Diffstat (limited to 'ipaserver/install/cainstance.py')
-rw-r--r-- | ipaserver/install/cainstance.py | 84 |
1 files changed, 43 insertions, 41 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 8d627efa3..6bbb6f545 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -82,6 +82,7 @@ RootDNPwd= $PASSWORD ConfigFile = /usr/share/pki/ca/conf/database.ldif """ + def get_preop_pin(instance_root, instance_name): # Only used for Dogtag 9 preop_pin = None @@ -90,17 +91,17 @@ def get_preop_pin(instance_root, instance_name): # read the config file and get the preop pin try: - f=open(filename) + f = open(filename) except IOError, e: root_logger.error("Cannot open configuration file." + str(e)) raise e data = f.read() data = data.split('\n') - pattern = re.compile("preop.pin=(.*)" ) + pattern = re.compile("preop.pin=(.*)") for line in data: match = re.search(pattern, line) - if (match): - preop_pin=match.group(1) + if match: + preop_pin = match.group(1) break if preop_pin is None: @@ -108,6 +109,7 @@ def get_preop_pin(instance_root, instance_name): return preop_pin + def import_pkcs12(input_file, input_passwd, cert_database, cert_passwd): ipautil.run(["/usr/bin/pk12util", "-d", cert_database, @@ -115,21 +117,23 @@ def import_pkcs12(input_file, input_passwd, cert_database, "-k", cert_passwd, "-w", input_passwd]) + def get_value(s): """ Parse out a name/value pair from a Javascript variable. """ try: - expr = s.split('=',1) + expr = s.split('=', 1) value = expr[1] value = value.replace('\"', '') - value = value.replace(';','') - value = value.replace('\\n','\n') - value = value.replace('\\r','\r') + value = value.replace(';', '') + value = value.replace('\\n', '\n') + value = value.replace('\\r', '\r') return value except IndexError: return None + def find_substring(data, value): """ Scan through a list looking for a string that starts with value. @@ -138,6 +142,7 @@ def find_substring(data, value): if d.startswith(value): return get_value(d) + def get_defList(data): """ Return a dictionary of defList name/value pairs. 
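Review bot: The handle opened at `f = open(filename)` in the `@@ -90,17 +91,17 @@` hunk of get_preop_pin is never closed; `data = f.read()` runs and the file object is simply abandoned, and a style pass that already touched this line is the natural moment to fix it. Replacing the open/read pair with `with open(filename) as f:` / `data = f.read()` inside the existing `try` keeps the `except IOError, e:` branch (Python 2 syntax, consistent with the `print` statements elsewhere in the file) and releases the descriptor on every path. Separately, `re.compile("preop.pin=(.*)")` is unanchored and its `.` is a wildcard, so a line such as `xpreopXpin=...` (constructed example) would also match; `re.compile(r"^preop\.pin=(.*)")` pins the match to the intended key. The start of get_preop_pin, where `filename` is built, lies outside this hunk.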
@@ -173,6 +178,7 @@ def get_defList(data): return defdict + def get_outputList(data): """ Return a dictionary of outputList name/value pairs. @@ -198,6 +204,7 @@ def get_outputList(data): return outputdict + def get_crl_files(path=None): """ Traverse dogtag's CRL files in default CRL publish directory or in chosen @@ -217,8 +224,8 @@ def get_crl_files(path=None): def is_step_one_done(): - '''Read CS.cfg and determine if step one of an external CA install is done - ''' + """Read CS.cfg and determine if step one of an external CA install is done + """ path = dogtag.install_constants.CS_CFG_PATH if not os.path.exists(path): return False @@ -235,7 +242,8 @@ class CADSInstance(service.Service): Thus this class only does uninstallation. """ def __init__(self, host_name=None, realm_name=None, domain_name=None, dm_password=None, dogtag_constants=None): - service.Service.__init__(self, "pkids", + service.Service.__init__( + self, "pkids", service_desc="directory server for the CA", dm_password=dm_password, ldapi=False, @@ -318,16 +326,6 @@ class CAInstance(DogtagInstance): self.ra_cert = None self.requestId = None - def is_installed(self): - """ - Installing with an external CA is a two-step process. This - is used to determine if the first step has been done. - - Returns True/False - """ - return os.path.exists(os.path.join( - self.server_root, self.dogtag_constants.PKI_INSTANCE_NAME)) - def configure_instance(self, host_name, domain, dm_password, admin_password, ds_port=DEFAULT_DSPORT, pkcs12_info=None, master_host=None, csr_file=None, 
@@ -363,12 +361,12 @@ class CAInstance(DogtagInstance): # Determine if we are installing as an externally-signed CA and # what stage we're in. if csr_file is not None: - self.csr_file=csr_file - self.external=1 + self.csr_file = csr_file + self.external = 1 elif cert_file is not None: - self.cert_file=cert_file - self.cert_chain_file=cert_chain_file - self.external=2 + self.cert_file = cert_file + self.cert_chain_file = cert_chain_file + self.external = 2 self.step("creating certificate server user", self.__create_ca_user) if self.dogtag_constants.DOGTAG_VERSION >= 10: @@ -403,7 +401,7 @@ class CAInstance(DogtagInstance): self.step("issuing RA agent certificate", self.__issue_ra_cert) self.step("adding RA agent as a trusted user", self.__configure_ra) self.step("configure certmonger for renewals", self.configure_certmonger_renewal) - self.step("configure certificate renewals", self.configure_renewal) + self.step("configure certificate renewals", self.configure_cert_renewal) if not self.clone: self.step("configure RA certificate renewal", self.configure_agent_renewal) self.step("configure Server-Cert certificate renewal", self.track_servercert) @@ -493,7 +491,7 @@ class CAInstance(DogtagInstance): config.set("CA", "pki_audit_signing_nickname", "auditSigningCert cert-pki-ca") config.set("CA", "pki_ca_signing_nickname", "caSigningCert cert-pki-ca") - if (self.clone): + if self.clone: cafile = self.pkcs12_info[0] shutil.copy(cafile, "/tmp/ca.p12") pent = pwd.getpwnam(PKI_USER) @@ -540,7 +538,7 @@ class CAInstance(DogtagInstance): print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate" sys.exit(0) else: - shutil.move("/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12", \ + shutil.move("/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12", "/root/cacert.p12") root_logger.debug("completed creating ca instance") 
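Review bot: On the `if self.clone:` path in the `@@ -493,7 +491,7 @@` hunk, the unchanged `shutil.copy(cafile, "/tmp/ca.p12")` writes the clone's PKCS#12 bundle, which carries the CA private keys, to a fixed name in a world-writable directory; that name can be pre-created or symlinked by any local user, and `shutil.copy` creates the destination with the process umask rather than an explicit mode. This is context rather than the commit's change, but a safer shape is `fd, p12_path = tempfile.mkstemp(suffix='.p12')` (created 0600), copying the bytes into the open descriptor, and handing `p12_path` to whatever consumes it; `tempfile` would need importing if the file does not already pull it in. The `pwd.getpwnam(PKI_USER)` lookup on the next line suggests ownership is adjusted afterwards, but the rest of the enclosing method, including any removal of the copy, is outside the hunk, so I cannot confirm the file's lifecycle.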
@@ -573,7 +571,8 @@ class CAInstance(DogtagInstance): ] ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn}) - def __create_ca_user(self): + @staticmethod + def __create_ca_user(): try: pwd.getpwnam(PKI_USER) root_logger.debug("ca user %s exists" % PKI_USER) @@ -643,7 +642,7 @@ class CAInstance(DogtagInstance): else: args.append("-external") args.append("false") - if (self.clone): + if self.clone: """sd = security domain --> all CS systems get registered to a security domain. This is set to the hostname and port of the master CA. @@ -952,7 +951,7 @@ class CAInstance(DogtagInstance): ) finally: os.remove(chain_name) - subid = subid + 1 + subid += 1 def __request_ra_certificate(self): # Create a noise file for generating our private key @@ -1243,7 +1242,8 @@ class CAInstance(DogtagInstance): fd.close() os.chmod(location, 0444) - def configure_certmonger_renewal(self): + @staticmethod + def configure_certmonger_renewal(): """ Create a new CA type for certmonger that will retrieve updated certificates from the dogtag master server. @@ -1263,7 +1263,8 @@ class CAInstance(DogtagInstance): 'dogtag-ipa-ca-renew-agent', '/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit', []) - def configure_agent_renewal(self): + @staticmethod + def configure_agent_renewal(): try: certmonger.dogtag_start_tracking( ca='dogtag-ipa-ca-renew-agent', @@ -1285,7 +1286,7 @@ class CAInstance(DogtagInstance): raise RuntimeError( 'Unable to determine PIN for CA instance: %s' % e) - def configure_renewal(self): + def configure_cert_renewal(self): """ Configure system certificates for renewal. """ @@ -1315,7 +1316,7 @@ class CAInstance(DogtagInstance): root_logger.error( "certmonger failed to start tracking certificate: %s" % e) - def stop_tracking_certificates(self, dogtag_constants): + def stop_tracking_system_certificates(self, dogtag_constants): """Stop tracking our certificates. Called on uninstall. """ nicknames = ['Server-Cert cert-pki-ca', 
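Review bot: Directly under the changed `if self.clone:` in the `@@ -643,7 +642,7 @@` hunk, the text beginning `"""sd = security domain --> all CS systems get registered to a security domain.` is a bare triple-quoted string, i.e. an expression statement evaluated at runtime, not a comment; a reader or linter sees an unused string literal in the middle of a branch. Converting it to `#` lines (`# sd = security domain: all CS systems get registered to a security domain,` / `# set to the hostname and port of the master CA.`) says the same thing without the stray statement. The argument-building code around it continues outside the hunk.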
@@ -1346,7 +1347,7 @@ class CAInstance(DogtagInstance): # this is the default setting from pki-ca/pki-tomcat. Don't touch it # if a user has manually modified it. if setlist == '1,2,3,4,5,6,7,8' or setlist == '1,2,3,4,5,6,7,8,9': - setlist = setlist + ',10' + setlist += ',10' installutils.set_directive( self.dogtag_constants.IPA_SERVICE_PROFILE, 'policyset.serverCertSet.list', @@ -1430,7 +1431,8 @@ class CAInstance(DogtagInstance): return True - def update_cert_config(self, nickname, cert, dogtag_constants=None): + @staticmethod + def update_cert_config(nickname, cert, dogtag_constants=None): """ When renewing a CA subsystem certificate the configuration file needs to get the new certificate as well. @@ -1449,12 +1451,11 @@ class CAInstance(DogtagInstance): 'subsystemCert cert-pki-ca': 'ca.subsystem.cert', 'Server-Cert cert-pki-ca': 'ca.sslserver.cert'} - DogtagInstance.update_cert_config( - self, nickname, cert, directives, + DogtagInstance.update_cert_cs_cfg( + nickname, cert, directives, dogtag.configured_constants().CS_CFG_PATH, dogtag_constants) - def replica_ca_install_check(config): if not config.setup_ca: return @@ -1578,6 +1579,7 @@ def install_replica_ca(config, postinstall=False): return ca + def update_people_entry(dercert): """ Update the userCerticate for an entry in the dogtag ou=People. This |
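Review bot: The condition guarding the new `setlist += ',10'` in the `@@ -1346,7 +1347,7 @@` hunk compares the same variable against two literals joined with `or`; `if setlist in ('1,2,3,4,5,6,7,8', '1,2,3,4,5,6,7,8,9'):` reads as a single membership test and makes a further default profile list a one-token addition. Behaviour is identical. The enclosing method starts and ends outside this hunk.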
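Review bot: In the `@@ -1449,12 +1451,11 @@` hunk the new call `DogtagInstance.update_cert_cs_cfg(nickname, cert, directives, dogtag.configured_constants().CS_CFG_PATH, dogtag_constants)` takes the config path from `dogtag.configured_constants()` while also forwarding the caller-supplied `dogtag_constants`; if that parameter is meant to select which Dogtag layout is being updated (it defaults to None in the new staticmethod signature of the `@@ -1430,7 +1431,8 @@` hunk), the path and the constants can disagree. Deriving both from one source, e.g. `consts = dogtag_constants or dogtag.configured_constants()` and passing `consts.CS_CFG_PATH, consts`, removes the mismatch, assuming the base-class update_cert_cs_cfg accepts that, which I cannot see from this file. A docstring line on the staticmethod stating what `dogtag_constants=None` falls back to would also help, since the existing docstring only says the configuration file needs the new certificate.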