6 files changed, 65 insertions, 24 deletions
diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
index 224cdd45b..9a6345898 100644
--- a/install/conf/ipa-pki-proxy.conf
+++ b/install/conf/ipa-pki-proxy.conf
@@ -11,7 +11,7 @@ ProxyRequests Off
 </LocationMatch>
 
 # matches for admin port and installer
-<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken|^/ca/admin/ca/updateNumberRange|^/ca/rest/securityDomain/domainInfo|^/ca/rest/account/login|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/rest/account/logout|^/ca/rest/securityDomain/installToken">
+<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken|^/ca/admin/ca/updateNumberRange|^/ca/rest/securityDomain/domainInfo|^/ca/rest/account/login|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/rest/account/logout|^/ca/rest/securityDomain/installToken|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries">
     NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
     NSSVerifyClient none
     ProxyPassMatch ajp://localhost:$DOGTAG_PORT
@@ -19,7 +19,7 @@ ProxyRequests Off
 </LocationMatch>
 
 # matches for agent port and eeca port
-<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
+<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/kra/agent/kra/connector">
     NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
     NSSVerifyClient require
     ProxyPassMatch ajp://localhost:$DOGTAG_PORT
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 2663887d6..d9c98d5ce 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -21,17 +21,13 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import sys
-import os
 import syslog
-import tempfile
-import shutil
 import traceback
 
-from ipapython import dogtag, certmonger, ipautil
+from ipapython import dogtag, ipautil
 from ipapython import services as ipaservices
-from ipalib import api, errors, x509, util
-from ipaserver.install import certs, cainstance, installutils
-from ipaserver.plugins.ldap2 import ldap2
+from ipalib import api
+from ipaserver.install import certs, cainstance
 
 def main():
     nickname = sys.argv[1]
@@ -68,9 +64,8 @@ def main():
         syslog.syslog(syslog.LOG_ERR, 'No certificate %s found.' % nickname)
         sys.exit(1)
 
-    cainstance.update_cert_config(nickname, cert, configured_constants)
-
     ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
+    ca.update_cert_config(nickname, cert, configured_constants)
     if ca.is_renewal_master():
         cainstance.update_people_entry(cert)
 
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 26f6993a0..a5801204f 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -183,7 +183,7 @@ def main():
                    ipautil.realm_to_suffix(config.realm_name))
 
     # This is done within stopped_service context, which restarts CA
-    CA.enable_client_auth_to_db()
+    CA.enable_client_auth_to_db(CA.dogtag_constants.CS_CFG_PATH)
 
     # Install CA DNS records
     install_dns_records(config, options)
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index f5e7197b5..192dc0d42 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -38,9 +38,10 @@ from ipaserver.install import otpdinstance
 from ipaserver.install.replication import replica_conn_check, ReplicationManager
 from ipaserver.install.installutils import (ReplicaConfig, expand_replica_info,
         read_replica_info, get_host_name, BadHostError, private_ccache,
-        read_replica_info_dogtag_port)
+        read_replica_info_dogtag_port, read_replica_info_drm_enabled)
 from ipaserver.plugins.ldap2 import ldap2
 from ipaserver.install import cainstance
+from ipaserver.install import drminstance
 from ipalib import api, errors, util
 from ipalib.constants import CACERT
 from ipapython import version
@@ -63,6 +64,8 @@ def parse_options():
     basic_group = OptionGroup(parser, "basic options")
     basic_group.add_option("--setup-ca", dest="setup_ca", action="store_true",
                       default=False, help="configure a dogtag CA")
+    basic_group.add_option("--setup-drm", dest="setup_drm", action="store_true",
+                      default=False, help="configure a dogtag DRM")
     basic_group.add_option("--ip-address", dest="ip_address",
                       type="ip", ip_local=True,
                       help="Replica server IP Address")
@@ -540,6 +543,15 @@ def main():
         print 'CA cannot be installed in CA-less setup.'
         sys.exit(1)
 
+    config.setup_drm = options.setup_drm
+    if config.setup_drm:
+        if not config.setup_ca:
+            print "CA must be installed with the KRA"
+            sys.exit(1)
+        if not read_replica_info_drm_enabled(config.dir):
+            print "DRM is not installed on the master system"
+            sys.exit(1)
+
     installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
 
     # check connection
@@ -573,6 +585,10 @@ def main():
         else:
             fd.write("enable_ra=False\n")
             fd.write("ra_plugin=none\n")
+        if config.setup_drm:
+            fd.write("enable_drm=True\n")
+        else:
+            fd.write("enable_drm=False\n")
         fd.write("mode=production\n")
         fd.close()
     finally:
@@ -683,7 +699,7 @@ def main():
                        ipautil.realm_to_suffix(config.realm_name))
 
         # This is done within stopped_service context, which restarts CA
-        CA.enable_client_auth_to_db()
+        CA.enable_client_auth_to_db(CA.dogtag_constants.CS_CFG_PATH)
 
     krb = install_krb(config, setup_pkinit=options.setup_pkinit)
     http = install_http(config, auto_redirect=options.ui_redirect)
@@ -706,9 +722,14 @@ def main():
     service.print_msg("Applying LDAP updates")
     ds.apply_updates()
 
-    # Restart ds and krb after configurations have been changed
-    service.print_msg("Restarting the directory server")
-    ds.restart()
+    if options.setup_drm:
+        drm = drminstance.install_replica_drm(config)
+        service.print_msg("Restarting the directory server")
+        ds.restart()
+        drm.enable_client_auth_to_db(drm.dogtag_constants.DRM_CS_CFG_PATH)
+    else:
+        service.print_msg("Restarting the directory server")
+        ds.restart()
 
     service.print_msg("Restarting the KDC")
     krb.restart()
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 34393b7df..46e5f180a 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -3,7 +3,7 @@
 #          Simo Sorce <ssorce@redhat.com>
 #          Rob Crittenden <rcritten@redhat.com>
 #
-# Copyright (C) 2007-2010  Red Hat
+# Copyright (C) 2007-2014  Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -53,6 +53,7 @@ from ipaserver.install import httpinstance
 from ipaserver.install import ntpinstance
 from ipaserver.install import certs
 from ipaserver.install import cainstance
+from ipaserver.install import drminstance
 from ipaserver.install import memcacheinstance
 from ipaserver.install import otpdinstance
 from ipaserver.install import sysupgrade
@@ -492,11 +493,19 @@ def uninstall():
             dogtag_constants=dogtag_constants)
         if cads_instance.is_configured():
             cads_instance.uninstall()
-    cainstance.stop_tracking_certificates(dogtag_constants)
+
+    drm_instance = drminstance.DRMInstance(
+        api.env.realm, dogtag_constants=dogtag_constants)
+    drm_instance.stop_tracking_certificates(dogtag_constants)
+    if drm_instance.is_installed():
+        drm_instance.uninstall()
+
     ca_instance = cainstance.CAInstance(
         api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants)
+    ca_instance.stop_tracking_certificates(dogtag_constants)
     if ca_instance.is_configured():
         ca_instance.uninstall()
+
     bindinstance.BindInstance(fstore).uninstall()
     httpinstance.HTTPInstance(fstore).uninstall()
     krbinstance.KrbInstance(fstore).uninstall()
@@ -754,6 +763,7 @@ def main():
         setup_ca = False
     else:
         setup_ca = True
+        setup_drm = True
 
     # Figure out what external CA step we're in. See cainstance.py for more
     # info on the 3 states.
@@ -770,6 +780,8 @@ def main():
     print "This includes:"
     if setup_ca:
         print "  * Configure a stand-alone CA (dogtag) for certificate management"
+    if setup_drm:
+        print "  * Configure a stand-alone DRM (dogtag) for key storage"
     if options.conf_ntp:
         print "  * Configure the Network Time Daemon (ntpd)"
     print "  * Create and configure an instance of Directory Server"
@@ -1016,6 +1028,7 @@ def main():
     else:
         fd.write("enable_ra=False\n")
         fd.write("ra_plugin=none\n")
+    fd.write("enable_drm=%s\n" % setup_drm)
     fd.write("mode=production\n")
     fd.close()
 
@@ -1117,7 +1130,7 @@ def main():
                        ipautil.realm_to_suffix(realm_name), ['caRenewalMaster'])
 
         # This is done within stopped_service context, which restarts CA
-        ca.enable_client_auth_to_db()
+        ca.enable_client_auth_to_db(ca.dogtag_constants.CS_CFG_PATH)
 
     krb = krbinstance.KrbInstance(fstore)
     if options.pkinit_pkcs12:
@@ -1194,6 +1207,17 @@ def main():
     service.print_msg("Restarting the web server")
     http.restart()
 
+    if setup_drm:
+        # code to create drm here
+        drm = drminstance.DRMInstance(realm_name,
+            dogtag_constants=dogtag.install_constants)
+        drm.configure_instance(host_name, domain_name, dm_password,
+                               dm_password, subject_base=options.subject)
+
+        # This is done within stopped_service context, which restarts DRM
+        ds.restart()
+        drm.enable_client_auth_to_db(drm.dogtag_constants.DRM_CS_CFG_PATH)
+
     # Set the admin user kerberos password
     ds.change_admin_password(admin_password)
 
@@ -1246,9 +1270,10 @@ def main():
 
     print ""
     if setup_ca:
-        print "Be sure to back up the CA certificate stored in /root/cacert.p12"
-        print "This file is required to create replicas. The password for this"
-        print "file is the Directory Manager password"
+        print "Be sure to back up the CA certificates stored in /root/cacert.p12"
+        print "and the DRM certificates stored in /root/drmcert.p12"
+        print "These files are required to create replicas. The password for these"
+        print "files is the Directory Manager password"
     else:
         print "In order for Firefox autoconfiguration to work you will need to"
         print "use a SSL signing certificate. See the IPA documentation for more details."
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index d77a33816..87338d580 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -675,7 +675,7 @@ def certificate_renewal_update(ca):
 
     # Ok, now we need to stop tracking, then we can start tracking them
     # again with new configuration:
-    cainstance.stop_tracking_certificates(dogtag_constants)
+    ca.stop_tracking_certificates(dogtag_constants)
 
     if not sysupgrade.get_upgrade_state('dogtag',
                                         'certificate_renewal_update_1'):