diff options
Diffstat (limited to 'install/tools')
-rwxr-xr-x | install/tools/ipa-replica-install | 26 | ||||
-rwxr-xr-x | install/tools/ipa-server-install | 16 |
2 files changed, 39 insertions, 3 deletions
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index d9a9748a8..cfaeaa4a5 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -167,9 +167,22 @@ def install_ca(config): print "Please install dogtag and restart the setup program" sys.exit(1) + # We replicate to the master using TLS. In order for this to work we + # need an SSL server cert. To make things easier we'll re-use the + # IPA 389-ds instance certificate loaded directly into the + # dogtag 389-ds instance. Later we will replace the NSS databases with + # symbolic links. + pkcs12_info = None + if ipautil.file_exists(config.dir + "/dscert.p12"): + pkcs12_info = (config.dir + "/dscert.p12", + config.dir + "/dirsrv_pin.txt") cs = cainstance.CADSInstance() cs.create_instance(config.realm_name, config.host_name, - config.domain_name, config.dirman_password) + config.domain_name, config.dirman_password, + pkcs12_info) + cs.load_pkcs12() + cs.enable_ssl() + cs.restart_instance() ca = cainstance.CAInstance(config.realm_name, certs.NSS_DIR) ca.configure_instance(config.host_name, config.dirman_password, config.dirman_password, pkcs12_info=(cafile,), @@ -187,8 +200,8 @@ def install_ca(config): service_name = cs.service_name service.print_msg("Restarting the directory and certificate servers") cs.service_name = "dirsrv" - cs.stop("PKI-IPA") ca.stop() + cs.stop("PKI-IPA") cs.start("PKI-IPA") ca.start() cs.service_name = service_name @@ -487,6 +500,15 @@ def main(): CA.ldap_enable('CA', config.host_name, config.dirman_password, util.realm_to_suffix(config.realm_name)) + # Now we will replace the existing dogtag 389-ds instance NSS + # database with a symbolic link to the IPA 389-ds NSS database. + caconfigdir = dsinstance.config_dirname(dsinstance.realm_to_serverid('PKI-IPA')) + for filename in ['cert8.db', 'key3.db', 'secmod.db', 'pin.txt']: + os.unlink('%s%s' % (caconfigdir, filename)) + dsconfigdir = dsinstance.config_dirname(dsinstance.realm_to_serverid(config.realm_name)) + for filename in ['cert8.db', 'key3.db', 'secmod.db', 'pin.txt']: + os.symlink('%s%s' % (dsconfigdir, filename), '%s%s' % (caconfigdir, filename)) + install_krb(config, setup_pkinit=options.setup_pkinit) install_http(config) if CA: diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 29c3f785f..9c0947c83 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -760,6 +760,7 @@ def main(): ca.configure_instance(host_name, dm_password, dm_password, subject_base=options.subject) elif external == 1: + # stage 2 of external CA installation options.realm_name = realm_name options.domain_name = domain_name options.master_password = master_password @@ -776,6 +777,7 @@ def main(): # This can happen if someone passes external_ca_file without # already having done the first stage of the CA install. sys.exit('CA is not installed yet. To install with an external CA is a two-stage process.\nFirst run the installer with --external-ca.') + cs = cainstance.CADSInstance(dm_password=dm_password) ca.configure_instance(host_name, dm_password, dm_password, cert_file=options.external_cert_file, cert_chain_file=options.external_ca_file, @@ -810,11 +812,23 @@ def main(): subject_base=options.subject, hbac_allow=not options.hbac_allow) - # We ned to ldap_enable the CA now that DS is up and running + # We need to ldap_enable the CA now that DS is up and running if not options.selfsign: ca.ldap_enable('CA', host_name, dm_password, util.realm_to_suffix(realm_name)) + # Symlink the IPA LDAP server NSS database to this one. + caconfigdir = dsinstance.config_dirname(dsinstance.realm_to_serverid('PKI-IPA')) + for filename in ['cert8.db', 'key3.db', 'secmod.db']: + os.unlink('%s%s' % (caconfigdir, filename)) + dsconfigdir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name)) + for filename in ['cert8.db', 'key3.db', 'secmod.db', 'pin.txt']: + os.symlink('%s%s' % (dsconfigdir, filename), '%s%s' % (caconfigdir, filename)) + + # Turn on SSL in the dogtag LDAP instance. This will get restarted + # later, we don't need SSL now. + cs.enable_ssl() + # Create a kerberos instance if options.pkinit_pin: [pw_fd, pw_name] = tempfile.mkstemp() |