authorStanislav Laznicka <slaznick@redhat.com>2017-01-02 17:00:00 +0100
committerJan Cholasta <jcholast@redhat.com>2017-03-01 09:43:41 +0000
commit2a1494c9aef2e2b5c06e427e689787e5a2c4dc7f (patch)
tree965aba505982685332984c7edb71ea50463355f2 /ipaserver
parentdfd560a190cb2ab13f34ed9e21c5fb5c6e793f18 (diff)
Move RA agent certificate file export to a different location
An HTTPS connection to the certificate server requires client authentication, so we need a file with the client certificate and private key prior to its first occurrence, which happens during migration of certificate profiles to LDAP. https://fedorahosted.org/freeipa/ticket/5695 https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/cainstance.py5
-rw-r--r--ipaserver/install/dogtaginstance.py4
-rw-r--r--ipaserver/install/ipa_backup.py2
-rw-r--r--ipaserver/install/krainstance.py7
-rw-r--r--ipaserver/install/server/upgrade.py10
-rw-r--r--ipaserver/plugins/dogtag.py2
6 files changed, 14 insertions, 16 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 6e3f995f9..6cb6e3c94 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -64,7 +64,8 @@ from ipaserver.install import installutils
from ipaserver.install import ldapupdate
from ipaserver.install import replication
from ipaserver.install import sysupgrade
-from ipaserver.install.dogtaginstance import DogtagInstance
+from ipaserver.install.dogtaginstance import (
+ DogtagInstance, export_ra_agent_pem)
from ipaserver.plugins import ldap2
# We need to reset the template because the CA uses the regular boot
@@ -414,6 +415,8 @@ class CAInstance(DogtagInstance):
else:
self.step("importing RA certificate from PKCS #12 file",
lambda: self.import_ra_cert(ra_p12))
+ self.step("exporting RA agent cert", export_ra_agent_pem)
+
if not ra_only:
self.step("importing CA chain to RA certificate database", self.__import_ca_chain)
self.step("setting up signing cert profile", self.__setup_sign_profile)
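Review bot: The new `self.step("exporting RA agent cert", export_ra_agent_pem)` is order-sensitive — per the commit description the PEM (client cert plus private key) must exist before the first client-authenticated HTTPS call to the CA, which happens during profile migration — but nothing on the line records that, so a later reordering of the step list would break installs silently. A one-line comment above it such as `# must precede any client-authenticated HTTPS call to the CA (profile migration)` would protect the ordering. The enclosing method starts and ends outside this hunk, so where the profile-migration step sits relative to this one is not visible here.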
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index cbaaa2594..05fe05572 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -72,7 +72,7 @@ def is_installing_replica(sys_type):
return False
-def export_kra_agent_pem():
+def export_ra_agent_pem():
"""
Export ipaCert with private key for client authentication.
"""
@@ -90,7 +90,7 @@ def export_kra_agent_pem():
os.chown(filename, 0, pent.pw_gid)
os.chmod(filename, 0o440)
- os.rename(filename, paths.KRA_AGENT_PEM)
+ os.rename(filename, paths.RA_AGENT_PEM)
class DogtagInstance(service.Service):
diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index 9cf0d4c5e..9f35bf6ac 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -158,7 +158,7 @@ class Backup(admintool.AdminTool):
paths.SMB_CONF,
paths.SAMBA_KEYTAB,
paths.DOGTAG_ADMIN_P12,
- paths.KRA_AGENT_PEM,
+ paths.RA_AGENT_PEM,
paths.CACERT_P12,
paths.KRACERT_P12,
paths.KRB5KDC_KDC_CONF,
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index d7ab6fdaa..7a6c2d2fa 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -36,8 +36,7 @@ from ipapython.dn import DN
from ipaserver.install import cainstance
from ipaserver.install import installutils
from ipaserver.install import ldapupdate
-from ipaserver.install.dogtaginstance import (export_kra_agent_pem,
- DogtagInstance)
+from ipaserver.install.dogtaginstance import DogtagInstance
from ipaserver.plugins import ldap2
from ipapython.ipa_log_manager import log_mgr
@@ -118,7 +117,6 @@ class KRAInstance(DogtagInstance):
if not self.clone:
self.step("create KRA agent",
self.__create_kra_agent)
- self.step("exporting KRA agent cert", export_kra_agent_pem)
if not ra_only:
if promote:
self.step("destroying installation admin user", self.teardown_admin)
@@ -285,9 +283,6 @@ class KRAInstance(DogtagInstance):
os.remove(cfg_file)
shutil.move(paths.KRA_BACKUP_KEYS_P12, paths.KRACERT_P12)
-
- export_kra_agent_pem()
-
self.log.debug("completed creating KRA instance")
def __create_kra_agent(self):
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 90c2be26e..c7965c7c3 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -44,7 +44,6 @@ from ipaserver.install import schemaupdate
from ipaserver.install import custodiainstance
from ipaserver.install import sysupgrade
from ipaserver.install import dnskeysyncinstance
-from ipaserver.install import krainstance
from ipaserver.install import dogtaginstance
from ipaserver.install import krbinstance
from ipaserver.install import adtrustinstance
@@ -1403,12 +1402,13 @@ def fix_trust_flags():
sysupgrade.set_upgrade_state('http', 'fix_trust_flags', True)
-def export_kra_agent_pem():
+def export_ra_agent_pem():
root_logger.info('[Exporting KRA agent PEM file]')
+ # export_kra_agent_pem is the original name of this function
sysupgrade.remove_upgrade_state('http', 'export_kra_agent_pem')
- if os.path.exists(paths.KRA_AGENT_PEM):
+ if os.path.exists(paths.RA_AGENT_PEM):
root_logger.info("KRA agent PEM file already exported")
return
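Review bot: The log messages in the renamed function still say "KRA agent PEM" (`'[Exporting KRA agent PEM file]'` and `"KRA agent PEM file already exported"`) although the function and the path it checks are now `export_ra_agent_pem` / `paths.RA_AGENT_PEM`, which will mislead anyone reading upgrade logs on a server without a KRA. Suggest `root_logger.info('[Exporting RA agent PEM file]')` and `root_logger.info("RA agent PEM file already exported")`. The function body continues past this hunk.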
@@ -1416,7 +1416,7 @@ def export_kra_agent_pem():
root_logger.info("KRA is not enabled")
return
- krainstance.export_kra_agent_pem()
+ dogtaginstance.export_ra_agent_pem()
installutils.remove_file(paths.OLD_KRA_AGENT_PEM)
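Review bot: The early `return` under `"KRA is not enabled"` now skips the export of `paths.RA_AGENT_PEM` during upgrade of a server that has a CA but no KRA, yet the commit description says this PEM is required for client-authenticated HTTPS to the certificate server during profile migration, so such upgraded servers would lack a file that fresh installs get from cainstance. If the condition guarding this return (outside the hunk) is the KRA-enabled check its log message suggests, it should presumably gate on the CA being configured instead. Separately, only `paths.OLD_KRA_AGENT_PEM` is removed afterwards; if the previous release wrote to `paths.KRA_AGENT_PEM` and that constant still exists, a second copy of the private key is left behind at the old path on upgrade — consider removing it here too.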
@@ -1663,7 +1663,7 @@ def upgrade_configuration():
update_mod_nss_protocol(http)
update_mod_nss_cipher_suite(http)
fix_trust_flags()
- export_kra_agent_pem()
+ export_ra_agent_pem()
update_http_keytab(http)
http.configure_gssproxy()
http.start()
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 6ff6d292c..2156f0791 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -2026,7 +2026,7 @@ class kra(Backend):
str(self.kra_port),
'kra')
- connection.set_authentication_cert(paths.KRA_AGENT_PEM)
+ connection.set_authentication_cert(paths.RA_AGENT_PEM)
return KRAClient(connection, crypto)