31 files changed, 297 insertions, 820 deletions
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert index 8ad0473b5..5f8646860 100644 --- a/install/restart_scripts/renew_ca_cert +++ b/install/restart_scripts/renew_ca_cert @@ -27,7 +27,7 @@ import tempfile import shutil import traceback -from ipapython import dogtag, ipautil +from ipapython import ipautil from ipapython.dn import DN from ipalib import api, errors, x509, certstore from ipaserver.install import certs, cainstance, installutils @@ -42,20 +42,17 @@ def _main(): api.bootstrap(context='restart') api.finalize() - configured_constants = dogtag.configured_constants(api) - alias_dir = configured_constants.ALIAS_DIR - dogtag_service = services.knownservices[configured_constants.SERVICE_NAME] - dogtag_instance = configured_constants.PKI_INSTANCE_NAME + dogtag_service = services.knownservices['pki_tomcatd'] # dogtag opens its NSS database in read/write mode so we need it # shut down so certmonger can open it read/write mode. This avoids # database corruption. It should already be stopped by the pre-command # but lets be sure. - if dogtag_service.is_running(dogtag_instance): + if dogtag_service.is_running('pki-tomcat'): syslog.syslog( syslog.LOG_NOTICE, "Stopping %s" % dogtag_service.service_name) try: - dogtag_service.stop(dogtag_instance) + dogtag_service.stop('pki-tomcat') except Exception as e: syslog.syslog( syslog.LOG_ERR, @@ -65,7 +62,7 @@ def _main(): syslog.LOG_NOTICE, "Stopped %s" % dogtag_service.service_name) # Fetch the new certificate - db = certs.CertDB(api.env.realm, nssdir=alias_dir) + db = certs.CertDB(api.env.realm, nssdir=paths.PKI_TOMCAT_ALIAS_DIR) cert = db.get_cert_from_db(nickname, pem=False) if not cert: syslog.syslog(syslog.LOG_ERR, 'No certificate %s found.' % nickname) 
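Review bot: The instance name `'pki-tomcat'` is now spelled out as a literal at each call site in _main() (`is_running('pki-tomcat')`, `stop('pki-tomcat')`, and `start('pki-tomcat')` in the later hunk), where the old code bound it once next to the service lookup. Binding it once, `dogtag_instance = 'pki-tomcat'` right after `dogtag_service = services.knownservices['pki_tomcatd']`, keeps the service key and the instance name together and makes a future rename a one-line change. The same pattern repeats in stop_pkicad's main() and in ca.py's install_step_1 (`ca.stop('pki-tomcat')` / `ca.start('pki-tomcat')`). _main() continues outside this hunk.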
@@ -79,7 +76,7 @@ def _main(): os.environ['KRB5CCNAME'] = ccache_filename ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False) - ca.update_cert_config(nickname, cert, configured_constants) + ca.update_cert_config(nickname, cert) if ca.is_renewal_master(): cainstance.update_people_entry(cert) @@ -100,7 +97,7 @@ def _main(): (nickname, db.secdir)) elif nickname == 'caSigningCert cert-pki-ca': # Update CS.cfg - cfg_path = configured_constants.CS_CFG_PATH + cfg_path = paths.CA_CS_CFG_PATH config = installutils.get_directive( cfg_path, 'subsystem.select', '=') if config == 'New': @@ -203,7 +200,7 @@ def _main(): syslog.LOG_NOTICE, 'Starting %s' % dogtag_service.service_name) try: - dogtag_service.start(dogtag_instance) + dogtag_service.start('pki-tomcat') except Exception as e: syslog.syslog( syslog.LOG_ERR, diff --git a/install/restart_scripts/stop_pkicad b/install/restart_scripts/stop_pkicad index 7a238706d..22d492012 100644 --- a/install/restart_scripts/stop_pkicad +++ b/install/restart_scripts/stop_pkicad @@ -22,7 +22,6 @@ import sys import syslog import traceback -from ipapython import dogtag from ipalib import api from ipaplatform import services from ipaserver.install import certs @@ -32,15 +31,13 @@ def main(): api.bootstrap(context='restart') api.finalize() - configured_constants = dogtag.configured_constants(api) - dogtag_service = services.knownservices[configured_constants.SERVICE_NAME] - dogtag_instance = configured_constants.PKI_INSTANCE_NAME + dogtag_service = services.knownservices['pki_tomcatd'] certs.renewal_lock.acquire('renew_ca_cert') syslog.syslog(syslog.LOG_NOTICE, "Stopping %s" % dogtag_service.service_name) try: - dogtag_service.stop(dogtag_instance) + dogtag_service.stop('pki-tomcat') except Exception as e: syslog.syslog( syslog.LOG_ERR, "Cannot stop %s: %s" % (dogtag_service.service_name, e)) diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 4c778d950..fafd5d091 100755 --- a/install/tools/ipa-ca-install 
+++ b/install/tools/ipa-ca-install @@ -30,7 +30,6 @@ from ipaserver.install.installutils import create_replica_config from ipaserver.install.installutils import check_creds, ReplicaConfig from ipaserver.install import dsinstance, ca from ipaserver.install import cainstance, custodiainstance, service -from ipapython import dogtag from ipapython import version from ipalib import api from ipalib.constants import DOMAIN_LEVEL_0 @@ -144,7 +143,7 @@ def install_replica(safe_options, options, filename): config.host_name = api.env.host config.domain_name = api.env.domain config.dirman_password = dirman_password - config.ca_ds_port = dogtag.install_constants.DS_PORT + config.ca_ds_port = 389 config.top_dir = tempfile.mkdtemp("ipa") config.dir = config.top_dir else: @@ -184,7 +183,6 @@ def install_replica(safe_options, options, filename): custodia.get_ca_keys(config.ca_host_name, ca_data[0], ca_data[1]) CA = cainstance.CAInstance(config.realm_name, certs.NSS_DIR, - dogtag_constants=dogtag.install_constants, host_name=config.host_name, dm_password=config.dirman_password) CA.configure_replica(config.ca_host_name, diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck index e4c259b7e..a67837c54 100755 --- a/install/tools/ipa-replica-conncheck +++ b/install/tools/ipa-replica-conncheck @@ -23,7 +23,6 @@ from __future__ import print_function from ipapython.config import IPAOptionParser from ipapython import version from ipapython import ipautil -from ipapython import dogtag from ipapython.ipautil import CalledProcessError from ipaserver.install import installutils import ipaclient.ipachangeconf 
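Review bot: `config.ca_ds_port = 389` replaces a named constant with a magic number, and the same literal appears again in cainstance.py as `pki_ds_ldap_port "389"` and `pki_clone_replication_clone_port "389"`. The commit also drops `DEFAULT_DSPORT` from cainstance's import of dogtaginstance; if that constant still exists there, reusing it (or a single module-level `DS_PORT = 389`) keeps the directory server port in one place and makes the three sites obviously the same value. As written, a reader has to know that the replica's CA DS port, the spawn-time LDAP port and the clone replication port are intentionally identical. install_replica() continues outside this hunk.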
@@ -325,8 +324,8 @@ def main(): if options.check_ca: # Check old Dogtag CA replication port # New installs with unified databases use main DS port (checked above) - required_ports.append(CheckedPort(dogtag.Dogtag9Constants.DS_PORT, - SOCK_STREAM, "PKI-CA: Directory Service port")) + required_ports.append(CheckedPort(7389, SOCK_STREAM, + "PKI-CA: Directory Service port")) if options.replica: print_info("Check connection from master to remote replica '%s':" % options.replica) diff --git a/ipa-client/ipaclient/ipa_certupdate.py b/ipa-client/ipaclient/ipa_certupdate.py index dcd9a1fb2..9d14f6a00 100644 --- a/ipa-client/ipaclient/ipa_certupdate.py +++ b/ipa-client/ipaclient/ipa_certupdate.py @@ -23,8 +23,8 @@ import shutil from six.moves.urllib.parse import urlsplit -from ipapython import (admintool, ipautil, ipaldap, sysrestore, dogtag, - certmonger, certdb) +from ipapython import (admintool, ipautil, ipaldap, sysrestore, certmonger, + certdb) from ipaplatform import services from ipaplatform.paths import paths from ipaplatform.tasks import tasks @@ -134,10 +134,9 @@ class CertUpdate(admintool.AdminTool): if services.knownservices.httpd.is_running(): services.knownservices.httpd.restart() - dogtag_constants = dogtag.configured_constants() nickname = 'caSigningCert cert-pki-ca' criteria = { - 'cert-database': dogtag_constants.ALIAS_DIR, + 'cert-database': paths.PKI_TOMCAT_ALIAS_DIR, 'cert-nickname': nickname, 'ca-name': 'dogtag-ipa-ca-renew-agent', } diff --git a/ipa-client/man/default.conf.5 b/ipa-client/man/default.conf.5 index c7790c823..35ce6bb9f 100644 --- a/ipa-client/man/default.conf.5 +++ b/ipa-client/man/default.conf.5 
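Review bot: The `options.check_ca` branch keeps probing 7389, while the rest of the commit removes Dogtag 9 support, including the `'PKI-IPA': [7389]` entry in ipaplatform/base/services.py's wellknownports. If the probe is kept on purpose for masters that were upgraded from Dogtag 9 and still replicate the CA through the PKI-IPA instance, the comment should say so, e.g. `# Masters upgraded from Dogtag 9 may still replicate the CA over the PKI-IPA DS instance on 7389`; otherwise the check is dead and a failed connection to 7389 will misreport a healthy Dogtag 10 topology. main() continues outside this hunk.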
@@ -66,16 +66,16 @@ The following options are relevant for the server: Specifies the base DN to use when performing LDAP operations. The base must be in DN format (dc=example,dc=com). .TP .B ca_agent_port <port> -Specifies the secure CA agent port. The default is 9443 for Dogtag 9, and 8443 for Dogtag 10. +Specifies the secure CA agent port. The default is 8443. .TP .B ca_ee_port <port> -Specifies the secure CA end user port. The default is 9444 for Dogtag 9, and 8443 for Dogtag 10. +Specifies the secure CA end user port. The default is 8443. .TP .B ca_host <hostname> Specifies the hostname of the dogtag CA server. The default is the hostname of the IPA server. .TP .B ca_port <port> -Specifies the insecure CA end user port. The default is 9180 for Dogtag 9, and 8080 for Dogtag 10. +Specifies the insecure CA end user port. The default is 8080. .TP .B context <context> Specifies the context that IPA is being executed in. IPA may operate differently depending on the context. The current defined contexts are cli and server. Additionally this value is used to load /etc/ipa/\fBcontext\fR.conf to provide context\-specific configuration. For example, if you want to always perform client requests in verbose mode but do not want to have verbose enabled on the server, add the verbose option to \fI/etc/ipa/cli.conf\fR. diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index 6686bf07e..9ee488f9f 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -27,8 +27,6 @@ class BasePathNamespace(object): BIN_FALSE = "/bin/false" BIN_HOSTNAME = "/bin/hostname" LS = "/bin/ls" - PKICREATE = "/bin/pkicreate" - PKISILENT = "/bin/pkisilent" SH = "/bin/sh" SYSTEMCTL = "/bin/systemctl" TAR = "/bin/tar" 
@@ -39,7 +37,6 @@ class BasePathNamespace(object): ETC_DIRSRV = "/etc/dirsrv" DS_KEYTAB = "/etc/dirsrv/ds.keytab" ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE = "/etc/dirsrv/slapd-%s" - ETC_SLAPD_PKI_IPA_DIR = "/etc/dirsrv/slapd-PKI-IPA" ETC_FEDORA_RELEASE = "/etc/fedora-release" GROUP = "/etc/group" ETC_HOSTNAME = "/etc/hostname" @@ -94,12 +91,11 @@ class BasePathNamespace(object): OPENLDAP_LDAP_CONF = "/etc/openldap/ldap.conf" PAM_LDAP_CONF = "/etc/pam_ldap.conf" PASSWD = "/etc/passwd" - ETC_PKI_CA_DIR = "/etc/pki-ca" SYSTEMWIDE_IPA_CA_CRT = "/etc/pki/ca-trust/source/anchors/ipa-ca.crt" IPA_P11_KIT = "/etc/pki/ca-trust/source/ipa.p11-kit" NSS_DB_DIR = "/etc/pki/nssdb" PKI_TOMCAT = "/etc/pki/pki-tomcat" - PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/" + PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias" PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf" ETC_REDHAT_RELEASE = "/etc/redhat-release" RESOLV_CONF = "/etc/resolv.conf" @@ -116,7 +112,6 @@ class BasePathNamespace(object): SYSCONFIG_AUTOFS = "/etc/sysconfig/autofs" SYSCONFIG_DIRSRV = "/etc/sysconfig/dirsrv" SYSCONFIG_DIRSRV_INSTANCE = "/etc/sysconfig/dirsrv-%s" - SYSCONFIG_DIRSRV_PKI_IPA_DIR = "/etc/sysconfig/dirsrv-PKI-IPA" SYSCONFIG_DIRSRV_SYSTEMD = "/etc/sysconfig/dirsrv.systemd" SYSCONFIG_IPA_DNSKEYSYNCD = "/etc/sysconfig/ipa-dnskeysyncd" SYSCONFIG_IPA_ODS_EXPORTER = "/etc/sysconfig/ipa-ods-exporter" @@ -129,9 +124,7 @@ class BasePathNamespace(object): SYSCONFIG_NTPD = "/etc/sysconfig/ntpd" SYSCONFIG_ODS = "/etc/sysconfig/ods" SYSCONFIG_PKI = "/etc/sysconfig/pki" - SYSCONFIG_PKI_CA_DIR = "/etc/sysconfig/pki-ca" SYSCONFIG_PKI_TOMCAT = "/etc/sysconfig/pki-tomcat" - SYSCONFIG_PKI_CA_PKI_CA_DIR = "/etc/sysconfig/pki/ca/pki-ca" SYSCONFIG_PKI_TOMCAT_PKI_TOMCAT_DIR = "/etc/sysconfig/pki/tomcat/pki-tomcat" ETC_SYSTEMD_SYSTEM_DIR = "/etc/systemd/system/" SYSTEMD_CERTMONGER_SERVICE = "/etc/systemd/system/multi-user.target.wants/certmonger.service" 
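Review bot: `PKI_TOMCAT_ALIAS_DIR` loses its trailing slash, which changes the value of a shared constant for every consumer, not only the ones this commit touches; any caller that builds a path by concatenation (`paths.PKI_TOMCAT_ALIAS_DIR + name`) would now yield `/etc/pki/pki-tomcat/aliasname`. The form without the slash is the right one, since ipa_certupdate.py passes it as certmonger's `cert-database` criterion and the old Dogtag10Constants had to `.rstrip('/')` it for that reason, but the intent is worth recording next to the definition: `# no trailing slash: must match the cert-database path certmonger records`. Callers elsewhere in the tree should be checked for concatenation before this lands.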
@@ -146,7 +139,6 @@ class BasePathNamespace(object): KRA_AGENT_PEM = "/etc/httpd/alias/kra-agent.pem" CACERT_P12 = "/root/cacert.p12" ROOT_IPA_CSR = "/root/ipa.csr" - ROOT_TMP_CA_P12 = "/root/tmp-ca.p12" NAMED_PID = "/run/named/named.pid" IP = "/sbin/ip" NOLOGIN = "/sbin/nologin" @@ -178,12 +170,7 @@ class BasePathNamespace(object): ODS_KSMUTIL = "/usr/bin/ods-ksmutil" ODS_SIGNER = "/usr/sbin/ods-signer" OPENSSL = "/usr/bin/openssl" - PERL = "/usr/bin/perl" PK12UTIL = "/usr/bin/pk12util" - PKI_SETUP_PROXY = "/usr/bin/pki-setup-proxy" - PKICREATE = "/usr/bin/pkicreate" - PKIREMOVE = "/usr/bin/pkiremove" - PKISILENT = "/usr/bin/pkisilent" SETPASSWD = "/usr/bin/setpasswd" SIGNTOOL = "/usr/bin/signtool" SOFTHSM2_UTIL = "/usr/bin/softhsm2-util" @@ -198,13 +185,11 @@ class BasePathNamespace(object): BIND_LDAP_DNS_IPA_WORKDIR = "/var/named/dyndb-ldap/ipa/" BIND_LDAP_DNS_ZONE_WORKDIR = "/var/named/dyndb-ldap/ipa/master/" USR_LIB_DIRSRV = "/usr/lib/dirsrv" - USR_LIB_SLAPD_PKI_IPA_DIR = "/usr/lib/dirsrv/slapd-PKI-IPA" LIB_FIREFOX = "/usr/lib/firefox" LIBSOFTHSM2_SO = "/usr/lib/pkcs11/libsofthsm2.so" LIB_SYSTEMD_SYSTEMD_DIR = "/usr/lib/systemd/system/" BIND_LDAP_SO_64 = "/usr/lib64/bind/ldap.so" USR_LIB_DIRSRV_64 = "/usr/lib64/dirsrv" - SLAPD_PKI_IPA = "/usr/lib64/dirsrv/slapd-PKI-IPA" LIB64_FIREFOX = "/usr/lib64/firefox" LIBSOFTHSM2_SO_64 = "/usr/lib64/pkcs11/libsofthsm2.so" DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT = "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit" @@ -271,7 +256,6 @@ class BasePathNamespace(object): SLAPD_INSTANCE_BACKUP_DIR_TEMPLATE = "/var/lib/dirsrv/slapd-%s/bak/%s" SLAPD_INSTANCE_DB_DIR_TEMPLATE = "/var/lib/dirsrv/slapd-%s/db/%s" SLAPD_INSTANCE_LDIF_DIR_TEMPLATE = "/var/lib/dirsrv/slapd-%s/ldif" - VAR_LIB_SLAPD_PKI_IPA_DIR_TEMPLATE = "/var/lib/dirsrv/slapd-PKI-IPA" VAR_LIB_IPA = "/var/lib/ipa" IPA_CLIENT_SYSRESTORE = "/var/lib/ipa-client/sysrestore" SYSRESTORE_INDEX = "/var/lib/ipa-client/sysrestore/sysrestore.index" 
@@ -288,11 +272,16 @@ class BasePathNamespace(object): STATEFILE_DIR = "/var/lib/ipa/sysupgrade" VAR_LIB_KDCPROXY = "/var/lib/kdcproxy" VAR_LIB_PKI_DIR = "/var/lib/pki" - VAR_LIB_PKI_CA_DIR = "/var/lib/pki-ca" - PKI_ALIAS_CA_P12 = "/var/lib/pki-ca/alias/ca.p12" + VAR_LIB_PKI_CA_ALIAS_DIR = "/var/lib/pki-ca/alias" VAR_LIB_PKI_TOMCAT_DIR = "/var/lib/pki/pki-tomcat" CA_BACKUP_KEYS_P12 = "/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12" KRA_BACKUP_KEYS_P12 = "/var/lib/pki/pki-tomcat/alias/kra_backup_keys.p12" + CA_CS_CFG_PATH = "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" + CAJARSIGNINGCERT_CFG = ( + "/var/lib/pki/pki-tomcat/ca/profiles/ca/caJarSigningCert.cfg") + CASIGNEDLOGCERT_CFG = ( + "/var/lib/pki/pki-tomcat/ca/profiles/ca/caSignedLogCert.cfg") + KRA_CS_CFG_PATH = "/var/lib/pki/pki-tomcat/conf/kra/CS.cfg" KRACERT_P12 = "/root/kracert.p12" SAMBA_DIR = "/var/lib/samba/" SSSD_DB = "/var/lib/sss/db" @@ -304,7 +293,6 @@ class BasePathNamespace(object): VAR_LOG_DIRSRV_INSTANCE_TEMPLATE = "/var/log/dirsrv/slapd-%s" SLAPD_INSTANCE_ACCESS_LOG_TEMPLATE = "/var/log/dirsrv/slapd-%s/access" SLAPD_INSTANCE_ERROR_LOG_TEMPLATE = "/var/log/dirsrv/slapd-%s/errors" - VAR_LOG_SLAPD_PKI_IPA_DIR = "/var/log/dirsrv/slapd-PKI-IPA" VAR_LOG_HTTPD_DIR = "/var/log/httpd" IPABACKUP_LOG = "/var/log/ipabackup.log" IPACLIENT_INSTALL_LOG = "/var/log/ipaclient-install.log" @@ -321,9 +309,6 @@ class BasePathNamespace(object): IPAUPGRADE_LOG = "/var/log/ipaupgrade.log" KADMIND_LOG = "/var/log/kadmind.log" MESSAGES = "/var/log/messages" - PKI_CA_LOG_DIR = "/var/log/pki-ca" - PKI_CA_INSTALL_LOG = "/var/log/pki-ca-install.log" - PKI_CA_UNINSTALL_LOG = "/var/log/pki-ca-uninstall.log" VAR_LOG_PKI_DIR = "/var/log/pki/" TOMCAT_TOPLEVEL_DIR = "/var/log/pki/pki-tomcat" TOMCAT_CA_DIR = "/var/log/pki/pki-tomcat/ca" diff --git a/ipaplatform/base/services.py b/ipaplatform/base/services.py index 6dcb26bb9..da2f1011e 100644 --- a/ipaplatform/base/services.py +++ b/ipaplatform/base/services.py 
@@ -41,16 +41,13 @@ from ipaplatform.paths import paths wellknownservices = ['certmonger', 'dirsrv', 'httpd', 'ipa', 'krb5kdc', 'messagebus', 'nslcd', 'nscd', 'ntpd', 'portmap', 'rpcbind', 'kadmin', 'sshd', 'autofs', 'rpcgssd', - 'rpcidmapd', 'pki_tomcatd', 'pki_cad', 'chronyd', - 'domainname', 'named', 'ods_enforcerd', 'ods_signerd'] + 'rpcidmapd', 'pki_tomcatd', 'chronyd', 'domainname', + 'named', 'ods_enforcerd', 'ods_signerd'] # The common ports for these services. This is used to wait for the # service to become available. wellknownports = { - 'dirsrv@PKI-IPA.service': [7389], - 'PKI-IPA': [7389], 'dirsrv': [389], # only used if the incoming instance name is blank - 'pki-cad': [9180, 9443, 9444], 'pki-tomcatd@pki-tomcat.service': [8080, 8443], 'pki-tomcat': [8080, 8443], 'pki-tomcatd': [8080, 8443], # used if the incoming instance name is blank diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py index 757908f95..0902215a5 100644 --- a/ipaplatform/redhat/services.py +++ b/ipaplatform/redhat/services.py @@ -58,11 +58,6 @@ redhat_system_units['rpcidmapd'] = 'nfs-idmap.service' # code). redhat_system_units['dirsrv'] = 'dirsrv@.service' -# Our directory server instance for PKI is dirsrv@PKI-IPA.service -redhat_system_units['pkids'] = 'dirsrv@PKI-IPA.service' -# Old style PKI instance -redhat_system_units['pki-cad'] = 'pki-cad@pki-ca.service' -redhat_system_units['pki_cad'] = redhat_system_units['pki-cad'] # Our PKI instance is pki-tomcatd@pki-tomcat.service redhat_system_units['pki-tomcatd'] = 'pki-tomcatd@pki-tomcat.service' redhat_system_units['pki_tomcatd'] = redhat_system_units['pki-tomcatd'] @@ -284,7 +279,7 @@ def redhat_service_class_factory(name): return RedHatIPAService(name) if name == 'sshd': return RedHatSSHService(name) - if name in ('pki-cad', 'pki_cad', 'pki-tomcatd', 'pki_tomcatd'): + if name in ('pki-tomcatd', 'pki_tomcatd'): return RedHatCAService(name) if name == 'named': return RedHatNamedService(name) 
diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py index 6ebec205a..2a4e43d3c 100644 --- a/ipapython/certmonger.py +++ b/ipapython/certmonger.py @@ -32,7 +32,6 @@ import shlex import subprocess import tempfile from ipapython import ipautil -from ipapython import dogtag from ipapython.ipa_log_manager import * from ipaplatform.paths import paths from ipaplatform import services @@ -444,15 +443,13 @@ def remove_principal_from_cas(): ca.prop_if.Set(DBUS_CM_CA_IF, 'external-helper', ext_helper) -def get_pin(token, dogtag_constants=None): +def get_pin(token): """ Dogtag stores its NSS pin in a file formatted as token:PIN. The caller is expected to handle any exceptions raised. """ - if dogtag_constants is None: - dogtag_constants = dogtag.configured_constants() - with open(dogtag_constants.PASSWORD_CONF_PATH, 'r') as f: + with open(paths.PKI_TOMCAT_PASSWORD_CONF, 'r') as f: for line in f: (tok, pin) = line.split('=', 1) if token == tok: diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 0436d5f46..9c8779ead 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py @@ -18,19 +18,16 @@ # import collections -import os import xml.dom.minidom import nss.nss as nss import six -from six.moves import configparser from six.moves.urllib.parse import urlencode from ipalib import api, errors from ipalib.errors import NetworkError from ipalib.text import _ from ipapython import nsslib, ipautil -from ipaplatform.paths import paths from ipapython.ipa_log_manager import * # Python 3 rename. The package is available in "six.moves.http_client", but 
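Review bot: get_pin's docstring still says the file is "formatted as token:PIN", but the parser splits on `=` (`line.split('=', 1)`), so the documented format does not match the code that reads `paths.PKI_TOMCAT_PASSWORD_CONF`. With the Dogtag 9 constants gone there is a single format to describe; change the docstring to `Dogtag stores its NSS pin in password.conf, one "token=PIN" entry per line.` and keep the sentence about the caller handling exceptions, since a line without `=` raises ValueError on the unpack. Dropping the `dogtag_constants` parameter is an interface change; callers are presumably updated in the rest of the 31-file change. get_pin's body continues outside this hunk.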
@@ -43,16 +40,6 @@ except ImportError: if six.PY3: unicode = str -# IPA can use either Dogtag version 9 or 10. -# -# Install tools should use the constants from install_constants, so that they -# install with version 10 if it is available, and with 9 if not. -# After IPA installation, the Dogtag version used is stored in the -# "dogtag_version" config option. (If that is missing, version 9 is assumed.) -# The configured_constants() function below provides constants relevant to -# the configured version. - - Profile = collections.namedtuple('Profile', ['profile_id', 'description', 'store_issued']) INCLUDED_PROFILES = { 
@@ -62,113 +49,6 @@ INCLUDED_PROFILES = { DEFAULT_PROFILE = u'caIPAserviceCert' -class Dogtag10Constants(object): - DOGTAG_VERSION = 10 - UNSECURE_PORT = 8080 - AGENT_SECURE_PORT = 8443 - EE_SECURE_PORT = 8443 - AJP_PORT = 8009 - DS_PORT = 389 - DS_SECURE_PORT = 636 - - SPAWN_BINARY = paths.PKISPAWN - DESTROY_BINARY = paths.PKIDESTROY - - SERVER_ROOT = paths.VAR_LIB_PKI_DIR - PKI_INSTALL_LOG = paths.PKI_CA_INSTALL_LOG - PKI_INSTANCE_NAME = 'pki-tomcat' - PKI_LOG_TOP_LEVEL = os.path.join(paths.VAR_LOG_PKI_DIR, PKI_INSTANCE_NAME) - PKI_ROOT = '%s/%s' % (SERVER_ROOT, PKI_INSTANCE_NAME) - CRL_PUBLISH_PATH = paths.PKI_CA_PUBLISH_DIR - CS_CFG_PATH = '%s/conf/ca/CS.cfg' % PKI_ROOT - PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT - SERVICE_PROFILE_DIR = '%s/ca/profiles/ca' % PKI_ROOT - ALIAS_DIR = paths.PKI_TOMCAT_ALIAS_DIR.rstrip('/') - SYSCONFIG_FILE_PATH = '%s/%s' % (paths.ETC_SYSCONFIG_DIR, PKI_INSTANCE_NAME) - KRA_CS_CFG_PATH = '%s/conf/kra/CS.cfg' % PKI_ROOT - - SERVICE_NAME = 'pki_tomcatd' - - RACERT_LINE_SEP = '\n' - - SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR - SHARED_DB = True - DS_USER = "dirsrv" - DS_NAME = "dirsrv" - - -class Dogtag9Constants(object): - DOGTAG_VERSION = 9 - UNSECURE_PORT = 9180 - AGENT_SECURE_PORT = 9443 - EE_SECURE_PORT = 9444 - AJP_PORT = 9447 - DS_PORT = 7389 - DS_SECURE_PORT = 7636 - - SPAWN_BINARY = paths.PKICREATE - DESTROY_BINARY = paths.PKISILENT - - SERVER_ROOT = paths.VAR_LIB - PKI_INSTALL_LOG = paths.PKI_CA_INSTALL_LOG - PKI_INSTANCE_NAME = 'pki-ca' - PKI_LOG_TOP_LEVEL = paths.PKI_CA_LOG_DIR - PKI_ROOT = '%s/%s' % (SERVER_ROOT, PKI_INSTANCE_NAME) - CRL_PUBLISH_PATH = paths.PKI_CA_PUBLISH_DIR - CS_CFG_PATH = '%s/conf/CS.cfg' % PKI_ROOT - PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT - SERVICE_PROFILE_DIR = '%s/profiles/ca' % PKI_ROOT - ALIAS_DIR = '%s/alias' % PKI_ROOT - SYSCONFIG_FILE_PATH = '%s/%s' % (paths.ETC_SYSCONFIG_DIR, PKI_INSTANCE_NAME) - - SERVICE_NAME = 'pki-cad' - - RACERT_LINE_SEP 
= '\r\n' - - ADMIN_SECURE_PORT = 9445 - EE_CLIENT_AUTH_PORT = 9446 - TOMCAT_SERVER_PORT = 9701 - - SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR - SHARED_DB = False - DS_USER = "pkisrv" - DS_NAME = "PKI-IPA" - -if os.path.exists(paths.PKISPAWN): - install_constants = Dogtag10Constants -else: - install_constants = Dogtag9Constants - - -def _get_configured_version(api): - """Get the version of Dogtag IPA is configured to use - - If an API is given, use information in its environment. - Otherwise, use information from the global config file. - """ - if api: - return int(api.env.dogtag_version) - else: - p = configparser.SafeConfigParser() - p.read(paths.IPA_DEFAULT_CONF) - try: - version = p.get('global', 'dogtag_version') - except (configparser.NoOptionError, configparser.NoSectionError): - return 9 - else: - return int(version) - - -def configured_constants(api=None): - """Get the name of the Dogtag CA instance - - See get_configured_version - """ - if _get_configured_version(api) >= 10: - return Dogtag10Constants - else: - return Dogtag9Constants - def error_from_xml(doc, message_template): try: @@ -179,18 +59,16 @@ def error_from_xml(doc, message_template): return errors.RemoteRetrieveError(reason=message_template % e) -def get_ca_certchain(ca_host=None, dogtag_constants=None): +def get_ca_certchain(ca_host=None): """ Retrieve the CA Certificate chain from the configured Dogtag server. """ if ca_host is None: ca_host = api.env.ca_host - if dogtag_constants is None: - dogtag_constants = configured_constants() chain = None conn = httplib.HTTPConnection( ca_host, - api.env.ca_install_port or dogtag_constants.UNSECURE_PORT) + api.env.ca_install_port or 8080) conn.request("GET", "/ca/ee/ca/getCertChain") res = conn.getresponse() doc = None diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py index 51871f2dc..fcead1891 100644 --- a/ipaserver/install/ca.py +++ b/ipaserver/install/ca.py 
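Review bot: `api.env.ca_install_port or 8080` hard-codes the fallback that used to be the named `UNSECURE_PORT`, and nothing at the call site now says what kind of port it is. Since the request goes through `httplib.HTTPConnection`, the chain is fetched over cleartext HTTP with no transport authentication; a short comment, `# Dogtag's unauthenticated HTTP port; the returned chain is bootstrap material and must be verified by the caller`, or a module-level `CA_UNSECURE_PORT = 8080`, would keep that visible now that the constants class is gone. Whether callers actually verify the chain is not visible here; get_ca_certchain continues outside this hunk.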
@@ -10,7 +10,7 @@ import os.path from six.moves.configparser import RawConfigParser from ipaserver.install import cainstance, dsinstance, bindinstance -from ipapython import dogtag, ipautil, certdb +from ipapython import ipautil, certdb from ipaplatform import services from ipaplatform.paths import paths from ipaserver.install import installutils, certs @@ -126,8 +126,6 @@ def install_step_0(standalone, replica_config, options): host_name = options.host_name subject_base = options.subject - dogtag_constants = dogtag.install_constants - if replica_config is not None: # Configure the CA if necessary if standalone: @@ -154,8 +152,7 @@ def install_step_0(standalone, replica_config, options): else: external = 0 - ca = cainstance.CAInstance(realm_name, certs.NSS_DIR, - dogtag_constants=dogtag_constants) + ca = cainstance.CAInstance(realm_name, certs.NSS_DIR) if standalone: ca.create_ra_agent_db = False if external == 0: @@ -185,19 +182,16 @@ def install_step_1(standalone, replica_config, options): basedn = ipautil.realm_to_suffix(realm_name) - dogtag_constants = dogtag.install_constants - - ca = cainstance.CAInstance(realm_name, certs.NSS_DIR, - dogtag_constants=dogtag_constants) + ca = cainstance.CAInstance(realm_name, certs.NSS_DIR) if standalone: - ca.stop(ca.dogtag_constants.PKI_INSTANCE_NAME) + ca.stop('pki-tomcat') # We need to ldap_enable the CA now that DS is up and running ca.ldap_enable('CA', host_name, dm_password, basedn, ['caRenewalMaster']) # This is done within stopped_service context, which restarts CA - ca.enable_client_auth_to_db(dogtag_constants.CS_CFG_PATH) + ca.enable_client_auth_to_db(paths.CA_CS_CFG_PATH) if standalone and replica_config is None: serverid = installutils.realm_to_serverid(realm_name) 
@@ -231,7 +225,7 @@ def install_step_1(standalone, replica_config, options): bind_pw=dm_password) # Store DS CA cert in Dogtag NSS database - dogtagdb = certs.CertDB(realm_name, nssdir=dogtag_constants.ALIAS_DIR) + dogtagdb = certs.CertDB(realm_name, nssdir=paths.PKI_TOMCAT_ALIAS_DIR) trust_flags = dict(reversed(dsdb.list_certs())) server_certs = dsdb.find_server_certs() trust_chain = dsdb.find_root_cert(server_certs[0][0])[:-1] @@ -240,7 +234,7 @@ def install_step_1(standalone, replica_config, options): dogtagdb.add_cert(cert, nickname, trust_flags[nickname]) if standalone: - ca.start(ca.dogtag_constants.PKI_INSTANCE_NAME) + ca.start('pki-tomcat') # Update config file try: @@ -248,8 +242,7 @@ def install_step_1(standalone, replica_config, options): parser.read(paths.IPA_DEFAULT_CONF) parser.set('global', 'enable_ra', 'True') parser.set('global', 'ra_plugin', 'dogtag') - parser.set('global', 'dogtag_version', - str(dogtag_constants.DOGTAG_VERSION)) + parser.set('global', 'dogtag_version', '10') with open(paths.IPA_DEFAULT_CONF, 'w') as f: parser.write(f) except IOError as e: @@ -266,15 +259,9 @@ def install_step_1(standalone, replica_config, options): bind.add_ipa_ca_dns_records(host_name, domain_name) -def uninstall(dogtag_constants): - if not dogtag_constants.SHARED_DB: - cads_instance = cainstance.CADSInstance( - dogtag_constants=dogtag_constants) - if cads_instance.is_configured(): - cads_instance.uninstall() - +def uninstall(): ca_instance = cainstance.CAInstance( - api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants) + api.env.realm, certs.NSS_DIR) ca_instance.stop_tracking_certificates() if ca_instance.is_configured(): ca_instance.uninstall() diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 8a8ae2fc5..3632a3931 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py 
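Review bot: uninstall() no longer removes the CA directory server instance: the `CADSInstance` branch is gone, and the class itself is deleted in cainstance.py (its docstring said it existed only so that installations upgraded from Dogtag 9 could be uninstalled). On a master that was upgraded rather than freshly installed, `ipa-server-install --uninstall` would presumably now leave the dirsrv@PKI-IPA instance, its NSS database and the certmonger tracking for its Server-Cert in place, unless the upgrade path already removes them. If that is the intended trade-off, a docstring on uninstall() should state the assumption, e.g. `Assumes the Dogtag 9 PKI-IPA DS instance has already been removed by the upgrade.`; otherwise the removal of the old instance needs a home.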
@@ -68,7 +68,7 @@ from ipaserver.install import ldapupdate from ipaserver.install import replication from ipaserver.install import service from ipaserver.install.dogtaginstance import ( - DEFAULT_DSPORT, PKI_USER, export_kra_agent_pem, DogtagInstance) + PKI_USER, export_kra_agent_pem, DogtagInstance) from ipaserver.plugins import ldap2 # Python 3 rename. The package is available in "six.moves.http_client", but @@ -248,7 +248,7 @@ def get_crl_files(path=None): @param path Custom target directory """ if path is None: - path = dogtag.configured_constants().CRL_PUBLISH_PATH + path = paths.PKI_CA_PUBLISH_DIR files = os.listdir(path) for f in files: @@ -261,7 +261,7 @@ def get_crl_files(path=None): def is_step_one_done(): """Read CS.cfg and determine if step one of an external CA install is done """ - path = dogtag.install_constants.CS_CFG_PATH + path = paths.CA_CS_CFG_PATH if not os.path.exists(path): return False test = installutils.get_directive(path, 'preop.ca.type', '=') @@ -274,8 +274,7 @@ def is_ca_installed_locally(): """Check if CA is installed locally by checking for existence of CS.cfg :return:True/False """ - path = dogtag.install_constants.CS_CFG_PATH - return os.path.exists(path) + return os.path.exists(paths.CA_CS_CFG_PATH) def create_ca_user(): 
@@ -288,63 +287,6 @@ def create_ca_user(): ) -class CADSInstance(service.Service): - """Certificate Authority DS instance - - The CA DS was used with Dogtag 9. Only upgraded installations still use it. - Thus this class only does uninstallation. - """ - def __init__(self, host_name=None, realm_name=None, dm_password=None, dogtag_constants=None): - service.Service.__init__( - self, "pkids", - service_desc="directory server for the CA", - dm_password=dm_password, - ldapi=False, - autobind=ipaldap.AUTOBIND_DISABLED) - - self.serverid = "PKI-IPA" - self.realm = realm_name - self.sub_dict = None - self.fqdn = host_name - self.dercert = None - self.pkcs12_info = None - self.ds_port = None - self.master_host = None - self.nickname = 'Server-Cert' - self.subject_base = None - - def uninstall(self): - if self.is_configured(): - self.print_msg("Unconfiguring CA directory server") - - enabled = self.restore_state("enabled") - serverid = self.restore_state("serverid") - - # Just eat this state if it exists - self.restore_state("running") - - if not enabled is None and not enabled: - services.knownservices.dirsrv.disable() - - if serverid is not None: - # drop the trailing / off the config_dirname so the directory - # will match what is in certmonger - dirname = dsinstance.config_dirname(serverid)[:-1] - dsdb = certs.CertDB(self.realm, nssdir=dirname) - dsdb.untrack_server_cert("Server-Cert") - try: - dsinstance.remove_ds_instance(serverid) - except ipautil.CalledProcessError: - root_logger.error("Failed to remove CA DS instance. You may " - "need to remove instance data manually") - - self.restore_state("user_exists") - - # At one time we removed this user on uninstall. That can potentially - # orphan files, or worse, if another useradd runs in the interim, - # cause files to have a new owner. - - class CAInstance(DogtagInstance): """ When using a dogtag CA the DS database contains just the 
@@ -368,16 +310,12 @@ class CAInstance(DogtagInstance): ('caSigningCert cert-pki-ca', 'ipaCACertRenewal')) server_cert_name = 'Server-Cert cert-pki-ca' - def __init__(self, realm=None, ra_db=None, dogtag_constants=None, - host_name=None, dm_password=None, ldapi=True): - if dogtag_constants is None: - dogtag_constants = dogtag.configured_constants() - + def __init__(self, realm=None, ra_db=None, host_name=None, + dm_password=None, ldapi=True): super(CAInstance, self).__init__( realm=realm, subsystem="CA", service_desc="certificate server", - dogtag_constants=dogtag_constants, host_name=host_name, dm_password=dm_password, ldapi=ldapi @@ -404,8 +342,7 @@ class CAInstance(DogtagInstance): self.log = log_mgr.get_logger(self) self.no_db_setup = False - def configure_instance(self, host_name, dm_password, - admin_password, ds_port=DEFAULT_DSPORT, + def configure_instance(self, host_name, dm_password, admin_password, pkcs12_info=None, master_host=None, csr_file=None, cert_file=None, cert_chain_file=None, master_replication_port=None, @@ -413,8 +350,6 @@ class CAInstance(DogtagInstance): ca_type=None, ra_p12=None): """Create a CA instance. - For Dogtag 9, this may involve creating the pki-ca instance. - To create a clone, pass in pkcs12_info. Creating a CA with an external signer is a 2-step process. In @@ -426,7 +361,6 @@ class CAInstance(DogtagInstance): self.dm_password = dm_password self.admin_user = "admin" self.admin_password = admin_password - self.ds_port = ds_port self.pkcs12_info = pkcs12_info if self.pkcs12_info is not None: self.clone = True 
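Review bot: configure_instance drops `ds_port` from the middle of its positional parameter list, and `__init__` drops `dogtag_constants` the same way, so any caller still passing arguments positionally past that point would have them shift by one without an error (a `ds_port` value would land in `pkcs12_info`). The callers visible in this diff use keywords, so this is only a risk for callers outside the 31 files touched. Separately, `self.ds_port` is no longer assigned in configure_instance; the spawn config now uses the literal `"389"`, so any remaining method that still reads `self.ds_port` would fail with AttributeError rather than a wrong port, which is worth a grep before merging. configure_instance's body continues outside this hunk.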
@@ -456,12 +390,8 @@ class CAInstance(DogtagInstance): self.external = 2 self.step("creating certificate server user", create_ca_user) - if self.dogtag_constants.DOGTAG_VERSION >= 10: - self.step("configuring certificate server instance", self.__spawn_instance) - else: - if not ipautil.dir_exists(paths.VAR_LIB_PKI_CA_DIR): - self.step("creating pki-ca instance", self.create_instance) - self.step("configuring certificate server instance", self.__configure_instance) + self.step("configuring certificate server instance", + self.__spawn_instance) self.step("stopping certificate server instance to update CS.cfg", self.stop_instance) self.step("backing up CS.cfg", self.backup_config) self.step("disabling nonces", self.__disable_nonce) @@ -471,8 +401,6 @@ class CAInstance(DogtagInstance): # Step 1 of external is getting a CSR so we don't need to do these # steps until we get a cert back from the external CA. if self.external != 1: - if self.dogtag_constants.DOGTAG_VERSION < 10 and not self.clone: - self.step("creating CA agent PKCS#12 file in /root", self.__create_ca_agent_pkcs12) if self.create_ra_agent_db: self.step("creating RA agent certificate database", self.__create_ra_agent_db) self.step("importing CA chain to RA certificate database", self.__import_ca_chain) @@ -547,7 +475,7 @@ class CAInstance(DogtagInstance): config.set("CA", "pki_client_admin_cert_p12", paths.DOGTAG_ADMIN_P12) # Directory server - config.set("CA", "pki_ds_ldap_port", str(self.ds_port)) + config.set("CA", "pki_ds_ldap_port", "389") config.set("CA", "pki_ds_password", self.dm_password) config.set("CA", "pki_ds_base_dn", self.basedn) config.set("CA", "pki_ds_database", "ipaca") 
@@ -598,7 +526,7 @@ class CAInstance(DogtagInstance): config.set("CA", "pki_clone_pkcs12_password", self.dm_password) config.set("CA", "pki_clone_replication_security", "TLS") config.set("CA", "pki_clone_replication_master_port", str(self.master_replication_port)) - config.set("CA", "pki_clone_replication_clone_port", dogtag.install_constants.DS_PORT) + config.set("CA", "pki_clone_replication_clone_port", "389") config.set("CA", "pki_clone_replicate_schema", "False") config.set("CA", "pki_clone_uri", "https://%s" % ipautil.format_netloc(self.master_host, 443)) 
@@ -656,151 +584,9 @@ class CAInstance(DogtagInstance): self.log.debug("completed creating ca instance") - def create_instance(self): - """ - If for some reason the instance doesn't exist, create a new one." - """ - # Only used for Dogtag 9 - - args = [paths.PKICREATE, - '-pki_instance_root', paths.VAR_LIB, - '-pki_instance_name', - self.dogtag_constants.PKI_INSTANCE_NAME, - '-subsystem_type', 'ca', - '-agent_secure_port', - str(self.dogtag_constants.AGENT_SECURE_PORT), - '-ee_secure_port', - str(self.dogtag_constants.EE_SECURE_PORT), - '-admin_secure_port', - str(self.dogtag_constants.ADMIN_SECURE_PORT), - '-ee_secure_client_auth_port', - str(self.dogtag_constants.EE_CLIENT_AUTH_PORT), - '-unsecure_port', str(self.dogtag_constants.UNSECURE_PORT), - '-tomcat_server_port', - str(self.dogtag_constants.TOMCAT_SERVER_PORT), - '-redirect', 'conf=/etc/pki-ca', - '-redirect', 'logs=/var/log/pki-ca', - '-enable_proxy' - ] - self.backup_state('installed', True) - ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn}) - - def __configure_instance(self): - # Only used for Dogtag 9 - preop_pin = get_preop_pin( - self.server_root, self.dogtag_constants.PKI_INSTANCE_NAME) - - try: - args = [paths.PERL, paths.PKISILENT, "ConfigureCA", - "-cs_hostname", self.fqdn, - "-cs_port", str(self.dogtag_constants.ADMIN_SECURE_PORT), - "-client_certdb_dir", self.agent_db, - "-client_certdb_pwd", self.admin_password, - "-preop_pin" , preop_pin, - "-domain_name", self.security_domain_name, - "-admin_user", self.admin_user, - "-admin_email", "root@localhost", - "-admin_password", self.admin_password, - "-agent_name", "ipa-ca-agent", - "-agent_key_size", "2048", - "-agent_key_type", "rsa", - "-agent_cert_subject", str(DN(('CN', 'ipa-ca-agent'), self.subject_base)), - "-ldap_host", self.fqdn, - "-ldap_port", str(self.ds_port), - "-bind_dn", "cn=Directory Manager", - "-bind_password", self.dm_password, - "-base_dn", str(self.basedn), - "-db_name", "ipaca", - "-key_size", "2048", - "-key_type", "rsa", - 
"-key_algorithm", self.ca_signing_algorithm, - "-signing_algorithm", "SHA256withRSA", - "-save_p12", "true", - "-backup_pwd", self.admin_password, - "-subsystem_name", self.service_name, - "-token_name", "internal", - "-ca_subsystem_cert_subject_name", str(DN(('CN', 'CA Subsystem'), self.subject_base)), - "-ca_subsystem_cert_subject_name", str(DN(('CN', 'CA Subsystem'), self.subject_base)), - "-ca_ocsp_cert_subject_name", str(DN(('CN', 'OCSP Subsystem'), self.subject_base)), - "-ca_server_cert_subject_name", str(DN(('CN', self.fqdn), self.subject_base)), - "-ca_audit_signing_cert_subject_name", str(DN(('CN', 'CA Audit'), self.subject_base)), - "-ca_sign_cert_subject_name", str(DN(('CN', 'Certificate Authority'), self.subject_base)) ] - if self.external == 1: - args.append("-external") - args.append("true") - args.append("-ext_csr_file") - args.append(self.csr_file) - elif self.external == 2: - cert = x509.load_certificate_from_file(self.cert_file) - cert_file = tempfile.NamedTemporaryFile() - x509.write_certificate(cert.der_data, cert_file.name) - cert_file.flush() - - args.append("-external") - args.append("true") - args.append("-ext_ca_cert_file") - args.append(cert_file.name) - args.append("-ext_ca_cert_chain_file") - args.append(self.cert_chain_file) - else: - args.append("-external") - args.append("false") - if self.clone: - """sd = security domain --> all CS systems get registered to - a security domain. This is set to the hostname and port of - the master CA. - """ - # The install wizard expects the file to be here. 
- cafile = self.pkcs12_info[0] - shutil.copy(cafile, paths.PKI_ALIAS_CA_P12) - pent = pwd.getpwnam(PKI_USER) - os.chown(paths.PKI_ALIAS_CA_P12, pent.pw_uid, pent.pw_gid ) - args.append("-clone") - args.append("true") - args.append("-clone_p12_file") - args.append("ca.p12") - args.append("-clone_p12_password") - args.append(self.dm_password) - args.append("-sd_hostname") - args.append(self.master_host) - args.append("-sd_admin_port") - args.append("443") - args.append("-sd_admin_name") - args.append(self.admin_user) - args.append("-sd_admin_password") - args.append(self.admin_password) - args.append("-clone_master_port") - args.append(str(self.master_replication_port)) - args.append("-clone_start_tls") - args.append("true") - args.append("-clone_uri") - args.append("https://%s" % ipautil.format_netloc(self.master_host, 443)) - else: - args.append("-clone") - args.append("false") - - # Define the things we don't want logged - nolog = (self.admin_password, self.dm_password,) - - ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn}, nolog=nolog) - except ipautil.CalledProcessError as e: - self.handle_setup_error(e) - - if self.external == 1: - print("The next step is to get %s signed by your CA and re-run %s as:" % (self.csr_file, sys.argv[0])) - print("%s --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate" % sys.argv[0]) - sys.exit(0) - - # pkisilent makes a copy of the CA PKCS#12 file for us but gives - # it a lousy name. - if ipautil.file_exists(paths.ROOT_TMP_CA_P12): - shutil.move(paths.ROOT_TMP_CA_P12, paths.CACERT_P12) - - self.log.debug("completed creating ca instance") - def backup_config(self): try: - backup_config(self.dogtag_constants) + backup_config() except Exception as e: root_logger.warning("Failed to backup CS.cfg: %s", e) 
@@ -816,16 +602,15 @@ class CAInstance(DogtagInstance): def __disable_nonce(self): # Turn off Nonces update_result = installutils.update_file( - self.dogtag_constants.CS_CFG_PATH, 'ca.enableNonces=true', + paths.CA_CS_CFG_PATH, 'ca.enableNonces=true', 'ca.enableNonces=false') if update_result != 0: raise RuntimeError("Disabling nonces failed") pent = pwd.getpwnam(PKI_USER) - os.chown(self.dogtag_constants.CS_CFG_PATH, - pent.pw_uid, pent.pw_gid) + os.chown(paths.CA_CS_CFG_PATH, pent.pw_uid, pent.pw_gid) def enable_pkix(self): - installutils.set_directive(self.dogtag_constants.SYSCONFIG_FILE_PATH, + installutils.set_directive(paths.SYSCONFIG_PKI_TOMCAT, 'NSS_ENABLE_PKIX_VERIFY', '1', quotes=False, separator='=') @@ -874,13 +659,12 @@ class CAInstance(DogtagInstance): '-p', self.admin_password, '-d', self.agent_db, '-r', '/ca/agent/ca/profileReview?requestId=%s' % self.requestId, - '%s' % ipautil.format_netloc( - self.fqdn, self.dogtag_constants.AGENT_SECURE_PORT), + '%s' % ipautil.format_netloc(self.fqdn, 8443), ] (stdout, _stderr, _returncode) = ipautil.run( args, nolog=(self.admin_password,)) - data = stdout.split(self.dogtag_constants.RACERT_LINE_SEP) + data = stdout.split('\n') params = get_defList(data) params['requestId'] = find_substring(data, "requestId") params['op'] = 'approve' @@ -897,13 +681,12 @@ class CAInstance(DogtagInstance): '-d', self.agent_db, '-e', params, '-r', '/ca/agent/ca/profileProcess', - '%s' % ipautil.format_netloc( - self.fqdn, self.dogtag_constants.AGENT_SECURE_PORT), + '%s' % ipautil.format_netloc(self.fqdn, 8443), ] (stdout, _stderr, _returncode) = ipautil.run( args, nolog=(self.admin_password,)) - data = stdout.split(self.dogtag_constants.RACERT_LINE_SEP) + data = stdout.split('\n') outputList = get_outputList(data) self.ra_cert = outputList['b64_cert'] 
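Review bot: `data = stdout.split('\n')` in the `profileReview` hunk replaces `RACERT_LINE_SEP`, a constant that existed because the agent output's line terminator differed between Dogtag versions; if the pki-tomcat output ever carries `\r\n`, the values handed to `get_defList` and `find_substring` keep a trailing `\r` and the `requestId` lookup can fail silently. `data = stdout.splitlines()` handles either terminator and is the more idiomatic form; the same replacement is made in the following `profileProcess` hunk. The enclosing method starts before the hunk.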
@@ -1024,26 +807,10 @@ class CAInstance(DogtagInstance): def __get_ca_chain(self): try: - return dogtag.get_ca_certchain(ca_host=self.fqdn, - dogtag_constants=self.dogtag_constants) + return dogtag.get_ca_certchain(ca_host=self.fqdn) except Exception as e: raise RuntimeError("Unable to retrieve CA chain: %s" % str(e)) - def __create_ca_agent_pkcs12(self): - # Only used for Dogtag 9 - (pwd_fd, pwd_name) = tempfile.mkstemp() - os.write(pwd_fd, self.admin_password) - os.close(pwd_fd) - try: - ipautil.run([paths.PK12UTIL, - "-n", "ipa-ca-agent", - "-o", paths.DOGTAG_ADMIN_P12, - "-d", self.agent_db, - "-k", pwd_name, - "-w", pwd_name]) - finally: - os.remove(pwd_name) - def __import_ca_chain(self): chain = self.__get_ca_chain() @@ -1113,8 +880,7 @@ class CAInstance(DogtagInstance): csr = pkcs10.strip_header(stdout) # Send the request to the CA - conn = httplib.HTTPConnection( - self.fqdn, self.dogtag_constants.UNSECURE_PORT) + conn = httplib.HTTPConnection(self.fqdn, 8080) params = urllib.parse.urlencode({'profileId': 'caServerCert', 'cert_request_type': 'pkcs10', 'requestor_name': 'IPA Installer', @@ -1152,8 +918,9 @@ class CAInstance(DogtagInstance): def __setup_sign_profile(self): # Tell the profile to automatically issue certs for RAs - installutils.set_directive(self.dogtag_constants.SIGN_PROFILE, - 'auth.instance_id', 'raCertAuth', quotes=False, separator='=') + installutils.set_directive( + paths.CAJARSIGNINGCERT_CFG, 'auth.instance_id', 'raCertAuth', + quotes=False, separator='=') def prepare_crl_publish_dir(self): """ @@ -1161,7 +928,7 @@ class CAInstance(DogtagInstance): Returns a path to the CRL publishing directory """ - publishdir = self.dogtag_constants.CRL_PUBLISH_PATH + publishdir = paths.PKI_CA_PUBLISH_DIR if not os.path.exists(publishdir): os.mkdir(publishdir) 
@@ -1181,7 +948,7 @@ class CAInstance(DogtagInstance): https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Certificate_System/8.0/html/Admin_Guide/Setting_up_Publishing.html """ - caconfig = self.dogtag_constants.CS_CFG_PATH + caconfig = paths.CA_CS_CFG_PATH publishdir = self.prepare_crl_publish_dir() @@ -1232,20 +999,7 @@ class CAInstance(DogtagInstance): # just eat state self.restore_state("enabled") - if self.dogtag_constants.DOGTAG_VERSION >= 10: - DogtagInstance.uninstall(self) - else: - if self.is_configured(): - self.print_msg("Unconfiguring CA") - - try: - ipautil.run([paths.PKIREMOVE, - "-pki_instance_root=%s" % paths.VAR_LIB, - "-pki_instance_name=%s" % - self.dogtag_constants.PKI_INSTANCE_NAME, - "--force"]) - except ipautil.CalledProcessError as e: - self.log.critical("failed to uninstall CA instance %s", e) + DogtagInstance.uninstall(self) self.restore_state("installed") @@ -1289,9 +1043,9 @@ class CAInstance(DogtagInstance): # remove CRL directory self.log.info("Remove CRL directory") - if os.path.exists(self.dogtag_constants.CRL_PUBLISH_PATH): + if os.path.exists(paths.PKI_CA_PUBLISH_DIR): try: - shutil.rmtree(self.dogtag_constants.CRL_PUBLISH_PATH) + shutil.rmtree(paths.PKI_CA_PUBLISH_DIR) except OSError as e: self.log.warning("Error while removing CRL publish " "directory: %s", e) @@ -1370,7 +1124,7 @@ class CAInstance(DogtagInstance): # Check the default validity period of the audit signing cert # and set it to 2 years if it is 6 months. cert_range = installutils.get_directive( - '%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR, + paths.CASIGNEDLOGCERT_CFG, 'policyset.caLogSigningSet.2.default.params.range', separator='=' ) 
@@ -1378,14 +1132,14 @@ class CAInstance(DogtagInstance): 'caSignedLogCert.cfg profile validity range is %s', cert_range) if cert_range == "180": installutils.set_directive( - '%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR, + paths.CASIGNEDLOGCERT_CFG, 'policyset.caLogSigningSet.2.default.params.range', '720', quotes=False, separator='=' ) installutils.set_directive( - '%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR, + paths.CASIGNEDLOGCERT_CFG, 'policyset.caLogSigningSet.2.constraint.params.range', '720', quotes=False, @@ -1447,7 +1201,7 @@ class CAInstance(DogtagInstance): self.admin_conn.update_entry(master_entry) @staticmethod - def update_cert_config(nickname, cert, dogtag_constants=None): + def update_cert_config(nickname, cert): """ When renewing a CA subsystem certificate the configuration file needs to get the new certificate as well. @@ -1456,9 +1210,6 @@ class CAInstance(DogtagInstance): cert is a DER-encoded certificate. """ - if dogtag_constants is None: - dogtag_constants = dogtag.configured_constants() - # The cert directive to update per nickname directives = {'auditSigningCert cert-pki-ca': 'ca.audit_signing.cert', 'ocspSigningCert cert-pki-ca': 'ca.ocsp_signing.cert', @@ -1467,14 +1218,12 @@ class CAInstance(DogtagInstance): 'Server-Cert cert-pki-ca': 'ca.sslserver.cert'} try: - backup_config(dogtag_constants) + backup_config() except Exception as e: syslog.syslog(syslog.LOG_ERR, "Failed to backup CS.cfg: %s" % e) DogtagInstance.update_cert_cs_cfg( - nickname, cert, directives, - dogtag.configured_constants().CS_CFG_PATH, - dogtag_constants) + nickname, cert, directives, paths.CA_CS_CFG_PATH) def __create_ds_db(self): ''' 
@@ -1519,7 +1268,7 @@ class CAInstance(DogtagInstance): self.__update_topology() def __client_auth_to_db(self): - self.enable_client_auth_to_db(self.dogtag_constants.CS_CFG_PATH) + self.enable_client_auth_to_db(paths.CA_CS_CFG_PATH) def __restart_http_instance(self): # We need to restart apache as we drop a new config file in there @@ -1536,9 +1285,8 @@ class CAInstance(DogtagInstance): the topology plugin to manage replication. Requires domain_level >= DOMAIN_LEVEL_1 and custodia on the master. """ - self.ds_port = DEFAULT_DSPORT self.master_host = master_host - self.master_replication_port = DEFAULT_DSPORT + self.master_replication_port = 389 if subject_base is None: self.subject_base = DN(('O', self.realm)) else: @@ -1614,14 +1362,7 @@ def replica_ca_install_check(config): # Replica of old "self-signed" master - CA won't be installed return - # Exit if we have an old-style (Dogtag 9) CA already installed - ca = CAInstance(config.realm_name, certs.NSS_DIR, - dogtag_constants=dogtag.Dogtag9Constants) - if ca.is_installed(): - root_logger.info('Dogtag 9 style CA instance found') - sys.exit("A CA is already configured on this system.") - - if config.ca_ds_port != dogtag.Dogtag9Constants.DS_PORT: + if config.ca_ds_port != 7389: root_logger.debug( 'Installing CA Replica from master with a merged database') return @@ -1675,8 +1416,7 @@ def install_replica_ca(config, postinstall=False, ra_p12=None): # Replica of old "self-signed" master - skip installing CA return None - ca = CAInstance(config.realm_name, certs.NSS_DIR, - dogtag_constants=dogtag.install_constants) + ca = CAInstance(config.realm_name, certs.NSS_DIR) ca.dm_password = config.dirman_password ca.subject_base = config.subject_base 
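Review bot: `if config.ca_ds_port != 7389:` in the `replica_ca_install_check` hunk loses the meaning that the removed `dogtag.Dogtag9Constants.DS_PORT` carried: 7389 only makes sense as the directory port of the separate Dogtag 9 PKI-IPA instance, and a reader of the new line cannot tell why it differs from the 389 used everywhere else. A comment such as `# 7389 was the DS port of the separate PKI-IPA instance on Dogtag 9 masters; anything else means a merged database` would keep that intent, and the same applies to `default_port = 7389` in `read_replica_info_dogtag_port` in installutils.py. `replica_ca_install_check` continues outside the hunk.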
@@ -1716,27 +1456,24 @@ def install_replica_ca(config, postinstall=False, ra_p12=None): # unix service. service.print_msg("Restarting the directory and certificate servers") - ca.stop(dogtag.install_constants.PKI_INSTANCE_NAME) + ca.stop('pki-tomcat') services.knownservices.dirsrv.restart() - ca.start(dogtag.install_constants.PKI_INSTANCE_NAME) + ca.start('pki-tomcat') return ca -def backup_config(dogtag_constants=None): + +def backup_config(): """ Create a backup copy of CS.cfg """ - if dogtag_constants is None: - dogtag_constants = dogtag.configured_constants() - - if services.knownservices[dogtag_constants.SERVICE_NAME].is_running( - dogtag_constants.PKI_INSTANCE_NAME): - raise RuntimeError("Dogtag must be stopped when creating backup of %s" - % dogtag_constants.CS_CFG_PATH) - shutil.copy(dogtag_constants.CS_CFG_PATH, - dogtag_constants.CS_CFG_PATH + '.ipabkp') + path = paths.CA_CS_CFG_PATH + if services.knownservices['pki_tomcatd'].is_running('pki-tomcat'): + raise RuntimeError( + "Dogtag must be stopped when creating backup of %s" % path) + shutil.copy(path, path + '.ipabkp') def update_people_entry(dercert): """ @@ -1940,7 +1677,7 @@ def migrate_profiles_to_ldap(): api.Backend.ra_certprofile._read_password() api.Backend.ra_certprofile.override_port = 8443 - with open(dogtag.configured_constants().CS_CFG_PATH) as f: + with open(paths.CA_CS_CFG_PATH) as f: cs_cfg = f.read() match = re.search(r'^profile\.list=(\S*)', cs_cfg, re.MULTILINE) profile_ids = match.group(1).split(',') diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index 658e8ec45..c918791f0 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py 
@@ -399,10 +399,7 @@ class CertDB(object): password = f.readline() f.close() result = dogtag.https_request( - self.host_name, - api.env.ca_ee_install_port or - dogtag.configured_constants().EE_SECURE_PORT, - "/ca/ee/ca/profileSubmitSSLClient", + self.host_name, 8443, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params) http_status, http_reason_phrase, http_headers, http_body = result @@ -456,10 +453,7 @@ class CertDB(object): password = f.readline() f.close() result = dogtag.https_request( - self.host_name, - api.env.ca_ee_install_port or - dogtag.configured_constants().EE_SECURE_PORT, - "/ca/ee/ca/profileSubmitSSLClient", + self.host_name, 8443, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params) http_status, http_reason_phrase, http_headers, http_body = result if http_status != 200: diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index 106b75bc2..aad6fbbe5 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -35,7 +35,6 @@ from ipalib import errors from ipaplatform import services from ipaplatform.paths import paths from ipapython import certmonger -from ipapython import dogtag from ipapython import ipaldap from ipapython import ipautil from ipapython.dn import DN @@ -45,10 +44,7 @@ from ipaserver.install import replication from ipaserver.install.installutils import stopped_service from ipapython.ipa_log_manager import log_mgr -DEFAULT_DSPORT = dogtag.install_constants.DS_PORT - PKI_USER = "pkiuser" -PKI_DS_USER = dogtag.install_constants.DS_USER def check_inst(subsystem): 
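Review bot: The new `dogtag.https_request(self.host_name, 8443, ...)` call drops the `api.env.ca_ee_install_port` override that was consulted before the constant, so if that env value is still defined in the API configuration or still set by any installer that drives `CertDB`, it is now silently ignored rather than honored. Either the env knob should be removed in the same change or the port should still resolve as `api.env.ca_ee_install_port or 8443`. The same edit appears in both `CertDB` hunks (the second at `@@ -456`); whichever resolution is chosen, factoring the two identical request blocks into one private helper would stop them drifting again. Both enclosing methods start before their hunks.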
@@ -57,9 +53,9 @@ def check_inst(subsystem): """ # Check for a couple of binaries we need - if not os.path.exists(dogtag.install_constants.SPAWN_BINARY): + if not os.path.exists(paths.PKISPAWN): return False - if not os.path.exists(dogtag.install_constants.DESTROY_BINARY): + if not os.path.exists(paths.PKIDESTROY): return False if not os.path.exists(paths.PKI_CONF_SERVER_XML_TEMPLATE % subsystem): @@ -127,21 +123,18 @@ class DogtagInstance(service.Service): tracking_reqs = None server_cert_name = None - def __init__(self, realm, subsystem, service_desc, dogtag_constants=None, - host_name=None, dm_password=None, ldapi=True): + def __init__(self, realm, subsystem, service_desc, host_name=None, + dm_password=None, ldapi=True, + nss_db=paths.PKI_TOMCAT_ALIAS_DIR): """Initializer""" - if dogtag_constants is None: - dogtag_constants = dogtag.configured_constants() - super(DogtagInstance, self).__init__( - '%sd' % dogtag_constants.PKI_INSTANCE_NAME, + 'pki-tomcatd', service_desc=service_desc, dm_password=dm_password, ldapi=ldapi ) - self.dogtag_constants = dogtag_constants self.realm = realm self.admin_password = None self.fqdn = host_name @@ -154,15 +147,13 @@ class DogtagInstance(service.Service): ('ou', 'people'), ('o', 'ipaca')) self.admin_groups = None self.agent_db = tempfile.mkdtemp(prefix="tmp-") - self.ds_port = DEFAULT_DSPORT - self.server_root = dogtag_constants.SERVER_ROOT self.subsystem = subsystem self.security_domain_name = "IPA" - # replication parameters self.master_host = None self.master_replication_port = None self.subject_base = None + self.nss_db = nss_db self.log = log_mgr.get_logger(self) @@ -176,8 +167,7 @@ class DogtagInstance(service.Service): Returns True/False """ return os.path.exists(os.path.join( - self.server_root, self.dogtag_constants.PKI_INSTANCE_NAME, - self.subsystem.lower())) + paths.VAR_LIB_PKI_TOMCAT_DIR, self.subsystem.lower())) def spawn_instance(self, cfg_file, nolog_list=None): """ 
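Review bot: The new `nss_db` parameter of `DogtagInstance.__init__` and the `self.nss_db` attribute assigned in the `@@ -154` hunk are undocumented; the docstring is still just `"""Initializer"""`. Because `self.nss_db` is what the certmonger tracking and `stop_tracking` calls later in this file pass as `secdir`, a line such as `nss_db: NSS database directory whose certificates certmonger tracks for this instance (defaults to the pki-tomcat alias directory)` belongs in that docstring. It is also worth noting there that the default is bound at import time from `paths.PKI_TOMCAT_ALIAS_DIR`, which is harmless for a string but easy to misread as a per-call lookup. The `__init__` body continues past the hunk.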
@@ -208,7 +198,7 @@ class DogtagInstance(service.Service): def restart_instance(self): try: - self.restart(self.dogtag_constants.PKI_INSTANCE_NAME) + self.restart('pki-tomcat') except Exception: self.log.debug(traceback.format_exc()) self.log.critical( @@ -217,7 +207,7 @@ class DogtagInstance(service.Service): def start_instance(self): try: - self.start(self.dogtag_constants.PKI_INSTANCE_NAME) + self.start('pki-tomcat') except Exception: self.log.debug(traceback.format_exc()) self.log.critical( @@ -226,7 +216,7 @@ class DogtagInstance(service.Service): def stop_instance(self): try: - self.stop(self.dogtag_constants.PKI_INSTANCE_NAME) + self.stop('pki-tomcat') except Exception: self.log.debug(traceback.format_exc()) self.log.critical( @@ -239,9 +229,7 @@ class DogtagInstance(service.Service): Path to CS.cfg config file passed in. """ - with stopped_service( - self.dogtag_constants.SERVICE_NAME, - instance_name=self.dogtag_constants.PKI_INSTANCE_NAME): + with stopped_service('pki-tomcatd', 'pki-tomcat'): installutils.set_directive( config, 'authz.instance.DirAclAuthz.ldap.ldapauth.authtype', @@ -256,8 +244,7 @@ class DogtagInstance(service.Service): 'subsystemCert cert-pki-ca', quotes=False, separator='=') installutils.set_directive( config, - 'authz.instance.DirAclAuthz.ldap.ldapconn.port', - str(dogtag.install_constants.DS_SECURE_PORT), + 'authz.instance.DirAclAuthz.ldap.ldapconn.port', '636', quotes=False, separator='=') installutils.set_directive( config, 
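Review bot: `with stopped_service('pki-tomcatd', 'pki-tomcat'):` in the `@@ -239` hunk turns the former `instance_name=` keyword argument into a positional one, so it now depends on `instance_name` being the second positional parameter of `stopped_service`, which this diff does not show. Keeping the keyword, `with stopped_service('pki-tomcatd', instance_name='pki-tomcat'):`, costs nothing and keeps the call robust to a later signature change; the same positional rewrite appears in the `update_cert_cs_cfg` hunk in the next part of this file. The enclosing method starts before the hunk.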
@@ -279,15 +266,13 @@ class DogtagInstance(service.Service): 'subsystemCert cert-pki-ca', quotes=False, separator='=') installutils.set_directive( config, - 'internaldb.ldapconn.port', - str(dogtag.install_constants.DS_SECURE_PORT), - quotes=False, separator='=') + 'internaldb.ldapconn.port', '636', quotes=False, separator='=') installutils.set_directive( config, 'internaldb.ldapconn.secureConn', 'true', quotes=False, separator='=') # Remove internaldb password as is not needed anymore - installutils.set_directive(self.dogtag_constants.PASSWORD_CONF_PATH, + installutils.set_directive(paths.PKI_TOMCAT_PASSWORD_CONF, 'internaldb', None) def uninstall(self): @@ -295,8 +280,8 @@ class DogtagInstance(service.Service): self.print_msg("Unconfiguring %s" % self.subsystem) try: - ipautil.run([paths.PKIDESTROY, "-i", - self.dogtag_constants.PKI_INSTANCE_NAME, + ipautil.run([paths.PKIDESTROY, + "-i", 'pki-tomcat', "-s", self.subsystem]) except ipautil.CalledProcessError as e: self.log.critical("failed to uninstall %s instance %s", @@ -306,7 +291,7 @@ class DogtagInstance(service.Service): """ Update the http proxy file """ template_filename = ipautil.SHARE_DIR + "ipa-pki-proxy.conf" sub_dict = dict( - DOGTAG_PORT=self.dogtag_constants.AJP_PORT, + DOGTAG_PORT=8009, CLONE='' if self.clone else '#', FQDN=self.fqdn, ) @@ -337,8 +322,7 @@ class DogtagInstance(service.Service): def __get_pin(self): try: - return certmonger.get_pin('internal', - dogtag_constants=self.dogtag_constants) + return certmonger.get_pin('internal') except IOError as e: self.log.debug( 'Unable to determine PIN for the Dogtag instance: %s', e) @@ -355,7 +339,7 @@ class DogtagInstance(service.Service): nickname=nickname, pin=pin, pinfile=None, - secdir=self.dogtag_constants.ALIAS_DIR, + secdir=self.nss_db, pre_command='stop_pkicad', post_command='renew_ca_cert "%s"' % nickname, profile=profile) 
@@ -376,7 +360,7 @@ class DogtagInstance(service.Service): nickname=self.server_cert_name, pin=pin, pinfile=None, - secdir=self.dogtag_constants.ALIAS_DIR, + secdir=self.nss_db, pre_command='stop_pkicad', post_command='renew_ca_cert "%s"' % self.server_cert_name) except RuntimeError as e: @@ -401,7 +385,7 @@ class DogtagInstance(service.Service): for nickname in nicknames: try: certmonger.stop_tracking( - self.dogtag_constants.ALIAS_DIR, nickname=nickname) + self.nss_db, nickname=nickname) except RuntimeError as e: self.log.error( "certmonger failed to stop tracking certificate: %s", e) @@ -410,8 +394,7 @@ class DogtagInstance(service.Service): cmonger.stop() @staticmethod - def update_cert_cs_cfg(nickname, cert, directives, cs_cfg, - dogtag_constants=None): + def update_cert_cs_cfg(nickname, cert, directives, cs_cfg): """ When renewing a Dogtag subsystem certificate the configuration file needs to get the new certificate as well. @@ -422,11 +405,7 @@ class DogtagInstance(service.Service): cs_cfg is the path to the CS.cfg file """ - if dogtag_constants is None: - dogtag_constants = dogtag.configured_constants() - - with stopped_service(dogtag_constants.SERVICE_NAME, - instance_name=dogtag_constants.PKI_INSTANCE_NAME): + with stopped_service('pki-tomcatd', 'pki-tomcat'): installutils.set_directive( cs_cfg, directives[nickname], @@ -461,11 +440,7 @@ class DogtagInstance(service.Service): % (self.subsystem, e)) self.log.critical("See the installation logs and the following " "files/directories for more information:") - logs = [self.dogtag_constants.PKI_INSTALL_LOG, - self.dogtag_constants.PKI_LOG_TOP_LEVEL] - - for log in logs: - self.log.critical(" %s" % log) + self.log.critical(" %s" % paths.TOMCAT_TOPLEVEL_DIR) raise RuntimeError("%s configuration failed." % self.subsystem) 
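Review bot: In the last hunk, `self.log.critical("See the installation logs and the following files/directories for more information:")` is now followed by a single entry, `paths.TOMCAT_TOPLEVEL_DIR`, so the message promises files that are no longer listed, and the removed `PKI_INSTALL_LOG` pointer was the one that told a user which pkispawn log to read. If `paths` still defines an install-log path for pki-tomcat it should stay in the list; otherwise the wording should shrink to match, e.g. `"See the installation logs and the following directory for more information:"`. The enclosing method (apparently the setup-error handler) starts before the hunk.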
@@ -517,7 +492,7 @@ class DogtagInstance(service.Service): # Now wait until the other server gets replicated this data master_conn = ipaldap.IPAdmin(self.master_host, - port=DEFAULT_DSPORT, + port=389, protocol='ldap') master_conn.do_sasl_gssapi_bind() replication.wait_for_entry(master_conn, entry) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index b7a15702a..1b68573d7 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -34,7 +34,6 @@ from ipaserver.install import certs from ipaserver.install import installutils from ipapython import sysrestore from ipapython import ipautil -from ipapython import dogtag from ipapython.dn import DN from ipapython.ipa_log_manager import root_logger import ipapython.errors @@ -128,7 +127,7 @@ class HTTPInstance(service.Service): FQDN=fqdn, DOMAIN=self.domain, AUTOREDIR='' if auto_redirect else '#', - CRL_PUBLISH_PATH=dogtag.install_constants.CRL_PUBLISH_PATH, + CRL_PUBLISH_PATH=paths.PKI_CA_PUBLISH_DIR, ) self.ca_file = ca_file if ca_is_configured is not None: diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index aadb8e22b..489d03bda 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -45,7 +45,7 @@ from six.moves.configparser import SafeConfigParser, NoOptionError import ipaplatform -from ipapython import ipautil, sysrestore, admintool, dogtag, version +from ipapython import ipautil, sysrestore, admintool, version from ipapython.admintool import ScriptError from ipapython.ipa_log_manager import root_logger, log_mgr from ipalib.util import validate_hostname @@ -64,8 +64,8 @@ if six.PY3: # Used to determine install status IPA_MODULES = [ - 'httpd', 'kadmin', 'dirsrv', 'pki-cad', 'pki-tomcatd', 'install', - 'krb5kdc', 'ntpd', 'named', 'ipa_memcached'] + 'httpd', 'kadmin', 'dirsrv', 'pki-tomcatd', 'install', 'krb5kdc', 'ntpd', + 'named', 'ipa_memcached'] class BadHostError(Exception): 
@@ -583,7 +583,7 @@ def read_replica_info(dir_path, rconfig): def read_replica_info_dogtag_port(config_dir): portfile = config_dir + "/dogtag_directory_port.txt" - default_port = dogtag.Dogtag9Constants.DS_PORT + default_port = 7389 if not ipautil.file_exists(portfile): dogtag_master_ds_port = default_port else: diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py index 28054be3f..6d97ef13b 100644 --- a/ipaserver/install/ipa_backup.py +++ b/ipaserver/install/ipa_backup.py @@ -106,12 +106,10 @@ class Backup(admintool.AdminTool): dirs = (paths.IPA_HTML_DIR, paths.ROOT_PKI, - paths.ETC_PKI_CA_DIR, paths.PKI_TOMCAT, paths.SYSCONFIG_PKI, paths.HTTPD_ALIAS_DIR, paths.VAR_LIB_PKI_DIR, - paths.VAR_LIB_PKI_CA_DIR, paths.SYSRESTORE, paths.IPA_CLIENT_SYSRESTORE, paths.IPA_DNSSEC_DIR, @@ -127,12 +125,10 @@ class Backup(admintool.AdminTool): paths.NAMED_CONF, paths.NAMED_KEYTAB, paths.RESOLV_CONF, - paths.SYSCONFIG_PKI_CA_DIR, paths.SYSCONFIG_PKI_TOMCAT, paths.SYSCONFIG_DIRSRV, paths.SYSCONFIG_NTPD, paths.SYSCONFIG_KRB5KDC_DIR, - paths.SYSCONFIG_PKI_CA_PKI_CA_DIR, paths.SYSCONFIG_IPA_DNSKEYSYNCD, paths.SYSCONFIG_IPA_ODS_EXPORTER, paths.SYSCONFIG_NAMED, @@ -187,18 +183,14 @@ class Backup(admintool.AdminTool): ) logs=( - paths.PKI_CA_LOG_DIR, paths.VAR_LOG_PKI_DIR, - paths.VAR_LOG_SLAPD_PKI_IPA_DIR, paths.VAR_LOG_HTTPD_DIR, paths.IPASERVER_INSTALL_LOG, paths.KADMIND_LOG, - paths.PKI_CA_INSTALL_LOG, paths.MESSAGES, paths.IPACLIENT_INSTALL_LOG, paths.LOG_SECURE, paths.IPASERVER_UNINSTALL_LOG, - paths.PKI_CA_UNINSTALL_LOG, paths.IPACLIENT_UNINSTALL_LOG, paths.NAMED_RUN, ) 
@@ -306,14 +298,14 @@ class Backup(admintool.AdminTool): self.log.info('Stopping IPA services') run(['ipactl', 'stop']) - for instance in [ - installutils.realm_to_serverid(api.env.realm), 'PKI-IPA' - ]: - if os.path.exists(paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE % instance): - if os.path.exists(paths.SLAPD_INSTANCE_DB_DIR_TEMPLATE % (instance, 'ipaca')): - self.db2ldif(instance, 'ipaca', online=options.online) - self.db2ldif(instance, 'userRoot', online=options.online) - self.db2bak(instance, online=options.online) + instance = installutils.realm_to_serverid(api.env.realm) + if os.path.exists(paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE % + instance): + if os.path.exists(paths.SLAPD_INSTANCE_DB_DIR_TEMPLATE % + (instance, 'ipaca')): + self.db2ldif(instance, 'ipaca', online=options.online) + self.db2ldif(instance, 'userRoot', online=options.online) + self.db2bak(instance, online=options.online) if not options.data_only: # create backup of auth configuration auth_backup_path = os.path.join(paths.VAR_LIB_IPA, 'auth_backup') 
@@ -341,34 +333,21 @@ class Backup(admintool.AdminTool): ''' Add instance-specific files and directories. - NOTE: this adds some things that may not get backed up, like the PKI-IPA - instance. + NOTE: this adds some things that may not get backed up. ''' serverid = installutils.realm_to_serverid(api.env.realm) - for dir in [ - paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % serverid, - paths.VAR_LIB_DIRSRV_INSTANCE_SCRIPTS_TEMPLATE % serverid, - paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE % serverid, - paths.VAR_LIB_SLAPD_PKI_IPA_DIR_TEMPLATE, - paths.USR_LIB_SLAPD_PKI_IPA_DIR, - paths.ETC_SLAPD_PKI_IPA_DIR, - paths.VAR_LIB_SLAPD_PKI_IPA_DIR_TEMPLATE, - self.__find_scripts_dir('PKI-IPA'), - ]: + for dir in [paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % serverid, + paths.VAR_LIB_DIRSRV_INSTANCE_SCRIPTS_TEMPLATE % serverid, + paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE % serverid]: if os.path.exists(dir): self.dirs.append(dir) - for file in [ - paths.SYSCONFIG_DIRSRV_INSTANCE % serverid, - paths.SYSCONFIG_DIRSRV_PKI_IPA_DIR]: - if os.path.exists(file): - self.files.append(file) + file = paths.SYSCONFIG_DIRSRV_INSTANCE % serverid + if os.path.exists(file): + self.files.append(file) - for log in [ - paths.VAR_LOG_DIRSRV_INSTANCE_TEMPLATE % serverid, - ]: - self.logs.append(log) + self.logs.append(paths.VAR_LOG_DIRSRV_INSTANCE_TEMPLATE % serverid) def get_connection(self): @@ -628,17 +607,3 @@ class Backup(admintool.AdminTool): shutil.move(self.header, backup_dir) self.log.info('Backed up to %s', backup_dir) - - def __find_scripts_dir(self, instance): - """ - IPA stores its 389-ds scripts in a different directory than dogtag - does so we need to probe for it. - """ - if instance != 'PKI-IPA': - return os.path.join(paths.VAR_LIB_DIRSRV, 'scripts-%s' % instance) - else: - if sys.maxsize > 2**32: - libpath = 'lib64' - else: - libpath = 'lib' - return os.path.join(paths.USR_DIR, libpath, 'dirsrv', 'slapd-PKI-IPA') 
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py index 96de6bffb..110feb2cc 100644 --- a/ipaserver/install/ipa_cacert_manage.py +++ b/ipaserver/install/ipa_cacert_manage.py @@ -144,9 +144,8 @@ class CACertManage(admintool.AdminTool): if not ca.is_configured(): raise admintool.ScriptError("CA is not configured on this system") - nss_dir = ca.dogtag_constants.ALIAS_DIR criteria = { - 'cert-database': nss_dir, + 'cert-database': paths.PKI_TOMCAT_ALIAS_DIR, 'cert-nickname': self.cert_nickname, 'ca-name': 'dogtag-ipa-ca-renew-agent', } @@ -157,7 +156,7 @@ class CACertManage(admintool.AdminTool): self.log.debug( "Found certmonger request id %r", self.request_id) - db = certs.CertDB(api.env.realm, nssdir=nss_dir) + db = certs.CertDB(api.env.realm, nssdir=paths.PKI_TOMCAT_ALIAS_DIR) cert = db.get_cert_from_db(self.cert_nickname, pem=False) options = self.options @@ -206,7 +205,7 @@ class CACertManage(admintool.AdminTool): options.external_cert_files, x509.subject_base()) nss_cert = None - nss.nss_init(ca.dogtag_constants.ALIAS_DIR) + nss.nss_init(paths.PKI_TOMCAT_ALIAS_DIR) try: nss_cert = x509.load_certificate(old_cert, x509.DER) subject = nss_cert.subject diff --git a/ipaserver/install/ipa_kra_install.py b/ipaserver/install/ipa_kra_install.py index add8250d4..d8fbf580e 100644 --- a/ipaserver/install/ipa_kra_install.py +++ b/ipaserver/install/ipa_kra_install.py @@ -28,7 +28,6 @@ from ipalib.constants import DOMAIN_LEVEL_0 from ipaplatform import services from ipaplatform.paths import paths from ipapython import admintool -from ipapython import dogtag from ipapython import ipautil from ipapython.dn import DN from ipaserver.install import service 
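Review bot: `'cert-database': paths.PKI_TOMCAT_ALIAS_DIR` and the two later uses in this file re-derive the NSS directory from `paths` even though `ca` is in scope and this commit gives `DogtagInstance` an `nss_db` attribute that is the directory certmonger is actually told to track. Using `ca.nss_db` in the criteria dict, in the `CertDB` construction and in `nss.nss_init` keeps the renewal tool querying the same database the instance registered, and avoids a silent mismatch should `nss_db` ever be given a non-default value. The three uses could be bound once to a local, e.g. `nss_dir = ca.nss_db`, as the removed line did. The enclosing method starts before the first hunk.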
@@ -100,8 +99,7 @@ class KRAUninstaller(KRAInstall): if self.args: self.option_parser.error("Too many parameters provided.") - dogtag_constants = dogtag.configured_constants(api) - _kra = krainstance.KRAInstance(api, dogtag_constants=dogtag_constants) + _kra = krainstance.KRAInstance(api) if not _kra.is_installed(): self.option_parser.error( "Cannot uninstall. There is no KRA installed on this system." @@ -194,7 +192,7 @@ class KRAInstaller(KRAInstall): config.host_name = api.env.host config.domain_name = api.env.domain config.dirman_password = self.options.password - config.ca_ds_port = dogtag.install_constants.DS_PORT + config.ca_ds_port = 389 config.top_dir = tempfile.mkdtemp("ipa") config.dir = config.top_dir else: diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py index 552103223..c1bce693b 100644 --- a/ipaserver/install/ipa_replica_prepare.py +++ b/ipaserver/install/ipa_replica_prepare.py @@ -35,7 +35,7 @@ from ipaserver.install.replication import enable_replication_version_checking from ipaserver.plugins.ldap2 import ldap2 from ipaserver.install.bindinstance import ( add_zone, add_fwd_rr, add_ptr_rr, dns_container_exists) -from ipapython import ipautil, admintool, dogtag +from ipapython import ipautil, admintool from ipapython.dn import DN from ipapython import version from ipalib import api @@ -342,8 +342,7 @@ class ReplicaPrepare(admintool.AdminTool): "Apache Server SSL certificate and Directory Server SSL " "certificate are not signed by the same CA certificate") - if (not ipautil.file_exists( - dogtag.configured_constants().CS_CFG_PATH) and + if (not ipautil.file_exists(paths.CA_CS_CFG_PATH) and options.dirsrv_pin is None): self.log.info("If you installed IPA with your own certificates " "using PKCS#12 files you must provide PKCS#12 files for any " 
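Review bot: `config.ca_ds_port = 389` replaces a named constant with a bare literal, and the same literal is repeated elsewhere in this series: `fd.write("389\n")` in ipa_replica_prepare.py, `config.set("KRA", "pki_ds_ldap_port", "389")` in krainstance.py, `ports = [389, 7389]` in replication.py, `options.setup_ca, 389,` in replicainstall.py, plus `DOGTAG_PORT=8009` in upgrade.py and the `8080` REST port in plugins/dogtag.py. A single named constant per port would keep one definition to change; `DEFAULT_DSPORT` is being dropped from the dogtaginstance import in krainstance.py, so it may already be that constant and could be reused rather than inlined. This note applies to all of the hunks listed above.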
@@ -419,7 +418,7 @@ class ReplicaPrepare(admintool.AdminTool): port_fname = os.path.join( self.dir, "dogtag_directory_port.txt") with open(port_fname, "w") as fd: - fd.write("%s\n" % str(dogtag.configured_constants().DS_PORT)) + fd.write("389\n") def copy_httpd_certificate(self): options = self.options diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py index 792ad54c5..a257b7892 100644 --- a/ipaserver/install/ipa_restore.py +++ b/ipaserver/install/ipa_restore.py @@ -387,10 +387,7 @@ class Restore(admintool.AdminTool): httpinstance.create_kdcproxy_user() # Always restore the data from ldif - # If we are restoring PKI-IPA then we need to restore the - # userRoot backend in it and the main IPA instance. If we - # have a unified instance we need to restore both userRoot and - # ipaca. + # We need to restore both userRoot and ipaca. for instance, backend in databases: self.ldif2db(instance, backend, online=options.online) @@ -591,7 +588,7 @@ class Restore(admintool.AdminTool): instance here is a loaded term. It can mean either a separate 389-ds install instance or a separate 389-ds backend. We only need - to treat PKI-IPA and ipaca specially. + to treat ipaca specially. ''' if backend is not None: self.log.info('Restoring %s in %s' % (backend, instance)) @@ -766,21 +763,6 @@ class Restore(admintool.AdminTool): # We can remove the decoded tarball os.unlink(filename) - - def __find_scripts_dir(self, instance): - """ - IPA stores its 389-ds scripts in a different directory than dogtag - does so we need to probe for it. - """ - if instance != 'PKI-IPA': - return os.path.join(paths.VAR_LIB_DIRSRV, 'scripts-%s' % instance) - else: - if sys.maxsize > 2**32: - libpath = 'lib64' - else: - libpath = 'lib' - return os.path.join(paths.USR_DIR, libpath, 'dirsrv', 'slapd-PKI-IPA') - def __create_dogtag_log_dirs(self): """ If we are doing a full restore and the dogtag log directories do 
@@ -790,11 +772,6 @@ class Restore(admintool.AdminTool): or a d10-based installation. """ dirs = [] - # dogtag 9 - if (os.path.exists(paths.VAR_LIB_PKI_CA_DIR) and - not os.path.exists(paths.PKI_CA_LOG_DIR)): - dirs += [paths.PKI_CA_LOG_DIR, - os.path.join(paths.PKI_CA_LOG_DIR, 'signedAudit')] # dogtag 10 if (os.path.exists(paths.VAR_LIB_PKI_TOMCAT_DIR) and not os.path.exists(paths.TOMCAT_TOPLEVEL_DIR)): @@ -879,7 +856,5 @@ class Restore(admintool.AdminTool): api.bootstrap(in_server=False, context='restore', **overrides) api.finalize() - self.instances = [ - installutils.realm_to_serverid(api.env.realm), 'PKI-IPA' - ] + self.instances = [installutils.realm_to_serverid(api.env.realm)] self.backends = ['userRoot', 'ipaca'] diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py index 40c283e6d..14568ec42 100644 --- a/ipaserver/install/kra.py +++ b/ipaserver/install/kra.py @@ -6,8 +6,8 @@ import os from ipalib import api, errors from ipaplatform import services +from ipaplatform.paths import paths from ipapython import certdb -from ipapython import dogtag from ipapython import ipautil from ipapython.dn import DN from ipaserver.install import custodiainstance @@ -18,9 +18,7 @@ from ipaserver.install import service def install_check(api, replica_config, options): - dogtag_constants = dogtag.configured_constants(api=api) - kra = krainstance.KRAInstance(api.env.realm, - dogtag_constants=dogtag_constants) + kra = krainstance.KRAInstance(api.env.realm) if kra.is_installed(): raise RuntimeError("KRA is already installed.") 
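Review bot: After dropping the `# dogtag 9` branch from `__create_dogtag_log_dirs`, the surviving `# dogtag 10` comment and the docstring sentence ending `or a d10-based installation.` (the docstring starts outside the hunk) still suggest a choice between two Dogtag versions that the function no longer makes; the docstring should describe only the pki-tomcat case and the `# dogtag 10` comment can go. In the later ipa_restore.py hunk, `self.instances = [installutils.realm_to_serverid(api.env.realm)]` now pairs a single instance with the unchanged `self.backends = ['userRoot', 'ipaca']`; a short comment such as `# both backends live in the single merged 389-ds instance` would explain the pairing to the next reader.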
@@ -61,10 +59,7 @@ def install_check(api, replica_config, options): def install(api, replica_config, options): subject = dsinstance.DsInstance().find_subject_base() if replica_config is None: - kra = krainstance.KRAInstance( - api.env.realm, - dogtag_constants=dogtag.install_constants) - + kra = krainstance.KRAInstance(api.env.realm) kra.configure_instance( api.env.realm, api.env.host, options.dm_password, options.dm_password, subject_base=subject) @@ -78,9 +73,7 @@ def install(api, replica_config, options): custodia.get_kra_keys(replica_config.kra_host_name, ca_data[0], ca_data[1]) - kra = krainstance.KRAInstance( - replica_config.realm_name, - dogtag_constants=dogtag.install_constants) + kra = krainstance.KRAInstance(replica_config.realm_name) kra.configure_replica(replica_config.host_name, replica_config.kra_host_name, replica_config.dirman_password, @@ -96,16 +89,14 @@ def install(api, replica_config, options): kra.ldap_enable('KRA', api.env.host, options.dm_password, api.env.basedn) - kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH) + kra.enable_client_auth_to_db(paths.KRA_CS_CFG_PATH) # Restart apache for new proxy config file services.knownservices.httpd.restart(capture_output=True) def uninstall(standalone): - dogtag_constants = dogtag.configured_constants(api) - kra = krainstance.KRAInstance(api.env.realm, - dogtag_constants=dogtag_constants) + kra = krainstance.KRAInstance(api.env.realm) if standalone: kra.ldap_connect() diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py index be62226ad..d58bcc659 100644 --- a/ipaserver/install/krainstance.py +++ b/ipaserver/install/krainstance.py @@ -30,7 +30,6 @@ from ipalib import x509 from ipaplatform import services from ipaplatform.paths import paths from ipapython import certdb -from ipapython import dogtag from ipapython import ipautil from ipapython.dn import DN from ipaserver.install import certs 
@@ -39,7 +38,7 @@ from ipaserver.install import installutils from ipaserver.install import ldapupdate from ipaserver.install import service from ipaserver.install.dogtaginstance import ( - DEFAULT_DSPORT, PKI_USER, export_kra_agent_pem, DogtagInstance) + PKI_USER, export_kra_agent_pem, DogtagInstance) from ipaserver.plugins import ldap2 from ipapython.ipa_log_manager import log_mgr @@ -68,23 +67,18 @@ class KRAInstance(DogtagInstance): ('transportCert cert-pki-kra', None), ('storageCert cert-pki-kra', None)) - def __init__(self, realm, dogtag_constants=None): - if dogtag_constants is None: - dogtag_constants = dogtag.configured_constants() - + def __init__(self, realm): super(KRAInstance, self).__init__( realm=realm, subsystem="KRA", service_desc="KRA server", - dogtag_constants=dogtag_constants ) self.basedn = DN(('o', 'kra'), ('o', 'ipaca')) self.log = log_mgr.get_logger(self) def configure_instance(self, realm_name, host_name, dm_password, - admin_password, ds_port=DEFAULT_DSPORT, - pkcs12_info=None, master_host=None, + admin_password, pkcs12_info=None, master_host=None, subject_base=None): """Create a KRA instance. @@ -93,7 +87,6 @@ class KRAInstance(DogtagInstance): self.fqdn = host_name self.dm_password = dm_password self.admin_password = admin_password - self.ds_port = ds_port self.pkcs12_info = pkcs12_info if self.pkcs12_info is not None: self.clone = True @@ -110,9 +103,7 @@ class KRAInstance(DogtagInstance): raise RuntimeError( "KRA already installed.") # Confirm that a Dogtag 10 CA instance already exists - ca = cainstance.CAInstance( - api.env.realm, certs.NSS_DIR, - dogtag_constants=dogtag.Dogtag10Constants) + ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR) if not ca.is_installed(): raise RuntimeError( "KRA configuration failed. " 
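Review bot: `configure_instance` loses its `ds_port` keyword (and, in the next physical line's hunks, `configure_replica` drops `self.ds_port` while `update_cert_config` drops `dogtag_constants`), so any out-of-tree caller still passing `ds_port=` or `dogtag_constants=` fails with a TypeError rather than a deprecation; the in-tree callers are updated in this diff, but the docstring opening `"""Create a KRA instance.` should state that the directory server port is now fixed at 389. Also the rewritten `super(KRAInstance, self).__init__(` call leaves `service_desc="KRA server",` followed by `)` on its own line, which is valid but reads like a leftover of the removed argument — `service_desc="KRA server")` matches the other constructor calls in this series.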
@@ -185,7 +176,7 @@ class KRAInstance(DogtagInstance): config.set("KRA", "pki_client_admin_cert_p12", paths.DOGTAG_ADMIN_P12) # Directory server - config.set("KRA", "pki_ds_ldap_port", str(self.ds_port)) + config.set("KRA", "pki_ds_ldap_port", "389") config.set("KRA", "pki_ds_password", self.dm_password) config.set("KRA", "pki_ds_base_dn", self.basedn) config.set("KRA", "pki_ds_database", "ipaca") @@ -337,7 +328,7 @@ class KRAInstance(DogtagInstance): ld.update([os.path.join(paths.UPDATES_DIR, '40-vault.update')]) @staticmethod - def update_cert_config(nickname, cert, dogtag_constants=None): + def update_cert_config(nickname, cert): """ When renewing a KRA subsystem certificate the configuration file needs to get the new certificate as well. @@ -346,9 +337,6 @@ class KRAInstance(DogtagInstance): cert is a DER-encoded certificate. """ - if dogtag_constants is None: - dogtag_constants = dogtag.configured_constants() - # The cert directive to update per nickname directives = { 'auditSigningCert cert-pki-kra': 'kra.audit_signing.cert', @@ -358,9 +346,7 @@ class KRAInstance(DogtagInstance): 'Server-Cert cert-pki-ca': 'kra.sslserver.cert'} DogtagInstance.update_cert_cs_cfg( - nickname, cert, directives, - dogtag.configured_constants().KRA_CS_CFG_PATH, - dogtag_constants) + nickname, cert, directives, paths.KRA_CS_CFG_PATH) def __enable_instance(self): self.ldap_enable('KRA', self.fqdn, None, self.suffix) @@ -373,7 +359,6 @@ class KRAInstance(DogtagInstance): """ self.fqdn = host_name self.dm_password = dm_password - self.ds_port = DEFAULT_DSPORT self.master_host = master_host if subject_base is None: self.subject_base = DN(('O', self.realm)) 
@@ -390,8 +375,7 @@ class KRAInstance(DogtagInstance): raise RuntimeError( "KRA already installed.") # Confirm that a Dogtag 10 CA instance already exists - ca = cainstance.CAInstance(self.realm, certs.NSS_DIR, - dogtag_constants=dogtag.Dogtag10Constants) + ca = cainstance.CAInstance(self.realm, certs.NSS_DIR) if not ca.is_installed(): raise RuntimeError( "KRA configuration failed. " @@ -433,8 +417,7 @@ def install_replica_kra(config, postinstall=False): "Unable to clone KRA." " cacert.p12 file not found in replica file") - _kra = KRAInstance(config.realm_name, - dogtag_constants=dogtag.install_constants) + _kra = KRAInstance(config.realm_name) _kra.dm_password = config.dirman_password _kra.subject_base = config.subject_base if _kra.is_installed(): @@ -455,8 +438,8 @@ def install_replica_kra(config, postinstall=False): # dogtag service.print_msg("Restarting the directory and KRA servers") - _kra.stop(dogtag.install_constants.PKI_INSTANCE_NAME) + _kra.stop('pki-tomcat') services.knownservices.dirsrv.restart() - _kra.start(dogtag.install_constants.PKI_INSTANCE_NAME) + _kra.start('pki-tomcat') return _kra diff --git a/ipaserver/install/plugins/ca_renewal_master.py b/ipaserver/install/plugins/ca_renewal_master.py index dae976f02..e83cf3b02 100644 --- a/ipaserver/install/plugins/ca_renewal_master.py +++ b/ipaserver/install/plugins/ca_renewal_master.py @@ -21,7 +21,7 @@ from ipaserver.install import installutils, certs, cainstance from ipalib import errors from ipalib import Updater from ipalib.plugable import Registry -from ipapython import certmonger, dogtag +from ipapython import certmonger from ipaplatform.paths import paths from ipapython.dn import DN @@ -83,8 +83,7 @@ class update_ca_renewal_master(Updater): self.debug("certmonger request for ipaCert not found") config = installutils.get_directive( - dogtag.configured_constants().CS_CFG_PATH, - 'subsystem.select', '=') + paths.CA_CS_CFG_PATH, 'subsystem.select', '=') if config == 'New': pass 
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index 443f7ca23..b408d4fbe 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py @@ -30,7 +30,7 @@ import ldap from ipalib import api, errors from ipalib.constants import CACERT from ipapython.ipa_log_manager import * -from ipapython import ipautil, dogtag, ipaldap +from ipapython import ipautil, ipaldap from ipapython.dn import DN from ipaplatform import services from ipaplatform.paths import paths @@ -86,7 +86,7 @@ def replica_conn_check(master_host, host_name, realm, check_ca, args.extend(["--password", admin_password]) nolog=(admin_password,) - if check_ca and dogtag_master_ds_port == dogtag.Dogtag9Constants.DS_PORT: + if check_ca and dogtag_master_ds_port == 7389: args.append('--check-ca') (stdin, stderr, returncode) = ipautil.run( args, raiseonerr=False, capture_output=False, nolog=nolog) @@ -1737,7 +1737,7 @@ class CSReplicationManager(ReplicationManager): if self.conn.port == 7389: instance_name = 'pki-ca' else: - instance_name = dogtag.configured_constants(api).PKI_INSTANCE_NAME + instance_name = 'pki-tomcat' # if master is not None we know what dn to return: if master is not None: @@ -1797,10 +1797,7 @@ def get_cs_replication_manager(realm, host, dirman_passwd): # Fall back to the old PKI-only DS port. Check that it has the ipaca tree # (IPA with merged DB theoretically leaves port 7389 free for anyone). # If it doesn't, raise exception. - ports = [ - dogtag.Dogtag10Constants.DS_PORT, - dogtag.Dogtag9Constants.DS_PORT, - ] + ports = [389, 7389] for port in ports: root_logger.debug('Looking for PKI DS on %s:%s' % (host, port)) replication_manager = CSReplicationManager( diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 6629e8ec1..6ecb87ac9 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py 
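Review bot: `instance_name = 'pki-tomcat'` in `CSReplicationManager` sits under an `else` whose `if self.conn.port == 7389: instance_name = 'pki-ca'` branch is kept, and `replica_conn_check` above likewise still compares `dogtag_master_ds_port == 7389`, while the rest of this commit removes Dogtag 9 support. If these are kept deliberately so that a new replica can still talk to a not-yet-upgraded master, a comment saying so would stop the next cleanup from removing them, e.g. `# 7389 is the separate PKI DS port of Dogtag 9 masters that have not been upgraded yet`; otherwise they should go with the rest. The same consideration applies to `ports = [389, 7389]` in `get_cs_replication_manager` below.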
@@ -15,7 +15,7 @@ import textwrap import six -from ipapython import certmonger, dogtag, ipaldap, ipautil, sysrestore +from ipapython import certmonger, ipaldap, ipautil, sysrestore from ipapython.dn import DN from ipapython.install import common, core from ipapython.install.common import step @@ -303,8 +303,6 @@ def install_check(installer): external_ca_file = installer._external_ca_file http_ca_cert = installer._ca_cert - dogtag_constants = dogtag.install_constants - tasks.check_selinux_status() if options.master_password: @@ -575,7 +573,7 @@ def install_check(installer): if setup_ca: fd.write("enable_ra=True\n") fd.write("ra_plugin=dogtag\n") - fd.write("dogtag_version=%s\n" % dogtag_constants.DOGTAG_VERSION) + fd.write("dogtag_version=10\n") else: fd.write("enable_ra=False\n") fd.write("ra_plugin=none\n") @@ -700,8 +698,6 @@ def install(installer): setup_ca = options.setup_ca setup_kra = options.setup_kra - dogtag_constants = dogtag.install_constants - # Installation has started. No IPA sysrestore items are restored in case of # failure to enable root cause investigation installer._installation_cleanup = False @@ -777,8 +773,7 @@ def install(installer): ca.install_step_0(False, None, options) # Now put the CA cert where other instances exepct it - ca_instance = cainstance.CAInstance(realm_name, certs.NSS_DIR, - dogtag_constants=dogtag_constants) + ca_instance = cainstance.CAInstance(realm_name, certs.NSS_DIR) ca_instance.publish_ca_cert(CACERT) else: # Put the CA cert where other instances expect it @@ -856,8 +851,7 @@ def install(installer): krb.restart() if setup_ca: - dogtag_service = services.knownservices[dogtag_constants.SERVICE_NAME] - dogtag_service.restart(dogtag_constants.PKI_INSTANCE_NAME) + services.knownservices['pki_tomcatd'].restart('pki-tomcat') if options.setup_dns: api.Backend.ldap2.connect(autobind=True) 
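Review bot: `services.knownservices['pki_tomcatd'].restart('pki-tomcat')` spells out the service/instance pair as two string literals, and the same pair recurs in replicainstall.py, upgrade.py (`installutils.stopped_service('pki-tomcatd', 'pki-tomcat')`, `ca.restart('pki-tomcat')`), krainstance.py and the restart scripts. A pair of module-level constants (for example next to `PKI_USER` in dogtaginstance.py, which several of these files already import from) would keep one definition to change and avoid a typo in one site silently targeting a different unit. The `fd.write("dogtag_version=10\n")` line in the earlier hunk is fine, though a short comment that the value is now pinned because Dogtag 9 is no longer supported would help whoever reads default.conf generation later.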
@@ -1052,9 +1046,6 @@ def uninstall(installer): except Exception as e: pass - # Need to get dogtag info before /etc/ipa/default.conf is removed - dogtag_constants = dogtag.configured_constants() - print("Removing IPA client configuration") try: (stdout, stderr, rc) = run([paths.IPA_CLIENT_INSTALL, "--on-master", @@ -1072,7 +1063,7 @@ def uninstall(installer): kra.uninstall(False) - ca.uninstall(dogtag_constants) + ca.uninstall() dns.uninstall() @@ -1134,7 +1125,7 @@ def uninstall(installer): # Note that this name will be wrong after the first uninstall. dirname = dsinstance.config_dirname( installutils.realm_to_serverid(api.env.realm)) - dirs = [dirname, dogtag_constants.ALIAS_DIR, certs.NSS_DIR] + dirs = [dirname, paths.PKI_TOMCAT_ALIAS_DIR, certs.NSS_DIR] ids = certmonger.check_state(dirs) if ids: root_logger.error('Some certificates may still be tracked by ' diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 492ea72d8..4b811105b 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -14,7 +14,7 @@ import socket import sys import tempfile -from ipapython import certmonger, dogtag, ipaldap, ipautil, sysrestore +from ipapython import certmonger, ipaldap, ipautil, sysrestore from ipapython.dn import DN from ipapython.install import common, core from ipapython.install.common import step @@ -465,8 +465,7 @@ def install_check(installer): if ipautil.file_exists(config.dir + "/cacert.p12"): fd.write("enable_ra=True\n") fd.write("ra_plugin=dogtag\n") - fd.write("dogtag_version=%s\n" % - dogtag.install_constants.DOGTAG_VERSION) + fd.write("dogtag_version=10\n") else: fd.write("enable_ra=False\n") fd.write("ra_plugin=none\n") 
@@ -631,8 +630,6 @@ def install(installer): sstore = installer._sstore config = installer._config - dogtag_constants = dogtag.install_constants - if installer._update_hosts_file: installutils.update_hosts_file(config.ips, config.host_name, fstore) @@ -685,9 +682,7 @@ def install(installer): ipautil.realm_to_suffix(config.realm_name)) if ipautil.file_exists(config.dir + "/cacert.p12"): - CA = cainstance.CAInstance( - config.realm_name, certs.NSS_DIR, - dogtag_constants=dogtag_constants) + CA = cainstance.CAInstance(config.realm_name, certs.NSS_DIR) CA.dm_password = config.dirman_password CA.configure_certmonger_renewal() @@ -716,8 +711,7 @@ def install(installer): krb.restart() if config.setup_ca: - dogtag_service = services.knownservices[dogtag_constants.SERVICE_NAME] - dogtag_service.restart(dogtag_constants.PKI_INSTANCE_NAME) + services.knownservices['pki_tomcatd'].restart('pki-tomcat') if options.setup_dns: api.Backend.ldap2.connect(autobind=True) @@ -965,7 +959,7 @@ def promote_check(installer): if not options.skip_conncheck: replica_conn_check( config.master_host_name, config.host_name, config.realm_name, - options.setup_ca, dogtag.Dogtag10Constants.DS_PORT, + options.setup_ca, 389, options.admin_password, principal=options.principal) if not ipautil.file_exists(cafile): @@ -994,8 +988,6 @@ def promote(installer): config.promote = installer.promote config.dirman_password = hexlify(ipautil.ipa_generate_password()) - dogtag_constants = dogtag.install_constants - # FIXME: allow to use passed in certs instead if installer._ca_enabled: configure_certmonger() @@ -1032,8 +1024,7 @@ def promote(installer): ipaconf.setOption('mode', 'production'), ipaconf.setOption('enable_ra', 'True'), ipaconf.setOption('ra_plugin', 'dogtag'), - ipaconf.setOption('dogtag_version', - dogtag.install_constants.DOGTAG_VERSION)] + ipaconf.setOption('dogtag_version', '10')] opts = [ipaconf.setSection('global', gopts)] ipaconf.changeConf(target_fname, opts) 
@@ -1069,7 +1060,6 @@ def promote(installer): custodia.get_ca_keys(config.ca_host_name, ca_data[0], ca_data[1]) ca = cainstance.CAInstance(config.realm_name, certs.NSS_DIR, - dogtag_constants=dogtag.install_constants, host_name=config.host_name, dm_password=config.dirman_password) ca.configure_replica(config.ca_host_name, @@ -1081,9 +1071,7 @@ def promote(installer): config.dirman_password) custodia.get_kra_keys(config.kra_host_name, ca_data[0], ca_data[1]) - constants = dogtag.install_constants - kra = krainstance.KRAInstance(config.realm_name, - dogtag_constants=constants) + kra = krainstance.KRAInstance(config.realm_name) kra.configure_replica(config.host_name, config.kra_host_name, config.dirman_password, kra_cert_bundle=ca_data) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 84339b0a2..e193b85b9 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -24,7 +24,7 @@ from ipapython import ipautil, sysrestore, version, certdb from ipapython import ipaldap from ipapython.ipa_log_manager import * from ipapython import certmonger -from ipapython import dogtag +from ipapython.dn import DN from ipaplatform.paths import paths from ipaserver.install import installutils from ipaserver.install import dsinstance @@ -40,6 +40,7 @@ from ipaserver.install import custodiainstance from ipaserver.install import sysupgrade from ipaserver.install import dnskeysyncinstance from ipaserver.install import krainstance +from ipaserver.install import dogtaginstance from ipaserver.install.upgradeinstance import IPAUpgrade from ipaserver.install.ldapupdate import BadSyntax @@ -201,7 +202,6 @@ def upgrade_pki(ca, fstore): This requires enabling SSL renegotiation. """ - configured_constants = dogtag.configured_constants() root_logger.info('[Verifying that CA proxy configuration is correct]') if not ca.is_configured(): root_logger.info('CA is not configured') 
@@ -209,16 +209,8 @@ def upgrade_pki(ca, fstore): http = httpinstance.HTTPInstance(fstore) http.enable_mod_nss_renegotiate() - if not installutils.get_directive(configured_constants.CS_CFG_PATH, - 'proxy.securePort', '=') and \ - os.path.exists(paths.PKI_SETUP_PROXY): - # update proxy configuration with stopped dogtag to prevent corruption - # of CS.cfg - ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib', - '-pki_instance_name=pki-ca','-subsystem_type=ca']) - root_logger.debug('Proxy configuration updated') - else: - root_logger.debug('Proxy configuration up-to-date') + + root_logger.debug('Proxy configuration up-to-date') def update_dbmodules(realm, filename=paths.KRB5_CONF): newfile = [] @@ -315,15 +307,13 @@ def ca_enable_ldap_profile_subsystem(ca): root_logger.info('CA is not configured') return False - caconfig = dogtag.configured_constants() - needs_update = False directive = None try: for i in range(15): directive = "subsystem.{}.class".format(i) value = installutils.get_directive( - caconfig.CS_CFG_PATH, + paths.CA_CS_CFG_PATH, directive, separator='=') if value == 'com.netscape.cmscore.profile.ProfileSubsystem': @@ -331,18 +321,18 @@ def ca_enable_ldap_profile_subsystem(ca): break except OSError as e: root_logger.error('Cannot read CA configuration file "%s": %s', - caconfig.CS_CFG_PATH, e) + paths.CA_CS_CFG_PATH, e) return False if needs_update: installutils.set_directive( - caconfig.CS_CFG_PATH, + paths.CA_CS_CFG_PATH, directive, 'com.netscape.cmscore.profile.LDAPProfileSubsystem', quotes=False, separator='=') - ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME) + ca.restart('pki-tomcat') cainstance.migrate_profiles_to_ldap() return needs_update 
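Review bot: With the pki_setup_proxy branch removed, `upgrade_pki` now calls `root_logger.debug('Proxy configuration up-to-date')` unconditionally after `http.enable_mod_nss_renegotiate()`, although nothing checks the proxy configuration any more, so the message misleads anyone reading upgrade logs during triage. Either drop the line or reword it to what actually happened, e.g. `root_logger.debug('mod_nss renegotiation enabled')`. The hunk also leaves two consecutive blank lines before that call, and the function docstring (outside the hunk) should be re-read since "verifying that CA proxy configuration is correct" no longer describes the body.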
@@ -803,13 +793,12 @@ def certificate_renewal_update(ca): """ Update certmonger certificate renewal configuration. """ - dogtag_constants = dogtag.configured_constants() # bump version when requests is changed version = 4 requests = ( ( - dogtag_constants.ALIAS_DIR, + paths.PKI_TOMCAT_ALIAS_DIR, 'auditSigningCert cert-pki-ca', 'dogtag-ipa-ca-renew-agent', 'stop_pkicad', @@ -817,7 +806,7 @@ def certificate_renewal_update(ca): None, ), ( - dogtag_constants.ALIAS_DIR, + paths.PKI_TOMCAT_ALIAS_DIR, 'ocspSigningCert cert-pki-ca', 'dogtag-ipa-ca-renew-agent', 'stop_pkicad', @@ -825,7 +814,7 @@ def certificate_renewal_update(ca): None, ), ( - dogtag_constants.ALIAS_DIR, + paths.PKI_TOMCAT_ALIAS_DIR, 'subsystemCert cert-pki-ca', 'dogtag-ipa-ca-renew-agent', 'stop_pkicad', @@ -833,7 +822,7 @@ def certificate_renewal_update(ca): None, ), ( - dogtag_constants.ALIAS_DIR, + paths.PKI_TOMCAT_ALIAS_DIR, 'caSigningCert cert-pki-ca', 'dogtag-ipa-ca-renew-agent', 'stop_pkicad', @@ -849,7 +838,7 @@ def certificate_renewal_update(ca): None, ), ( - dogtag_constants.ALIAS_DIR, + paths.PKI_TOMCAT_ALIAS_DIR, 'Server-Cert cert-pki-ca', 'dogtag-ipa-renew-agent', 'stop_pkicad', @@ -928,15 +917,13 @@ def copy_crl_file(old_path, new_path=None): """ if new_path is None: filename = os.path.basename(old_path) - new_path = os.path.join(dogtag.configured_constants().CRL_PUBLISH_PATH, - filename) + new_path = os.path.join(paths.PKI_CA_PUBLISH_DIR, filename) root_logger.debug('copy_crl_file: %s -> %s', old_path, new_path) if os.path.islink(old_path): # update symlink to the most most recent CRL file filename = os.path.basename(os.readlink(old_path)) - realpath = os.path.join(dogtag.configured_constants().CRL_PUBLISH_PATH, - filename) + realpath = os.path.join(paths.PKI_CA_PUBLISH_DIR, filename) root_logger.debug('copy_crl_file: Create symlink %s -> %s', new_path, realpath) os.symlink(realpath, new_path) 
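Review bot: `certificate_renewal_update` keeps `version = 4` under the comment `# bump version when requests is changed`, while every `dogtag_constants.ALIAS_DIR` entry in `requests` becomes `paths.PKI_TOMCAT_ALIAS_DIR`; on a Dogtag 10 host the value is presumably identical, so not bumping avoids re-running the renewal setup, but that reasoning is not written down. A one-line comment such as `# version not bumped: ALIAS_DIR already resolved to PKI_TOMCAT_ALIAS_DIR on Dogtag 10 installs` would make the decision explicit and auditable. The same applies to `copy_crl_file` below, where `paths.PKI_CA_PUBLISH_DIR` replaces `CRL_PUBLISH_PATH`.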
@@ -961,22 +948,21 @@ def migrate_crl_publish_dir(ca): root_logger.info('CA is not configured') return False - caconfig = dogtag.configured_constants() - try: - old_publish_dir = installutils.get_directive(caconfig.CS_CFG_PATH, + old_publish_dir = installutils.get_directive( + paths.CA_CS_CFG_PATH, 'ca.publish.publisher.instance.FileBaseCRLPublisher.directory', separator='=') except OSError as e: root_logger.error('Cannot read CA configuration file "%s": %s', - caconfig.CS_CFG_PATH, e) + paths.CA_CS_CFG_PATH, e) return False # Prepare target publish dir (creation, permissions, SELinux context) # Run this every update to ensure proper values publishdir = ca.prepare_crl_publish_dir() - if old_publish_dir == caconfig.CRL_PUBLISH_PATH: + if old_publish_dir == paths.PKI_CA_PUBLISH_DIR: # publish dir is already updated root_logger.info('Publish directory already set to new location') sysupgrade.set_upgrade_state('dogtag', 'moved_crl_publish_dir', True) @@ -1000,16 +986,17 @@ def migrate_crl_publish_dir(ca): root_logger.error('Cannot move CRL file to new directory: %s', e) try: - installutils.set_directive(caconfig.CS_CFG_PATH, + installutils.set_directive( + paths.CA_CS_CFG_PATH, 'ca.publish.publisher.instance.FileBaseCRLPublisher.directory', publishdir, quotes=False, separator='=') except OSError as e: root_logger.error('Cannot update CA configuration file "%s": %s', - caconfig.CS_CFG_PATH, e) + paths.CA_CS_CFG_PATH, e) return False sysupgrade.set_upgrade_state('dogtag', 'moved_crl_publish_dir', True) root_logger.info('CRL publish directory has been migrated, ' - 'request pki-ca restart') + 'request pki-tomcat restart') return True 
@@ -1101,6 +1088,76 @@ def uninstall_selfsign(ds, http):
 http.stop_tracking_certificates()
+def uninstall_dogtag_9(ds, http):
+ root_logger.info('[Removing Dogtag 9 CA]')
+
+ if api.env.ra_plugin != 'dogtag':
+ root_logger.debug('Dogtag CA is not installed')
+ return
+ if api.env.dogtag_version >= 10:
+ root_logger.debug('Dogtag is version 10 or above')
+ return
+
+ if not api.Backend.ldap2.isconnected():
+ try:
+ api.Backend.ldap2.connect(autobind=True)
+ except ipalib.errors.PublicError as e:
+ root_logger.error("Cannot connect to LDAP: %s", e)
+
+ dn = DN(('cn', 'CA'), ('cn', api.env.host), ('cn', 'masters'),
+ ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
+ try:
+ api.Backend.ldap2.delete_entry(dn)
+ except ipalib.errors.PublicError as e:
+ root_logger.error("Cannot delete %s: %s", dn, e)
+
+ p = SafeConfigParser()
+ p.read(paths.IPA_DEFAULT_CONF)
+ p.set('global', 'dogtag_version', '10')
+ with open(paths.IPA_DEFAULT_CONF, 'w') as f:
+ p.write(f)
+
+ sstore = sysrestore.StateFile(paths.SYSRESTORE)
+ sstore.restore_state('pkids', 'enabled')
+ sstore.restore_state('pkids', 'running')
+ sstore.restore_state('pkids', 'user_exists')
+ serverid = sstore.restore_state('pkids', 'serverid')
+ sstore.save()
+
+ ca = dogtaginstance.DogtagInstance(
+ api.env.realm, "CA", "certificate server",
+ nss_db=paths.VAR_LIB_PKI_CA_ALIAS_DIR)
+ ca.stop_tracking_certificates(False)
+
+ if serverid is not None:
+ # drop the trailing / off the config_dirname so the directory
+ # will match what is in certmonger
+ dirname = dsinstance.config_dirname(serverid)[:-1]
+ dsdb = certs.CertDB(api.env.realm, nssdir=dirname)
+ dsdb.untrack_server_cert("Server-Cert")
+
+ try:
+ services.service('pki-cad').disable('pki-ca')
+ except Exception as e:
+ root_logger.warning("Failed to disable pki-cad: %s", e)
+ try:
+ services.service('pki-cad').stop('pki-ca')
+ except Exception as e:
+ root_logger.warning("Failed to stop pki-cad: %s", e)
+
+ if serverid is not None:
+ try:
+ 
services.service('dirsrv').disable(serverid) + except Exception as e: + root_logger.warning("Failed to disable dirsrv: %s", e) + try: + services.service('dirsrv').stop(serverid) + except Exception as e: + root_logger.warning("Failed to stop dirsrv: %s", e) + + http.restart() + + def mask_named_regular(): """Disable named, we need to run only named-pkcs11, running both named and named-pkcs can cause unexpected errors""" @@ -1359,13 +1416,12 @@ def upgrade_configuration(): check_certs() auto_redirect = find_autoredirect(fqdn) - configured_constants = dogtag.configured_constants() sub_dict = dict( REALM=api.env.realm, FQDN=fqdn, AUTOREDIR='' if auto_redirect else '#', - CRL_PUBLISH_PATH=configured_constants.CRL_PUBLISH_PATH, - DOGTAG_PORT=configured_constants.AJP_PORT, + CRL_PUBLISH_PATH=paths.PKI_CA_PUBLISH_DIR, + DOGTAG_PORT=8009, CLONE='#' ) @@ -1375,9 +1431,7 @@ def upgrade_configuration(): ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR) - with installutils.stopped_service(configured_constants.SERVICE_NAME, - configured_constants.PKI_INSTANCE_NAME): - + with installutils.stopped_service('pki-tomcatd', 'pki-tomcat'): # Dogtag must be stopped to be able to backup CS.cfg config ca.backup_config() @@ -1385,8 +1439,8 @@ def upgrade_configuration(): ca_restart = migrate_crl_publish_dir(ca) if ca.is_configured(): - crl = installutils.get_directive(configured_constants.CS_CFG_PATH, - 'ca.crl.MasterCRL.enableCRLUpdates', '=') + crl = installutils.get_directive( + paths.CA_CS_CFG_PATH, 'ca.crl.MasterCRL.enableCRLUpdates', '=') sub_dict['CLONE']='#' if crl.lower() == 'true' else '' ds_dirname = dsinstance.config_dirname(ds_serverid) @@ -1470,6 +1524,7 @@ def upgrade_configuration(): http.start() uninstall_selfsign(ds, http) + uninstall_dogtag_9(ds, http) simple_service_list = ( (memcacheinstance.MemcacheInstance(), 'MEMCACHE'), 
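Review bot: `uninstall_dogtag_9` writes `p.set('global', 'dogtag_version', '10')` into `paths.IPA_DEFAULT_CONF` before any of the teardown has run; if a later step fails (`dsdb.untrack_server_cert("Server-Cert")` has no exception handling and the service stop/disable calls only log warnings), the next upgrade run returns early at `if api.env.dogtag_version >= 10:` and leaves the Dogtag 9 instance half removed with its certificates possibly still tracked by certmonger. Moving the config-write block to the end, after `http.restart()`, keeps the function re-runnable until it actually succeeds. A failed `api.Backend.ldap2.connect(autobind=True)` is only logged and execution falls through to `delete_entry` on the same unconnected backend, which will fail again; a `return` after that error would be clearer. Also note that `p.write(f)` rewrites default.conf through ConfigParser, which discards any comments the file contained, the `ds` parameter is unused, and `SafeConfigParser` is not imported by this diff (it is a deprecated alias of `ConfigParser` on Python 3) — confirm it is already in scope.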
@@ -1542,9 +1597,10 @@ def upgrade_configuration(): ]) if ca_restart: - root_logger.info('pki-ca configuration changed, restart pki-ca') + root_logger.info( + 'pki-tomcat configuration changed, restart pki-tomcat') try: - ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME) + ca.restart('pki-tomcat') except ipautil.CalledProcessError as e: root_logger.error("Failed to restart %s: %s", ca.service_name, e) diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index c856cccd0..a2f40ef38 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -24,7 +24,7 @@ import time import datetime import traceback -from ipapython import sysrestore, ipautil, dogtag, ipaldap +from ipapython import sysrestore, ipautil, ipaldap from ipapython.dn import DN from ipapython.ipa_log_manager import * from ipalib import api, errors, certstore @@ -41,8 +41,8 @@ SERVICE_LIST = { 'MEMCACHE': ('ipa_memcached', 39), 'HTTP': ('httpd', 40), 'KEYS': ('ipa-custodia', 41), - 'CA': ('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 50), - 'KRA': ('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 51), + 'CA': ('pki-tomcatd', 50), + 'KRA': ('pki-tomcatd', 51), 'ADTRUST': ('smb', 60), 'EXTID': ('winbind', 70), 'OTPD': ('ipa-otpd', 80), diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 7b8416996..62ec1cce4 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py 
@@ -1841,7 +1841,9 @@ class ra(rabase.rabase): payload = etree.tostring(doc, pretty_print=False, xml_declaration=True, encoding='UTF-8') self.debug('%s.find(): request: %s', self.fullname, payload) - url = 'http://%s/ca/rest/certs/search?size=%d' % (ipautil.format_netloc(self.ca_host, ipapython.dogtag.configured_constants().UNSECURE_PORT), options.get('sizelimit', 100)) + url = 'http://%s/ca/rest/certs/search?size=%d' % ( + ipautil.format_netloc(self.ca_host, 8080), + options.get('sizelimit', 100)) opener = urllib.request.build_opener() opener.addheaders = [('Accept-Encoding', 'gzip, deflate'), |