-rw-r--r-- | install/restart_scripts/renew_ca_cert | 1 | ||||
-rwxr-xr-x | install/tools/ipa-ca-install | 2 | ||||
-rwxr-xr-x | install/tools/ipa-replica-install | 3 | ||||
-rwxr-xr-x | install/tools/ipa-server-install | 3 | ||||
-rw-r--r-- | ipaserver/install/cainstance.py | 96 | ||||
-rw-r--r-- | ipaserver/install/installutils.py | 36 |
6 files changed, 101 insertions, 40 deletions
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 5768db3f7..ab394b970 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -83,6 +83,7 @@ except Exception, e: finally: shutil.rmtree(tmpdir) +# Done withing stopped_service context, CA restarted here update_cert_config(nickname, cert) if nickname == 'subsystemCert cert-pki-ca':
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 636f63da3..4edd26d33 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -189,8 +189,8 @@ def main(): CA.ldap_enable('CA', config.host_name, config.dirman_password, ipautil.realm_to_suffix(config.realm_name)) + # This is done within stopped_service context, which restarts CA CA.enable_client_auth_to_db() - CA.restart() # Install CA DNS records install_dns_records(config, options)
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index c6d69fca6..947c51f6f 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -675,8 +675,9 @@ def main(): if CA and config.setup_ca: CA.ldap_enable('CA', config.host_name, config.dirman_password, ipautil.realm_to_suffix(config.realm_name)) + + # This is done within stopped_service context, which restarts CA CA.enable_client_auth_to_db() - CA.restart() krb = install_krb(config, setup_pkinit=options.setup_pkinit) http = install_http(config, auto_redirect=options.ui_redirect)
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 06e99134e..86ca3447b 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install 
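Review bot: The comment added after `shutil.rmtree(tmpdir)` has a typo, `withing`; it should read `# Done within stopped_service context, CA restarted here`. Since update_cert_config() now stops and starts pki_tomcatd itself, this comment is the only hint in the script that the CA is bounced by that call, so it is worth keeping accurate. The try/finally this line follows starts outside the hunk.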
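Review bot: The comment `# This is done within stopped_service context, which restarts CA` above `CA.enable_client_auth_to_db()` understates what the dropped `CA.restart()` depended on: stopped_service() in installutils starts the service on exit even when it was not running on entry, and that start is what replaces the restart here. A comment that says so keeps the next reader from putting the restart back, e.g. `# enable_client_auth_to_db() edits CS.cfg inside stopped_service(), which (re)starts the CA on exit; no explicit restart needed`. The same applies to the identical hunks in ipa-replica-install (@@ -675) and ipa-server-install (@@ -1054). main() in each script extends well beyond the hunk.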
@@ -1054,8 +1054,9 @@ def main(): # We need to ldap_enable the CA now that DS is up and running ca.ldap_enable('CA', host_name, dm_password, ipautil.realm_to_suffix(realm_name)) + + # This is done within stopped_service context, which restarts CA ca.enable_client_auth_to_db() - ca.restart() # Upload the CA cert to the directory ds.upload_ca_cert()
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index ca3ee69fb..15d79fdba 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -53,6 +53,7 @@ from ipaserver.install import service from ipaserver.install import installutils from ipaserver.install import dsinstance from ipaserver.install import certs +from ipaserver.install.installutils import stopped_service from ipaserver.plugins import ldap2 from ipapython.ipa_log_manager import *
@@ -443,7 +444,10 @@ class CAInstance(service.Service): if not ipautil.dir_exists("/var/lib/pki-ca"): self.step("creating pki-ca instance", self.create_instance) self.step("configuring certificate server instance", self.__configure_instance) + self.step("stopping certificate server instance to update CS.cfg", self.__stop) self.step("disabling nonces", self.__disable_nonce) + self.step("set up CRL publishing", self.__enable_crl_publish) + self.step("starting certificate server instance", self.__start) # Step 1 of external is getting a CSR so we don't need to do these # steps until we get a cert back from the external CA. if self.external != 1: 
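Review bot: Moving `self.step("set up CRL publishing", self.__enable_crl_publish)` into the new stop/start bracket also moves it out of the `if self.external != 1:` block (the removal is in the next hunk, @@ -454), so it now also runs during step 1 of an external-CA install, which the context comment just below says is reserved for steps that can wait until the cert comes back from the external CA; if that is intended, say so next to the step, e.g. `# CRL publishing only edits CS.cfg, so it is safe before the external CA cert is back`, otherwise it needs to stay guarded. The bracket is also done as two explicit stop/start steps rather than the stopped_service() context this commit uses for the other CS.cfg edits, so a RuntimeError from __disable_nonce (visible in @@ -781) ends the install with the instance stopped; that may be acceptable for an aborted install, but a one-line comment above the stop step naming which CS.cfg edits it covers would make the pairing explicit. The configure_instance body continues outside the hunk.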
@@ -454,7 +458,6 @@ class CAInstance(service.Service): self.step("importing CA chain to RA certificate database", self.__import_ca_chain) self.step("fixing RA database permissions", self.fix_ra_perms) self.step("setting up signing cert profile", self.__setup_sign_profile) - self.step("set up CRL publishing", self.__enable_crl_publish) self.step("set certificate subject base", self.__set_subject_in_config) self.step("enabling Subject Key Identifier", self.enable_subject_key_identifier) self.step("enabling CRL and OCSP extensions for certificates", self.__set_crl_ocsp_extensions)
@@ -474,6 +477,13 @@ class CAInstance(service.Service): self.start_creation(runtime=210) + def __stop(self): + self.stop() + + def __start(self): + self.start() + + def __spawn_instance(self): """ Create and configure a new CA instance using pkispawn.
@@ -781,7 +791,8 @@ class CAInstance(service.Service): if update_result != 0: raise RuntimeError("Disabling nonces failed") pent = pwd.getpwnam(PKI_USER) - os.chown(self.dogtag_constants.CS_CFG_PATH, pent.pw_uid, pent.pw_gid) + os.chown(self.dogtag_constants.CS_CFG_PATH, + pent.pw_uid, pent.pw_gid) def __issue_ra_cert(self): # The CA certificate is in the agent DB but isn't trusted 
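Review bot: `__stop` and `__start` are one-line wrappers with no docstring, and the step list already passes inherited methods directly (`self.fix_ra_perms`, `self.enable_subject_key_identifier` in @@ -454), so `self.step("stopping certificate server instance to update CS.cfg", self.stop)` and `self.step("starting certificate server instance", self.start)` would do the same without the extra methods. If the wrappers are kept, give each a docstring such as `"""Stop the CA instance so CS.cfg can be edited safely."""`, and drop one of the two blank lines added before `__spawn_instance` so the class keeps a single blank line between methods.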
@@ -1272,36 +1283,40 @@ class CAInstance(service.Service): """ caconfig = dogtag.install_constants.CS_CFG_PATH - # Enable file publishing, disable LDAP - installutils.set_directive(caconfig, - 'authz.instance.DirAclAuthz.ldap.ldapauth.authtype', - 'SslClientAuth', quotes=False, separator='=') - installutils.set_directive(caconfig, - 'authz.instance.DirAclAuthz.ldap.ldapauth.bindDN', - 'uid=pkidbuser,ou=people,o=ipa-ca', quotes=False, separator='=') - installutils.set_directive(caconfig, - 'authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname', - 'subsystemCert cert-pki-ca', quotes=False, separator='=') - installutils.set_directive(caconfig, - 'authz.instance.DirAclAuthz.ldap.ldapconn.port', - str(dogtag.install_constants.DS_SECURE_PORT), - quotes=False, separator='=') - installutils.set_directive(caconfig, - 'authz.instance.DirAclAuthz.ldap.ldapconn.secureConn', - 'true', quotes=False, separator='=') - - installutils.set_directive(caconfig, 'internaldb.ldapauth.authtype', - 'SslClientAuth', quotes=False, separator='=') - installutils.set_directive(caconfig, 'internaldb.ldapauth.bindDN', - 'uid=pkidbuser,ou=people,o=ipa-ca', quotes=False, separator='=') - installutils.set_directive(caconfig, - 'internaldb.ldapauth.clientCertNickname', - 'subsystemCert cert-pki-ca', quotes=False, separator='=') - installutils.set_directive(caconfig, 'internaldb.ldapconn.port', - str(dogtag.install_constants.DS_SECURE_PORT), - quotes=False, separator='=') - installutils.set_directive(caconfig, 'internaldb.ldapconn.secureConn', - 'true', quotes=False, separator='=') + with stopped_service('pki_tomcatd', + instance_name=self.dogtag_constants.PKI_INSTANCE_NAME): + + # Enable file publishing, disable LDAP + installutils.set_directive(caconfig, + 'authz.instance.DirAclAuthz.ldap.ldapauth.authtype', + 'SslClientAuth', quotes=False, separator='=') + installutils.set_directive(caconfig, + 'authz.instance.DirAclAuthz.ldap.ldapauth.bindDN', + 'uid=pkidbuser,ou=people,o=ipa-ca', 
quotes=False, separator='=') + installutils.set_directive(caconfig, + 'authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname', + 'subsystemCert cert-pki-ca', quotes=False, separator='=') + installutils.set_directive(caconfig, + 'authz.instance.DirAclAuthz.ldap.ldapconn.port', + str(dogtag.install_constants.DS_SECURE_PORT), + quotes=False, separator='=') + installutils.set_directive(caconfig, + 'authz.instance.DirAclAuthz.ldap.ldapconn.secureConn', + 'true', quotes=False, separator='=') + + installutils.set_directive(caconfig, 'internaldb.ldapauth.authtype', + 'SslClientAuth', quotes=False, separator='=') + installutils.set_directive(caconfig, 'internaldb.ldapauth.bindDN', + 'uid=pkidbuser,ou=people,o=ipa-ca', quotes=False, separator='=') + installutils.set_directive(caconfig, + 'internaldb.ldapauth.clientCertNickname', + 'subsystemCert cert-pki-ca', quotes=False, separator='=') + installutils.set_directive(caconfig, 'internaldb.ldapconn.port', + str(dogtag.install_constants.DS_SECURE_PORT), + quotes=False, separator='=') + installutils.set_directive(caconfig, + 'internaldb.ldapconn.secureConn', 'true', quotes=False, + separator='=') def uninstall(self): if self.is_configured():
@@ -1687,7 +1702,7 @@ def install_replica_ca(config, master_ds_port, postinstall=False): return ca -def update_cert_config(nickname, cert): +def update_cert_config(nickname, cert, dogtag_constants=None): """ When renewing a CA subsystem certificate the configuration file needs to get the new certificate as well.
@@ -1695,6 +1710,10 @@ def update_cert_config(nickname, cert): nickname is one of the known nicknames. cert is a DER-encoded certificate. """ + + if dogtag_constants is None: + dogtag_constants = dogtag.configured_constants() + # The cert directive to update per nickname directives = {'auditSigningCert cert-pki-ca': 'ca.audit_signing.cert', 'ocspSigningCert cert-pki-ca': 'ca.ocsp_signing.cert', 
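Review bot: The comment `# Enable file publishing, disable LDAP` carried into the rewritten `with stopped_service(...)` block does not describe the directives beneath it, which switch the `authz.instance.DirAclAuthz.ldap.*` and `internaldb.*` connections to `SslClientAuth` as `uid=pkidbuser,ou=people,o=ipa-ca` on `DS_SECURE_PORT` with `secureConn` true; a stale comment over a security-relevant configuration change is worth fixing while these lines are being touched, e.g. `# Point the internal DB and DirAclAuthz LDAP connections at DS over TLS, authenticating with the subsystem client cert`. Note also that `caconfig` is taken from `dogtag.install_constants` while the instance to stop comes from `self.dogtag_constants`; if those can ever differ, one instance is stopped while another's CS.cfg is edited, so it is worth confirming they refer to the same constants here. The method's signature and docstring start before the hunk.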
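Review bot: The docstring of update_cert_config still lists only `nickname` and `cert`, but the signature one hunk up (@@ -1687) now takes `dogtag_constants=None`, resolved here with `dogtag.configured_constants()`; add a line such as `dogtag_constants selects the CA instance stopped while CS.cfg is edited; defaults to dogtag.configured_constants().` after the `cert` line so callers such as renew_ca_cert know when to pass it. The function body continues in the next hunk.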
@@ -1702,10 +1721,13 @@ def update_cert_config(nickname, cert): 'subsystemCert cert-pki-ca': 'ca.subsystem.cert', 'Server-Cert cert-pki-ca': 'ca.sslserver.cert'} - installutils.set_directive(dogtag.configured_constants().CS_CFG_PATH, - directives[nickname], - base64.b64encode(cert), - quotes=False, separator='=') + with stopped_service('pki_tomcatd', + instance_name=dogtag_constants.PKI_INSTANCE_NAME): + + installutils.set_directive(dogtag.configured_constants().CS_CFG_PATH, + directives[nickname], + base64.b64encode(cert), + quotes=False, separator='=') def update_people_entry(uid, dercert): """
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index d17d53d1d..268279dc9 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -42,6 +42,7 @@ from ipapython import config from ipalib import errors from ipapython.dn import DN from ipaserver.install import certs +from ipapython import services as ipaservices # Used to determine install status IPA_MODULES = [ 
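Review bot: The new `with stopped_service(...)` block keys the instance to stop on `dogtag_constants.PKI_INSTANCE_NAME`, but the `set_directive` call inside it still reads `dogtag.configured_constants().CS_CFG_PATH`, so a caller that passes a non-default `dogtag_constants` stops one instance and edits another's CS.cfg; the parameter added in the previous hunks is only half applied. The call should become `installutils.set_directive(dogtag_constants.CS_CFG_PATH,` so both sides of the block refer to the same instance. update_cert_config's signature and docstring are in the preceding hunks.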
@@ -792,3 +793,38 @@ def private_ccache(path=None): if os.path.exists(path): os.remove(path) + + +@contextmanager +def stopped_service(service, instance_name=""): + """ + Ensure that the specified service is stopped while the commands within + this context are executed. + + Service is started at the end of the execution. + """ + + if instance_name: + log_instance_name = "@{instance}".format(instance=instance_name) + else: + log_instance_name = "" + + root_logger.debug('Ensuring that service %s%s is not running while ' + 'the next set of commands is being executed.', service, + log_instance_name) + + # Figure out if the service is running, if not, yield + if not ipaservices.knownservices[service].is_running(instance_name): + root_logger.debug('Service %s%s is not running, continue.', service, + log_instance_name) + yield + root_logger.debug('Starting %s%s.', service, log_instance_name) + ipaservices.knownservices[service].start(instance_name) + return + else: + # Stop the service, do the required stuff and start it again + root_logger.debug('Stopping %s%s.', service, log_instance_name) + ipaservices.knownservices[service].stop(instance_name) + yield + root_logger.debug('Starting %s%s.', service, log_instance_name) + ipaservices.knownservices[service].start(instance_name) |
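Review bot: `stopped_service` does not guard its `yield` with try/finally, so when the body raises — a failed `set_directive` in cainstance.py, for instance — the generator is never resumed, `ipaservices.knownservices[service].start(instance_name)` never runs, and pki_tomcatd is left stopped after an error during CA installation or certificate renewal. Since both branches end with the same start call, the `is_running` check only needs to decide whether to stop, and a single try/finally can own the restart, which also removes the early `return`. The docstring should additionally state that the service is started on exit even when it was not running on entry, because the installer hunks dropped `CA.restart()` on exactly that basis. This assumes `contextmanager` is already imported in installutils.py, since the hunk uses the decorator without adding an import.
```python
    # … unchanged: log_instance_name setup and the initial debug message …
    # Stop the service only if it is running; it is started on exit either way
    if not ipaservices.knownservices[service].is_running(instance_name):
        root_logger.debug('Service %s%s is not running, continue.', service,
                          log_instance_name)
    else:
        root_logger.debug('Stopping %s%s.', service, log_instance_name)
        ipaservices.knownservices[service].stop(instance_name)
    try:
        yield
    finally:
        # Runs on error too, so a failed edit does not leave the CA down
        root_logger.debug('Starting %s%s.', service, log_instance_name)
        ipaservices.knownservices[service].start(instance_name)
```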