summaryrefslogtreecommitdiffstats
path: root/ipaserver/install/kra.py
blob: 40c283e6d5ca2dc9647abf70624d56d05edd2c51 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
#
# Copyright (C) 2015  FreeIPA Contributors see COPYING for license
#

import os

from ipalib import api, errors
from ipaplatform import services
from ipapython import certdb
from ipapython import dogtag
from ipapython import ipautil
from ipapython.dn import DN
from ipaserver.install import custodiainstance
from ipaserver.install import cainstance
from ipaserver.install import krainstance
from ipaserver.install import dsinstance
from ipaserver.install import service


def install_check(api, replica_config, options):
    dogtag_constants = dogtag.configured_constants(api=api)
    kra = krainstance.KRAInstance(api.env.realm,
                                  dogtag_constants=dogtag_constants)
    if kra.is_installed():
        raise RuntimeError("KRA is already installed.")

    if not options.setup_ca:
        if cainstance.is_ca_installed_locally():
            if api.env.dogtag_version >= 10:
                # correct dogtag version of CA installed
                pass
            else:
                raise RuntimeError(
                    "Dogtag must be version 10.2 or above to install KRA")
        else:
            raise RuntimeError(
                "Dogtag CA is not installed.  Please install the CA first")

    if replica_config is not None:
        if not api.Command.kra_is_enabled()['result']:
            raise RuntimeError("KRA is not installed on the master system")

        if options.promote:
            return

        with certdb.NSSDatabase() as tmpdb:
            pw = ipautil.write_tmp_file(ipautil.ipa_generate_password())
            tmpdb.create_db(pw.name)
            tmpdb.import_pkcs12(replica_config.dir + "/cacert.p12", pw.name,
                                replica_config.dirman_password)
            kra_cert_nicknames = [
                "storageCert cert-pki-kra", "transportCert cert-pki-kra",
                "auditSigningCert cert-pki-kra"
            ]
            if not all(tmpdb.has_nickname(nickname)
                       for nickname in kra_cert_nicknames):
                raise RuntimeError("Missing KRA certificates, please create a "
                                   "new replica file.")


def install(api, replica_config, options):
    subject = dsinstance.DsInstance().find_subject_base()
    if replica_config is None:
        kra = krainstance.KRAInstance(
            api.env.realm,
            dogtag_constants=dogtag.install_constants)

        kra.configure_instance(
            api.env.realm, api.env.host, options.dm_password,
            options.dm_password, subject_base=subject)
    else:
        if options.promote:
            ca_data = (os.path.join(replica_config.dir, 'kracert.p12'),
                       replica_config.dirman_password)

            custodia = custodiainstance.CustodiaInstance(
                replica_config.host_name, replica_config.realm_name)
            custodia.get_kra_keys(replica_config.kra_host_name,
                                  ca_data[0], ca_data[1])

            kra = krainstance.KRAInstance(
                replica_config.realm_name,
                dogtag_constants=dogtag.install_constants)
            kra.configure_replica(replica_config.host_name,
                                  replica_config.kra_host_name,
                                  replica_config.dirman_password,
                                  kra_cert_bundle=ca_data)
            return

        else:
            kra = krainstance.install_replica_kra(replica_config)

    service.print_msg("Restarting the directory server")
    ds = dsinstance.DsInstance()
    ds.restart()

    kra.ldap_enable('KRA', api.env.host, options.dm_password, api.env.basedn)

    kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)

    # Restart apache for new proxy config file
    services.knownservices.httpd.restart(capture_output=True)


def uninstall(standalone):
    dogtag_constants = dogtag.configured_constants(api)
    kra = krainstance.KRAInstance(api.env.realm,
                                  dogtag_constants=dogtag_constants)

    if standalone:
        kra.ldap_connect()
        try:
            kra.admin_conn.delete_entry(DN(('cn', 'KRA'), ('cn', api.env.host),
                                           ('cn', 'masters'), ('cn', 'ipa'),
                                           ('cn', 'etc'), api.env.basedn))
        except errors.NotFound:
            pass

    kra.stop_tracking_certificates()
    if kra.is_installed():
        kra.uninstall()