From 861d1bbdca4793fb45fb233d236d3793cc23da36 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Mon, 14 Mar 2011 16:27:19 -0400
Subject: Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance.

This fixes 2 AVCS:
* One because we are enabling port 7390 because an SSL port must be defined to use TLS On 7389.
* We were symlinking to the main IPA 389-ds NSS certificate databsae. Instead generate a separate NSS database and certificate and have certmonger track it separately

I also noticed some variable inconsistency in cainstance.py. Everywhere else we use self.fqdn and that was using self.host_name. I found it confusing so I fixed it.

ticket 1085
---
 install/tools/ipa-replica-install | 26 +++++++-------------------
 install/tools/ipa-replica-prepare | 8 ++++++++
 install/tools/ipa-server-install | 14 +++++---------
 3 files changed, 20 insertions(+), 28 deletions(-)
(limited to 'install')

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index cfaeaa4a5..2bc9a17e9 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -167,14 +167,9 @@ def install_ca(config):
         print "Please install dogtag and restart the setup program"
         sys.exit(1)
 
-    # We replicate to the master using TLS. In order for this to work we
-    # need an SSL server cert. To make things easier we'll re-use the
-    # IPA 389-ds instance certificate loaded directly into the
-    # dogtag 389-ds instance. Later we will replace the NSS databases with
-    # symbolic links.
     pkcs12_info = None
-    if ipautil.file_exists(config.dir + "/dscert.p12"):
-        pkcs12_info = (config.dir + "/dscert.p12",
+    if ipautil.file_exists(config.dir + "/dogtagcert.p12"):
+        pkcs12_info = (config.dir + "/dogtagcert.p12",
                        config.dir + "/dirsrv_pin.txt")
     cs = cainstance.CADSInstance()
     cs.create_instance(config.realm_name, config.host_name,
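Review bot: When `config.dir + "/dogtagcert.p12"` is absent, `pkcs12_info` silently stays None and the dogtag 389-ds instance is created without the server certificate this commit introduces, while main (hunk @@ -495) goes on to call `cs.add_cert_to_service()` regardless; a replica file produced by an ipa-replica-prepare older than this change, which only ships dscert.p12, would take that path. A diagnostic before `cs = cainstance.CADSInstance()`, e.g. `print "dogtagcert.p12 not found in the replica file; re-run ipa-replica-prepare on the master"` followed by `sys.exit(1)` if the certificate is in fact required, would surface the problem at the point where it is still cheap to stop. The removed comment explained why a certificate is loaded here and nothing replaces it; suggest `# The replica file carries a dedicated server cert for the dogtag 389-ds instance, protected by the same pin as the dirsrv cert.` above `pkcs12_info = None`. install_ca begins before this hunk.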
@@ -206,7 +201,7 @@ def install_ca(config):
     ca.start()
     cs.service_name = service_name
 
-    return ca
+    return (ca, cs)
 
 def install_replica_ds(config):
     dsinstance.check_existing_installation()
@@ -487,7 +482,7 @@ def main():
     ntp.create_instance()
 
     # Configure the CA if necessary
-    CA = install_ca(config)
+    (CA, cs) = install_ca(config)
 
     # Always try to install DNS records
     install_dns_records(config, options)
@@ -495,19 +490,12 @@ def main():
     # Configure dirsrv
     ds = install_replica_ds(config)
 
-    # We ned to ldap_enable the CA now that DS is up and running
+    # We need to ldap_enable the CA now that DS is up and running
     if CA:
         CA.ldap_enable('CA', config.host_name, config.dirman_password,
                        util.realm_to_suffix(config.realm_name))
-
-        # Now we will replace the existing dogtag 389-ds instance NSS
-        # database with a symbolic link to the IPA 389-ds NSS database.
-        caconfigdir = dsinstance.config_dirname(dsinstance.realm_to_serverid('PKI-IPA'))
-        for filename in ['cert8.db', 'key3.db', 'secmod.db', 'pin.txt']:
-            os.unlink('%s%s' % (caconfigdir, filename))
-        dsconfigdir = dsinstance.config_dirname(dsinstance.realm_to_serverid(config.realm_name))
-        for filename in ['cert8.db', 'key3.db', 'secmod.db', 'pin.txt']:
-            os.symlink('%s%s' % (dsconfigdir, filename), '%s%s' % (caconfigdir, filename))
+        cs.add_simple_service('dogtagldap/%s@%s' % (config.host_name, config.realm_name))
+        cs.add_cert_to_service()
 
     install_krb(config, setup_pkinit=options.setup_pkinit)
     install_http(config)
diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index 36e34d78b..e9122351f 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
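Review bot: `return (ca, cs)` turns install_ca's result into a pair, but the `if CA:` guard kept in main (hunk @@ -495) indicates the function can also return a bare None from an earlier path that lies outside this hunk; if that path is still there, `(CA, cs) = install_ca(config)` in hunk @@ -487 raises TypeError on unpacking before the guard is ever reached, i.e. a replica of a master without a dogtag CA would fail to install. Every return in install_ca should yield a pair, e.g. `return (None, None)` on the early path, with main keeping `if CA:` around the uses of both values. A docstring such as `"""Return (CAInstance, CADSInstance), or (None, None) when the master has no dogtag CA."""` would record the new contract. install_ca starts before this hunk.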
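Review bot: The principal literal `'dogtagldap/%s@%s'` handed to `cs.add_simple_service` is repeated verbatim in ipa-server-install (hunk @@ -817), and since `cs.add_cert_to_service()` presumably stores the certificate under whatever service was just added, the two installers must keep naming the same principal; building the string in one place in cainstance (a constant or a small method on CADSInstance) would stop them from drifting. I read the two added calls as sitting inside the `if CA:` block, where the symlink code they replace lived; if they are at function level instead they would run for replicas of masters without a CA, where `cs` is whatever install_ca returned on that path. main() continues outside this hunk.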
@@ -338,6 +338,14 @@ def main():
             print "%s" % e
             sys.exit(1)
 
+    if not certs.ipa_self_signed():
+        print "Creating SSL certificate for the dogtag Directory Server"
+        try:
+            export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dogtagcert", replica_fqdn, subject_base)
+        except errors.CertificateOperationError, e:
+            print "%s" % e
+            sys.exit(1)
+
     if options.http_pin:
         passwd = options.http_pin
     else:
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 9c0947c83..f3a01e892 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -754,7 +754,7 @@ def main():
 
     if options.external_cert_file is None:
         cs = cainstance.CADSInstance()
-        cs.create_instance(realm_name, host_name, domain_name, dm_password)
+        cs.create_instance(realm_name, host_name, domain_name, dm_password, subject_base=options.subject)
         ca = cainstance.CAInstance(realm_name, certs.NSS_DIR)
         if external == 0:
             ca.configure_instance(host_name, dm_password, dm_password,
@@ -817,17 +817,13 @@ def main():
         ca.ldap_enable('CA', host_name, dm_password,
                        util.realm_to_suffix(realm_name))
 
-        # Symlink the IPA LDAP server NSS database to this one.
-        caconfigdir = dsinstance.config_dirname(dsinstance.realm_to_serverid('PKI-IPA'))
-        for filename in ['cert8.db', 'key3.db', 'secmod.db']:
-            os.unlink('%s%s' % (caconfigdir, filename))
-        dsconfigdir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
-        for filename in ['cert8.db', 'key3.db', 'secmod.db', 'pin.txt']:
-            os.symlink('%s%s' % (dsconfigdir, filename), '%s%s' % (caconfigdir, filename))
-
         # Turn on SSL in the dogtag LDAP instance. This will get restarted
         # later, we don't need SSL now.
+        cs.create_certdb()
         cs.enable_ssl()
+        # Add the IPA service for storing the PKI-IPA server certificate.
+        cs.add_simple_service('dogtagldap/%s@%s' % (host_name, realm_name))
+        cs.add_cert_to_service()
 
     # Create a kerberos instance
     if options.pkinit_pin:
-- 
cgit
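Review bot: The new block repeats the preceding export's error handling verbatim (`except errors.CertificateOperationError, e:` / `print "%s" % e` / `sys.exit(1)`, visible as the first context lines), so a small local helper taking the nickname and the progress message would keep the two exports in step when either changes. The dogtag export also reuses `passwd_fname`, the pin file written for the dirsrv certificate, which matches ipa-replica-install pairing dogtagcert.p12 with dirsrv_pin.txt (hunk @@ -167) but is easy to break from either side; a comment `# dogtagcert.p12 is protected by the dirsrv pin file; ipa-replica-install relies on this` on the export_certdb line would tie them together. main() starts before this hunk.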
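Review bot: `subject_base=options.subject` is forwarded with no fallback, so when `--subject` was not given the value is presumably None and CADSInstance.create_instance has to supply the IPA default itself; nothing in this hunk shows that it does. A comment at the call, `# subject_base may be None; create_instance applies the default subject base`, or an explicit fallback here if create_instance does not provide one, would make the expectation visible. The enclosing block of main() starts and ends outside this hunk.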
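Review bot: The comment above `cs.create_certdb()` still only describes `cs.enable_ssl()`, while the substantive change in this hunk is that the dogtag 389-ds instance now gets its own NSS database and server certificate instead of symlinks into the IPA 389-ds key database (the removed lines), which is exactly what a later reader of the SELinux fix needs explained. Suggest `# Give the dogtag 389-ds instance its own NSS database and server cert (no longer shared with the IPA 389-ds instance), then turn on SSL.` above `cs.create_certdb()`, keeping the existing note that SSL is not needed until the later restart. The enclosing block of main() starts and ends outside this hunk.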