| -rwxr-xr-x | install/tools/ipa-replica-install | 4 | ||||
| -rwxr-xr-x | install/tools/ipa-server-install | 4 | ||||
| -rw-r--r-- | install/updates/50-dogtag10-migration.update | 18 | ||||
| -rw-r--r-- | install/updates/Makefile.am | 1 |
4 files changed, 27 insertions, 0 deletions
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index cebcbf1a4..9f420aef6 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -713,6 +713,10 @@ def main():
 service.print_msg("Restarting the KDC")
 krb.restart()
+ if CA and config.setup_ca:
+ service.print_msg("Restarting the certificate server")
+ CA.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
+
 if options.setup_dns:
 install_bind(config, options)
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 17af03989..7ca34e2cf 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -1191,6 +1191,10 @@ def main():
 service.print_msg("Restarting the KDC")
 krb.restart()
+ if setup_ca:
+ service.print_msg("Restarting the certificate server")
+ ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
+
 # Create a BIND instance
 bind = bindinstance.BindInstance(fstore, dm_password)
 bind.setup(host_name, ip_address, realm_name, domain_name, dns_forwarders,
diff --git a/install/updates/50-dogtag10-migration.update b/install/updates/50-dogtag10-migration.update
new file mode 100644
index 000000000..d71892354
--- /dev/null
+++ b/install/updates/50-dogtag10-migration.update 
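Review bot: The new CA restart in ipa-replica-install carries no comment saying why the certificate server has to be restarted at this point, right after `krb.restart()`, and the identical block in the ipa-server-install hunk has the same gap. Presumably the restart is there so the running CA re-reads state that earlier install steps (and the 50-dogtag10-migration.update shipped in this commit) changed underneath it — confirm that and record it, e.g. `# Restart the CA so it picks up the configuration and ACL changes applied above`. The two guards also differ: the replica variant checks `if CA and config.setup_ca:` while the server variant checks only `if setup_ca:`; if `ca` can still be None there while setup_ca is set (not visible in the hunk), guard it the same way for consistency. Like `krb.restart()` before it, a failing restart propagates out of main() with no handling visible here; main() starts and ends outside both hunks.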
@@ -0,0 +1,18 @@
+# PKI/Dogtag does not automatically upgrade it's database. When Dogtag 10
+# based replica is being installed from a Dogtag 9 based replica,
+# the database will miss ACLs added in Dogtag 10 resulting in limited
+# functionality.
+#
+# This update file can be removed when Dogtag database upgrades are done
+# in PKI component. Upstream tickets:
+# * https://fedorahosted.org/pki/ticket/710 (database upgrade framework)
+# * https://fedorahosted.org/pki/ticket/906 (checking database version)
+ dn: cn=aclResources,o=ipaca
+addifexist:resourceACLS:'certServer.ca.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout'
+addifexist:resourceACLS:'certServer.ca.certrequests:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert request operations'
+addifexist:resourceACLS:'certServer.ca.certs:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert operations'
+addifexist:resourceACLS:'certServer.ca.groups:execute:allow (execute) group="Administrators":Admins may execute group operations'
+addifexist:resourceACLS:'certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations'
+replace:resourceACLS:'certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml::certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml'
+replace:resourceACLS:'certServer.ca.connectorInfo:read,modify:allow (modify,read) group="Enterprise KRA Administrators":Only Enterprise Administrators are allowed to update the connector information::certServer.ca.connectorInfo:read,modify:allow (read) group="Enterprise KRA Administrators";allow (modify) group="Enterprise KRA Administrators" || group="Subsystem Group":Only Enterprise Administrators and Subsystem Group are allowed to update the connector information'
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 67c33eef5..a6d24b94f 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -29,6 +29,7 @@ app_DATA = \
 40-otp.update \
 45-roles.update \
 50-7_bit_check.update \
+ 50-dogtag10-migration.update \
 50-lockout-policy.update \
 50-groupuuid.update \
 50-hbacservice.update \ |
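Review bot: The header comment does not say where these `resourceACLS` values come from, so a later maintainer cannot tell whether a drift from upstream is intentional; if they are copied from the Dogtag 10 default cn=aclResources entry, say so and name the version they were taken from, e.g. `# ACL values below mirror the Dogtag 10 default aclResources entries; keep in sync with upstream.` As I read the updater's replace directive, the two `replace:` entries only take effect when the existing value matches the old string exactly, so a deployment whose Dogtag 9 value differs in wording or whitespace silently keeps the narrower ACL — not a privilege problem, but it leaves the limited-functionality issue this file exists to fix in place, and a sentence in the header pointing operators at the updater log would help. The `replace:` entries are also the security-relevant part of the file, since they widen who may modify domain.xml and the connector information (the Enterprise *Administrators groups and Subsystem Group); that matches the stated purpose but deserves a one-line mention in the header rather than being discoverable only by reading the values. Minor: `it's database` should read `its database`.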
