is the path to the CS.cfg file
"""
- if dogtag_constants is None:
- dogtag_constants = dogtag.configured_constants()
-
- with stopped_service(dogtag_constants.SERVICE_NAME,
- instance_name=dogtag_constants.PKI_INSTANCE_NAME):
+ with stopped_service('pki-tomcatd', 'pki-tomcat'):
installutils.set_directive(
cs_cfg,
directives[nickname],
@@ -461,11 +440,7 @@ class DogtagInstance(service.Service):
% (self.subsystem, e))
self.log.critical("See the installation logs and the following "
"files/directories for more information:")
- logs = [self.dogtag_constants.PKI_INSTALL_LOG,
- self.dogtag_constants.PKI_LOG_TOP_LEVEL]
-
- for log in logs:
- self.log.critical(" %s" % log)
+ self.log.critical(" %s" % paths.TOMCAT_TOPLEVEL_DIR)
raise RuntimeError("%s configuration failed." % self.subsystem)
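Review bot: The critical message on the two context lines above still says "the following files/directories", but after this change exactly one path, `paths.TOMCAT_TOPLEVEL_DIR`, is printed, and the pkispawn log that the removed `PKI_INSTALL_LOG` entry pointed at is no longer named at all. Either add the pkispawn log location back as a second line or fold the message into one statement that matches what is printed: `self.log.critical("See the installation logs and %s for more information.", paths.TOMCAT_TOPLEVEL_DIR)`. The enclosing method starts before this hunk.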
@@ -517,7 +492,7 @@ class DogtagInstance(service.Service):
# Now wait until the other server gets replicated this data
master_conn = ipaldap.IPAdmin(self.master_host,
- port=DEFAULT_DSPORT,
+ port=389,
protocol='ldap')
master_conn.do_sasl_gssapi_bind()
replication.wait_for_entry(master_conn, entry)
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index b7a15702a..1b68573d7 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -34,7 +34,6 @@ from ipaserver.install import certs
from ipaserver.install import installutils
from ipapython import sysrestore
from ipapython import ipautil
-from ipapython import dogtag
from ipapython.dn import DN
from ipapython.ipa_log_manager import root_logger
import ipapython.errors
@@ -128,7 +127,7 @@ class HTTPInstance(service.Service):
FQDN=fqdn,
DOMAIN=self.domain,
AUTOREDIR='' if auto_redirect else '#',
- CRL_PUBLISH_PATH=dogtag.install_constants.CRL_PUBLISH_PATH,
+ CRL_PUBLISH_PATH=paths.PKI_CA_PUBLISH_DIR,
)
self.ca_file = ca_file
if ca_is_configured is not None:
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index aadb8e22b..489d03bda 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -45,7 +45,7 @@ from six.moves.configparser import SafeConfigParser, NoOptionError
import ipaplatform
-from ipapython import ipautil, sysrestore, admintool, dogtag, version
+from ipapython import ipautil, sysrestore, admintool, version
from ipapython.admintool import ScriptError
from ipapython.ipa_log_manager import root_logger, log_mgr
from ipalib.util import validate_hostname
@@ -64,8 +64,8 @@ if six.PY3:
# Used to determine install status
IPA_MODULES = [
- 'httpd', 'kadmin', 'dirsrv', 'pki-cad', 'pki-tomcatd', 'install',
- 'krb5kdc', 'ntpd', 'named', 'ipa_memcached']
+ 'httpd', 'kadmin', 'dirsrv', 'pki-tomcatd', 'install', 'krb5kdc', 'ntpd',
+ 'named', 'ipa_memcached']
class BadHostError(Exception):
@@ -583,7 +583,7 @@ def read_replica_info(dir_path, rconfig):
def read_replica_info_dogtag_port(config_dir):
portfile = config_dir + "/dogtag_directory_port.txt"
- default_port = dogtag.Dogtag9Constants.DS_PORT
+ default_port = 7389
if not ipautil.file_exists(portfile):
dogtag_master_ds_port = default_port
else:
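Review bot: `default_port = 7389` is presumably right only because a replica file produced by a Dogtag 9 master never carried dogtag_directory_port.txt, whereas ipa-replica-prepare in this same commit now always writes 389 into it; nothing on the line says so any more, and the previous `Dogtag9Constants.DS_PORT` name at least hinted at the reason. A one-line comment keeps the next reader from "fixing" the default to 389: `# No port file means the replica file came from a Dogtag 9 master, whose CA used a separate DS on 7389 (see replication.replica_conn_check).` The function body continues past the end of this hunk.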
diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index 28054be3f..6d97ef13b 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -106,12 +106,10 @@ class Backup(admintool.AdminTool):
dirs = (paths.IPA_HTML_DIR,
paths.ROOT_PKI,
- paths.ETC_PKI_CA_DIR,
paths.PKI_TOMCAT,
paths.SYSCONFIG_PKI,
paths.HTTPD_ALIAS_DIR,
paths.VAR_LIB_PKI_DIR,
- paths.VAR_LIB_PKI_CA_DIR,
paths.SYSRESTORE,
paths.IPA_CLIENT_SYSRESTORE,
paths.IPA_DNSSEC_DIR,
@@ -127,12 +125,10 @@ class Backup(admintool.AdminTool):
paths.NAMED_CONF,
paths.NAMED_KEYTAB,
paths.RESOLV_CONF,
- paths.SYSCONFIG_PKI_CA_DIR,
paths.SYSCONFIG_PKI_TOMCAT,
paths.SYSCONFIG_DIRSRV,
paths.SYSCONFIG_NTPD,
paths.SYSCONFIG_KRB5KDC_DIR,
- paths.SYSCONFIG_PKI_CA_PKI_CA_DIR,
paths.SYSCONFIG_IPA_DNSKEYSYNCD,
paths.SYSCONFIG_IPA_ODS_EXPORTER,
paths.SYSCONFIG_NAMED,
@@ -187,18 +183,14 @@ class Backup(admintool.AdminTool):
)
logs=(
- paths.PKI_CA_LOG_DIR,
paths.VAR_LOG_PKI_DIR,
- paths.VAR_LOG_SLAPD_PKI_IPA_DIR,
paths.VAR_LOG_HTTPD_DIR,
paths.IPASERVER_INSTALL_LOG,
paths.KADMIND_LOG,
- paths.PKI_CA_INSTALL_LOG,
paths.MESSAGES,
paths.IPACLIENT_INSTALL_LOG,
paths.LOG_SECURE,
paths.IPASERVER_UNINSTALL_LOG,
- paths.PKI_CA_UNINSTALL_LOG,
paths.IPACLIENT_UNINSTALL_LOG,
paths.NAMED_RUN,
)
@@ -306,14 +298,14 @@ class Backup(admintool.AdminTool):
self.log.info('Stopping IPA services')
run(['ipactl', 'stop'])
- for instance in [
- installutils.realm_to_serverid(api.env.realm), 'PKI-IPA'
- ]:
- if os.path.exists(paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE % instance):
- if os.path.exists(paths.SLAPD_INSTANCE_DB_DIR_TEMPLATE % (instance, 'ipaca')):
- self.db2ldif(instance, 'ipaca', online=options.online)
- self.db2ldif(instance, 'userRoot', online=options.online)
- self.db2bak(instance, online=options.online)
+ instance = installutils.realm_to_serverid(api.env.realm)
+ if os.path.exists(paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE %
+ instance):
+ if os.path.exists(paths.SLAPD_INSTANCE_DB_DIR_TEMPLATE %
+ (instance, 'ipaca')):
+ self.db2ldif(instance, 'ipaca', online=options.online)
+ self.db2ldif(instance, 'userRoot', online=options.online)
+ self.db2bak(instance, online=options.online)
if not options.data_only:
# create backup of auth configuration
auth_backup_path = os.path.join(paths.VAR_LIB_IPA, 'auth_backup')
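Review bot: When the directory at `paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE % instance` does not exist, the rewritten block skips `db2ldif` and `db2bak` without a word and the backup continues with no directory-server data in it; that was also true of the old loop, but a backup tool should not be silent about producing an archive that cannot restore the data. Add an `else:` branch with `self.log.warning('Directory server instance %s not found, skipping data export', instance)`, and consider raising when `options.data_only` is set, since a data-only backup without data has no use. The method continues outside this hunk.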
@@ -341,34 +333,21 @@ class Backup(admintool.AdminTool):
'''
Add instance-specific files and directories.
- NOTE: this adds some things that may not get backed up, like the PKI-IPA
- instance.
+ NOTE: this adds some things that may not get backed up.
'''
serverid = installutils.realm_to_serverid(api.env.realm)
- for dir in [
- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % serverid,
- paths.VAR_LIB_DIRSRV_INSTANCE_SCRIPTS_TEMPLATE % serverid,
- paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE % serverid,
- paths.VAR_LIB_SLAPD_PKI_IPA_DIR_TEMPLATE,
- paths.USR_LIB_SLAPD_PKI_IPA_DIR,
- paths.ETC_SLAPD_PKI_IPA_DIR,
- paths.VAR_LIB_SLAPD_PKI_IPA_DIR_TEMPLATE,
- self.__find_scripts_dir('PKI-IPA'),
- ]:
+ for dir in [paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % serverid,
+ paths.VAR_LIB_DIRSRV_INSTANCE_SCRIPTS_TEMPLATE % serverid,
+ paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE % serverid]:
if os.path.exists(dir):
self.dirs.append(dir)
- for file in [
- paths.SYSCONFIG_DIRSRV_INSTANCE % serverid,
- paths.SYSCONFIG_DIRSRV_PKI_IPA_DIR]:
- if os.path.exists(file):
- self.files.append(file)
+ file = paths.SYSCONFIG_DIRSRV_INSTANCE % serverid
+ if os.path.exists(file):
+ self.files.append(file)
- for log in [
- paths.VAR_LOG_DIRSRV_INSTANCE_TEMPLATE % serverid,
- ]:
- self.logs.append(log)
+ self.logs.append(paths.VAR_LOG_DIRSRV_INSTANCE_TEMPLATE % serverid)
def get_connection(self):
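Review bot: The loop variable `dir` and the local `file` in the rewritten block shadow builtins; since every line of the loop was touched anyway, renaming them to `path` would have been free: `for path in [paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % serverid, ...]:` / `if os.path.exists(path): self.dirs.append(path)`, and `sysconfig = paths.SYSCONFIG_DIRSRV_INSTANCE % serverid`. The shortened docstring sentence "this adds some things that may not get backed up" no longer says what those things are now that the PKI-IPA entries are gone — either name the conditional entries (the instance directories are only added when they exist) or drop the sentence.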
@@ -628,17 +607,3 @@ class Backup(admintool.AdminTool):
shutil.move(self.header, backup_dir)
self.log.info('Backed up to %s', backup_dir)
-
- def __find_scripts_dir(self, instance):
- """
- IPA stores its 389-ds scripts in a different directory than dogtag
- does so we need to probe for it.
- """
- if instance != 'PKI-IPA':
- return os.path.join(paths.VAR_LIB_DIRSRV, 'scripts-%s' % instance)
- else:
- if sys.maxsize > 2**32:
- libpath = 'lib64'
- else:
- libpath = 'lib'
- return os.path.join(paths.USR_DIR, libpath, 'dirsrv', 'slapd-PKI-IPA')
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
index 96de6bffb..110feb2cc 100644
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -144,9 +144,8 @@ class CACertManage(admintool.AdminTool):
if not ca.is_configured():
raise admintool.ScriptError("CA is not configured on this system")
- nss_dir = ca.dogtag_constants.ALIAS_DIR
criteria = {
- 'cert-database': nss_dir,
+ 'cert-database': paths.PKI_TOMCAT_ALIAS_DIR,
'cert-nickname': self.cert_nickname,
'ca-name': 'dogtag-ipa-ca-renew-agent',
}
@@ -157,7 +156,7 @@ class CACertManage(admintool.AdminTool):
self.log.debug(
"Found certmonger request id %r", self.request_id)
- db = certs.CertDB(api.env.realm, nssdir=nss_dir)
+ db = certs.CertDB(api.env.realm, nssdir=paths.PKI_TOMCAT_ALIAS_DIR)
cert = db.get_cert_from_db(self.cert_nickname, pem=False)
options = self.options
@@ -206,7 +205,7 @@ class CACertManage(admintool.AdminTool):
options.external_cert_files, x509.subject_base())
nss_cert = None
- nss.nss_init(ca.dogtag_constants.ALIAS_DIR)
+ nss.nss_init(paths.PKI_TOMCAT_ALIAS_DIR)
try:
nss_cert = x509.load_certificate(old_cert, x509.DER)
subject = nss_cert.subject
diff --git a/ipaserver/install/ipa_kra_install.py b/ipaserver/install/ipa_kra_install.py
index add8250d4..d8fbf580e 100644
--- a/ipaserver/install/ipa_kra_install.py
+++ b/ipaserver/install/ipa_kra_install.py
@@ -28,7 +28,6 @@ from ipalib.constants import DOMAIN_LEVEL_0
from ipaplatform import services
from ipaplatform.paths import paths
from ipapython import admintool
-from ipapython import dogtag
from ipapython import ipautil
from ipapython.dn import DN
from ipaserver.install import service
@@ -100,8 +99,7 @@ class KRAUninstaller(KRAInstall):
if self.args:
self.option_parser.error("Too many parameters provided.")
- dogtag_constants = dogtag.configured_constants(api)
- _kra = krainstance.KRAInstance(api, dogtag_constants=dogtag_constants)
+ _kra = krainstance.KRAInstance(api)
if not _kra.is_installed():
self.option_parser.error(
"Cannot uninstall. There is no KRA installed on this system."
@@ -194,7 +192,7 @@ class KRAInstaller(KRAInstall):
config.host_name = api.env.host
config.domain_name = api.env.domain
config.dirman_password = self.options.password
- config.ca_ds_port = dogtag.install_constants.DS_PORT
+ config.ca_ds_port = 389
config.top_dir = tempfile.mkdtemp("ipa")
config.dir = config.top_dir
else:
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index 552103223..c1bce693b 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -35,7 +35,7 @@ from ipaserver.install.replication import enable_replication_version_checking
from ipaserver.plugins.ldap2 import ldap2
from ipaserver.install.bindinstance import (
add_zone, add_fwd_rr, add_ptr_rr, dns_container_exists)
-from ipapython import ipautil, admintool, dogtag
+from ipapython import ipautil, admintool
from ipapython.dn import DN
from ipapython import version
from ipalib import api
@@ -342,8 +342,7 @@ class ReplicaPrepare(admintool.AdminTool):
"Apache Server SSL certificate and Directory Server SSL "
"certificate are not signed by the same CA certificate")
- if (not ipautil.file_exists(
- dogtag.configured_constants().CS_CFG_PATH) and
+ if (not ipautil.file_exists(paths.CA_CS_CFG_PATH) and
options.dirsrv_pin is None):
self.log.info("If you installed IPA with your own certificates "
"using PKCS#12 files you must provide PKCS#12 files for any "
@@ -419,7 +418,7 @@ class ReplicaPrepare(admintool.AdminTool):
port_fname = os.path.join(
self.dir, "dogtag_directory_port.txt")
with open(port_fname, "w") as fd:
- fd.write("%s\n" % str(dogtag.configured_constants().DS_PORT))
+ fd.write("389\n")
def copy_httpd_certificate(self):
options = self.options
diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index 792ad54c5..a257b7892 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -387,10 +387,7 @@ class Restore(admintool.AdminTool):
httpinstance.create_kdcproxy_user()
# Always restore the data from ldif
- # If we are restoring PKI-IPA then we need to restore the
- # userRoot backend in it and the main IPA instance. If we
- # have a unified instance we need to restore both userRoot and
- # ipaca.
+ # We need to restore both userRoot and ipaca.
for instance, backend in databases:
self.ldif2db(instance, backend, online=options.online)
@@ -591,7 +588,7 @@ class Restore(admintool.AdminTool):
instance here is a loaded term. It can mean either a separate
389-ds install instance or a separate 389-ds backend. We only need
- to treat PKI-IPA and ipaca specially.
+ to treat ipaca specially.
'''
if backend is not None:
self.log.info('Restoring %s in %s' % (backend, instance))
@@ -766,21 +763,6 @@ class Restore(admintool.AdminTool):
# We can remove the decoded tarball
os.unlink(filename)
-
- def __find_scripts_dir(self, instance):
- """
- IPA stores its 389-ds scripts in a different directory than dogtag
- does so we need to probe for it.
- """
- if instance != 'PKI-IPA':
- return os.path.join(paths.VAR_LIB_DIRSRV, 'scripts-%s' % instance)
- else:
- if sys.maxsize > 2**32:
- libpath = 'lib64'
- else:
- libpath = 'lib'
- return os.path.join(paths.USR_DIR, libpath, 'dirsrv', 'slapd-PKI-IPA')
-
def __create_dogtag_log_dirs(self):
"""
If we are doing a full restore and the dogtag log directories do
@@ -790,11 +772,6 @@ class Restore(admintool.AdminTool):
or a d10-based installation.
"""
dirs = []
- # dogtag 9
- if (os.path.exists(paths.VAR_LIB_PKI_CA_DIR) and
- not os.path.exists(paths.PKI_CA_LOG_DIR)):
- dirs += [paths.PKI_CA_LOG_DIR,
- os.path.join(paths.PKI_CA_LOG_DIR, 'signedAudit')]
# dogtag 10
if (os.path.exists(paths.VAR_LIB_PKI_TOMCAT_DIR) and
not os.path.exists(paths.TOMCAT_TOPLEVEL_DIR)):
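Review bot: The docstring fragment kept as context above, "... or a d10-based installation.", still describes choosing between two Dogtag generations, but after this hunk only the `# dogtag 10` branch exists, so the sentence is misleading. Reword the docstring to say that the method recreates the pki-tomcat log directories when `paths.VAR_LIB_PKI_TOMCAT_DIR` exists but `paths.TOMCAT_TOPLEVEL_DIR` does not, and drop the now-redundant `# dogtag 10` label. The start of the docstring and the rest of the method lie outside this hunk.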
@@ -879,7 +856,5 @@ class Restore(admintool.AdminTool):
api.bootstrap(in_server=False, context='restore', **overrides)
api.finalize()
- self.instances = [
- installutils.realm_to_serverid(api.env.realm), 'PKI-IPA'
- ]
+ self.instances = [installutils.realm_to_serverid(api.env.realm)]
self.backends = ['userRoot', 'ipaca']
diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
index 40c283e6d..14568ec42 100644
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -6,8 +6,8 @@ import os
from ipalib import api, errors
from ipaplatform import services
+from ipaplatform.paths import paths
from ipapython import certdb
-from ipapython import dogtag
from ipapython import ipautil
from ipapython.dn import DN
from ipaserver.install import custodiainstance
@@ -18,9 +18,7 @@ from ipaserver.install import service
def install_check(api, replica_config, options):
- dogtag_constants = dogtag.configured_constants(api=api)
- kra = krainstance.KRAInstance(api.env.realm,
- dogtag_constants=dogtag_constants)
+ kra = krainstance.KRAInstance(api.env.realm)
if kra.is_installed():
raise RuntimeError("KRA is already installed.")
@@ -61,10 +59,7 @@ def install_check(api, replica_config, options):
def install(api, replica_config, options):
subject = dsinstance.DsInstance().find_subject_base()
if replica_config is None:
- kra = krainstance.KRAInstance(
- api.env.realm,
- dogtag_constants=dogtag.install_constants)
-
+ kra = krainstance.KRAInstance(api.env.realm)
kra.configure_instance(
api.env.realm, api.env.host, options.dm_password,
options.dm_password, subject_base=subject)
@@ -78,9 +73,7 @@ def install(api, replica_config, options):
custodia.get_kra_keys(replica_config.kra_host_name,
ca_data[0], ca_data[1])
- kra = krainstance.KRAInstance(
- replica_config.realm_name,
- dogtag_constants=dogtag.install_constants)
+ kra = krainstance.KRAInstance(replica_config.realm_name)
kra.configure_replica(replica_config.host_name,
replica_config.kra_host_name,
replica_config.dirman_password,
@@ -96,16 +89,14 @@ def install(api, replica_config, options):
kra.ldap_enable('KRA', api.env.host, options.dm_password, api.env.basedn)
- kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
+ kra.enable_client_auth_to_db(paths.KRA_CS_CFG_PATH)
# Restart apache for new proxy config file
services.knownservices.httpd.restart(capture_output=True)
def uninstall(standalone):
- dogtag_constants = dogtag.configured_constants(api)
- kra = krainstance.KRAInstance(api.env.realm,
- dogtag_constants=dogtag_constants)
+ kra = krainstance.KRAInstance(api.env.realm)
if standalone:
kra.ldap_connect()
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index be62226ad..d58bcc659 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -30,7 +30,6 @@ from ipalib import x509
from ipaplatform import services
from ipaplatform.paths import paths
from ipapython import certdb
-from ipapython import dogtag
from ipapython import ipautil
from ipapython.dn import DN
from ipaserver.install import certs
@@ -39,7 +38,7 @@ from ipaserver.install import installutils
from ipaserver.install import ldapupdate
from ipaserver.install import service
from ipaserver.install.dogtaginstance import (
- DEFAULT_DSPORT, PKI_USER, export_kra_agent_pem, DogtagInstance)
+ PKI_USER, export_kra_agent_pem, DogtagInstance)
from ipaserver.plugins import ldap2
from ipapython.ipa_log_manager import log_mgr
@@ -68,23 +67,18 @@ class KRAInstance(DogtagInstance):
('transportCert cert-pki-kra', None),
('storageCert cert-pki-kra', None))
- def __init__(self, realm, dogtag_constants=None):
- if dogtag_constants is None:
- dogtag_constants = dogtag.configured_constants()
-
+ def __init__(self, realm):
super(KRAInstance, self).__init__(
realm=realm,
subsystem="KRA",
service_desc="KRA server",
- dogtag_constants=dogtag_constants
)
self.basedn = DN(('o', 'kra'), ('o', 'ipaca'))
self.log = log_mgr.get_logger(self)
def configure_instance(self, realm_name, host_name, dm_password,
- admin_password, ds_port=DEFAULT_DSPORT,
- pkcs12_info=None, master_host=None,
+ admin_password, pkcs12_info=None, master_host=None,
subject_base=None):
"""Create a KRA instance.
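Review bot: Removing `ds_port` from the middle of `configure_instance`'s parameter list changes the meaning of any caller that passes arguments positionally: a fifth positional argument that used to be the port now lands in `pkcs12_info`, and because the body below sets `self.clone = True` whenever `pkcs12_info is not None`, such a call would silently turn a fresh install into a clone instead of failing. The callers visible in this diff (kra.py) pass `subject_base=` by keyword and nothing positional after `admin_password`, so they are safe, but I cannot see other callers. If the file is Python 3 only, `def configure_instance(self, realm_name, host_name, dm_password, admin_password, *, pkcs12_info=None, master_host=None, subject_base=None):` makes a stale positional call fail loudly; otherwise keep a `ds_port=None` placeholder that raises if it is ever set. The method body continues outside this hunk.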
@@ -93,7 +87,6 @@ class KRAInstance(DogtagInstance):
self.fqdn = host_name
self.dm_password = dm_password
self.admin_password = admin_password
- self.ds_port = ds_port
self.pkcs12_info = pkcs12_info
if self.pkcs12_info is not None:
self.clone = True
@@ -110,9 +103,7 @@ class KRAInstance(DogtagInstance):
raise RuntimeError(
"KRA already installed.")
# Confirm that a Dogtag 10 CA instance already exists
- ca = cainstance.CAInstance(
- api.env.realm, certs.NSS_DIR,
- dogtag_constants=dogtag.Dogtag10Constants)
+ ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
if not ca.is_installed():
raise RuntimeError(
"KRA configuration failed. "
@@ -185,7 +176,7 @@ class KRAInstance(DogtagInstance):
config.set("KRA", "pki_client_admin_cert_p12", paths.DOGTAG_ADMIN_P12)
# Directory server
- config.set("KRA", "pki_ds_ldap_port", str(self.ds_port))
+ config.set("KRA", "pki_ds_ldap_port", "389")
config.set("KRA", "pki_ds_password", self.dm_password)
config.set("KRA", "pki_ds_base_dn", self.basedn)
config.set("KRA", "pki_ds_database", "ipaca")
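Review bot: `pki_ds_ldap_port` is now fixed to 389 and the next line puts the Directory Manager password into the same pkispawn config, so this bootstrap presumably talks to the local DS over plain LDAP before `enable_client_auth_to_db` (dogtaginstance.py in this diff) switches the subsystem to port 636 with certificate authentication. Two things are worth confirming since the file that receives this config is created outside the hunk: that it is written with mode 0600 and removed once pkispawn returns, and that no option elsewhere points pkispawn at a non-local host on 389. A comment on the port line records the assumption for the next reader: `# bootstrap against the local DS on 389; enable_client_auth_to_db() moves the subsystem to 636 + client cert afterwards`. The method continues outside this hunk.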
@@ -337,7 +328,7 @@ class KRAInstance(DogtagInstance):
ld.update([os.path.join(paths.UPDATES_DIR, '40-vault.update')])
@staticmethod
- def update_cert_config(nickname, cert, dogtag_constants=None):
+ def update_cert_config(nickname, cert):
"""
When renewing a KRA subsystem certificate the configuration file
needs to get the new certificate as well.
@@ -346,9 +337,6 @@ class KRAInstance(DogtagInstance):
cert is a DER-encoded certificate.
"""
- if dogtag_constants is None:
- dogtag_constants = dogtag.configured_constants()
-
# The cert directive to update per nickname
directives = {
'auditSigningCert cert-pki-kra': 'kra.audit_signing.cert',
@@ -358,9 +346,7 @@ class KRAInstance(DogtagInstance):
'Server-Cert cert-pki-ca': 'kra.sslserver.cert'}
DogtagInstance.update_cert_cs_cfg(
- nickname, cert, directives,
- dogtag.configured_constants().KRA_CS_CFG_PATH,
- dogtag_constants)
+ nickname, cert, directives, paths.KRA_CS_CFG_PATH)
def __enable_instance(self):
self.ldap_enable('KRA', self.fqdn, None, self.suffix)
@@ -373,7 +359,6 @@ class KRAInstance(DogtagInstance):
"""
self.fqdn = host_name
self.dm_password = dm_password
- self.ds_port = DEFAULT_DSPORT
self.master_host = master_host
if subject_base is None:
self.subject_base = DN(('O', self.realm))
@@ -390,8 +375,7 @@ class KRAInstance(DogtagInstance):
raise RuntimeError(
"KRA already installed.")
# Confirm that a Dogtag 10 CA instance already exists
- ca = cainstance.CAInstance(self.realm, certs.NSS_DIR,
- dogtag_constants=dogtag.Dogtag10Constants)
+ ca = cainstance.CAInstance(self.realm, certs.NSS_DIR)
if not ca.is_installed():
raise RuntimeError(
"KRA configuration failed. "
@@ -433,8 +417,7 @@ def install_replica_kra(config, postinstall=False):
"Unable to clone KRA."
" cacert.p12 file not found in replica file")
- _kra = KRAInstance(config.realm_name,
- dogtag_constants=dogtag.install_constants)
+ _kra = KRAInstance(config.realm_name)
_kra.dm_password = config.dirman_password
_kra.subject_base = config.subject_base
if _kra.is_installed():
@@ -455,8 +438,8 @@ def install_replica_kra(config, postinstall=False):
# dogtag
service.print_msg("Restarting the directory and KRA servers")
- _kra.stop(dogtag.install_constants.PKI_INSTANCE_NAME)
+ _kra.stop('pki-tomcat')
services.knownservices.dirsrv.restart()
- _kra.start(dogtag.install_constants.PKI_INSTANCE_NAME)
+ _kra.start('pki-tomcat')
return _kra
diff --git a/ipaserver/install/plugins/ca_renewal_master.py b/ipaserver/install/plugins/ca_renewal_master.py
index dae976f02..e83cf3b02 100644
--- a/ipaserver/install/plugins/ca_renewal_master.py
+++ b/ipaserver/install/plugins/ca_renewal_master.py
@@ -21,7 +21,7 @@ from ipaserver.install import installutils, certs, cainstance
from ipalib import errors
from ipalib import Updater
from ipalib.plugable import Registry
-from ipapython import certmonger, dogtag
+from ipapython import certmonger
from ipaplatform.paths import paths
from ipapython.dn import DN
@@ -83,8 +83,7 @@ class update_ca_renewal_master(Updater):
self.debug("certmonger request for ipaCert not found")
config = installutils.get_directive(
- dogtag.configured_constants().CS_CFG_PATH,
- 'subsystem.select', '=')
+ paths.CA_CS_CFG_PATH, 'subsystem.select', '=')
if config == 'New':
pass
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 443f7ca23..b408d4fbe 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -30,7 +30,7 @@ import ldap
from ipalib import api, errors
from ipalib.constants import CACERT
from ipapython.ipa_log_manager import *
-from ipapython import ipautil, dogtag, ipaldap
+from ipapython import ipautil, ipaldap
from ipapython.dn import DN
from ipaplatform import services
from ipaplatform.paths import paths
@@ -86,7 +86,7 @@ def replica_conn_check(master_host, host_name, realm, check_ca,
args.extend(["--password", admin_password])
nolog=(admin_password,)
- if check_ca and dogtag_master_ds_port == dogtag.Dogtag9Constants.DS_PORT:
+ if check_ca and dogtag_master_ds_port == 7389:
args.append('--check-ca')
(stdin, stderr, returncode) = ipautil.run(
args, raiseonerr=False, capture_output=False, nolog=nolog)
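Review bot: `dogtag_master_ds_port == 7389` is the third place this commit spells out the Dogtag 9 DS port as a bare literal (also `read_replica_info_dogtag_port` in installutils.py and `get_cs_replication_manager` below), and here it is the only thing deciding whether `--check-ca` is sent, so a module-level `DOGTAG9_DS_PORT = 7389  # separate CA DS of a Dogtag 9 master` used in all three places would make the condition self-explaining. Separately and pre-existing, the context line above passes the admin password as `--password` on the subprocess command line, where it is readable in the process list while the conncheck runs even though `nolog` keeps it out of the log; worth a follow-up ticket rather than this commit. The function starts before this hunk.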
@@ -1737,7 +1737,7 @@ class CSReplicationManager(ReplicationManager):
if self.conn.port == 7389:
instance_name = 'pki-ca'
else:
- instance_name = dogtag.configured_constants(api).PKI_INSTANCE_NAME
+ instance_name = 'pki-tomcat'
# if master is not None we know what dn to return:
if master is not None:
@@ -1797,10 +1797,7 @@ def get_cs_replication_manager(realm, host, dirman_passwd):
# Fall back to the old PKI-only DS port. Check that it has the ipaca tree
# (IPA with merged DB theoretically leaves port 7389 free for anyone).
# If it doesn't, raise exception.
- ports = [
- dogtag.Dogtag10Constants.DS_PORT,
- dogtag.Dogtag9Constants.DS_PORT,
- ]
+ ports = [389, 7389]
for port in ports:
root_logger.debug('Looking for PKI DS on %s:%s' % (host, port))
replication_manager = CSReplicationManager(
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 6629e8ec1..6ecb87ac9 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -15,7 +15,7 @@ import textwrap
import six
-from ipapython import certmonger, dogtag, ipaldap, ipautil, sysrestore
+from ipapython import certmonger, ipaldap, ipautil, sysrestore
from ipapython.dn import DN
from ipapython.install import common, core
from ipapython.install.common import step
@@ -303,8 +303,6 @@ def install_check(installer):
external_ca_file = installer._external_ca_file
http_ca_cert = installer._ca_cert
- dogtag_constants = dogtag.install_constants
-
tasks.check_selinux_status()
if options.master_password:
@@ -575,7 +573,7 @@ def install_check(installer):
if setup_ca:
fd.write("enable_ra=True\n")
fd.write("ra_plugin=dogtag\n")
- fd.write("dogtag_version=%s\n" % dogtag_constants.DOGTAG_VERSION)
+ fd.write("dogtag_version=10\n")
else:
fd.write("enable_ra=False\n")
fd.write("ra_plugin=none\n")
@@ -700,8 +698,6 @@ def install(installer):
setup_ca = options.setup_ca
setup_kra = options.setup_kra
- dogtag_constants = dogtag.install_constants
-
# Installation has started. No IPA sysrestore items are restored in case of
# failure to enable root cause investigation
installer._installation_cleanup = False
@@ -777,8 +773,7 @@ def install(installer):
ca.install_step_0(False, None, options)
# Now put the CA cert where other instances exepct it
- ca_instance = cainstance.CAInstance(realm_name, certs.NSS_DIR,
- dogtag_constants=dogtag_constants)
+ ca_instance = cainstance.CAInstance(realm_name, certs.NSS_DIR)
ca_instance.publish_ca_cert(CACERT)
else:
# Put the CA cert where other instances expect it
@@ -856,8 +851,7 @@ def install(installer):
krb.restart()
if setup_ca:
- dogtag_service = services.knownservices[dogtag_constants.SERVICE_NAME]
- dogtag_service.restart(dogtag_constants.PKI_INSTANCE_NAME)
+ services.knownservices['pki_tomcatd'].restart('pki-tomcat')
if options.setup_dns:
api.Backend.ldap2.connect(autobind=True)
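Review bot: The service is looked up here as `services.knownservices['pki_tomcatd']` (and the same way in replicainstall.py), while the dogtaginstance.py hunks of this commit pass `'pki-tomcatd'` to the Service base class and to `stopped_service`; the old `dogtag_constants.SERVICE_NAME` hid the fact that two spellings are in play, so it is worth confirming that knownservices registers both. If it does, pick one form for the whole commit, e.g. `services.knownservices.pki_tomcatd.restart('pki-tomcat')`, so a grep for the service name finds every use. `install()` continues on both sides of this hunk.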
@@ -1052,9 +1046,6 @@ def uninstall(installer):
except Exception as e:
pass
- # Need to get dogtag info before /etc/ipa/default.conf is removed
- dogtag_constants = dogtag.configured_constants()
-
print("Removing IPA client configuration")
try:
(stdout, stderr, rc) = run([paths.IPA_CLIENT_INSTALL, "--on-master",
@@ -1072,7 +1063,7 @@ def uninstall(installer):
kra.uninstall(False)
- ca.uninstall(dogtag_constants)
+ ca.uninstall()
dns.uninstall()
@@ -1134,7 +1125,7 @@ def uninstall(installer):
# Note that this name will be wrong after the first uninstall.
dirname = dsinstance.config_dirname(
installutils.realm_to_serverid(api.env.realm))
- dirs = [dirname, dogtag_constants.ALIAS_DIR, certs.NSS_DIR]
+ dirs = [dirname, paths.PKI_TOMCAT_ALIAS_DIR, certs.NSS_DIR]
ids = certmonger.check_state(dirs)
if ids:
root_logger.error('Some certificates may still be tracked by '
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 492ea72d8..4b811105b 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -14,7 +14,7 @@ import socket
import sys
import tempfile
-from ipapython import certmonger, dogtag, ipaldap, ipautil, sysrestore
+from ipapython import certmonger, ipaldap, ipautil, sysrestore
from ipapython.dn import DN
from ipapython.install import common, core
from ipapython.install.common import step
@@ -465,8 +465,7 @@ def install_check(installer):
if ipautil.file_exists(config.dir + "/cacert.p12"):
fd.write("enable_ra=True\n")
fd.write("ra_plugin=dogtag\n")
- fd.write("dogtag_version=%s\n" %
- dogtag.install_constants.DOGTAG_VERSION)
+ fd.write("dogtag_version=10\n")
else:
fd.write("enable_ra=False\n")
fd.write("ra_plugin=none\n")
@@ -631,8 +630,6 @@ def install(installer):
sstore = installer._sstore
config = installer._config
- dogtag_constants = dogtag.install_constants
-
if installer._update_hosts_file:
installutils.update_hosts_file(config.ips, config.host_name, fstore)
@@ -685,9 +682,7 @@ def install(installer):
ipautil.realm_to_suffix(config.realm_name))
if ipautil.file_exists(config.dir + "/cacert.p12"):
- CA = cainstance.CAInstance(
- config.realm_name, certs.NSS_DIR,
- dogtag_constants=dogtag_constants)
+ CA = cainstance.CAInstance(config.realm_name, certs.NSS_DIR)
CA.dm_password = config.dirman_password
CA.configure_certmonger_renewal()
@@ -716,8 +711,7 @@ def install(installer):
krb.restart()
if config.setup_ca:
- dogtag_service = services.knownservices[dogtag_constants.SERVICE_NAME]
- dogtag_service.restart(dogtag_constants.PKI_INSTANCE_NAME)
+ services.knownservices['pki_tomcatd'].restart('pki-tomcat')
if options.setup_dns:
api.Backend.ldap2.connect(autobind=True)
@@ -965,7 +959,7 @@ def promote_check(installer):
if not options.skip_conncheck:
replica_conn_check(
config.master_host_name, config.host_name, config.realm_name,
- options.setup_ca, dogtag.Dogtag10Constants.DS_PORT,
+ options.setup_ca, 389,
options.admin_password, principal=options.principal)
if not ipautil.file_exists(cafile):
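Review bot: The `389` passed to replica_conn_check on L1684 replaces the named `Dogtag10Constants.DS_PORT` with a bare number, and the same pattern recurs with `8009` (formerly `AJP_PORT`) in upgrade_configuration at L1995 and `8080` (formerly `UNSECURE_PORT`) in the dogtag plugin at L2064. A module-level constant such as `DS_PORT = 389`, mirroring the name that was removed, keeps the call sites self-documenting and gives one place to change if a non-default port is ever needed. promote_check() continues outside this hunk.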
@@ -994,8 +988,6 @@ def promote(installer):
config.promote = installer.promote
config.dirman_password = hexlify(ipautil.ipa_generate_password())
- dogtag_constants = dogtag.install_constants
-
# FIXME: allow to use passed in certs instead
if installer._ca_enabled:
configure_certmonger()
@@ -1032,8 +1024,7 @@ def promote(installer):
ipaconf.setOption('mode', 'production'),
ipaconf.setOption('enable_ra', 'True'),
ipaconf.setOption('ra_plugin', 'dogtag'),
- ipaconf.setOption('dogtag_version',
- dogtag.install_constants.DOGTAG_VERSION)]
+ ipaconf.setOption('dogtag_version', '10')]
opts = [ipaconf.setSection('global', gopts)]
ipaconf.changeConf(target_fname, opts)
@@ -1069,7 +1060,6 @@ def promote(installer):
custodia.get_ca_keys(config.ca_host_name, ca_data[0], ca_data[1])
ca = cainstance.CAInstance(config.realm_name, certs.NSS_DIR,
- dogtag_constants=dogtag.install_constants,
host_name=config.host_name,
dm_password=config.dirman_password)
ca.configure_replica(config.ca_host_name,
@@ -1081,9 +1071,7 @@ def promote(installer):
config.dirman_password)
custodia.get_kra_keys(config.kra_host_name, ca_data[0], ca_data[1])
- constants = dogtag.install_constants
- kra = krainstance.KRAInstance(config.realm_name,
- dogtag_constants=constants)
+ kra = krainstance.KRAInstance(config.realm_name)
kra.configure_replica(config.host_name, config.kra_host_name,
config.dirman_password,
kra_cert_bundle=ca_data)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 84339b0a2..e193b85b9 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -24,7 +24,7 @@ from ipapython import ipautil, sysrestore, version, certdb
from ipapython import ipaldap
from ipapython.ipa_log_manager import *
from ipapython import certmonger
-from ipapython import dogtag
+from ipapython.dn import DN
from ipaplatform.paths import paths
from ipaserver.install import installutils
from ipaserver.install import dsinstance
@@ -40,6 +40,7 @@ from ipaserver.install import custodiainstance
from ipaserver.install import sysupgrade
from ipaserver.install import dnskeysyncinstance
from ipaserver.install import krainstance
+from ipaserver.install import dogtaginstance
from ipaserver.install.upgradeinstance import IPAUpgrade
from ipaserver.install.ldapupdate import BadSyntax
@@ -201,7 +202,6 @@ def upgrade_pki(ca, fstore):
This requires enabling SSL renegotiation.
"""
- configured_constants = dogtag.configured_constants()
root_logger.info('[Verifying that CA proxy configuration is correct]')
if not ca.is_configured():
root_logger.info('CA is not configured')
@@ -209,16 +209,8 @@ def upgrade_pki(ca, fstore):
http = httpinstance.HTTPInstance(fstore)
http.enable_mod_nss_renegotiate()
- if not installutils.get_directive(configured_constants.CS_CFG_PATH,
- 'proxy.securePort', '=') and \
- os.path.exists(paths.PKI_SETUP_PROXY):
- # update proxy configuration with stopped dogtag to prevent corruption
- # of CS.cfg
- ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib',
- '-pki_instance_name=pki-ca','-subsystem_type=ca'])
- root_logger.debug('Proxy configuration updated')
- else:
- root_logger.debug('Proxy configuration up-to-date')
+
+ root_logger.debug('Proxy configuration up-to-date')
def update_dbmodules(realm, filename=paths.KRB5_CONF):
newfile = []
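Review bot: With the conditional removed, `root_logger.debug('Proxy configuration up-to-date')` on L1762 is emitted unconditionally although nothing about the proxy is checked any more, and the `[Verifying that CA proxy configuration is correct]` info line just above this hunk now announces a verification that no longer happens. Either drop both messages or reword them to what the function still does (enabling mod_nss renegotiation), and adjust the docstring that opens upgrade_pki outside this hunk to match. The function body ends within this hunk.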
@@ -315,15 +307,13 @@ def ca_enable_ldap_profile_subsystem(ca):
root_logger.info('CA is not configured')
return False
- caconfig = dogtag.configured_constants()
-
needs_update = False
directive = None
try:
for i in range(15):
directive = "subsystem.{}.class".format(i)
value = installutils.get_directive(
- caconfig.CS_CFG_PATH,
+ paths.CA_CS_CFG_PATH,
directive,
separator='=')
if value == 'com.netscape.cmscore.profile.ProfileSubsystem':
@@ -331,18 +321,18 @@ def ca_enable_ldap_profile_subsystem(ca):
break
except OSError as e:
root_logger.error('Cannot read CA configuration file "%s": %s',
- caconfig.CS_CFG_PATH, e)
+ paths.CA_CS_CFG_PATH, e)
return False
if needs_update:
installutils.set_directive(
- caconfig.CS_CFG_PATH,
+ paths.CA_CS_CFG_PATH,
directive,
'com.netscape.cmscore.profile.LDAPProfileSubsystem',
quotes=False,
separator='=')
- ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
+ ca.restart('pki-tomcat')
cainstance.migrate_profiles_to_ldap()
return needs_update
@@ -803,13 +793,12 @@ def certificate_renewal_update(ca):
"""
Update certmonger certificate renewal configuration.
"""
- dogtag_constants = dogtag.configured_constants()
# bump version when requests is changed
version = 4
requests = (
(
- dogtag_constants.ALIAS_DIR,
+ paths.PKI_TOMCAT_ALIAS_DIR,
'auditSigningCert cert-pki-ca',
'dogtag-ipa-ca-renew-agent',
'stop_pkicad',
@@ -817,7 +806,7 @@ def certificate_renewal_update(ca):
None,
),
(
- dogtag_constants.ALIAS_DIR,
+ paths.PKI_TOMCAT_ALIAS_DIR,
'ocspSigningCert cert-pki-ca',
'dogtag-ipa-ca-renew-agent',
'stop_pkicad',
@@ -825,7 +814,7 @@ def certificate_renewal_update(ca):
None,
),
(
- dogtag_constants.ALIAS_DIR,
+ paths.PKI_TOMCAT_ALIAS_DIR,
'subsystemCert cert-pki-ca',
'dogtag-ipa-ca-renew-agent',
'stop_pkicad',
@@ -833,7 +822,7 @@ def certificate_renewal_update(ca):
None,
),
(
- dogtag_constants.ALIAS_DIR,
+ paths.PKI_TOMCAT_ALIAS_DIR,
'caSigningCert cert-pki-ca',
'dogtag-ipa-ca-renew-agent',
'stop_pkicad',
@@ -849,7 +838,7 @@ def certificate_renewal_update(ca):
None,
),
(
- dogtag_constants.ALIAS_DIR,
+ paths.PKI_TOMCAT_ALIAS_DIR,
'Server-Cert cert-pki-ca',
'dogtag-ipa-renew-agent',
'stop_pkicad',
@@ -928,15 +917,13 @@ def copy_crl_file(old_path, new_path=None):
"""
if new_path is None:
filename = os.path.basename(old_path)
- new_path = os.path.join(dogtag.configured_constants().CRL_PUBLISH_PATH,
- filename)
+ new_path = os.path.join(paths.PKI_CA_PUBLISH_DIR, filename)
root_logger.debug('copy_crl_file: %s -> %s', old_path, new_path)
if os.path.islink(old_path):
# update symlink to the most most recent CRL file
filename = os.path.basename(os.readlink(old_path))
- realpath = os.path.join(dogtag.configured_constants().CRL_PUBLISH_PATH,
- filename)
+ realpath = os.path.join(paths.PKI_CA_PUBLISH_DIR, filename)
root_logger.debug('copy_crl_file: Create symlink %s -> %s',
new_path, realpath)
os.symlink(realpath, new_path)
@@ -961,22 +948,21 @@ def migrate_crl_publish_dir(ca):
root_logger.info('CA is not configured')
return False
- caconfig = dogtag.configured_constants()
-
try:
- old_publish_dir = installutils.get_directive(caconfig.CS_CFG_PATH,
+ old_publish_dir = installutils.get_directive(
+ paths.CA_CS_CFG_PATH,
'ca.publish.publisher.instance.FileBaseCRLPublisher.directory',
separator='=')
except OSError as e:
root_logger.error('Cannot read CA configuration file "%s": %s',
- caconfig.CS_CFG_PATH, e)
+ paths.CA_CS_CFG_PATH, e)
return False
# Prepare target publish dir (creation, permissions, SELinux context)
# Run this every update to ensure proper values
publishdir = ca.prepare_crl_publish_dir()
- if old_publish_dir == caconfig.CRL_PUBLISH_PATH:
+ if old_publish_dir == paths.PKI_CA_PUBLISH_DIR:
# publish dir is already updated
root_logger.info('Publish directory already set to new location')
sysupgrade.set_upgrade_state('dogtag', 'moved_crl_publish_dir', True)
@@ -1000,16 +986,17 @@ def migrate_crl_publish_dir(ca):
root_logger.error('Cannot move CRL file to new directory: %s', e)
try:
- installutils.set_directive(caconfig.CS_CFG_PATH,
+ installutils.set_directive(
+ paths.CA_CS_CFG_PATH,
'ca.publish.publisher.instance.FileBaseCRLPublisher.directory',
publishdir, quotes=False, separator='=')
except OSError as e:
root_logger.error('Cannot update CA configuration file "%s": %s',
- caconfig.CS_CFG_PATH, e)
+ paths.CA_CS_CFG_PATH, e)
return False
sysupgrade.set_upgrade_state('dogtag', 'moved_crl_publish_dir', True)
root_logger.info('CRL publish directory has been migrated, '
- 'request pki-ca restart')
+ 'request pki-tomcat restart')
return True
@@ -1101,6 +1088,76 @@ def uninstall_selfsign(ds, http):
http.stop_tracking_certificates()
+def uninstall_dogtag_9(ds, http):
+ root_logger.info('[Removing Dogtag 9 CA]')
+
+ if api.env.ra_plugin != 'dogtag':
+ root_logger.debug('Dogtag CA is not installed')
+ return
+ if api.env.dogtag_version >= 10:
+ root_logger.debug('Dogtag is version 10 or above')
+ return
+
+ if not api.Backend.ldap2.isconnected():
+ try:
+ api.Backend.ldap2.connect(autobind=True)
+ except ipalib.errors.PublicError as e:
+ root_logger.error("Cannot connect to LDAP: %s", e)
+
+ dn = DN(('cn', 'CA'), ('cn', api.env.host), ('cn', 'masters'),
+ ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
+ try:
+ api.Backend.ldap2.delete_entry(dn)
+ except ipalib.errors.PublicError as e:
+ root_logger.error("Cannot delete %s: %s", dn, e)
+
+ p = SafeConfigParser()
+ p.read(paths.IPA_DEFAULT_CONF)
+ p.set('global', 'dogtag_version', '10')
+ with open(paths.IPA_DEFAULT_CONF, 'w') as f:
+ p.write(f)
+
+ sstore = sysrestore.StateFile(paths.SYSRESTORE)
+ sstore.restore_state('pkids', 'enabled')
+ sstore.restore_state('pkids', 'running')
+ sstore.restore_state('pkids', 'user_exists')
+ serverid = sstore.restore_state('pkids', 'serverid')
+ sstore.save()
+
+ ca = dogtaginstance.DogtagInstance(
+ api.env.realm, "CA", "certificate server",
+ nss_db=paths.VAR_LIB_PKI_CA_ALIAS_DIR)
+ ca.stop_tracking_certificates(False)
+
+ if serverid is not None:
+ # drop the trailing / off the config_dirname so the directory
+ # will match what is in certmonger
+ dirname = dsinstance.config_dirname(serverid)[:-1]
+ dsdb = certs.CertDB(api.env.realm, nssdir=dirname)
+ dsdb.untrack_server_cert("Server-Cert")
+
+ try:
+ services.service('pki-cad').disable('pki-ca')
+ except Exception as e:
+ root_logger.warning("Failed to disable pki-cad: %s", e)
+ try:
+ services.service('pki-cad').stop('pki-ca')
+ except Exception as e:
+ root_logger.warning("Failed to stop pki-cad: %s", e)
+
+ if serverid is not None:
+ try:
+ services.service('dirsrv').disable(serverid)
+ except Exception as e:
+ root_logger.warning("Failed to disable dirsrv: %s", e)
+ try:
+ services.service('dirsrv').stop(serverid)
+ except Exception as e:
+ root_logger.warning("Failed to stop dirsrv: %s", e)
+
+ http.restart()
+
+
def mask_named_regular():
"""Disable named, we need to run only named-pkcs11, running both named and
named-pkcs can cause unexpected errors"""
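Review bot: The `dogtag_version` bump on L1936–L1938 is written even when the preceding steps failed, and on the next run the `api.env.dogtag_version >= 10` guard on L1917 returns before any cleanup is retried; a failed LDAP connect on L1923 or delete on L1930 is only logged, so a stale `cn=CA,cn=<host>,cn=masters` entry can survive and keep advertising this host as a CA to the rest of the topology. Consider returning after the connect error and placing the default.conf rewrite behind a successful delete_entry, with a not-found error treated as success so a re-run stays idempotent. Rewriting the file through SafeConfigParser also discards its comments, whereas promote() in replicainstall.py edits the same option via `ipaconf.changeConf` (presumably on the same file); reusing that keeps the file intact. The function has no docstring; a line such as `"""Disable a leftover Dogtag 9 CA and its DS instance, then switch default.conf to dogtag_version=10."""` would match its neighbours, and the unused `ds` parameter deserves a word if it is kept for signature symmetry with uninstall_selfsign.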
@@ -1359,13 +1416,12 @@ def upgrade_configuration():
check_certs()
auto_redirect = find_autoredirect(fqdn)
- configured_constants = dogtag.configured_constants()
sub_dict = dict(
REALM=api.env.realm,
FQDN=fqdn,
AUTOREDIR='' if auto_redirect else '#',
- CRL_PUBLISH_PATH=configured_constants.CRL_PUBLISH_PATH,
- DOGTAG_PORT=configured_constants.AJP_PORT,
+ CRL_PUBLISH_PATH=paths.PKI_CA_PUBLISH_DIR,
+ DOGTAG_PORT=8009,
CLONE='#'
)
@@ -1375,9 +1431,7 @@ def upgrade_configuration():
ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
- with installutils.stopped_service(configured_constants.SERVICE_NAME,
- configured_constants.PKI_INSTANCE_NAME):
-
+ with installutils.stopped_service('pki-tomcatd', 'pki-tomcat'):
# Dogtag must be stopped to be able to backup CS.cfg config
ca.backup_config()
@@ -1385,8 +1439,8 @@ def upgrade_configuration():
ca_restart = migrate_crl_publish_dir(ca)
if ca.is_configured():
- crl = installutils.get_directive(configured_constants.CS_CFG_PATH,
- 'ca.crl.MasterCRL.enableCRLUpdates', '=')
+ crl = installutils.get_directive(
+ paths.CA_CS_CFG_PATH, 'ca.crl.MasterCRL.enableCRLUpdates', '=')
sub_dict['CLONE']='#' if crl.lower() == 'true' else ''
ds_dirname = dsinstance.config_dirname(ds_serverid)
@@ -1470,6 +1524,7 @@ def upgrade_configuration():
http.start()
uninstall_selfsign(ds, http)
+ uninstall_dogtag_9(ds, http)
simple_service_list = (
(memcacheinstance.MemcacheInstance(), 'MEMCACHE'),
@@ -1542,9 +1597,10 @@ def upgrade_configuration():
])
if ca_restart:
- root_logger.info('pki-ca configuration changed, restart pki-ca')
+ root_logger.info(
+ 'pki-tomcat configuration changed, restart pki-tomcat')
try:
- ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
+ ca.restart('pki-tomcat')
except ipautil.CalledProcessError as e:
root_logger.error("Failed to restart %s: %s", ca.service_name, e)
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index c856cccd0..a2f40ef38 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -24,7 +24,7 @@ import time
import datetime
import traceback
-from ipapython import sysrestore, ipautil, dogtag, ipaldap
+from ipapython import sysrestore, ipautil, ipaldap
from ipapython.dn import DN
from ipapython.ipa_log_manager import *
from ipalib import api, errors, certstore
@@ -41,8 +41,8 @@ SERVICE_LIST = {
'MEMCACHE': ('ipa_memcached', 39),
'HTTP': ('httpd', 40),
'KEYS': ('ipa-custodia', 41),
- 'CA': ('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 50),
- 'KRA': ('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 51),
+ 'CA': ('pki-tomcatd', 50),
+ 'KRA': ('pki-tomcatd', 51),
'ADTRUST': ('smb', 60),
'EXTID': ('winbind', 70),
'OTPD': ('ipa-otpd', 80),
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 7b8416996..62ec1cce4 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1841,7 +1841,9 @@ class ra(rabase.rabase):
payload = etree.tostring(doc, pretty_print=False, xml_declaration=True, encoding='UTF-8')
self.debug('%s.find(): request: %s', self.fullname, payload)
- url = 'http://%s/ca/rest/certs/search?size=%d' % (ipautil.format_netloc(self.ca_host, ipapython.dogtag.configured_constants().UNSECURE_PORT), options.get('sizelimit', 100))
+ url = 'http://%s/ca/rest/certs/search?size=%d' % (
+ ipautil.format_netloc(self.ca_host, 8080),
+ options.get('sizelimit', 100))
opener = urllib.request.build_opener()
opener.addheaders = [('Accept-Encoding', 'gzip, deflate'),