| author | Fraser Tweedale <ftweedal@redhat.com> | 2016-06-01 08:07:33 +1000 |
|---|---|---|
| committer | Jan Cholasta <jcholast@redhat.com> | 2016-06-09 09:04:27 +0200 |
| commit | b0d9a4728f0dc78e2bbde344beac17ae50b847a9 (patch) | |
| tree | b5cca38aa8795073de92776942be6e6fe63b2479 /install | |
| parent | 0d37d230c066f9eb703c81e0e21b1b6738703b41 (diff) | |
Setup lightweight CA key retrieval on install/upgrade
Add the ipa-pki-retrieve-key helper program and configure
lightweight CA key replication on installation and upgrade. The
specific configuration steps are:
- Add the 'dogtag/$HOSTNAME' service principal
- Create the principal's Custodia keys
- Retrieve the principal's keytab
- Configure Dogtag's CS.cfg to use ExternalProcessKeyRetriever
to invoke ipa-pki-retrieve-key for key retrieval
Also bump the minimum version of Dogtag to 10.3.2.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'install')
| -rw-r--r-- | install/share/bootstrap-template.ldif | 6 | ||||
| -rw-r--r-- | install/tools/Makefile.am | 1 | ||||
| -rwxr-xr-x | install/tools/ipa-pki-retrieve-key | 32 | ||||
| -rw-r--r-- | install/updates/73-custodia.update | 5 |
4 files changed, 44 insertions, 0 deletions
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 83be43995..f6ab35495 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -179,6 +179,12 @@ objectClass: nsContainer
 objectClass: top
 cn: custodia
 
+dn: cn=dogtag,cn=custodia,cn=ipa,cn=etc,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: dogtag
+
 dn: cn=s4u2proxy,cn=etc,$SUFFIX
 changetype: add
 objectClass: nsContainer
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
index 7212dabdb..2866a30b2 100644
--- a/install/tools/Makefile.am
+++ b/install/tools/Makefile.am
@@ -39,6 +39,7 @@ EXTRA_DIST = \
 appdir = $(libexecdir)/ipa/
 app_SCRIPTS = \
 	ipa-httpd-kdcproxy \
+	ipa-pki-retrieve-key \
 	$(NULL)
 
 MAINTAINERCLEANFILES = \
diff --git a/install/tools/ipa-pki-retrieve-key b/install/tools/ipa-pki-retrieve-key
new file mode 100755
index 000000000..740e799d2
--- /dev/null
+++ b/install/tools/ipa-pki-retrieve-key
@@ -0,0 +1,32 @@
+#!/usr/bin/python2
+
+from __future__ import print_function
+
+import os
+import sys
+
+from ipalib import constants
+from ipalib.config import Env
+from ipaplatform.paths import paths
+from ipapython.secrets.client import CustodiaClient
+
+env = Env()
+env._finalize()
+
+keyname = "ca_wrapped/" + sys.argv[1]
+servername = sys.argv[2]
+
+service = constants.PKI_GSSAPI_SERVICE_NAME
+client_keyfile = os.path.join(paths.PKI_TOMCAT, service + '.keys')
+client_keytab = os.path.join(paths.PKI_TOMCAT, service + '.keytab')
+
+# pylint: disable=no-member
+client = CustodiaClient(
+    client_service='%s@%s' % (service, env.host), server=servername,
+    realm=env.realm, ldap_uri="ldaps://" + env.host,
+    keyfile=client_keyfile, keytab=client_keytab,
+    )
+
+# Print the response JSON to stdout; it is already in the format
+# that Dogtag's ExternalProcessKeyRetriever expects
+print(client.fetch_key(keyname, store=False))
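Review bot: In ipa-pki-retrieve-key, `keyname = "ca_wrapped/" + sys.argv[1]` and `servername = sys.argv[2]` index argv without checking its length, so a call with fewer arguments dies with an IndexError traceback instead of a usage error; add a guard before them: `if len(sys.argv) != 3:` / `print("usage: ipa-pki-retrieve-key KEYNAME SERVERNAME", file=sys.stderr)` / `sys.exit(2)`. The key name is also joined straight under `ca_wrapped/` with no validation; since this is a privileged helper invoked by Dogtag, it would be worth rejecting a name that is not a single path component (for example one containing `/`) so a malformed id cannot name a key outside that prefix — how `CustodiaClient.fetch_key` resolves the path is not visible in this hunk, so confirm against the client. The script further depends on the private `Env._finalize()`; a short header comment stating that the ipalib env is finalized only to obtain `env.host` and `env.realm` for the Custodia client would spare the next maintainer the guess.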
diff --git a/install/updates/73-custodia.update b/install/updates/73-custodia.update
index f6520fb2e..60f805ab8 100644
--- a/install/updates/73-custodia.update
+++ b/install/updates/73-custodia.update
@@ -2,3 +2,8 @@ dn: cn=custodia,cn=ipa,cn=etc,$SUFFIX
 default: objectClass: top
 default: objectClass: nsContainer
 default: cn: custodia
+
+dn: cn=dogtag,cn=custodia,cn=ipa,cn=etc,$SUFFIX
+default: objectClass: top
+default: objectClass: nsContainer
+default: cn: dogtag
