diff options
author | Ade Lee <alee@redhat.com> | 2014-03-18 11:23:30 -0400 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2014-05-27 14:44:00 -0400 |
commit | c8a824c850dd20012a233ae9fbcf47775e05801b (patch) | |
tree | 123c06302f2c66cdc40be99655e7bede2f219413 /install | |
parent | 71c6d2f1eb9610a0e0a994a6cfd78fdf9bb9d1fa (diff) | |
download | freeipa-c8a824c850dd20012a233ae9fbcf47775e05801b.tar.gz freeipa-c8a824c850dd20012a233ae9fbcf47775e05801b.tar.xz freeipa-c8a824c850dd20012a233ae9fbcf47775e05801b.zip |
Add a DRM to IPA
This patch adds the capability of installing a Dogtag DRM
to an IPA instance. With this patch, when ipa-server-install
is run, a Dogtag CA and a Dogtag DRM are created. The DRM
shares the same tomcat instance and DS instance as the Dogtag CA.
Moreover, the same admin user/agent (and agent cert) can be used
for both subsystems. Certmonger is also confgured to monitor the
new subsystem certificates.
It is also possible to clone the DRM. When the IPA instance is
cloned, if --enable-ca and --enable-drm are specified, the DRM
is cloned as well.
Installing a DRM requires the user to have a Dogtag CA instance.
We can look into possibly relaxing that requirement in a later patch.
The install scripts have been refactored somewhat to minimize
duplication of code. A new base class dogtagintance.py has
been introduced containing code that is common to DRM and CA
installs. This will become very useful when we add more PKI
subsystems.
I am still working on patches for a ipa-drm-install script, which
would be used to add a DRM to an existing master (that includes
a dogtag CA), or an existing clone.
Diffstat (limited to 'install')
-rw-r--r-- | install/conf/ipa-pki-proxy.conf | 4 | ||||
-rw-r--r-- | install/restart_scripts/renew_ca_cert | 13 | ||||
-rwxr-xr-x | install/tools/ipa-ca-install | 2 | ||||
-rwxr-xr-x | install/tools/ipa-replica-install | 31 | ||||
-rwxr-xr-x | install/tools/ipa-server-install | 37 | ||||
-rw-r--r-- | install/tools/ipa-upgradeconfig | 2 |
6 files changed, 65 insertions, 24 deletions
diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf index 224cdd45b..9a6345898 100644 --- a/install/conf/ipa-pki-proxy.conf +++ b/install/conf/ipa-pki-proxy.conf @@ -11,7 +11,7 @@ ProxyRequests Off </LocationMatch> # matches for admin port and installer -<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken|^/ca/admin/ca/updateNumberRange|^/ca/rest/securityDomain/domainInfo|^/ca/rest/account/login|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/rest/account/logout|^/ca/rest/securityDomain/installToken"> +<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken|^/ca/admin/ca/updateNumberRange|^/ca/rest/securityDomain/domainInfo|^/ca/rest/account/login|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/rest/account/logout|^/ca/rest/securityDomain/installToken|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries"> NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate NSSVerifyClient none ProxyPassMatch ajp://localhost:$DOGTAG_PORT @@ -19,7 +19,7 @@ ProxyRequests Off </LocationMatch> # matches for agent port and eeca port -<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient"> +<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/kra/agent/kra/connector"> NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate NSSVerifyClient require ProxyPassMatch ajp://localhost:$DOGTAG_PORT diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert index 2663887d6..d9c98d5ce 100644 --- a/install/restart_scripts/renew_ca_cert +++ b/install/restart_scripts/renew_ca_cert @@ -21,17 +21,13 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. import sys -import os import syslog -import tempfile -import shutil import traceback -from ipapython import dogtag, certmonger, ipautil +from ipapython import dogtag, ipautil from ipapython import services as ipaservices -from ipalib import api, errors, x509, util -from ipaserver.install import certs, cainstance, installutils -from ipaserver.plugins.ldap2 import ldap2 +from ipalib import api +from ipaserver.install import certs, cainstance def main(): nickname = sys.argv[1] @@ -68,9 +64,8 @@ def main(): syslog.syslog(syslog.LOG_ERR, 'No certificate %s found.' % nickname) sys.exit(1) - cainstance.update_cert_config(nickname, cert, configured_constants) - ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR) + ca.update_cert_config(nickname, cert, configured_constants) if ca.is_renewal_master(): cainstance.update_people_entry(cert) diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 18c81dc1f..d4a287951 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -184,7 +184,7 @@ def main(): ipautil.realm_to_suffix(config.realm_name)) # This is done within stopped_service context, which restarts CA - CA.enable_client_auth_to_db() + CA.enable_client_auth_to_db(CA.dogtag_constants.CS_CFG_PATH) # Install CA DNS records install_dns_records(config, options) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 41c1a0533..b79aeade2 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -38,9 +38,10 @@ from ipaserver.install import otpdinstance from ipaserver.install.replication import replica_conn_check, ReplicationManager from ipaserver.install.installutils import (ReplicaConfig, expand_replica_info, read_replica_info, get_host_name, BadHostError, private_ccache, - read_replica_info_dogtag_port) + read_replica_info_dogtag_port, read_replica_info_drm_enabled) from ipaserver.plugins.ldap2 import ldap2 from ipaserver.install import cainstance +from ipaserver.install import drminstance from ipalib import api, errors, util from ipalib.constants import CACERT from ipapython import version @@ -63,6 +64,8 @@ def parse_options(): basic_group = OptionGroup(parser, "basic options") basic_group.add_option("--setup-ca", dest="setup_ca", action="store_true", default=False, help="configure a dogtag CA") + basic_group.add_option("--setup-drm", dest="setup_drm", action="store_true", + default=False, help="configure a dogtag DRM") basic_group.add_option("--ip-address", dest="ip_address", type="ip", ip_local=True, help="Replica server IP Address") @@ -541,6 +544,15 @@ def main(): print 'CA cannot be installed in CA-less setup.' sys.exit(1) + config.setup_drm = options.setup_drm + if config.setup_drm: + if not config.setup_ca: + print "CA must be installed with the KRA" + sys.exit(1) + if not read_replica_info_drm_enabled(config.dir): + print "DRM is not installed on the master system" + sys.exit(1) + installutils.verify_fqdn(config.master_host_name, options.no_host_dns) # check connection @@ -574,6 +586,10 @@ def main(): else: fd.write("enable_ra=False\n") fd.write("ra_plugin=none\n") + if config.setup_drm: + fd.write("enable_drm=True\n") + else: + fd.write("enable_drm=False\n") fd.write("mode=production\n") fd.close() finally: @@ -684,7 +700,7 @@ def main(): ipautil.realm_to_suffix(config.realm_name)) # This is done within stopped_service context, which restarts CA - CA.enable_client_auth_to_db() + CA.enable_client_auth_to_db(CA.dogtag_constants.CS_CFG_PATH) krb = install_krb(config, setup_pkinit=options.setup_pkinit) http = install_http(config, auto_redirect=options.ui_redirect) @@ -707,9 +723,14 @@ def main(): service.print_msg("Applying LDAP updates") ds.apply_updates() - # Restart ds and krb after configurations have been changed - service.print_msg("Restarting the directory server") - ds.restart() + if options.setup_drm: + drm = drminstance.install_replica_drm(config) + service.print_msg("Restarting the directory server") + ds.restart() + drm.enable_client_auth_to_db(drm.dogtag_constants.DRM_CS_CFG_PATH) + else: + service.print_msg("Restarting the directory server") + ds.restart() service.print_msg("Restarting the KDC") krb.restart() diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 232d84a2c..4aa6fcca5 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -3,7 +3,7 @@ # Simo Sorce <ssorce@redhat.com> # Rob Crittenden <rcritten@redhat.com> # -# Copyright (C) 2007-2010 Red Hat +# Copyright (C) 2007-2014 Red Hat # see file 'COPYING' for use and warranty information # # This program is free software; you can redistribute it and/or modify @@ -53,6 +53,7 @@ from ipaserver.install import httpinstance from ipaserver.install import ntpinstance from ipaserver.install import certs from ipaserver.install import cainstance +from ipaserver.install import drminstance from ipaserver.install import memcacheinstance from ipaserver.install import otpdinstance from ipaserver.install import sysupgrade @@ -492,11 +493,19 @@ def uninstall(): dogtag_constants=dogtag_constants) if cads_instance.is_configured(): cads_instance.uninstall() - cainstance.stop_tracking_certificates(dogtag_constants) + + drm_instance = drminstance.DRMInstance( + api.env.realm, dogtag_constants=dogtag_constants) + drm_instance.stop_tracking_certificates(dogtag_constants) + if drm_instance.is_installed(): + drm_instance.uninstall() + ca_instance = cainstance.CAInstance( api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants) + ca_instance.stop_tracking_certificates(dogtag_constants) if ca_instance.is_configured(): ca_instance.uninstall() + bindinstance.BindInstance(fstore).uninstall() httpinstance.HTTPInstance(fstore).uninstall() krbinstance.KrbInstance(fstore).uninstall() @@ -755,6 +764,7 @@ def main(): setup_ca = False else: setup_ca = True + setup_drm = True # Figure out what external CA step we're in. See cainstance.py for more # info on the 3 states. @@ -771,6 +781,8 @@ def main(): print "This includes:" if setup_ca: print " * Configure a stand-alone CA (dogtag) for certificate management" + if setup_drm: + print " * Configure a stand-alone DRM (dogtag) for key storage" if options.conf_ntp: print " * Configure the Network Time Daemon (ntpd)" print " * Create and configure an instance of Directory Server" @@ -1017,6 +1029,7 @@ def main(): else: fd.write("enable_ra=False\n") fd.write("ra_plugin=none\n") + fd.write("enable_drm=%s\n" % setup_drm) fd.write("mode=production\n") fd.close() @@ -1118,7 +1131,7 @@ def main(): ipautil.realm_to_suffix(realm_name), ['caRenewalMaster']) # This is done within stopped_service context, which restarts CA - ca.enable_client_auth_to_db() + ca.enable_client_auth_to_db(ca.dogtag_constants.CS_CFG_PATH) krb = krbinstance.KrbInstance(fstore) if options.pkinit_pkcs12: @@ -1195,6 +1208,17 @@ def main(): service.print_msg("Restarting the web server") http.restart() + if setup_drm: + # code to create drm here + drm = drminstance.DRMInstance(realm_name, + dogtag_constants=dogtag.install_constants) + drm.configure_instance(host_name, domain_name, dm_password, + dm_password, subject_base=options.subject) + + # This is done within stopped_service context, which restarts DRM + ds.restart() + drm.enable_client_auth_to_db(drm.dogtag_constants.DRM_CS_CFG_PATH) + # Set the admin user kerberos password ds.change_admin_password(admin_password) @@ -1247,9 +1271,10 @@ def main(): print "" if setup_ca: - print "Be sure to back up the CA certificate stored in /root/cacert.p12" - print "This file is required to create replicas. The password for this" - print "file is the Directory Manager password" + print "Be sure to back up the CA certificates stored in /root/cacert.p12" + print "and the DRM certificates stored in /root/drmcert.p12" + print "These files are required to create replicas. The password for these" + print "files is the Directory Manager password" else: print "In order for Firefox autoconfiguration to work you will need to" print "use a SSL signing certificate. See the IPA documentation for more details." diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 265d71c33..5f751becb 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -675,7 +675,7 @@ def certificate_renewal_update(ca): # Ok, now we need to stop tracking, then we can start tracking them # again with new configuration: - cainstance.stop_tracking_certificates(dogtag_constants) + ca.stop_tracking_certificates(dogtag_constants) if not sysupgrade.get_upgrade_state('dogtag', 'certificate_renewal_update_1'): |