authorAde Lee <alee@redhat.com>2014-03-18 11:23:30 -0400
committerAde Lee <alee@redhat.com>2014-05-27 14:44:00 -0400
commitc8a824c850dd20012a233ae9fbcf47775e05801b (patch)
tree123c06302f2c66cdc40be99655e7bede2f219413 /install
parent71c6d2f1eb9610a0e0a994a6cfd78fdf9bb9d1fa (diff)
downloadfreeipa-c8a824c850dd20012a233ae9fbcf47775e05801b.tar.gz
freeipa-c8a824c850dd20012a233ae9fbcf47775e05801b.tar.xz
freeipa-c8a824c850dd20012a233ae9fbcf47775e05801b.zip
Add a DRM to IPA
This patch adds the capability of installing a Dogtag DRM to an IPA instance. With this patch, when ipa-server-install is run, a Dogtag CA and a Dogtag DRM are created. The DRM shares the same tomcat instance and DS instance as the Dogtag CA. Moreover, the same admin user/agent (and agent cert) can be used for both subsystems. Certmonger is also configured to monitor the new subsystem certificates. It is also possible to clone the DRM. When the IPA instance is cloned, if --enable-ca and --enable-drm are specified, the DRM is cloned as well. Installing a DRM requires the user to have a Dogtag CA instance. We can look into possibly relaxing that requirement in a later patch. The install scripts have been refactored somewhat to minimize duplication of code. A new base class dogtagintance.py has been introduced containing code that is common to DRM and CA installs. This will become very useful when we add more PKI subsystems. I am still working on patches for an ipa-drm-install script, which would be used to add a DRM to an existing master (that includes a dogtag CA), or an existing clone.
Diffstat (limited to 'install')
-rw-r--r--install/conf/ipa-pki-proxy.conf4
-rw-r--r--install/restart_scripts/renew_ca_cert13
-rwxr-xr-xinstall/tools/ipa-ca-install2
-rwxr-xr-xinstall/tools/ipa-replica-install31
-rwxr-xr-xinstall/tools/ipa-server-install37
-rw-r--r--install/tools/ipa-upgradeconfig2
6 files changed, 65 insertions, 24 deletions
diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
index 224cdd45b..9a6345898 100644
--- a/install/conf/ipa-pki-proxy.conf
+++ b/install/conf/ipa-pki-proxy.conf
@@ -11,7 +11,7 @@ ProxyRequests Off
</LocationMatch>
# matches for admin port and installer
-<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken|^/ca/admin/ca/updateNumberRange|^/ca/rest/securityDomain/domainInfo|^/ca/rest/account/login|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/rest/account/logout|^/ca/rest/securityDomain/installToken">
+<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken|^/ca/admin/ca/updateNumberRange|^/ca/rest/securityDomain/domainInfo|^/ca/rest/account/login|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/rest/account/logout|^/ca/rest/securityDomain/installToken|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries">
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
NSSVerifyClient none
ProxyPassMatch ajp://localhost:$DOGTAG_PORT
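Review bot: The four paths appended to this LocationMatch sit in the block that sets `NSSVerifyClient none`, so Apache forwards them to Dogtag without demanding a client certificate; `^/ca/admin/ca/updateConnector` changes the CA's connector configuration and `^/kra/admin/kra/getConfigEntries` returns KRA configuration, so the only protection left is whatever authentication Dogtag applies behind the AJP proxy. If these endpoints are needed only while the DRM is installed or cloned, the comment above the block should say so, e.g. `# matches for admin port and installer: CA/KRA connector and config-entry calls are proxied without a client cert and rely on Dogtag's own authentication`, and it is worth checking whether they can be narrowed after installation. While this line is being edited, the pre-existing duplicate `^/ca/admin/ca/updateNumberRange` alternative could also be dropped.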
@@ -19,7 +19,7 @@ ProxyRequests Off
</LocationMatch>
# matches for agent port and eeca port
-<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
+<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/kra/agent/kra/connector">
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
NSSVerifyClient require
ProxyPassMatch ajp://localhost:$DOGTAG_PORT
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 2663887d6..d9c98d5ce 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -21,17 +21,13 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import sys
-import os
import syslog
-import tempfile
-import shutil
import traceback
-from ipapython import dogtag, certmonger, ipautil
+from ipapython import dogtag, ipautil
from ipapython import services as ipaservices
-from ipalib import api, errors, x509, util
-from ipaserver.install import certs, cainstance, installutils
-from ipaserver.plugins.ldap2 import ldap2
+from ipalib import api
+from ipaserver.install import certs, cainstance
def main():
nickname = sys.argv[1]
@@ -68,9 +64,8 @@ def main():
syslog.syslog(syslog.LOG_ERR, 'No certificate %s found.' % nickname)
sys.exit(1)
- cainstance.update_cert_config(nickname, cert, configured_constants)
-
ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
+ ca.update_cert_config(nickname, cert, configured_constants)
if ca.is_renewal_master():
cainstance.update_people_entry(cert)
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 18c81dc1f..d4a287951 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -184,7 +184,7 @@ def main():
ipautil.realm_to_suffix(config.realm_name))
# This is done within stopped_service context, which restarts CA
- CA.enable_client_auth_to_db()
+ CA.enable_client_auth_to_db(CA.dogtag_constants.CS_CFG_PATH)
# Install CA DNS records
install_dns_records(config, options)
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 41c1a0533..b79aeade2 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -38,9 +38,10 @@ from ipaserver.install import otpdinstance
from ipaserver.install.replication import replica_conn_check, ReplicationManager
from ipaserver.install.installutils import (ReplicaConfig, expand_replica_info,
read_replica_info, get_host_name, BadHostError, private_ccache,
- read_replica_info_dogtag_port)
+ read_replica_info_dogtag_port, read_replica_info_drm_enabled)
from ipaserver.plugins.ldap2 import ldap2
from ipaserver.install import cainstance
+from ipaserver.install import drminstance
from ipalib import api, errors, util
from ipalib.constants import CACERT
from ipapython import version
@@ -63,6 +64,8 @@ def parse_options():
basic_group = OptionGroup(parser, "basic options")
basic_group.add_option("--setup-ca", dest="setup_ca", action="store_true",
default=False, help="configure a dogtag CA")
+ basic_group.add_option("--setup-drm", dest="setup_drm", action="store_true",
+ default=False, help="configure a dogtag DRM")
basic_group.add_option("--ip-address", dest="ip_address",
type="ip", ip_local=True,
help="Replica server IP Address")
@@ -541,6 +544,15 @@ def main():
print 'CA cannot be installed in CA-less setup.'
sys.exit(1)
+ config.setup_drm = options.setup_drm
+ if config.setup_drm:
+ if not config.setup_ca:
+ print "CA must be installed with the KRA"
+ sys.exit(1)
+ if not read_replica_info_drm_enabled(config.dir):
+ print "DRM is not installed on the master system"
+ sys.exit(1)
+
installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
# check connection
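Review bot: The error text `print "CA must be installed with the KRA"` names the subsystem KRA while the option added in this file is `--setup-drm` and the next message says DRM, so a user who hits it gets no hint which flag is missing. Suggest `print "DRM (KRA) cannot be installed without a CA; use --setup-ca together with --setup-drm"`. main() starts and continues outside this hunk.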
@@ -574,6 +586,10 @@ def main():
else:
fd.write("enable_ra=False\n")
fd.write("ra_plugin=none\n")
+ if config.setup_drm:
+ fd.write("enable_drm=True\n")
+ else:
+ fd.write("enable_drm=False\n")
fd.write("mode=production\n")
fd.close()
finally:
@@ -684,7 +700,7 @@ def main():
ipautil.realm_to_suffix(config.realm_name))
# This is done within stopped_service context, which restarts CA
- CA.enable_client_auth_to_db()
+ CA.enable_client_auth_to_db(CA.dogtag_constants.CS_CFG_PATH)
krb = install_krb(config, setup_pkinit=options.setup_pkinit)
http = install_http(config, auto_redirect=options.ui_redirect)
@@ -707,9 +723,14 @@ def main():
service.print_msg("Applying LDAP updates")
ds.apply_updates()
- # Restart ds and krb after configurations have been changed
- service.print_msg("Restarting the directory server")
- ds.restart()
+ if options.setup_drm:
+ drm = drminstance.install_replica_drm(config)
+ service.print_msg("Restarting the directory server")
+ ds.restart()
+ drm.enable_client_auth_to_db(drm.dogtag_constants.DRM_CS_CFG_PATH)
+ else:
+ service.print_msg("Restarting the directory server")
+ ds.restart()
service.print_msg("Restarting the KDC")
krb.restart()
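Review bot: Both branches of the new `if options.setup_drm:` perform the same `service.print_msg(...)` and `ds.restart()`, so the duplication obscures that the only DRM-specific steps are the install before the restart and `enable_client_auth_to_db` after it. The validation earlier in this file stores the decision as `config.setup_drm`, so the branch should test that rather than `options.setup_drm`. Suggest `if config.setup_drm: drm = drminstance.install_replica_drm(config)`, the unconditional restart, then `if config.setup_drm: drm.enable_client_auth_to_db(drm.dogtag_constants.DRM_CS_CFG_PATH)`. main() continues outside this hunk.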
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 232d84a2c..4aa6fcca5 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -3,7 +3,7 @@
# Simo Sorce <ssorce@redhat.com>
# Rob Crittenden <rcritten@redhat.com>
#
-# Copyright (C) 2007-2010 Red Hat
+# Copyright (C) 2007-2014 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
@@ -53,6 +53,7 @@ from ipaserver.install import httpinstance
from ipaserver.install import ntpinstance
from ipaserver.install import certs
from ipaserver.install import cainstance
+from ipaserver.install import drminstance
from ipaserver.install import memcacheinstance
from ipaserver.install import otpdinstance
from ipaserver.install import sysupgrade
@@ -492,11 +493,19 @@ def uninstall():
dogtag_constants=dogtag_constants)
if cads_instance.is_configured():
cads_instance.uninstall()
- cainstance.stop_tracking_certificates(dogtag_constants)
+
+ drm_instance = drminstance.DRMInstance(
+ api.env.realm, dogtag_constants=dogtag_constants)
+ drm_instance.stop_tracking_certificates(dogtag_constants)
+ if drm_instance.is_installed():
+ drm_instance.uninstall()
+
ca_instance = cainstance.CAInstance(
api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants)
+ ca_instance.stop_tracking_certificates(dogtag_constants)
if ca_instance.is_configured():
ca_instance.uninstall()
+
bindinstance.BindInstance(fstore).uninstall()
httpinstance.HTTPInstance(fstore).uninstall()
krbinstance.KrbInstance(fstore).uninstall()
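Review bot: The DRM branch gates its uninstall on `drm_instance.is_installed()` while the CA branch just below uses `ca_instance.is_configured()`; if those predicates are not equivalent, a partially configured DRM could be skipped here after its certificate tracking has already been stopped. Confirm the two methods answer the same question, or use `is_configured()` for both. `stop_tracking_certificates(dogtag_constants)` is also now called on both instances with the same constants; if both cover the shared subsystem certificates the second call is redundant, so a one-line comment stating which certificates each call untracks would help. uninstall() starts outside this hunk.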
@@ -755,6 +764,7 @@ def main():
setup_ca = False
else:
setup_ca = True
+ setup_drm = True
# Figure out what external CA step we're in. See cainstance.py for more
# info on the 3 states.
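Review bot: `setup_drm = True` is assigned only in the `else` branch; unless the name is initialised earlier in main() (outside this hunk), the CA-less path leaves it unbound and the later `if setup_drm:` raises NameError. Add `setup_drm = False` next to `setup_ca = False` in the first branch. Note also that ipa-server-install gains no `--setup-drm` switch here, so a DRM is installed whenever a CA is, whereas ipa-replica-install makes it opt-in; if that asymmetry is intended, a short comment at this assignment should say so. main() continues outside this hunk.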
@@ -771,6 +781,8 @@ def main():
print "This includes:"
if setup_ca:
print " * Configure a stand-alone CA (dogtag) for certificate management"
+ if setup_drm:
+ print " * Configure a stand-alone DRM (dogtag) for key storage"
if options.conf_ntp:
print " * Configure the Network Time Daemon (ntpd)"
print " * Create and configure an instance of Directory Server"
@@ -1017,6 +1029,7 @@ def main():
else:
fd.write("enable_ra=False\n")
fd.write("ra_plugin=none\n")
+ fd.write("enable_drm=%s\n" % setup_drm)
fd.write("mode=production\n")
fd.close()
@@ -1118,7 +1131,7 @@ def main():
ipautil.realm_to_suffix(realm_name), ['caRenewalMaster'])
# This is done within stopped_service context, which restarts CA
- ca.enable_client_auth_to_db()
+ ca.enable_client_auth_to_db(ca.dogtag_constants.CS_CFG_PATH)
krb = krbinstance.KrbInstance(fstore)
if options.pkinit_pkcs12:
@@ -1195,6 +1208,17 @@ def main():
service.print_msg("Restarting the web server")
http.restart()
+ if setup_drm:
+ # code to create drm here
+ drm = drminstance.DRMInstance(realm_name,
+ dogtag_constants=dogtag.install_constants)
+ drm.configure_instance(host_name, domain_name, dm_password,
+ dm_password, subject_base=options.subject)
+
+ # This is done within stopped_service context, which restarts DRM
+ ds.restart()
+ drm.enable_client_auth_to_db(drm.dogtag_constants.DRM_CS_CFG_PATH)
+
# Set the admin user kerberos password
ds.change_admin_password(admin_password)
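Review bot: The comment `# This is done within stopped_service context, which restarts DRM` was carried over from the CA path but now sits above a plain `ds.restart()`, and `# code to create drm here` is a placeholder; replace both with what the lines do, e.g. `# Configure the DRM alongside the CA, restart DS, then switch the DRM to client-cert auth against it`. `dm_password` is passed twice to `configure_instance`; if the second positional argument is the DRM admin password, the Directory Manager password silently becomes the PKI admin credential for this subsystem, which deserves an explicit comment confirming it is intended. main() continues outside this hunk.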
@@ -1247,9 +1271,10 @@ def main():
print ""
if setup_ca:
- print "Be sure to back up the CA certificate stored in /root/cacert.p12"
- print "This file is required to create replicas. The password for this"
- print "file is the Directory Manager password"
+ print "Be sure to back up the CA certificates stored in /root/cacert.p12"
+ print "and the DRM certificates stored in /root/drmcert.p12"
+ print "These files are required to create replicas. The password for these"
+ print "files is the Directory Manager password"
else:
print "In order for Firefox autoconfiguration to work you will need to"
print "use a SSL signing certificate. See the IPA documentation for more details."
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 265d71c33..5f751becb 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -675,7 +675,7 @@ def certificate_renewal_update(ca):
# Ok, now we need to stop tracking, then we can start tracking them
# again with new configuration:
- cainstance.stop_tracking_certificates(dogtag_constants)
+ ca.stop_tracking_certificates(dogtag_constants)
if not sysupgrade.get_upgrade_state('dogtag',
'certificate_renewal_update_1'):