diff options
| author | Ade Lee <alee@redhat.com> | 2014-03-18 11:23:30 -0400 |
|---|---|---|
| committer | Ade Lee <alee@redhat.com> | 2014-05-27 14:44:00 -0400 |
| commit | c8a824c850dd20012a233ae9fbcf47775e05801b (patch) | |
| tree | 123c06302f2c66cdc40be99655e7bede2f219413 /install/tools/ipa-server-install | |
| parent | 71c6d2f1eb9610a0e0a994a6cfd78fdf9bb9d1fa (diff) | |
| download | freeipa-c8a824c850dd20012a233ae9fbcf47775e05801b.tar.gz freeipa-c8a824c850dd20012a233ae9fbcf47775e05801b.tar.xz freeipa-c8a824c850dd20012a233ae9fbcf47775e05801b.zip | |
Add a DRM to IPA
This patch adds the capability of installing a Dogtag DRM
to an IPA instance. With this patch, when ipa-server-install
is run, a Dogtag CA and a Dogtag DRM are created. The DRM
shares the same tomcat instance and DS instance as the Dogtag CA.
Moreover, the same admin user/agent (and agent cert) can be used
for both subsystems. Certmonger is also confgured to monitor the
new subsystem certificates.
It is also possible to clone the DRM. When the IPA instance is
cloned, if --enable-ca and --enable-drm are specified, the DRM
is cloned as well.
Installing a DRM requires the user to have a Dogtag CA instance.
We can look into possibly relaxing that requirement in a later patch.
The install scripts have been refactored somewhat to minimize
duplication of code. A new base class dogtagintance.py has
been introduced containing code that is common to DRM and CA
installs. This will become very useful when we add more PKI
subsystems.
I am still working on patches for a ipa-drm-install script, which
would be used to add a DRM to an existing master (that includes
a dogtag CA), or an existing clone.
Diffstat (limited to 'install/tools/ipa-server-install')
| -rwxr-xr-x | install/tools/ipa-server-install | 37 |
1 files changed, 31 insertions, 6 deletions
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 232d84a2c..4aa6fcca5 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -3,7 +3,7 @@ # Simo Sorce <ssorce@redhat.com> # Rob Crittenden <rcritten@redhat.com> # -# Copyright (C) 2007-2010 Red Hat +# Copyright (C) 2007-2014 Red Hat # see file 'COPYING' for use and warranty information # # This program is free software; you can redistribute it and/or modify @@ -53,6 +53,7 @@ from ipaserver.install import httpinstance from ipaserver.install import ntpinstance from ipaserver.install import certs from ipaserver.install import cainstance +from ipaserver.install import drminstance from ipaserver.install import memcacheinstance from ipaserver.install import otpdinstance from ipaserver.install import sysupgrade @@ -492,11 +493,19 @@ def uninstall(): dogtag_constants=dogtag_constants) if cads_instance.is_configured(): cads_instance.uninstall() - cainstance.stop_tracking_certificates(dogtag_constants) + + drm_instance = drminstance.DRMInstance( + api.env.realm, dogtag_constants=dogtag_constants) + drm_instance.stop_tracking_certificates(dogtag_constants) + if drm_instance.is_installed(): + drm_instance.uninstall() + ca_instance = cainstance.CAInstance( api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants) + ca_instance.stop_tracking_certificates(dogtag_constants) if ca_instance.is_configured(): ca_instance.uninstall() + bindinstance.BindInstance(fstore).uninstall() httpinstance.HTTPInstance(fstore).uninstall() krbinstance.KrbInstance(fstore).uninstall() @@ -755,6 +764,7 @@ def main(): setup_ca = False else: setup_ca = True + setup_drm = True # Figure out what external CA step we're in. See cainstance.py for more # info on the 3 states. @@ -771,6 +781,8 @@ def main(): print "This includes:" if setup_ca: print " * Configure a stand-alone CA (dogtag) for certificate management" + if setup_drm: + print " * Configure a stand-alone DRM (dogtag) for key storage" if options.conf_ntp: print " * Configure the Network Time Daemon (ntpd)" print " * Create and configure an instance of Directory Server" @@ -1017,6 +1029,7 @@ def main(): else: fd.write("enable_ra=False\n") fd.write("ra_plugin=none\n") + fd.write("enable_drm=%s\n" % setup_drm) fd.write("mode=production\n") fd.close() @@ -1118,7 +1131,7 @@ def main(): ipautil.realm_to_suffix(realm_name), ['caRenewalMaster']) # This is done within stopped_service context, which restarts CA - ca.enable_client_auth_to_db() + ca.enable_client_auth_to_db(ca.dogtag_constants.CS_CFG_PATH) krb = krbinstance.KrbInstance(fstore) if options.pkinit_pkcs12: @@ -1195,6 +1208,17 @@ def main(): service.print_msg("Restarting the web server") http.restart() + if setup_drm: + # code to create drm here + drm = drminstance.DRMInstance(realm_name, + dogtag_constants=dogtag.install_constants) + drm.configure_instance(host_name, domain_name, dm_password, + dm_password, subject_base=options.subject) + + # This is done within stopped_service context, which restarts DRM + ds.restart() + drm.enable_client_auth_to_db(drm.dogtag_constants.DRM_CS_CFG_PATH) + # Set the admin user kerberos password ds.change_admin_password(admin_password) @@ -1247,9 +1271,10 @@ def main(): print "" if setup_ca: - print "Be sure to back up the CA certificate stored in /root/cacert.p12" - print "This file is required to create replicas. The password for this" - print "file is the Directory Manager password" + print "Be sure to back up the CA certificates stored in /root/cacert.p12" + print "and the DRM certificates stored in /root/drmcert.p12" + print "These files are required to create replicas. The password for these" + print "files is the Directory Manager password" else: print "In order for Firefox autoconfiguration to work you will need to" print "use a SSL signing certificate. See the IPA documentation for more details." |