-rw-r--r-- | ipaplatform/base/paths.py | 2 | ||||
-rw-r--r-- | ipaserver/install/cainstance.py | 49 | ||||
-rw-r--r-- | ipaserver/install/krainstance.py | 113 |
3 files changed, 72 insertions, 92 deletions
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index a407c1273..ff75e0d7a 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -344,8 +344,6 @@ class BasePathNamespace(object):
 SLAPD_INSTANCE_SOCKET_TEMPLATE = "/var/run/slapd-%s.socket"
 ALL_SLAPD_INSTANCE_SOCKETS = "/var/run/slapd-*.socket"
 ADMIN_CERT_PATH = '/root/.dogtag/pki-tomcat/ca_admin.cert'
- KRA_NSSDB_PASSWORD_FILE = "/root/.dogtag/pki-tomcat/kra/password.conf"
- KRA_PKCS12_PASSWORD_FILE = "/root/.dogtag/pki-tomcat/kra/pkcs12_password.conf"
 ENTROPY_AVAIL = '/proc/sys/kernel/random/entropy_avail'
 LDIF2DB = '/usr/sbin/ldif2db'
 DB2LDIF = '/usr/sbin/db2ldif'
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 6f565dd14..85ce6cba5 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -466,7 +466,7 @@ class CAInstance(DogtagInstance):
 self.step("restarting certificate server", self.restart_instance)
 self.step("requesting RA certificate from CA", self.__request_ra_certificate)
 self.step("issuing RA agent certificate", self.__issue_ra_cert)
- self.step("adding RA agent as a trusted user", self.__configure_ra)
+ self.step("adding RA agent as a trusted user", self.__create_ca_agent)
 self.step("authorizing RA to modify profiles", self.__configure_profiles_acl)
 self.step("configure certmonger for renewals", self.configure_certmonger_renewal)
 self.step("configure certificate renewals", self.configure_renewal)
@@ -905,18 +905,26 @@ class CAInstance(DogtagInstance): self.configure_agent_renewal() - def __configure_ra(self): - # Create an RA user in the CA LDAP server and add that user to - # the appropriate groups so it can issue certificates without - # manual intervention. - conn = ipaldap.IPAdmin(self.fqdn, self.ds_port) - conn.do_simple_bind(DN(('cn', 'Directory Manager')), self.dm_password) + def __create_ca_agent(self): + """ + Create CA agent, assign a certificate, and add the user to + the appropriate groups for accessing CA services. + """ - decoded = base64.b64decode(self.ra_cert) + # get ipaCert certificate + cert_data = base64.b64decode(self.ra_cert) + cert = x509.load_certificate(cert_data, x509.DER) - entry_dn = DN(('uid', "ipara"), ('ou', 'People'), self.basedn) + # connect to CA database + server_id = installutils.realm_to_serverid(api.env.realm) + dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id + conn = ldap2.ldap2(api, ldap_uri=dogtag_uri) + conn.connect(autobind=True) + + # create ipara user with ipaCert certificate + user_dn = DN(('uid', "ipara"), ('ou', 'People'), self.basedn) entry = conn.make_entry( - entry_dn, + user_dn, objectClass=['top', 'person', 'organizationalPerson', 'inetOrgPerson', 'cmsuser'], uid=["ipara"], 
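Review bot: The LDAPI URI in `__create_ca_agent` spells the 389-ds socket path out by hand (`dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id`) even though the paths.py hunk of this same commit keeps `SLAPD_INSTANCE_SOCKET_TEMPLATE = "/var/run/slapd-%s.socket"` for exactly that path, and the identical literal is repeated in krainstance's `__create_kra_agent`. Building the URI from `paths.SLAPD_INSTANCE_SOCKET_TEMPLATE % server_id` with the path percent-encoded, or through one shared helper, keeps the two copies from drifting away from the platform definition. `conn.connect(autobind=True)` replaces the Directory Manager password bind of the removed `__configure_ra`, which presumably relies on LDAPI autobind being enabled for the installing user on the Dogtag instance; a one-line comment stating that precondition would help the next reader, e.g. `# ldapi + autobind: no DM password handled here; requires autobind enabled on this DS instance`. The method continues in the next hunk.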
@@ -924,23 +932,24 @@ class CAInstance(DogtagInstance): cn=["ipara"], usertype=["agentType"], userstate=["1"], - userCertificate=[decoded], + userCertificate=[cert_data], description=['2;%s;%s;%s' % ( - str(self.requestId), + cert.serial_number, DN(('CN', 'Certificate Authority'), self.subject_base), DN(('CN', 'IPA RA'), self.subject_base))]) - conn.add_entry(entry) - dn = DN(('cn', 'Certificate Manager Agents'), ('ou', 'groups'), self.basedn) - modlist = [(0, 'uniqueMember', '%s' % entry_dn)] - conn.modify_s(dn, modlist) + # add ipara user to Certificate Manager Agents group + group_dn = DN(('cn', 'Certificate Manager Agents'), ('ou', 'groups'), + self.basedn) + conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember') - dn = DN(('cn', 'Registration Manager Agents'), ('ou', 'groups'), self.basedn) - modlist = [(0, 'uniqueMember', '%s' % entry_dn)] - conn.modify_s(dn, modlist) + # add ipara user to Registration Manager Agents group + group_dn = DN(('cn', 'Registration Manager Agents'), ('ou', 'groups'), + self.basedn) + conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember') - conn.unbind() + conn.disconnect() def __configure_profiles_acl(self): """Allow the Certificate Manager Agents group to modify profiles.""" diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py index e5cdbf5e7..958fe6fb0 100644 --- a/ipaserver/install/krainstance.py +++ b/ipaserver/install/krainstance.py 
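Review bot: `conn.disconnect()` runs only on the success path; if `conn.add_entry(entry)` or either `conn.add_entry_to_group(...)` raises (for example when the `ipara` entry already exists on a re-run), the LDAPI connection is left open. Wrap the span from `conn.add_entry(entry)` through the second `add_entry_to_group` in `try:` … `finally: conn.disconnect()`; the same applies to `__create_kra_agent` in krainstance.py. The `description` attribute now carries `cert.serial_number` where the removed code passed `str(self.requestId)`, which is a behavioural change worth a comment on the `description=` line, such as `# Dogtag agent record: '2;<serial>;<issuer DN>;<subject DN>'` — the format is visible from the arguments, the reason for switching to the serial is not. `__create_ca_agent` starts in the previous hunk.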
@@ -25,17 +25,21 @@ import sys import tempfile from ipalib import api +from ipalib import x509 from ipaplatform import services from ipaplatform.paths import paths +from ipapython import certdb from ipapython import dogtag from ipapython import ipautil from ipapython.dn import DN from ipaserver.install import certs from ipaserver.install import cainstance +from ipaserver.install import installutils from ipaserver.install import ldapupdate from ipaserver.install import service from ipaserver.install.dogtaginstance import DogtagInstance from ipaserver.install.dogtaginstance import DEFAULT_DSPORT, PKI_USER +from ipaserver.plugins import ldap2 from ipapython.ipa_log_manager import log_mgr # When IPA is installed with DNS support, this CNAME should hold all IPA @@ -111,8 +115,8 @@ class KRAInstance(DogtagInstance): self.step("configuring KRA instance", self.__spawn_instance) if not self.clone: - self.step("add RA user to KRA agent group", - self.__add_ra_user_to_agent_group) + self.step("create KRA agent", + self.__create_kra_agent) self.step("restarting KRA", self.restart_instance) self.step("configure certmonger for renewals", self.configure_certmonger_renewal) 
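Review bot: `import tempfile`, kept as context at the top of this hunk, was what the removed `__add_ra_user_to_agent_group` used for `tempfile.mkstemp()`; if no other use remains in krainstance.py after this commit, it (and the matching `os` calls) is now a dead import and should be dropped from this block rather than left behind. The newly added `x509`, `certdb`, `installutils` and `ldap2` imports are all used by `__create_kra_agent` further down, so no issue there.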
@@ -267,77 +271,46 @@ class KRAInstance(DogtagInstance): self.log.debug("completed creating KRA instance") - def __add_ra_user_to_agent_group(self): + def __create_kra_agent(self): """ - Add RA agent created for CA to KRA agent group. + Create KRA agent, assign a certificate, and add the user to + the appropriate groups for accessing KRA services. """ - # import CA certificate into temporary security database - args = ["/usr/bin/pki", - "-d", self.agent_db, - "-C", paths.KRA_NSSDB_PASSWORD_FILE, - "client-cert-import", - "--pkcs12", paths.KRACERT_P12, - "--pkcs12-password-file", paths.KRA_PKCS12_PASSWORD_FILE] - ipautil.run(args) - - # trust CA certificate - args = ["/usr/bin/pki", - "-d", self.agent_db, - "-C", paths.KRA_NSSDB_PASSWORD_FILE, - "client-cert-mod", "Certificate Authority - %s" % api.env.realm, - "--trust", "CT,c,"] - ipautil.run(args) - - # import Dogtag admin certificate into temporary security database - args = ["/usr/bin/pki", - "-d", self.agent_db, - "-C", paths.KRA_NSSDB_PASSWORD_FILE, - "client-cert-import", - "--pkcs12", paths.DOGTAG_ADMIN_P12, - "--pkcs12-password-file", paths.KRA_PKCS12_PASSWORD_FILE] - ipautil.run(args) - - # as Dogtag admin, create ipakra user in KRA - args = ["/usr/bin/pki", - "-d", self.agent_db, - "-C", paths.KRA_NSSDB_PASSWORD_FILE, - "-n", "ipa-ca-agent", - "kra-user-add", "ipakra", - "--fullName", "IPA KRA User"] - ipautil.run(args) - - # as Dogtag admin, add ipakra into KRA agents group - args = ["/usr/bin/pki", - "-d", self.agent_db, - "-C", paths.KRA_NSSDB_PASSWORD_FILE, - "-n", "ipa-ca-agent", - "kra-user-membership-add", "ipakra", "Data Recovery Manager Agents"] - ipautil.run(args) - - # assign ipaCert to ipakra - (file, filename) = tempfile.mkstemp() - os.close(file) - try: - # export ipaCert without private key - args = ["/usr/bin/pki", - "-d", paths.HTTPD_ALIAS_DIR, - "-C", paths.ALIAS_PWDFILE_TXT, - "client-cert-show", "ipaCert", - "--cert", filename] - ipautil.run(args) - - # as Dogtag admin, upload and 
assign ipaCert to ipakra - args = ["/usr/bin/pki", - "-d", self.agent_db, - "-C", paths.KRA_NSSDB_PASSWORD_FILE, - "-n", "ipa-ca-agent", - "kra-user-cert-add", "ipakra", - "--input", filename] - ipautil.run(args) - - finally: - os.remove(filename) + # get ipaCert certificate + with certdb.NSSDatabase(paths.HTTPD_ALIAS_DIR) as ipa_nssdb: + cert_data = ipa_nssdb.get_cert("ipaCert") + cert = x509.load_certificate(cert_data, x509.DER) + + # connect to KRA database + server_id = installutils.realm_to_serverid(api.env.realm) + dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id + conn = ldap2.ldap2(api, ldap_uri=dogtag_uri) + conn.connect(autobind=True) + + # create ipakra user with ipaCert certificate + user_dn = DN(('uid', "ipakra"), ('ou', 'people'), self.basedn) + entry = conn.make_entry( + user_dn, + objectClass=['top', 'person', 'organizationalPerson', + 'inetOrgPerson', 'cmsuser'], + uid=["ipakra"], + sn=["IPA KRA User"], + cn=["IPA KRA User"], + usertype=["undefined"], + userCertificate=[cert_data], + description=['2;%s;%s;%s' % ( + cert.serial_number, + DN(('CN', 'Certificate Authority'), self.subject_base), + DN(('CN', 'IPA RA'), self.subject_base))]) + conn.add_entry(entry) + + # add ipakra user to Data Recovery Manager Agents group + group_dn = DN(('cn', 'Data Recovery Manager Agents'), ('ou', 'groups'), + self.basedn) + conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember') + + conn.disconnect() def __add_vault_container(self): sub_dict = { |
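Review bot: The `description` value for `ipakra` hard-codes the issuer and subject DNs (`DN(('CN', 'Certificate Authority'), self.subject_base)` and `DN(('CN', 'IPA RA'), self.subject_base)`) although the certificate has already been parsed into `cert` to obtain its serial; if `ipaCert` were ever issued with a different subject or by a differently named CA, the stored `2;<serial>;<issuer>;<subject>` triple would describe a certificate that does not exist and the agent mapping would silently fail. Taking issuer and subject from the parsed certificate, or at least checking that they match the literals before writing the entry, would keep the record self-consistent. Minor: the user RDN is written `('ou', 'people')` here but `('ou', 'People')` in cainstance's `__create_ca_agent`; LDAP should match these case-insensitively, but one spelling is easier to grep for. The enclosing method starts in the previous line of the diff, and the `try/finally` around `conn.disconnect()` noted on the cainstance hunk applies here too.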