authorJan Cholasta <jcholast@redhat.com>2015-11-09 18:28:47 +0100
committerJan Cholasta <jcholast@redhat.com>2015-11-25 09:12:25 +0100
commitaeffe2da42734655cbaedb2c4d4f9e28bd2df1c0 (patch)
tree302b9ef0c8d4afbccc141f4f4b68a42295542cd8 /ipaserver/install/server
parent5427e7a8c7216b0aa54159a668951d71fb009139 (diff)
install: drop support for Dogtag 9
Dogtag 9 CA and CA DS install and uninstall code was removed. Existing Dogtag 9 CA and CA DS instances are disabled on upgrade. Creating a replica of a Dogtag 9 IPA master is still supported. https://fedorahosted.org/freeipa/ticket/5197 Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'ipaserver/install/server')
-rw-r--r--ipaserver/install/server/install.py21
-rw-r--r--ipaserver/install/server/replicainstall.py26
-rw-r--r--ipaserver/install/server/upgrade.py148
3 files changed, 115 insertions, 80 deletions
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 6629e8ec1..6ecb87ac9 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -15,7 +15,7 @@ import textwrap
import six
-from ipapython import certmonger, dogtag, ipaldap, ipautil, sysrestore
+from ipapython import certmonger, ipaldap, ipautil, sysrestore
from ipapython.dn import DN
from ipapython.install import common, core
from ipapython.install.common import step
@@ -303,8 +303,6 @@ def install_check(installer):
external_ca_file = installer._external_ca_file
http_ca_cert = installer._ca_cert
- dogtag_constants = dogtag.install_constants
-
tasks.check_selinux_status()
if options.master_password:
@@ -575,7 +573,7 @@ def install_check(installer):
if setup_ca:
fd.write("enable_ra=True\n")
fd.write("ra_plugin=dogtag\n")
- fd.write("dogtag_version=%s\n" % dogtag_constants.DOGTAG_VERSION)
+ fd.write("dogtag_version=10\n")
else:
fd.write("enable_ra=False\n")
fd.write("ra_plugin=none\n")
@@ -700,8 +698,6 @@ def install(installer):
setup_ca = options.setup_ca
setup_kra = options.setup_kra
- dogtag_constants = dogtag.install_constants
-
# Installation has started. No IPA sysrestore items are restored in case of
# failure to enable root cause investigation
installer._installation_cleanup = False
@@ -777,8 +773,7 @@ def install(installer):
ca.install_step_0(False, None, options)
# Now put the CA cert where other instances exepct it
- ca_instance = cainstance.CAInstance(realm_name, certs.NSS_DIR,
- dogtag_constants=dogtag_constants)
+ ca_instance = cainstance.CAInstance(realm_name, certs.NSS_DIR)
ca_instance.publish_ca_cert(CACERT)
else:
# Put the CA cert where other instances expect it
@@ -856,8 +851,7 @@ def install(installer):
krb.restart()
if setup_ca:
- dogtag_service = services.knownservices[dogtag_constants.SERVICE_NAME]
- dogtag_service.restart(dogtag_constants.PKI_INSTANCE_NAME)
+ services.knownservices['pki_tomcatd'].restart('pki-tomcat')
if options.setup_dns:
api.Backend.ldap2.connect(autobind=True)
@@ -1052,9 +1046,6 @@ def uninstall(installer):
except Exception as e:
pass
- # Need to get dogtag info before /etc/ipa/default.conf is removed
- dogtag_constants = dogtag.configured_constants()
-
print("Removing IPA client configuration")
try:
(stdout, stderr, rc) = run([paths.IPA_CLIENT_INSTALL, "--on-master",
@@ -1072,7 +1063,7 @@ def uninstall(installer):
kra.uninstall(False)
- ca.uninstall(dogtag_constants)
+ ca.uninstall()
dns.uninstall()
@@ -1134,7 +1125,7 @@ def uninstall(installer):
# Note that this name will be wrong after the first uninstall.
dirname = dsinstance.config_dirname(
installutils.realm_to_serverid(api.env.realm))
- dirs = [dirname, dogtag_constants.ALIAS_DIR, certs.NSS_DIR]
+ dirs = [dirname, paths.PKI_TOMCAT_ALIAS_DIR, certs.NSS_DIR]
ids = certmonger.check_state(dirs)
if ids:
root_logger.error('Some certificates may still be tracked by '
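Review bot: The certmonger tracking check at the bottom of this hunk now looks only in `paths.PKI_TOMCAT_ALIAS_DIR`, so a stale Dogtag 9 tracking request for the old /var/lib/pki-ca/alias database on a host that never went through the upgrade path would no longer be reported by uninstall. Since this commit removes the dedicated Dogtag 9 uninstall code, keeping the old alias directory in the scan is a cheap safety net, e.g. `dirs = [dirname, paths.PKI_TOMCAT_ALIAS_DIR, paths.VAR_LIB_PKI_CA_ALIAS_DIR, certs.NSS_DIR]` (the constant is already used from ipaplatform.paths in upgrade.py in this same commit). uninstall() starts before this hunk and continues after it.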
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 492ea72d8..4b811105b 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -14,7 +14,7 @@ import socket
import sys
import tempfile
-from ipapython import certmonger, dogtag, ipaldap, ipautil, sysrestore
+from ipapython import certmonger, ipaldap, ipautil, sysrestore
from ipapython.dn import DN
from ipapython.install import common, core
from ipapython.install.common import step
@@ -465,8 +465,7 @@ def install_check(installer):
if ipautil.file_exists(config.dir + "/cacert.p12"):
fd.write("enable_ra=True\n")
fd.write("ra_plugin=dogtag\n")
- fd.write("dogtag_version=%s\n" %
- dogtag.install_constants.DOGTAG_VERSION)
+ fd.write("dogtag_version=10\n")
else:
fd.write("enable_ra=False\n")
fd.write("ra_plugin=none\n")
@@ -631,8 +630,6 @@ def install(installer):
sstore = installer._sstore
config = installer._config
- dogtag_constants = dogtag.install_constants
-
if installer._update_hosts_file:
installutils.update_hosts_file(config.ips, config.host_name, fstore)
@@ -685,9 +682,7 @@ def install(installer):
ipautil.realm_to_suffix(config.realm_name))
if ipautil.file_exists(config.dir + "/cacert.p12"):
- CA = cainstance.CAInstance(
- config.realm_name, certs.NSS_DIR,
- dogtag_constants=dogtag_constants)
+ CA = cainstance.CAInstance(config.realm_name, certs.NSS_DIR)
CA.dm_password = config.dirman_password
CA.configure_certmonger_renewal()
@@ -716,8 +711,7 @@ def install(installer):
krb.restart()
if config.setup_ca:
- dogtag_service = services.knownservices[dogtag_constants.SERVICE_NAME]
- dogtag_service.restart(dogtag_constants.PKI_INSTANCE_NAME)
+ services.knownservices['pki_tomcatd'].restart('pki-tomcat')
if options.setup_dns:
api.Backend.ldap2.connect(autobind=True)
@@ -965,7 +959,7 @@ def promote_check(installer):
if not options.skip_conncheck:
replica_conn_check(
config.master_host_name, config.host_name, config.realm_name,
- options.setup_ca, dogtag.Dogtag10Constants.DS_PORT,
+ options.setup_ca, 389,
options.admin_password, principal=options.principal)
if not ipautil.file_exists(cafile):
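Review bot: The literal `389` passed to replica_conn_check replaces a named constant with a magic number, so a reader has to know that this argument is the Directory Server LDAP port the connection check probes. A module-level name such as `DS_PORT = 389` (or an existing port constant from dsinstance, if one is available) with `options.setup_ca, DS_PORT,` keeps the call self-describing. promote_check starts before this hunk and continues after it.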
@@ -994,8 +988,6 @@ def promote(installer):
config.promote = installer.promote
config.dirman_password = hexlify(ipautil.ipa_generate_password())
- dogtag_constants = dogtag.install_constants
-
# FIXME: allow to use passed in certs instead
if installer._ca_enabled:
configure_certmonger()
@@ -1032,8 +1024,7 @@ def promote(installer):
ipaconf.setOption('mode', 'production'),
ipaconf.setOption('enable_ra', 'True'),
ipaconf.setOption('ra_plugin', 'dogtag'),
- ipaconf.setOption('dogtag_version',
- dogtag.install_constants.DOGTAG_VERSION)]
+ ipaconf.setOption('dogtag_version', '10')]
opts = [ipaconf.setSection('global', gopts)]
ipaconf.changeConf(target_fname, opts)
@@ -1069,7 +1060,6 @@ def promote(installer):
custodia.get_ca_keys(config.ca_host_name, ca_data[0], ca_data[1])
ca = cainstance.CAInstance(config.realm_name, certs.NSS_DIR,
- dogtag_constants=dogtag.install_constants,
host_name=config.host_name,
dm_password=config.dirman_password)
ca.configure_replica(config.ca_host_name,
@@ -1081,9 +1071,7 @@ def promote(installer):
config.dirman_password)
custodia.get_kra_keys(config.kra_host_name, ca_data[0], ca_data[1])
- constants = dogtag.install_constants
- kra = krainstance.KRAInstance(config.realm_name,
- dogtag_constants=constants)
+ kra = krainstance.KRAInstance(config.realm_name)
kra.configure_replica(config.host_name, config.kra_host_name,
config.dirman_password,
kra_cert_bundle=ca_data)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 84339b0a2..e193b85b9 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -24,7 +24,7 @@ from ipapython import ipautil, sysrestore, version, certdb
from ipapython import ipaldap
from ipapython.ipa_log_manager import *
from ipapython import certmonger
-from ipapython import dogtag
+from ipapython.dn import DN
from ipaplatform.paths import paths
from ipaserver.install import installutils
from ipaserver.install import dsinstance
@@ -40,6 +40,7 @@ from ipaserver.install import custodiainstance
from ipaserver.install import sysupgrade
from ipaserver.install import dnskeysyncinstance
from ipaserver.install import krainstance
+from ipaserver.install import dogtaginstance
from ipaserver.install.upgradeinstance import IPAUpgrade
from ipaserver.install.ldapupdate import BadSyntax
@@ -201,7 +202,6 @@ def upgrade_pki(ca, fstore):
This requires enabling SSL renegotiation.
"""
- configured_constants = dogtag.configured_constants()
root_logger.info('[Verifying that CA proxy configuration is correct]')
if not ca.is_configured():
root_logger.info('CA is not configured')
@@ -209,16 +209,8 @@ def upgrade_pki(ca, fstore):
http = httpinstance.HTTPInstance(fstore)
http.enable_mod_nss_renegotiate()
- if not installutils.get_directive(configured_constants.CS_CFG_PATH,
- 'proxy.securePort', '=') and \
- os.path.exists(paths.PKI_SETUP_PROXY):
- # update proxy configuration with stopped dogtag to prevent corruption
- # of CS.cfg
- ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib',
- '-pki_instance_name=pki-ca','-subsystem_type=ca'])
- root_logger.debug('Proxy configuration updated')
- else:
- root_logger.debug('Proxy configuration up-to-date')
+
+ root_logger.debug('Proxy configuration up-to-date')
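Review bot: With the proxy.securePort check removed, upgrade_pki now emits `root_logger.debug('Proxy configuration up-to-date')` unconditionally, and the info line at the top of the function still announces '[Verifying that CA proxy configuration is correct]' although nothing is verified any more; an operator reading the upgrade log is told a check passed that never ran. Either drop the unconditional debug line or reword the messages and the docstring to describe what remains, e.g. `root_logger.info('[Enabling mod_nss renegotiation for the CA proxy]')` and remove `root_logger.debug('Proxy configuration up-to-date')`. The definition of upgrade_pki begins above this hunk.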
def update_dbmodules(realm, filename=paths.KRB5_CONF):
newfile = []
@@ -315,15 +307,13 @@ def ca_enable_ldap_profile_subsystem(ca):
root_logger.info('CA is not configured')
return False
- caconfig = dogtag.configured_constants()
-
needs_update = False
directive = None
try:
for i in range(15):
directive = "subsystem.{}.class".format(i)
value = installutils.get_directive(
- caconfig.CS_CFG_PATH,
+ paths.CA_CS_CFG_PATH,
directive,
separator='=')
if value == 'com.netscape.cmscore.profile.ProfileSubsystem':
@@ -331,18 +321,18 @@ def ca_enable_ldap_profile_subsystem(ca):
break
except OSError as e:
root_logger.error('Cannot read CA configuration file "%s": %s',
- caconfig.CS_CFG_PATH, e)
+ paths.CA_CS_CFG_PATH, e)
return False
if needs_update:
installutils.set_directive(
- caconfig.CS_CFG_PATH,
+ paths.CA_CS_CFG_PATH,
directive,
'com.netscape.cmscore.profile.LDAPProfileSubsystem',
quotes=False,
separator='=')
- ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
+ ca.restart('pki-tomcat')
cainstance.migrate_profiles_to_ldap()
return needs_update
@@ -803,13 +793,12 @@ def certificate_renewal_update(ca):
"""
Update certmonger certificate renewal configuration.
"""
- dogtag_constants = dogtag.configured_constants()
# bump version when requests is changed
version = 4
requests = (
(
- dogtag_constants.ALIAS_DIR,
+ paths.PKI_TOMCAT_ALIAS_DIR,
'auditSigningCert cert-pki-ca',
'dogtag-ipa-ca-renew-agent',
'stop_pkicad',
@@ -817,7 +806,7 @@ def certificate_renewal_update(ca):
None,
),
(
- dogtag_constants.ALIAS_DIR,
+ paths.PKI_TOMCAT_ALIAS_DIR,
'ocspSigningCert cert-pki-ca',
'dogtag-ipa-ca-renew-agent',
'stop_pkicad',
@@ -825,7 +814,7 @@ def certificate_renewal_update(ca):
None,
),
(
- dogtag_constants.ALIAS_DIR,
+ paths.PKI_TOMCAT_ALIAS_DIR,
'subsystemCert cert-pki-ca',
'dogtag-ipa-ca-renew-agent',
'stop_pkicad',
@@ -833,7 +822,7 @@ def certificate_renewal_update(ca):
None,
),
(
- dogtag_constants.ALIAS_DIR,
+ paths.PKI_TOMCAT_ALIAS_DIR,
'caSigningCert cert-pki-ca',
'dogtag-ipa-ca-renew-agent',
'stop_pkicad',
@@ -849,7 +838,7 @@ def certificate_renewal_update(ca):
None,
),
(
- dogtag_constants.ALIAS_DIR,
+ paths.PKI_TOMCAT_ALIAS_DIR,
'Server-Cert cert-pki-ca',
'dogtag-ipa-renew-agent',
'stop_pkicad',
@@ -928,15 +917,13 @@ def copy_crl_file(old_path, new_path=None):
"""
if new_path is None:
filename = os.path.basename(old_path)
- new_path = os.path.join(dogtag.configured_constants().CRL_PUBLISH_PATH,
- filename)
+ new_path = os.path.join(paths.PKI_CA_PUBLISH_DIR, filename)
root_logger.debug('copy_crl_file: %s -> %s', old_path, new_path)
if os.path.islink(old_path):
# update symlink to the most most recent CRL file
filename = os.path.basename(os.readlink(old_path))
- realpath = os.path.join(dogtag.configured_constants().CRL_PUBLISH_PATH,
- filename)
+ realpath = os.path.join(paths.PKI_CA_PUBLISH_DIR, filename)
root_logger.debug('copy_crl_file: Create symlink %s -> %s',
new_path, realpath)
os.symlink(realpath, new_path)
@@ -961,22 +948,21 @@ def migrate_crl_publish_dir(ca):
root_logger.info('CA is not configured')
return False
- caconfig = dogtag.configured_constants()
-
try:
- old_publish_dir = installutils.get_directive(caconfig.CS_CFG_PATH,
+ old_publish_dir = installutils.get_directive(
+ paths.CA_CS_CFG_PATH,
'ca.publish.publisher.instance.FileBaseCRLPublisher.directory',
separator='=')
except OSError as e:
root_logger.error('Cannot read CA configuration file "%s": %s',
- caconfig.CS_CFG_PATH, e)
+ paths.CA_CS_CFG_PATH, e)
return False
# Prepare target publish dir (creation, permissions, SELinux context)
# Run this every update to ensure proper values
publishdir = ca.prepare_crl_publish_dir()
- if old_publish_dir == caconfig.CRL_PUBLISH_PATH:
+ if old_publish_dir == paths.PKI_CA_PUBLISH_DIR:
# publish dir is already updated
root_logger.info('Publish directory already set to new location')
sysupgrade.set_upgrade_state('dogtag', 'moved_crl_publish_dir', True)
@@ -1000,16 +986,17 @@ def migrate_crl_publish_dir(ca):
root_logger.error('Cannot move CRL file to new directory: %s', e)
try:
- installutils.set_directive(caconfig.CS_CFG_PATH,
+ installutils.set_directive(
+ paths.CA_CS_CFG_PATH,
'ca.publish.publisher.instance.FileBaseCRLPublisher.directory',
publishdir, quotes=False, separator='=')
except OSError as e:
root_logger.error('Cannot update CA configuration file "%s": %s',
- caconfig.CS_CFG_PATH, e)
+ paths.CA_CS_CFG_PATH, e)
return False
sysupgrade.set_upgrade_state('dogtag', 'moved_crl_publish_dir', True)
root_logger.info('CRL publish directory has been migrated, '
- 'request pki-ca restart')
+ 'request pki-tomcat restart')
return True
@@ -1101,6 +1088,76 @@ def uninstall_selfsign(ds, http):
http.stop_tracking_certificates()
+def uninstall_dogtag_9(ds, http):
+ root_logger.info('[Removing Dogtag 9 CA]')
+
+ if api.env.ra_plugin != 'dogtag':
+ root_logger.debug('Dogtag CA is not installed')
+ return
+ if api.env.dogtag_version >= 10:
+ root_logger.debug('Dogtag is version 10 or above')
+ return
+
+ if not api.Backend.ldap2.isconnected():
+ try:
+ api.Backend.ldap2.connect(autobind=True)
+ except ipalib.errors.PublicError as e:
+ root_logger.error("Cannot connect to LDAP: %s", e)
+
+ dn = DN(('cn', 'CA'), ('cn', api.env.host), ('cn', 'masters'),
+ ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
+ try:
+ api.Backend.ldap2.delete_entry(dn)
+ except ipalib.errors.PublicError as e:
+ root_logger.error("Cannot delete %s: %s", dn, e)
+
+ p = SafeConfigParser()
+ p.read(paths.IPA_DEFAULT_CONF)
+ p.set('global', 'dogtag_version', '10')
+ with open(paths.IPA_DEFAULT_CONF, 'w') as f:
+ p.write(f)
+
+ sstore = sysrestore.StateFile(paths.SYSRESTORE)
+ sstore.restore_state('pkids', 'enabled')
+ sstore.restore_state('pkids', 'running')
+ sstore.restore_state('pkids', 'user_exists')
+ serverid = sstore.restore_state('pkids', 'serverid')
+ sstore.save()
+
+ ca = dogtaginstance.DogtagInstance(
+ api.env.realm, "CA", "certificate server",
+ nss_db=paths.VAR_LIB_PKI_CA_ALIAS_DIR)
+ ca.stop_tracking_certificates(False)
+
+ if serverid is not None:
+ # drop the trailing / off the config_dirname so the directory
+ # will match what is in certmonger
+ dirname = dsinstance.config_dirname(serverid)[:-1]
+ dsdb = certs.CertDB(api.env.realm, nssdir=dirname)
+ dsdb.untrack_server_cert("Server-Cert")
+
+ try:
+ services.service('pki-cad').disable('pki-ca')
+ except Exception as e:
+ root_logger.warning("Failed to disable pki-cad: %s", e)
+ try:
+ services.service('pki-cad').stop('pki-ca')
+ except Exception as e:
+ root_logger.warning("Failed to stop pki-cad: %s", e)
+
+ if serverid is not None:
+ try:
+ services.service('dirsrv').disable(serverid)
+ except Exception as e:
+ root_logger.warning("Failed to disable dirsrv: %s", e)
+ try:
+ services.service('dirsrv').stop(serverid)
+ except Exception as e:
+ root_logger.warning("Failed to stop dirsrv: %s", e)
+
+ http.restart()
+
+
def mask_named_regular():
"""Disable named, we need to run only named-pkcs11, running both named and
named-pkcs can cause unexpected errors"""
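Review bot: uninstall_dogtag_9 rewrites /etc/ipa/default.conf by reading it into a SafeConfigParser and writing it straight back over the original with `open(paths.IPA_DEFAULT_CONF, 'w')`, which truncates the file before the new contents exist, so a crash or disk error in that window leaves the server without its configuration, and ConfigParser additionally drops every comment in the file. This same commit changes the same option in replicainstall.py's promote() through `ipaconf.setOption('dogtag_version', '10')` followed by `ipaconf.changeConf(...)`; reusing that mechanism here would be consistent and preserve the file, and failing that the write should at least go to a sibling temp file that is renamed into place, as sketched below. Two smaller issues in the same function: when the `api.Backend.ldap2.connect(autobind=True)` call fails the error is logged but execution falls through into delete_entry, which will presumably fail again and may raise something other than PublicError, so a `return` after the log looks intended; and the old instance is only stopped and disabled, leaving the Dogtag 9 NSS database at paths.VAR_LIB_PKI_CA_ALIAS_DIR (presumably still holding the CA signing key) and the pkids data on disk, which deserves a logged warning telling the administrator to remove them. The `ds` parameter is never used.
```python
    # … unchanged: ra_plugin / dogtag_version guards, LDAP entry removal …
    p = SafeConfigParser()
    p.read(paths.IPA_DEFAULT_CONF)
    p.set('global', 'dogtag_version', '10')
    # write to a sibling temp file and rename it into place so an interrupted
    # write cannot leave default.conf truncated (ConfigParser still drops comments)
    tmp_conf = paths.IPA_DEFAULT_CONF + '.ipaupgrade'
    with open(tmp_conf, 'w') as f:
        p.write(f)
    os.chmod(tmp_conf, os.stat(paths.IPA_DEFAULT_CONF).st_mode)
    os.rename(tmp_conf, paths.IPA_DEFAULT_CONF)
    # … unchanged: sysrestore state, certmonger untracking, service stop/disable …
```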
@@ -1359,13 +1416,12 @@ def upgrade_configuration():
check_certs()
auto_redirect = find_autoredirect(fqdn)
- configured_constants = dogtag.configured_constants()
sub_dict = dict(
REALM=api.env.realm,
FQDN=fqdn,
AUTOREDIR='' if auto_redirect else '#',
- CRL_PUBLISH_PATH=configured_constants.CRL_PUBLISH_PATH,
- DOGTAG_PORT=configured_constants.AJP_PORT,
+ CRL_PUBLISH_PATH=paths.PKI_CA_PUBLISH_DIR,
+ DOGTAG_PORT=8009,
CLONE='#'
)
@@ -1375,9 +1431,7 @@ def upgrade_configuration():
ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
- with installutils.stopped_service(configured_constants.SERVICE_NAME,
- configured_constants.PKI_INSTANCE_NAME):
-
+ with installutils.stopped_service('pki-tomcatd', 'pki-tomcat'):
# Dogtag must be stopped to be able to backup CS.cfg config
ca.backup_config()
@@ -1385,8 +1439,8 @@ def upgrade_configuration():
ca_restart = migrate_crl_publish_dir(ca)
if ca.is_configured():
- crl = installutils.get_directive(configured_constants.CS_CFG_PATH,
- 'ca.crl.MasterCRL.enableCRLUpdates', '=')
+ crl = installutils.get_directive(
+ paths.CA_CS_CFG_PATH, 'ca.crl.MasterCRL.enableCRLUpdates', '=')
sub_dict['CLONE']='#' if crl.lower() == 'true' else ''
ds_dirname = dsinstance.config_dirname(ds_serverid)
@@ -1470,6 +1524,7 @@ def upgrade_configuration():
http.start()
uninstall_selfsign(ds, http)
+ uninstall_dogtag_9(ds, http)
simple_service_list = (
(memcacheinstance.MemcacheInstance(), 'MEMCACHE'),
@@ -1542,9 +1597,10 @@ def upgrade_configuration():
])
if ca_restart:
- root_logger.info('pki-ca configuration changed, restart pki-ca')
+ root_logger.info(
+ 'pki-tomcat configuration changed, restart pki-tomcat')
try:
- ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
+ ca.restart('pki-tomcat')
except ipautil.CalledProcessError as e:
root_logger.error("Failed to restart %s: %s", ca.service_name, e)