summaryrefslogtreecommitdiffstats
path: root/ipaserver/install/cainstance.py
Commit message (Collapse)AuthorAgeFilesLines
* uninstall: untrack lightweight CA certsFraser Tweedale2016-07-121-0/+6
| | | | | Fixes: https://fedorahosted.org/freeipa/ticket/6020 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Fix upgrade when Dogtag also upgraded from 10.2 -> 10.3Fraser Tweedale2016-07-011-3/+11
| | | | | | | | | | | | | | ipa-server-upgrade from pre-lightweight CAs version fails when Dogtag is also being upgraded from pre-lightweight CAs version, because Dogtag needs to be restarted after adding the lightweight CAs container, before requesting information about the host authority. Move the addition of the Dogtag lightweight CAs container entry a bit earlier in the upgrade procedure, ensuring restart. Fixes: https://fedorahosted.org/freeipa/ticket/6011 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Fix migration from pre-lightweight CAs masterFraser Tweedale2016-07-011-1/+30
| | | | | | | | | Some container objects are not added when migrating from a pre-lightweight CAs master, causing replica installation to fail. Make sure that the containers exist and add an explanatory comment. Fixes: https://fedorahosted.org/freeipa/ticket/5963 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Fix replica install with CAMartin Basti2016-06-301-10/+0
| | | | | | | | The incorrect api was used, and CA record updated was duplicated. https://fedorahosted.org/freeipa/ticket/5966 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Update lightweight CA serial after renewalFraser Tweedale2016-06-291-18/+71
| | | | | | | | | | | | | | | For CA replicas to pick up renewed lightweight CA signing certificates, the authoritySerial attribute can be updated with the new serial number. Update the renew_ca_cert script, which is executed by Certmonger after writing a renewed CA certificate to the NSSDB, to update the authoritySerial attribute if the certificate belongs to a lightweight CA. Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Skip CS.cfg update if cert nickname not knownFraser Tweedale2016-06-291-2/+3
| | | | | | | | | | | | After CA certificate renewal, the ``renew_ca_cert`` helper updates certificate data in CS.cfg. An unrecognised nickname will raise ``KeyError``. To allow the helper to be used for arbitrary certificates (e.g. lightweight CAs), do not fail if the nickname is unrecognised - just skip the update. Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Set default OCSP URI on install and upgradeFraser Tweedale2016-06-281-0/+4
| | | | | | | | | | | | | | Dogtag has been updated to support a default OCSP URI when the profile includes AuthInfoAccess with URI method but does not specify the URI (instead of constructing one based on Dogtag's hostname and port). Add the pkispawn config to ensure that the OCSP URI is set before issuing CA and system certificates, and add the config to existing CA instances on upgrade. Fixes: https://fedorahosted.org/freeipa/ticket/5956 Reviewed-By: Martin Basti <mbasti@redhat.com>
* CA replica promotion: add proper CA DNS recordsMartin Basti2016-06-281-5/+11
| | | | | | | | Update 'ipa-ca' records with A/AAAA records of the newly added replica https://fedorahosted.org/freeipa/ticket/5966 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* replica-install: configure key retriever before starting DogtagFraser Tweedale2016-06-151-2/+2
| | | | | | | | | | | | After installing a replica, Dogtag's Lightweight CA key retrieval fails until Dogtag is restarted, because the already-running instance doesn't pick up the changes to CS.cfg. Configure the key retriever before the instance is started. Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Add IPA CA entry on install / upgradeFraser Tweedale2016-06-151-0/+37
| | | | | | | | | | | In addition to user-created lightweight CAs, CA ACLs need to be able to refer to the "main" CA. Add an entry for the IPA CA on installation and upgrade. Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Add 'ca' pluginFraser Tweedale2016-06-151-0/+7
| | | | | | | | | | | | | | | | | | | | This commit adds the 'ca' plugin for creating and managing lightweight CAs. The initial implementation supports a single level of sub-CAs underneath the IPA CA. This commit also: - adds the container for FreeIPA CA objects - adds schema for the FreeIPA CA objects - updates ipa-pki-proxy.conf to allow access to the Dogtag lightweight CAs REST API. Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Authorise CA Agent to manage lightweight CAsFraser Tweedale2016-06-091-5/+41
| | | | | | | | | Add Dogtag ACLs that authorise the CA Agent certificate to manage lightweight CAs. Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Setup lightweight CA key retrieval on install/upgradeFraser Tweedale2016-06-091-0/+56
| | | | | | | | | | | | | | | | | | Add the ipa-pki-retrieve-key helper program and configure lightweight CA key replication on installation and upgrade. The specific configuration steps are: - Add the 'dogtag/$HOSTNAME' service principal - Create the pricipal's Custodia keys - Retrieve the principal's keytab - Configure Dogtag's CS.cfg to use ExternalProcessKeyRetriever to invoke ipa-pki-retrieve-key for key retrieval Also bump the minimum version of Dogtag to 10.3.2. Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* replica install: do not set CA renewal master flagJan Cholasta2016-05-241-1/+1
| | | | | | | | | | | | | The CA renewal master flag was uncoditionally set on every replica during replica install. This causes the Dogtag certificates initially shared among all replicas to differ after renewal. Do not set the CA renewal master flag in replica install anymore. On upgrade, remove the flag from all but one IPA masters. https://fedorahosted.org/freeipa/ticket/5902 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Detect and repair incorrect caIPAserviceCert configFraser Tweedale2016-05-191-3/+46
| | | | | | | | | | | A regression caused replica installation to replace the FreeIPA version of caIPAserviceCert with the version shipped by Dogtag. During upgrade, detect and repair occurrences of this problem. Part of: https://fedorahosted.org/freeipa/ticket/5881 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Prevent replica install from overwriting cert profilesFraser Tweedale2016-05-191-6/+12
| | | | | | | | | | | | | | An earlier change that unconditionally triggers import of file-based profiles to LDAP during server or replica install results in replicas overwriting FreeIPA-managed profiles with profiles of the same name shipped with Dogtag. ('caIPAserviceCert' is the affected profile). Avoid this situation by never overwriting existing profiles during the LDAP import. Fixes: https://fedorahosted.org/freeipa/ticket/5881 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Move user/group constants for PKI and DS into ipaplatformChristian Heimes2016-03-221-8/+8
| | | | | | | https://fedorahosted.org/freeipa/ticket/5619 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* use LDAPS during standalone CA/KRA subsystem deploymentMartin Babinsky2016-03-011-0/+3
| | | | | | | | | | The deployment descriptor used during CA/KRA install was modified to use LDAPS to communicate with DS backend. This will enable standalone CA/KRA installation on top of hardened directory server configuration. https://fedorahosted.org/freeipa/ticket/5570 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* upgrade: unconditional import of certificate profiles into LDAPMartin Babinsky2016-02-231-2/+6
| | | | | | | | | | | | | | During IPA server upgrade, the migration of Dogtag profiles into LDAP backend was bound to the update of CS.cfg which enabled the LDAP profile subsystem. If the subsequent profile migration failed, the subsequent upgrades were not executing the migration code leaving CA subsystem in broken state. Therefore the migration code path should be executed regardless of the status of the main Dogtag config file. https://fedorahosted.org/freeipa/ticket/5682 Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove unused importsMartin Basti2015-12-231-1/+0
| | | | | | | This patch removes unused imports, alse pylint has been configured to check unused imports. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Explicitly call chmod on newly created directoriesMartin Basti2015-12-141-0/+1
| | | | | | | | | Without calling os.chmod(), umask is effective and may cause that directory is created with permission that causes failure. This can be related to https://fedorahosted.org/freeipa/ticket/5520 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Install RA cert during replica promotionMartin Basti2015-12-141-4/+0
| | | | | | | | This cert is needed with KRA to be able store and retrieve secrets. https://fedorahosted.org/freeipa/ticket/5512 Reviewed-By: David Kupka <dkupka@redhat.com>
* Refactor ipautil.runPetr Viktorin2015-12-141-21/+31
| | | | | | | | | | | | | | | | | | | | | The ipautil.run function now returns an object with returncode and output are accessible as attributes. The stdout and stderr of all commands are logged (unless skip_output is given). The stdout/stderr contents must be explicitly requested with a keyword argument, otherwise they are None. This is because in Python 3, the output needs to be decoded, and that can fail if it's not decodable (human-readable) text. The raw (bytes) output is always available from the result object, as is "leniently" decoded output suitable for logging. All calls are changed to reflect this. A use of Popen in cainstance is changed to ipautil.run. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* replica install: improvements in the handling of CA-related IPA config entriesMartin Babinsky2015-12-041-1/+18
| | | | | | | | | | | | When a CA-less replica is installed, its IPA config file should be updated so that ca_host points to nearest CA master and all certificate requests are forwarded to it. A subsequent installation of CA subsystem on the replica should clear this entry from the config so that all certificate requests are handled by freshly installed local CA. https://fedorahosted.org/freeipa/ticket/5506 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Remove invalid error messages from topology upgradeMartin Basti2015-11-251-3/+1
| | | | | | | | | Return False does not mean that update failed, it mean that nothing has been updated, respectively ldap is up to date. https://fedorahosted.org/freeipa/ticket/5482 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* install: drop support for Dogtag 9Jan Cholasta2015-11-251-312/+49
| | | | | | | | | | | Dogtag 9 CA and CA DS install and uninstall code was removed. Existing Dogtag 9 CA and CA DS instances are disabled on upgrade. Creating a replica of a Dogtag 9 IPA master is still supported. https://fedorahosted.org/freeipa/ticket/5197 Reviewed-By: David Kupka <dkupka@redhat.com>
* do not disconnect when using existing connection to check default CA ACLsMartin Babinsky2015-11-241-2/+3
| | | | | | https://fedorahosted.org/freeipa/ticket/5459 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* disconnect ldap2 backend after adding default CA ACL profilesMartin Babinsky2015-11-241-0/+3
| | | | | | | | | | ensure_default_caacl() was leaking open api.Backend.ldap2 connection which could crash server/replica installation at later stages. This patch ensures that after checking default CA ACL profiles the backend is disconnected. https://fedorahosted.org/freeipa/ticket/5459 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Add profiles and default CA ACL on migrationFraser Tweedale2015-11-241-26/+74
| | | | | | | | | | | | | | | | | | | | Profiles and the default CA ACL were not being added during replica install from pre-4.2 servers. Update ipa-replica-install to add these if they are missing. Also update the caacl plugin to prevent deletion of the default CA ACL and instruct the administrator to disable it instead. To ensure that the cainstance installation can add profiles, supply the RA certificate as part of the instance configuration. Certmonger renewal setup is avoided at this point because the NSSDB gets reinitialised later in installation procedure. Also move the addition of the default CA ACL from dsinstance installation to cainstance installation. Fixes: https://fedorahosted.org/freeipa/ticket/5459 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Avoid race condition caused by profile delete and recreateFraser Tweedale2015-11-231-2/+1
| | | | | | | | | | | | | | | When importing IPA-managed certificate profiles into Dogtag, profiles with the same name (usually caIPAserviceCert) are removed, then immediately recreated with the new profile data. This causes a race condition - Dogtag's LDAPProfileSystem profileChangeMonitor thread could observe and process the deletion after the profile was recreated, disappearing it again. Update the profile instead of deleting and recreating it to avoid this race condition. Fixes: https://fedorahosted.org/freeipa/ticket/5269 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* cert renewal: make renewal of ipaCert atomicJan Cholasta2015-11-191-1/+1
| | | | | | | | | This prevents errors when renewing other certificates during the renewal of ipaCert. https://fedorahosted.org/freeipa/ticket/5436 Reviewed-By: David Kupka <dkupka@redhat.com>
* ipaplatform: Add HTTPD_USER to constants, and use it.Timo Aaltonen2015-11-041-1/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/5343 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Domain levels: use constants rather than hardcoded valuesMartin Basti2015-10-271-1/+1
| | | | | | | | | | | Added constants for domain levels DOMAIN_LEVEL_0 = 0 DOMAIN_LEVEL_1 = 1 This allows to search for domain level easier in code. Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Allow to install the KRA on a promoted serverSimo Sorce2015-10-221-105/+3
| | | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Allow to setup the CA when promoting a replicaSimo Sorce2015-10-151-5/+226
| | | | | | | | | This patch makes --setup-ca work to set upa clone CA while creating a new replica. The standalone ipa-ca-install script is not converted yet though. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* topology: manage ca replication agreementsPetr Vobornik2015-10-151-0/+10
| | | | | | | | | | | | | Configure IPA so that topology plugin will manage also CA replication agreements. upgrades if CA is congigured: - ipaca suffix is added to cn=topology,cn=ipa,cn=etc,$SUFFIX - ipaReplTopoManagedSuffix: o=ipaca is added to master entry - binddngroup is added to o=ipaca replica entry Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Implement replica promotion functionalitySimo Sorce2015-10-151-0/+26
| | | | | | | | | | | | | | | | | | This patch implements a new flag --promote for the ipa-replica-install command that allows an administrative user to 'promote' an already joined client to become a full ipa server. The only credentials used are that of an administrator. This code relies on ipa-custodia being available on the peer master as well as a number of other patches to allow a computer account to request certificates for its services. Therefore this feature is marked to work only with domain level 1 and above servers. Ticket: https://fedorahosted.org/freeipa/ticket/2888 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* install: always export KRA agent PEM fileJan Cholasta2015-10-081-2/+6
| | | | | | | | | Export the file even when KRA is not installed locally so that vault commands work on all IPA replicas. https://fedorahosted.org/freeipa/ticket/5302 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Use six.moves.http_client instead of httplibPetr Viktorin2015-10-071-1/+7
| | | | | | | | The module was renamed in Python 3. Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* Use six.moves.configparser instead of ConfigParserPetr Viktorin2015-10-071-2/+2
| | | | | | | | The module name was lowercased in Python 3. Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* Use six.moves.urllib instead of urllib/urllib2/urlparsePetr Viktorin2015-10-071-3/+4
| | | | | | | | In Python 3, these modules are reorganized. Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* Simplify the install_replica_ca functionSimo Sorce2015-09-221-10/+5
| | | | | | | | Instantiate CAInstall only once instead of 3 times in a row always with the same values. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove unused argumentsSimo Sorce2015-09-221-6/+4
| | | | | | | | In the dogtag/ca/kra instances self.domain is never used. Remove it. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Using LDAPI to setup CA and KRA agents.Endi S. Dewata2015-09-071-20/+29
| | | | | | | | | | | The CA and KRA installation code has been modified to use LDAPI to create the CA and KRA agents directly in the CA and KRA database. This way it's no longer necessary to use the Directory Manager password or CA and KRA admin certificate. https://fedorahosted.org/freeipa/ticket/5257 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Modernize use of range()Petr Viktorin2015-09-011-2/+2
| | | | | | | | | | | | In Python 3, range() behaves like the old xrange(). The difference between range() and xrange() is usually not significant, especially if the whole result is iterated over. Convert xrange() usage to range() for small ranges. Use modern idioms in a few other uses of range(). Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use the print functionPetr Viktorin2015-09-011-4/+6
| | | | | | | | | In Python 3, `print` is no longer a statement. Call it as a function everywhere, and include the future import to remove the statement in Python 2 code as well. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* cert renewal: Include KRA users in Dogtag LDAP updateJan Cholasta2015-08-271-4/+9
| | | | | | https://fedorahosted.org/freeipa/ticket/5253 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Modernize 'except' clausesPetr Viktorin2015-08-121-12/+12
| | | | | | | The 'as' syntax works from Python 2 on, and Python 3 will drop the "comma" syntax. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Modernize number literalsPetr Viktorin2015-07-311-5/+5
| | | | | | | | | | | | | | Use Python-3 compatible syntax, without breaking compatibility with py 2.7 - Octals literals start with 0o to prevent confusion - The "L" at the end of large int literals is not required as they use long on Python 2 automatically. - Using 'int' instead of 'long' for small numbers is OK in all cases except strict type checking checking, e.g. type(0). https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* plugable: Pass API to plugins on initialization rather than using set_apiJan Cholasta2015-07-011-4/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/3090 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
generated by cgit (git 2.34.1) at 2025-09-02 15:45:04 +0000