-rw-r--r--install/conf/ipa-pki-proxy.conf2
-rwxr-xr-xinstall/tools/ipa-replica-install7
-rwxr-xr-xinstall/tools/ipa-server-install1
-rw-r--r--install/tools/ipa-upgradeconfig2
-rw-r--r--ipaserver/install/cainstance.py84
-rw-r--r--ipaserver/install/dogtaginstance.py89
-rw-r--r--ipaserver/install/drminstance.py76
7 files changed, 142 insertions, 119 deletions
diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
index 9a6345898..4368896b9 100644
--- a/install/conf/ipa-pki-proxy.conf
+++ b/install/conf/ipa-pki-proxy.conf
@@ -1,4 +1,4 @@
-# VERSION 4 - DO NOT REMOVE THIS LINE
+# VERSION 5 - DO NOT REMOVE THIS LINE
ProxyRequests Off
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index b79aeade2..0beca24d9 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -586,10 +586,9 @@ def main():
else:
fd.write("enable_ra=False\n")
fd.write("ra_plugin=none\n")
- if config.setup_drm:
- fd.write("enable_drm=True\n")
- else:
- fd.write("enable_drm=False\n")
+
+ fd.write("enable_drm=%s\n" % config.setup_drm)
+
fd.write("mode=production\n")
fd.close()
finally:
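Review bot: The new `fd.write("enable_drm=%s\n" % config.setup_drm)` writes `str(config.setup_drm)` verbatim, whereas the removed two-branch form always emitted exactly `True` or `False`; if `setup_drm` can be unset, `None` or an integer flag, the file now contains `enable_drm=None` or `enable_drm=1`, which any reader comparing against the literal strings will misparse. If it is guaranteed to be a bool the change is fine, but I would keep the normalization explicit: `fd.write("enable_drm=%s\n" % bool(config.setup_drm))`. Note that `enable_ra` just above still uses the two-branch form, so the hunk leaves the two flags written in different styles. `main()` starts outside the hunk.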
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 4aa6fcca5..440d108a6 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -1209,7 +1209,6 @@ def main():
http.restart()
if setup_drm:
- # code to create drm here
drm = drminstance.DRMInstance(realm_name,
dogtag_constants=dogtag.install_constants)
drm.configure_instance(host_name, domain_name, dm_password,
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index b45b3179a..0dbe892d3 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -675,7 +675,7 @@ def certificate_renewal_update(ca):
# Ok, now we need to stop tracking, then we can start tracking them
# again with new configuration:
- ca.stop_tracking_certificates(dogtag_constants)
+ ca.stop_tracking_system_certificates(dogtag_constants)
if not sysupgrade.get_upgrade_state('dogtag',
'certificate_renewal_update_1'):
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 8d627efa3..6bbb6f545 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -82,6 +82,7 @@ RootDNPwd= $PASSWORD
ConfigFile = /usr/share/pki/ca/conf/database.ldif
"""
+
def get_preop_pin(instance_root, instance_name):
# Only used for Dogtag 9
preop_pin = None
@@ -90,17 +91,17 @@ def get_preop_pin(instance_root, instance_name):
# read the config file and get the preop pin
try:
- f=open(filename)
+ f = open(filename)
except IOError, e:
root_logger.error("Cannot open configuration file." + str(e))
raise e
data = f.read()
data = data.split('\n')
- pattern = re.compile("preop.pin=(.*)" )
+ pattern = re.compile("preop.pin=(.*)")
for line in data:
match = re.search(pattern, line)
- if (match):
- preop_pin=match.group(1)
+ if match:
+ preop_pin = match.group(1)
break
if preop_pin is None:
@@ -108,6 +109,7 @@ def get_preop_pin(instance_root, instance_name):
return preop_pin
+
def import_pkcs12(input_file, input_passwd, cert_database,
cert_passwd):
ipautil.run(["/usr/bin/pk12util", "-d", cert_database,
@@ -115,21 +117,23 @@ def import_pkcs12(input_file, input_passwd, cert_database,
"-k", cert_passwd,
"-w", input_passwd])
+
def get_value(s):
"""
Parse out a name/value pair from a Javascript variable.
"""
try:
- expr = s.split('=',1)
+ expr = s.split('=', 1)
value = expr[1]
value = value.replace('\"', '')
- value = value.replace(';','')
- value = value.replace('\\n','\n')
- value = value.replace('\\r','\r')
+ value = value.replace(';', '')
+ value = value.replace('\\n', '\n')
+ value = value.replace('\\r', '\r')
return value
except IndexError:
return None
+
def find_substring(data, value):
"""
Scan through a list looking for a string that starts with value.
@@ -138,6 +142,7 @@ def find_substring(data, value):
if d.startswith(value):
return get_value(d)
+
def get_defList(data):
"""
Return a dictionary of defList name/value pairs.
@@ -173,6 +178,7 @@ def get_defList(data):
return defdict
+
def get_outputList(data):
"""
Return a dictionary of outputList name/value pairs.
@@ -198,6 +204,7 @@ def get_outputList(data):
return outputdict
+
def get_crl_files(path=None):
"""
Traverse dogtag's CRL files in default CRL publish directory or in chosen
@@ -217,8 +224,8 @@ def get_crl_files(path=None):
def is_step_one_done():
- '''Read CS.cfg and determine if step one of an external CA install is done
- '''
+ """Read CS.cfg and determine if step one of an external CA install is done
+ """
path = dogtag.install_constants.CS_CFG_PATH
if not os.path.exists(path):
return False
@@ -235,7 +242,8 @@ class CADSInstance(service.Service):
Thus this class only does uninstallation.
"""
def __init__(self, host_name=None, realm_name=None, domain_name=None, dm_password=None, dogtag_constants=None):
- service.Service.__init__(self, "pkids",
+ service.Service.__init__(
+ self, "pkids",
service_desc="directory server for the CA",
dm_password=dm_password,
ldapi=False,
@@ -318,16 +326,6 @@ class CAInstance(DogtagInstance):
self.ra_cert = None
self.requestId = None
- def is_installed(self):
- """
- Installing with an external CA is a two-step process. This
- is used to determine if the first step has been done.
-
- Returns True/False
- """
- return os.path.exists(os.path.join(
- self.server_root, self.dogtag_constants.PKI_INSTANCE_NAME))
-
def configure_instance(self, host_name, domain, dm_password,
admin_password, ds_port=DEFAULT_DSPORT,
pkcs12_info=None, master_host=None, csr_file=None,
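Review bot: Removing `CAInstance.is_installed` changes what `ca.is_installed()` means: the base `DogtagInstance.is_installed` (visible later in this diff) tests for `<server_root>/<instance>/<subsystem>` rather than just the instance directory, and the removed docstring says the CA variant existed to detect that step one of an external-CA install had completed. Callers such as `drminstance`'s `if not ca.is_installed()` and any "CA already configured" guard will now only pass once the `ca` subdirectory exists; if that directory is created in the same pkispawn step this is harmless, but it should be confirmed rather than assumed, and `is_step_one_done()` above may be the intended replacement for the external-CA case. I would record in the commit message, or in a one-line class comment, that the base-class check is now authoritative for the CA. `configure_instance` continues outside the hunk.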
@@ -363,12 +361,12 @@ class CAInstance(DogtagInstance):
# Determine if we are installing as an externally-signed CA and
# what stage we're in.
if csr_file is not None:
- self.csr_file=csr_file
- self.external=1
+ self.csr_file = csr_file
+ self.external = 1
elif cert_file is not None:
- self.cert_file=cert_file
- self.cert_chain_file=cert_chain_file
- self.external=2
+ self.cert_file = cert_file
+ self.cert_chain_file = cert_chain_file
+ self.external = 2
self.step("creating certificate server user", self.__create_ca_user)
if self.dogtag_constants.DOGTAG_VERSION >= 10:
@@ -403,7 +401,7 @@ class CAInstance(DogtagInstance):
self.step("issuing RA agent certificate", self.__issue_ra_cert)
self.step("adding RA agent as a trusted user", self.__configure_ra)
self.step("configure certmonger for renewals", self.configure_certmonger_renewal)
- self.step("configure certificate renewals", self.configure_renewal)
+ self.step("configure certificate renewals", self.configure_cert_renewal)
if not self.clone:
self.step("configure RA certificate renewal", self.configure_agent_renewal)
self.step("configure Server-Cert certificate renewal", self.track_servercert)
@@ -493,7 +491,7 @@ class CAInstance(DogtagInstance):
config.set("CA", "pki_audit_signing_nickname", "auditSigningCert cert-pki-ca")
config.set("CA", "pki_ca_signing_nickname", "caSigningCert cert-pki-ca")
- if (self.clone):
+ if self.clone:
cafile = self.pkcs12_info[0]
shutil.copy(cafile, "/tmp/ca.p12")
pent = pwd.getpwnam(PKI_USER)
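Review bot: `shutil.copy(cafile, "/tmp/ca.p12")` on the clone path writes the PKCS#12 that carries the CA's private keys to a fixed, predictable name in world-writable `/tmp`, a classic symlink/pre-creation target (CWE-377/CWE-59); the later ownership change, which starts with `pent = pwd.getpwnam(PKI_USER)` here and continues outside the hunk, does not close that window. Prefer a private temporary file created with `tempfile.mkstemp(suffix=".p12")` (mode 0600, unpredictable name) or a path inside the instance's own directory, and copy into that. The same pattern with `/tmp/drm.p12` appears in `drminstance.py` in this diff. The enclosing method continues outside the hunk.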
@@ -540,7 +538,7 @@ class CAInstance(DogtagInstance):
print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate"
sys.exit(0)
else:
- shutil.move("/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12", \
+ shutil.move("/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12",
"/root/cacert.p12")
root_logger.debug("completed creating ca instance")
@@ -573,7 +571,8 @@ class CAInstance(DogtagInstance):
]
ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn})
- def __create_ca_user(self):
+ @staticmethod
+ def __create_ca_user():
try:
pwd.getpwnam(PKI_USER)
root_logger.debug("ca user %s exists" % PKI_USER)
@@ -643,7 +642,7 @@ class CAInstance(DogtagInstance):
else:
args.append("-external")
args.append("false")
- if (self.clone):
+ if self.clone:
"""sd = security domain --> all CS systems get registered to
a security domain. This is set to the hostname and port of
the master CA.
@@ -952,7 +951,7 @@ class CAInstance(DogtagInstance):
)
finally:
os.remove(chain_name)
- subid = subid + 1
+ subid += 1
def __request_ra_certificate(self):
# Create a noise file for generating our private key
@@ -1243,7 +1242,8 @@ class CAInstance(DogtagInstance):
fd.close()
os.chmod(location, 0444)
- def configure_certmonger_renewal(self):
+ @staticmethod
+ def configure_certmonger_renewal():
"""
Create a new CA type for certmonger that will retrieve updated
certificates from the dogtag master server.
@@ -1263,7 +1263,8 @@ class CAInstance(DogtagInstance):
'dogtag-ipa-ca-renew-agent',
'/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit', [])
- def configure_agent_renewal(self):
+ @staticmethod
+ def configure_agent_renewal():
try:
certmonger.dogtag_start_tracking(
ca='dogtag-ipa-ca-renew-agent',
@@ -1285,7 +1286,7 @@ class CAInstance(DogtagInstance):
raise RuntimeError(
'Unable to determine PIN for CA instance: %s' % e)
- def configure_renewal(self):
+ def configure_cert_renewal(self):
"""
Configure system certificates for renewal.
"""
@@ -1315,7 +1316,7 @@ class CAInstance(DogtagInstance):
root_logger.error(
"certmonger failed to start tracking certificate: %s" % e)
- def stop_tracking_certificates(self, dogtag_constants):
+ def stop_tracking_system_certificates(self, dogtag_constants):
"""Stop tracking our certificates. Called on uninstall.
"""
nicknames = ['Server-Cert cert-pki-ca',
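Review bot: After this rename the base class still defines `stop_tracking_certificates(self, dogtag_constants, nicknames=None)`, so any caller of `ca.stop_tracking_certificates(...)` that this diff does not update resolves silently to the base implementation with `nicknames=None` instead of failing with `AttributeError`; the diffstat shows only one line changed in `ipa-server-install`, so its uninstall path in particular should be checked. If the base method with `nicknames=None` does not cover the same nickname list as this method, an uninstall would leave certmonger tracking requests behind. The docstring also still says "Called on uninstall" although `ipa-upgradeconfig` now calls it during `certificate_renewal_update`; I would change it to `"""Stop tracking the CA system certificates (used on uninstall and when renewal tracking is reconfigured)."""`. The method body continues outside the hunk.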
@@ -1346,7 +1347,7 @@ class CAInstance(DogtagInstance):
# this is the default setting from pki-ca/pki-tomcat. Don't touch it
# if a user has manually modified it.
if setlist == '1,2,3,4,5,6,7,8' or setlist == '1,2,3,4,5,6,7,8,9':
- setlist = setlist + ',10'
+ setlist += ',10'
installutils.set_directive(
self.dogtag_constants.IPA_SERVICE_PROFILE,
'policyset.serverCertSet.list',
@@ -1430,7 +1431,8 @@ class CAInstance(DogtagInstance):
return True
- def update_cert_config(self, nickname, cert, dogtag_constants=None):
+ @staticmethod
+ def update_cert_config(nickname, cert, dogtag_constants=None):
"""
When renewing a CA subsystem certificate the configuration file
needs to get the new certificate as well.
@@ -1449,12 +1451,11 @@ class CAInstance(DogtagInstance):
'subsystemCert cert-pki-ca': 'ca.subsystem.cert',
'Server-Cert cert-pki-ca': 'ca.sslserver.cert'}
- DogtagInstance.update_cert_config(
- self, nickname, cert, directives,
+ DogtagInstance.update_cert_cs_cfg(
+ nickname, cert, directives,
dogtag.configured_constants().CS_CFG_PATH,
dogtag_constants)
-
def replica_ca_install_check(config):
if not config.setup_ca:
return
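Review bot: In `CAInstance.update_cert_config` the `cs_cfg` path is taken from `dogtag.configured_constants().CS_CFG_PATH` while `dogtag_constants` is passed through separately and may be `None`, so the file being edited and the constants used to stop and start the service can come from two different constant sets when a caller passes non-default `dogtag_constants`. Resolving once up front keeps them in lockstep: `dogtag_constants = dogtag_constants or dogtag.configured_constants()` followed by `dogtag_constants.CS_CFG_PATH` in the call. The same split appears in `DRMInstance.update_cert_config` with `DRM_CS_CFG_PATH`. Both `update_cert_config` and `replica_ca_install_check` extend outside the hunk.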
@@ -1578,6 +1579,7 @@ def install_replica_ca(config, postinstall=False):
return ca
+
def update_people_entry(dercert):
"""
Update the userCerticate for an entry in the dogtag ou=People. This
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index b482d8e08..14b96ba36 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -51,12 +51,12 @@ def check_inst(subsystem):
if not os.path.exists(dogtag.install_constants.DESTROY_BINARY):
return False
- # This is the template tomcat file for a DRM
if not os.path.exists('/usr/share/pki/%s/conf/server.xml' % subsystem):
return False
return True
+
class DogtagInstance(service.Service):
"""
This is the base class for a Dogtag 10+ instance, which uses a
@@ -71,9 +71,8 @@ class DogtagInstance(service.Service):
dogtag_constants = dogtag.configured_constants()
service.Service.__init__(self,
- '%sd' % dogtag_constants.PKI_INSTANCE_NAME,
- service_desc=service_desc
- )
+ '%sd' % dogtag_constants.PKI_INSTANCE_NAME,
+ service_desc=service_desc)
self.dogtag_constants = dogtag_constants
self.realm = realm
@@ -85,13 +84,18 @@ class DogtagInstance(service.Service):
self.clone = False
self.basedn = DN(('o', 'ipa%s' % subsystem.lower()))
- self.agent_db = tempfile.mkdtemp(prefix = "tmp-")
+ self.agent_db = tempfile.mkdtemp(prefix="tmp-")
self.ds_port = DEFAULT_DSPORT
self.server_root = dogtag_constants.SERVER_ROOT
self.subsystem = subsystem
self.security_domain_name = "IPA"
self.tracking_nicknames = None
+ # replication parameters
+ self.master_host = None
+ self.master_replication_port = None
+ self.subject_base = None
+
def __del__(self):
shutil.rmtree(self.agent_db, ignore_errors=True)
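Review bot: The new `master_host`, `master_replication_port` and `subject_base` attributes are introduced only by a `# replication parameters` comment, yet `DRMInstance.configure_instance` later formats them with `str(...)` into the pkispawn config on the clone path, so a clone whose caller forgot to set them silently gets `None` written out. A comment stating the contract would help: `# replication parameters: populated by configure_instance() on a clone; stay None on a master`. Separately, `agent_db` is created with `tempfile.mkdtemp` here but removed only in `__del__`, which is not guaranteed to run (reference cycles, interpreter shutdown), so a directory that presumably holds agent credentials can outlive the install; explicit cleanup at the end of the install steps would be more reliable. `__init__` starts outside the hunk.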
@@ -103,7 +107,7 @@ class DogtagInstance(service.Service):
"""
return os.path.exists(os.path.join(
self.server_root, self.dogtag_constants.PKI_INSTANCE_NAME,
- self.subsystem.lower()))
+ self.subsystem.lower()))
def spawn_instance(self, cfg_file):
"""
@@ -118,12 +122,12 @@ class DogtagInstance(service.Service):
args = ["/usr/sbin/pkispawn",
"-s", subsystem,
- "-f", cfg_file ]
+ "-f", cfg_file]
with open(cfg_file) as f:
root_logger.debug(
'Contents of pkispawn configuration file (%s):\n%s' %
- (cfg_file, ipautil.nolog_replace(f.read(), nolog)))
+ (cfg_file, ipautil.nolog_replace(f.read(), nolog)))
try:
ipautil.run(args, nolog=nolog)
@@ -135,6 +139,7 @@ class DogtagInstance(service.Service):
def enable(self):
self.backup_state("enabled", self.is_enabled())
+ # noinspection PyBroadException
def restart_instance(self):
try:
self.restart(self.dogtag_constants.PKI_INSTANCE_NAME)
@@ -144,6 +149,7 @@ class DogtagInstance(service.Service):
"Failed to restart the Dogtag instance."
"See the installation log for details.")
+ # noinspection PyBroadException
def start_instance(self):
try:
self.start(self.dogtag_constants.PKI_INSTANCE_NAME)
@@ -153,6 +159,7 @@ class DogtagInstance(service.Service):
"Failed to restart the Dogtag instance."
"See the installation log for details.")
+ # noinspection PyBroadException
def stop_instance(self):
try:
self.stop(self.dogtag_constants.PKI_INSTANCE_NAME)
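Review bot: The `start_instance` handler whose tail is visible at the top of this hunk reports `"Failed to restart the Dogtag instance."` — presumably copied from `restart_instance` — so a failed start is logged as a failed restart, and the two adjacent string literals concatenate without a space, yielding `instance.See the installation log`. I would change it to `"Failed to start the Dogtag instance. " "See the installation log for details."`. The added `# noinspection PyBroadException` only silences the IDE warning about the broad handler it implies; if the intent is to wrap any failure in a RuntimeError, `except Exception:` would do that while still letting `KeyboardInterrupt` and `SystemExit` propagate. Both `start_instance` and `stop_instance` extend outside the hunk.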
@@ -169,38 +176,51 @@ class DogtagInstance(service.Service):
"""
with stopped_service(self.dogtag_constants.SERVICE_NAME,
- instance_name=self.dogtag_constants.PKI_INSTANCE_NAME):
-
- installutils.set_directive(config,
+ instance_name=self.dogtag_constants.PKI_INSTANCE_NAME):
+ installutils.set_directive(
+ config,
'authz.instance.DirAclAuthz.ldap.ldapauth.authtype',
'SslClientAuth', quotes=False, separator='=')
- installutils.set_directive(config,
+ installutils.set_directive(
+ config,
'authz.instance.DirAclAuthz.ldap.ldapauth.bindDN',
'uid=pkidbuser,ou=people,o=ipaca', quotes=False, separator='=')
- installutils.set_directive(config,
+ installutils.set_directive(
+ config,
'authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname',
'subsystemCert cert-pki-ca', quotes=False, separator='=')
- installutils.set_directive(config,
+ installutils.set_directive(
+ config,
'authz.instance.DirAclAuthz.ldap.ldapconn.port',
str(dogtag.install_constants.DS_SECURE_PORT),
quotes=False, separator='=')
- installutils.set_directive(config,
+ installutils.set_directive(
+ config,
'authz.instance.DirAclAuthz.ldap.ldapconn.secureConn',
'true', quotes=False, separator='=')
- installutils.set_directive(config, 'internaldb.ldapauth.authtype',
+ installutils.set_directive(
+ config,
+ 'internaldb.ldapauth.authtype',
'SslClientAuth', quotes=False, separator='=')
- installutils.set_directive(config, 'internaldb.ldapauth.bindDN',
+
+ installutils.set_directive(
+ config,
+ 'internaldb.ldapauth.bindDN',
'uid=pkidbuser,ou=people,o=ipaca', quotes=False, separator='=')
- installutils.set_directive(config,
+ installutils.set_directive(
+ config,
'internaldb.ldapauth.clientCertNickname',
'subsystemCert cert-pki-ca', quotes=False, separator='=')
- installutils.set_directive(config, 'internaldb.ldapconn.port',
+ installutils.set_directive(
+ config,
+ 'internaldb.ldapconn.port',
str(dogtag.install_constants.DS_SECURE_PORT),
quotes=False, separator='=')
- installutils.set_directive(config,
- 'internaldb.ldapconn.secureConn', 'true', quotes=False,
- separator='=')
+ installutils.set_directive(
+ config,
+ 'internaldb.ldapconn.secureConn', 'true', quotes=False,
+ separator='=')
def uninstall(self):
if self.is_installed():
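Review bot: The reformatted directives mix constant sources: the `stopped_service` context uses `self.dogtag_constants`, but both `ldapconn.port` settings use the module-level `dogtag.install_constants.DS_SECURE_PORT`, so an instance constructed with different constants would stop one service and point the config at another set's port; `self.dogtag_constants.DS_SECURE_PORT` keeps them consistent. The bind DN `uid=pkidbuser,ou=people,o=ipaca` and nickname `subsystemCert cert-pki-ca` are likewise CA-specific literals in a base class this diff also uses for the DRM, whose subsystem certificate nickname is `subsystemCert cert-pki-drm` per `drminstance.py`; if this method is only ever invoked for the CA config, a comment saying so would stop a future DRM caller from enabling client auth with the wrong certificate. The method's signature is outside the hunk.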
@@ -212,10 +232,10 @@ class DogtagInstance(service.Service):
"-s", self.subsystem])
except ipautil.CalledProcessError, e:
root_logger.critical("failed to uninstall %s instance %s"
- % (self.subsystem,e))
+ % (self.subsystem, e))
def http_proxy(self):
- ''' Update the http proxy file '''
+ """ Update the http proxy file """
template_filename = ipautil.SHARE_DIR + "ipa-pki-proxy.conf"
sub_dict = dict(
DOGTAG_PORT=self.dogtag_constants.AJP_PORT,
@@ -229,17 +249,17 @@ class DogtagInstance(service.Service):
def __get_pin(self):
try:
return certmonger.get_pin('internal',
- dogtag_constants=self.dogtag_constants)
+ dogtag_constants=self.dogtag_constants)
except IOError, e:
root_logger.debug(
- 'Unable to determine PIN for DRM instance: %s' % str(e))
+ 'Unable to determine PIN for the Dogtag instance: %s' % str(e))
raise RuntimeError(e)
def configure_renewal(self, nicknames=None):
- ''' Configure certmonger to renew system certs
+ """ Configure certmonger to renew system certs
- @param nickname: list of nicknames
- '''
+ @param nicknames: list of nicknames
+ """
cmonger = ipaservices.knownservices.certmonger
cmonger.enable()
ipaservices.knownservices.messagebus.start()
@@ -263,9 +283,9 @@ class DogtagInstance(service.Service):
except (ipautil.CalledProcessError, RuntimeError), e:
root_logger.error(
"certmonger failed to start tracking certificate: %s" %
- str(e))
+ str(e))
- def stop_tracking_certificates(self, dogtag_constants, nicknames = None):
+ def stop_tracking_certificates(self, dogtag_constants, nicknames=None):
"""Stop tracking our certificates. Called on uninstall.
"""
cmonger = ipaservices.knownservices.certmonger
@@ -286,10 +306,11 @@ class DogtagInstance(service.Service):
cmonger.stop()
- def update_cert_config(self, nickname, cert, directives, cs_cfg,
+ @staticmethod
+ def update_cert_cs_cfg(nickname, cert, directives, cs_cfg,
dogtag_constants=None):
"""
- When renewing a DRM subsystem certificate the configuration file
+ When renewing a Dogtag subsystem certificate the configuration file
needs to get the new certificate as well.
nickname is one of the known nicknames.
@@ -302,7 +323,7 @@ class DogtagInstance(service.Service):
dogtag_constants = dogtag.configured_constants()
with stopped_service(dogtag_constants.SERVICE_NAME,
- instance_name=dogtag_constants.PKI_INSTANCE_NAME):
+ instance_name=dogtag_constants.PKI_INSTANCE_NAME):
installutils.set_directive(
cs_cfg,
directives[nickname],
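Review bot: `directives[nickname]` is evaluated inside the `stopped_service` block, so an unknown nickname stops the Dogtag instance and then raises a bare `KeyError` whose message is just the nickname. Validating before touching the service gives a clearer failure and avoids the needless stop/start cycle: `if nickname not in directives: raise ValueError("unknown certificate nickname: %s" % nickname)` placed ahead of the `with`. `update_cert_cs_cfg` starts outside the hunk.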
diff --git a/ipaserver/install/drminstance.py b/ipaserver/install/drminstance.py
index 6eab9d822..c4edd2cd4 100644
--- a/ipaserver/install/drminstance.py
+++ b/ipaserver/install/drminstance.py
@@ -41,6 +41,7 @@ from ipapython.ipa_log_manager import *
# replicas with DRM configured
IPA_DRM_RECORD = "ipa-drm"
+
class DRMInstance(DogtagInstance):
"""
We assume that the CA has already been installed, and we use the
@@ -96,7 +97,7 @@ class DRMInstance(DogtagInstance):
# Confirm that a Dogtag 10 CA instance already exists
ca = cainstance.CAInstance(
api.env.realm, certs.NSS_DIR,
- dogtag_constants = dogtag.Dogtag10Constants)
+ dogtag_constants=dogtag.Dogtag10Constants)
if not ca.is_installed():
raise RuntimeError(
"DRM configuration failed. "
@@ -168,7 +169,7 @@ class DRMInstance(DogtagInstance):
config.set("KRA", "pki_admin_password", self.admin_password)
config.set("KRA", "pki_admin_nickname", "ipa-ca-agent")
config.set("KRA", "pki_admin_subject_dn",
- str(DN(('cn', 'ipa-ca-agent'), self.subject_base)))
+ str(DN(('cn', 'ipa-ca-agent'), self.subject_base)))
config.set("KRA", "pki_import_admin_cert", "True")
config.set("KRA", "pki_admin_cert_file",
"/root/.dogtag/pki-tomcat/ca_admin.cert")
@@ -178,18 +179,19 @@ class DRMInstance(DogtagInstance):
config.set("KRA", "pki_ds_ldap_port", str(self.ds_port))
config.set("KRA", "pki_ds_password", self.dm_password)
config.set("KRA", "pki_ds_base_dn", self.basedn)
- config.set("KRA", "pki_ds_database", "ipakra")
+ config.set("KRA", "pki_ds_database", "ipadrm")
- # Certificate subject DN's
+ # Certificate subject DNs
config.set("KRA", "pki_subsystem_subject_dn",
- str(DN(('cn', 'CA Subsystem'), self.subject_base)))
+ str(DN(('cn', 'CA Subsystem'), self.subject_base)))
config.set("KRA", "pki_ssl_server_subject_dn",
- str(DN(('cn', self.fqdn), self.subject_base)))
+ str(DN(('cn', self.fqdn), self.subject_base)))
config.set("KRA", "pki_audit_signing_subject_dn",
- str(DN(('cn', 'DRM Audit'), self.subject_base)))
+ str(DN(('cn', 'DRM Audit'), self.subject_base)))
config.set("KRA", "pki_transport_subject_dn",
- str(DN(('cn', 'DRM Transport Certificate'), self.subject_base)))
- config.set("KRA", "pki_storage_subject_dn",
+ str(DN(('cn', 'DRM Transport Certificate'), self.subject_base)))
+ config.set(
+ "KRA", "pki_storage_subject_dn",
str(DN(('cn', 'DRM Storage Certificate'), self.subject_base)))
# Certificate nicknames
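Review bot: Changing `pki_ds_database` from `ipakra` to `ipadrm` alters the name of the directory-server backend that pkispawn creates or references for the KRA; if any DRM has been deployed under the old name, uninstall or upgrade code keyed on the new value will not match it, and since `pki_share_db` is set to `True` further down it is worth confirming the value is even honoured for a shared database. A short comment such as `# backend name is visible in DS; keep in sync with uninstall/upgrade code` would make the coupling explicit. Separately, `pki_subsystem_subject_dn` reuses `CA Subsystem`, presumably the same subject the CA's own subsystem certificate carries; two certificates from one issuer with identical subjects complicate certmap-based client authentication, so that should be confirmed as intentional. The enclosing method continues outside the hunk.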
@@ -210,11 +212,11 @@ class DRMInstance(DogtagInstance):
# Needed because CA and KRA share the same database
# We will use the dbuser created for the CA
config.set("KRA", "pki_share_db", "True")
- config.set("KRA", "pki_share_dbuser_dn",
- str(DN(('uid', 'pkidbuser'),('ou', 'people'),('o','ipaca'))))
-
+ config.set(
+ "KRA", "pki_share_dbuser_dn",
+ str(DN(('uid', 'pkidbuser'), ('ou', 'people'), ('o', 'ipaca'))))
- if (self.clone):
+ if self.clone:
drmfile = self.pkcs12_info[0]
shutil.copy(drmfile, "/tmp/drm.p12")
pent = pwd.getpwnam(PKI_USER)
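Review bot: `shutil.copy(drmfile, "/tmp/drm.p12")` writes the clone's PKCS#12 — which for a KRA presumably carries the storage and transport private keys protecting every archived secret — to a fixed name in world-writable `/tmp`, open to symlink or pre-creation attacks before the ownership change that begins with `pent = pwd.getpwnam(PKI_USER)` and continues outside the hunk. Use `tempfile.mkstemp(suffix=".p12")` (0600, unpredictable name) or a location inside the instance directory, and pass that path as `pki_clone_pkcs12_path`. The `cainstance.py` clone path in this diff has the same issue with `/tmp/ca.p12`.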
@@ -233,12 +235,12 @@ class DRMInstance(DogtagInstance):
config.set("KRA", "pki_clone_pkcs12_password", self.dm_password)
config.set("KRA", "pki_clone_replication_security", "TLS")
config.set("KRA", "pki_clone_replication_master_port",
- str(self.master_replication_port))
+ str(self.master_replication_port))
config.set("KRA", "pki_clone_replication_clone_port",
- dogtag.install_constants.DS_PORT)
+ dogtag.install_constants.DS_PORT)
config.set("KRA", "pki_clone_replicate_schema", "False")
config.set("KRA", "pki_clone_uri",
- "https://%s" % ipautil.format_netloc(self.master_host, 443))
+ "https://%s" % ipautil.format_netloc(self.master_host, 443))
# Generate configuration file
with open(cfg_file, "wb") as f:
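Review bot: `pki_clone_replication_clone_port` is set to `dogtag.install_constants.DS_PORT` as-is while the master port two lines above is wrapped in `str(...)`; if `DS_PORT` is an int and `config` is a `SafeConfigParser`, `set()` raises `TypeError: option values must be strings`, and with a `RawConfigParser` it only works by accident. Wrap it the same way: `str(dogtag.install_constants.DS_PORT)`. The clone branch also reuses `self.dm_password` as `pki_clone_pkcs12_password`, so make sure that value is in the `nolog` list `spawn_instance` applies when it logs the config contents. The clone branch starts outside the hunk.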
@@ -254,7 +256,8 @@ class DRMInstance(DogtagInstance):
root_logger.debug("completed creating DRM instance")
- def update_cert_config(self, nickname, cert, dogtag_constants=None):
+ @staticmethod
+ def update_cert_config(nickname, cert, dogtag_constants=None):
"""
When renewing a DRM subsystem certificate the configuration file
needs to get the new certificate as well.
@@ -274,8 +277,8 @@ class DRMInstance(DogtagInstance):
'subsystemCert cert-pki-drm': 'kra.subsystem.cert',
'Server-Cert cert-pki-ca': 'kra.sslserver.cert'}
- DogtagInstance.update_cert_config(
- self, nickname, cert, directives,
+ DogtagInstance.update_cert_cs_cfg(
+ nickname, cert, directives,
dogtag.configured_constants().DRM_CS_CFG_PATH,
dogtag_constants)
@@ -299,38 +302,37 @@ def install_replica_drm(config, postinstall=False):
if not ipautil.file_exists(drmfile):
raise RuntimeError(
- "Unable to clone DRM."
- " cacert.p12 file not found in replica file")
-
- drm = DRMInstance(config.realm_name,
- dogtag_constants=dogtag.install_constants)
- drm.dm_password = config.dirman_password
- drm.subject_base = config.subject_base
- if drm.is_installed():
+ "Unable to clone DRM."
+ " cacert.p12 file not found in replica file")
+
+ _drm = DRMInstance(config.realm_name,
+ dogtag_constants=dogtag.install_constants)
+ _drm.dm_password = config.dirman_password
+ _drm.subject_base = config.subject_base
+ if _drm.is_installed():
sys.exit("A DRM is already configured on this system.")
- drm.configure_instance(config.host_name, config.domain_name,
- config.dirman_password, config.dirman_password,
- pkcs12_info=(drmfile,),
- master_host=config.master_host_name,
- master_replication_port=config.ca_ds_port,
- subject_base=config.subject_base)
+ _drm.configure_instance(config.host_name, config.domain_name,
+ config.dirman_password, config.dirman_password,
+ pkcs12_info=(drmfile,),
+ master_host=config.master_host_name,
+ master_replication_port=config.ca_ds_port,
+ subject_base=config.subject_base)
# Restart httpd since we changed it's config and added ipa-pki-proxy.conf
if postinstall:
ipaservices.knownservices.httpd.restart()
-
# The dogtag DS instance needs to be restarted after installation.
# The procedure for this is: stop dogtag, stop DS, start DS, start
# dogtag
service.print_msg("Restarting the directory and DRM servers")
- drm.stop(dogtag.install_constants.PKI_INSTANCE_NAME)
+ _drm.stop(dogtag.install_constants.PKI_INSTANCE_NAME)
ipaservices.knownservices.dirsrv.restart()
- drm.start(dogtag.install_constants.PKI_INSTANCE_NAME)
+ _drm.start(dogtag.install_constants.PKI_INSTANCE_NAME)
- return drm
+ return _drm
if __name__ == "__main__":
standard_logging_setup("install.log")
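Review bot: The local is renamed `drm` → `_drm`, but a leading underscore on a function-local variable signals nothing in Python (it is the convention for non-public module and class members) and reads as though it were hiding a shadowing problem; if the rename exists to avoid clashing with a module-level name, a plain alternative such as `instance` says that more clearly. More substantively, `config.dirman_password` is passed as both the directory manager password and the KRA admin password (third and fourth positional arguments), and the clone path in `configure_instance` also uses it as the PKCS#12 password, so one secret is written three times into the pkispawn config; that is presumably an existing design choice, but it deserves a comment at the call site. `install_replica_drm` starts outside the hunk.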