

replica install: merge RA cert import into CA install
Merge all RA cert import code paths into a single code path in CA install.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Jan Cholasta committed Nov 11, 2016
1 parent bddd4fa commit 822e1bc
Showing 5 changed files with 103 additions and 96 deletions.
11 changes: 9 additions & 2 deletions ipaserver/install/ca.py
Expand Up @@ -25,6 +25,9 @@ def install_check(standalone, replica_config, options):
global external_cert_file
global external_ca_file

if replica_config is not None and not replica_config.setup_ca:
return

realm_name = options.realm_name
host_name = options.host_name
subject_base = options.subject
Expand Down Expand Up @@ -143,6 +146,7 @@ def install_step_0(standalone, replica_config, options):
master_host = None
master_replication_port = None
ra_p12 = None
ra_only = False
promote = False
else:
cafile = os.path.join(replica_config.dir, 'cacert.p12')
Expand All @@ -167,12 +171,11 @@ def install_step_0(standalone, replica_config, options):
master_host = replica_config.ca_host_name
master_replication_port = replica_config.ca_ds_port
ra_p12 = os.path.join(replica_config.dir, 'ra.p12')
ra_only = not replica_config.setup_ca
promote = options.promote

ca = cainstance.CAInstance(realm_name, certs.NSS_DIR,
host_name=host_name)
if standalone or replica_config is not None:
ca.create_ra_agent_db = False
ca.configure_instance(host_name, dm_password, dm_password,
subject_base=subject_base,
ca_signing_algorithm=ca_signing_algorithm,
Expand All @@ -184,10 +187,14 @@ def install_step_0(standalone, replica_config, options):
master_host=master_host,
master_replication_port=master_replication_port,
ra_p12=ra_p12,
ra_only=ra_only,
promote=promote)


def install_step_1(standalone, replica_config, options):
if replica_config is not None and not replica_config.setup_ca:
return

realm_name = options.realm_name
dm_password = options.dm_password
host_name = options.host_name
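Review bot: `install_check` now returns immediately when `replica_config.setup_ca` is false, yet `install_step_0` still drives `ca.configure_instance(..., ra_only=True)` on that same path, so whatever the remainder of `install_check` validates (its body continues outside the hunk) is skipped for the RA-only replica; in particular the non-promote branch sets `ra_p12` to `ra.p12` under `replica_config.dir` with no visible check that the file exists, so a missing file would surface only mid-install. Either validate the RA-only prerequisites before the early return, or comment the return with why no validation is needed there. The line `ra_only = not replica_config.setup_ca` would also read better with a short why-comment such as `# setup_ca is False: configure only the RA agent certificate, not a CA instance`. The same early-return shape is repeated in `install_step_1`, and `install_step_0` runs past the end of the hunk.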
132 changes: 71 additions & 61 deletions ipaserver/install/cainstance.py
Expand Up @@ -60,13 +60,16 @@
from ipapython.secrets.kem import IPAKEMKeys

from ipaserver.install import certs
from ipaserver.install import custodiainstance
from ipaserver.install import dsinstance
from ipaserver.install import installutils
from ipaserver.install import ldapupdate
from ipaserver.install import replication
from ipaserver.install import sysupgrade
# pylint: disable=unused-import
from ipaserver.install.dogtaginstance import (export_kra_agent_pem,
DogtagInstance)
# pylint: enable=unused-import
from ipaserver.plugins import ldap2

# We need to reset the template because the CA uses the regular boot
Expand Down Expand Up @@ -309,7 +312,6 @@ def __init__(self, realm=None, ra_db=None, host_name=None):
self.csr_file = None
self.cert_file = None
self.cert_chain_file = None
self.create_ra_agent_db = True

if realm is not None:
self.canickname = get_ca_nickname(realm)
Expand All @@ -330,7 +332,8 @@ def configure_instance(self, host_name, dm_password, admin_password,
cert_file=None, cert_chain_file=None,
master_replication_port=None,
subject_base=None, ca_signing_algorithm=None,
ca_type=None, ra_p12=None, promote=False):
ca_type=None, ra_p12=None, ra_only=False,
promote=False):
"""Create a CA instance.
To create a clone, pass in pkcs12_info.
Expand Down Expand Up @@ -374,62 +377,72 @@ def configure_instance(self, host_name, dm_password, admin_password,
self.cert_chain_file = cert_chain_file
self.external = 2

self.step("creating certificate server user", create_ca_user)
if promote:
# Setup Database
self.step("creating certificate server db", self.__create_ds_db)
self.step("setting up initial replication", self.__setup_replication)
self.step("creating installation admin user", self.setup_admin)
self.step("configuring certificate server instance",
self.__spawn_instance)
self.step("stopping certificate server instance to update CS.cfg", self.stop_instance)
self.step("backing up CS.cfg", self.backup_config)
self.step("disabling nonces", self.__disable_nonce)
self.step("set up CRL publishing", self.__enable_crl_publish)
self.step("enable PKIX certificate path discovery and validation", self.enable_pkix)
if promote:
self.step("destroying installation admin user", self.teardown_admin)
self.step("starting certificate server instance", self.start_instance)
if self.clone:
cert_db = certs.CertDB(self.realm)
has_ra_cert = (cert_db.get_cert_from_db('ipaCert') != '')
else:
has_ra_cert = False

if not ra_only:
self.step("creating certificate server user", create_ca_user)
if promote:
# Setup Database
self.step("creating certificate server db", self.__create_ds_db)
self.step("setting up initial replication", self.__setup_replication)
self.step("creating installation admin user", self.setup_admin)
self.step("configuring certificate server instance",
self.__spawn_instance)
self.step("stopping certificate server instance to update CS.cfg", self.stop_instance)
self.step("backing up CS.cfg", self.backup_config)
self.step("disabling nonces", self.__disable_nonce)
self.step("set up CRL publishing", self.__enable_crl_publish)
self.step("enable PKIX certificate path discovery and validation", self.enable_pkix)
if promote:
self.step("destroying installation admin user", self.teardown_admin)
self.step("starting certificate server instance", self.start_instance)
# Step 1 of external is getting a CSR so we don't need to do these
# steps until we get a cert back from the external CA.
if self.external != 1:
self.step("importing CA chain to RA certificate database", self.__import_ca_chain)
self.step("setting up signing cert profile", self.__setup_sign_profile)
self.step("setting audit signing renewal to 2 years", self.set_audit_renewal)
self.step("configure certmonger for renewals",
self.configure_certmonger_renewal)
if not self.clone:
if not has_ra_cert:
self.step("configure certmonger for renewals",
self.configure_certmonger_renewal)
if not self.clone:
self.step("requesting RA certificate from CA", self.__request_ra_certificate)
elif promote:
self.step("Importing RA key", self.__import_ra_key)
else:
self.step("importing RA certificate from PKCS #12 file",
lambda: self.import_ra_cert(ra_p12))
if not ra_only:
self.step("importing CA chain to RA certificate database", self.__import_ca_chain)
self.step("setting up signing cert profile", self.__setup_sign_profile)
self.step("setting audit signing renewal to 2 years", self.set_audit_renewal)
self.step("restarting certificate server", self.restart_instance)
self.step("requesting RA certificate from CA", self.__request_ra_certificate)
self.step("exporting RA agent certificate",
lambda: export_kra_agent_pem())
self.step("adding RA agent as a trusted user", self.__create_ca_agent)
elif not promote and ra_p12 is not None:
self.step("importing RA certificate from PKCS #12 file",
lambda: self.import_ra_cert(ra_p12, configure_renewal=False))
self.step("authorizing RA to modify profiles", configure_profiles_acl)
self.step("authorizing RA to manage lightweight CAs",
configure_lightweight_ca_acls)
self.step("Ensure lightweight CAs container exists",
ensure_lightweight_cas_container)
self.step("configure certificate renewals", self.configure_renewal)
self.step("configure Server-Cert certificate renewal", self.track_servercert)
self.step("Configure HTTP to proxy connections",
self.http_proxy)
self.step("restarting certificate server", self.restart_instance)
if not promote:
self.step("migrating certificate profiles to LDAP",
migrate_profiles_to_ldap)
self.step("importing IPA certificate profiles",
import_included_profiles)
self.step("adding default CA ACL", ensure_default_caacl)
self.step("adding 'ipa' CA entry", ensure_ipa_authority_entry)
self.step("updating IPA configuration", update_ipa_conf)

self.step("enabling CA instance", self.__enable_instance)

self.step("configuring certmonger renewal for lightweight CAs",
self.__add_lightweight_ca_tracking_requests)
if not self.clone:
self.step("adding RA agent as a trusted user", self.__create_ca_agent)
self.step("authorizing RA to modify profiles", configure_profiles_acl)
self.step("authorizing RA to manage lightweight CAs",
configure_lightweight_ca_acls)
self.step("Ensure lightweight CAs container exists",
ensure_lightweight_cas_container)
self.step("configure certificate renewals", self.configure_renewal)
self.step("configure Server-Cert certificate renewal", self.track_servercert)
self.step("Configure HTTP to proxy connections",
self.http_proxy)
self.step("restarting certificate server", self.restart_instance)
if not promote:
self.step("migrating certificate profiles to LDAP",
migrate_profiles_to_ldap)
self.step("importing IPA certificate profiles",
import_included_profiles)
self.step("adding default CA ACL", ensure_default_caacl)
self.step("adding 'ipa' CA entry", ensure_ipa_authority_entry)
self.step("updating IPA configuration", update_ipa_conf)

self.step("enabling CA instance", self.__enable_instance)

self.step("configuring certmonger renewal for lightweight CAs",
self.__add_lightweight_ca_tracking_requests)

self.start_creation(runtime=210)

Expand Down Expand Up @@ -485,9 +498,6 @@ def __spawn_instance(self):
config.set("CA", "pki_ds_base_dn", self.basedn)
config.set("CA", "pki_ds_database", "ipaca")

if not self.create_ra_agent_db and not self.clone:
self._use_ldaps_during_spawn(config)

# Certificate subject DN's
config.set("CA", "pki_subsystem_subject_dn",
str(DN(('cn', 'CA Subsystem'), self.subject_base)))
Expand Down Expand Up @@ -642,10 +652,10 @@ def import_ra_cert(self, rafile, configure_renewal=True):
finally:
os.remove(agent_name)

if configure_renewal:
self.configure_agent_renewal()

export_kra_agent_pem()
def __import_ra_key(self):
custodia = custodiainstance.CustodiaInstance(host_name=self.fqdn,
realm=self.realm)
custodia.import_ra_key(self.master_host)

def __create_ca_agent(self):
"""
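Review bot: On the fresh non-clone path, `__request_ra_certificate` is now scheduled inside the `if not has_ra_cert:` block, i.e. before `__import_ca_chain`, `__setup_sign_profile` and the `restart_instance` step that previously ran ahead of it; if the request depends on the CA chain being present in the RA database or on the CS.cfg changes having taken effect (its body is outside this hunk), the old order should be restored or the independence stated in a comment. The `export_kra_agent_pem()` step that followed the request and the call at the end of `import_ra_cert` are both gone while the import is now marked `unused-import`, so unless the export moved into one of those helpers outside the hunk the KRA agent PEM is no longer written. The `__spawn_instance` hunk also drops the `_use_ldaps_during_spawn(config)` call for the standalone non-clone case, which the commit description does not mention; if that helper switched pkispawn's directory-server connection to TLS, removing it changes how the DM credentials travel during spawn and deserves an explicit justification. The new `ra_only` keyword is absent from the `configure_instance` docstring; add `ra_only: only set up the RA agent certificate, skipping creation and configuration of the CA instance itself`. In the `import_ra_cert` hunk, the `configure_renewal` parameter still present in the signature shown in the hunk header is no longer read by anything visible and looks like a dead parameter.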
9 changes: 3 additions & 6 deletions ipaserver/install/custodiainstance.py
Expand Up @@ -22,15 +22,14 @@


class CustodiaInstance(SimpleServiceInstance):
def __init__(self, host_name=None, realm=None, ca_is_configured=True):
def __init__(self, host_name=None, realm=None):
super(CustodiaInstance, self).__init__("ipa-custodia")
self.config_file = paths.IPA_CUSTODIA_CONF
self.server_keys = os.path.join(paths.IPA_CUSTODIA_CONF_DIR,
'server.keys')
self.ldap_uri = None
self.fqdn = host_name
self.realm = realm
self.ca_is_configured = ca_is_configured
self.__CustodiaClient = functools.partial(
CustodiaClient,
client_service='host@%s' % self.fqdn,
Expand Down Expand Up @@ -86,8 +85,6 @@ def create_replica(self, master_host_name):

self.step("Generating ipa-custodia config file", self.__config_file)
self.step("Generating ipa-custodia keys", self.__gen_keys)
if self.ca_is_configured:
self.step("Importing RA Key", self.__import_ra_key)
super(CustodiaInstance, self).create_instance(gensvc_name='KEYS',
fqdn=self.fqdn,
ldap_suffix=suffix,
Expand All @@ -105,8 +102,8 @@ def __create_container(self):
updater = ldapupdate.LDAPUpdate(sub_dict=sub_dict)
updater.update([os.path.join(paths.UPDATES_DIR, '73-custodia.update')])

def __import_ra_key(self):
cli = self.__CustodiaClient(server=self.master_host_name)
def import_ra_key(self, master_host_name):
cli = self.__CustodiaClient(server=master_host_name)
cli.fetch_key('ra/ipaCert')

def import_dm_password(self, master_host_name):
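Review bot: `import_ra_key` is now part of the public surface of `CustodiaInstance` but carries no docstring; add `"""Fetch the RA agent key ('ra/ipaCert') from the Custodia service on *master_host_name*."""` so callers know which key it pulls and from where. Dropping the `ca_is_configured` keyword from `__init__` is an interface change: any caller still passing it would fail at construction (callers are outside this section, so this is inferred) and the commit description does not mention it. The `__import_ra_key` step removed from `create_replica` is now expected to be driven from the CA install; a one-line note at the removal site such as `# RA key import is driven by cainstance.CAInstance.configure_instance` would keep that dependency discoverable. `create_replica` starts and ends outside the hunk.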
2 changes: 2 additions & 0 deletions ipaserver/install/httpinstance.py
Expand Up @@ -354,6 +354,8 @@ def __setup_ssl(self):

# We only handle one server cert
nickname = server_certs[0][0]
if nickname == 'ipaCert':
nickname = server_certs[1][0]
self.dercert = db.get_cert_from_db(nickname, pem=False)

if self.ca_is_configured:
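Review bot: The new fallback `nickname = server_certs[1][0]` indexes a second entry without checking that one exists, so a database whose only candidate is `ipaCert` raises IndexError here instead of a clear error, and if `ipaCert` were not at index 0 it would not be excluded at all. Filtering once and checking the result is safer: `candidates = [c[0] for c in server_certs if c[0] != 'ipaCert']`, then fail with a descriptive error when `candidates` is empty and otherwise take `candidates[0]`. The comment `# We only handle one server cert` above the change no longer describes the logic and should say that the RA agent certificate `ipaCert` is excluded from the selection. `__setup_ssl` starts and ends outside the hunk, and how `server_certs` is built is not visible, so the tuple shape is assumed from the existing `[0][0]` indexing.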

