freeipa · tiran · Aug 30, 2018 · Aug 30, 2018 · Aug 30, 2018 · Aug 30, 2018
diff --git a/freeipa.spec.in b/freeipa.spec.in
@@ -1435,6 +1435,7 @@ fi
 # END
 %{_usr}/share/ipa/wsgi.py*
 %{_usr}/share/ipa/kdcproxy.wsgi
+%{_usr}/share/ipa/ipaca*.ini
 %{_usr}/share/ipa/*.ldif
 %{_usr}/share/ipa/*.uldif
 %{_usr}/share/ipa/*.template

diff --git a/install/share/Makefile.am b/install/share/Makefile.am
@@ -95,6 +95,9 @@ dist_app_DATA =				\
 	ipa-kdc-proxy.conf.template	\
 	ipa-pki-proxy.conf.template	\
 	ipa-rewrite.conf.template	\
+	ipaca_default.ini		\
+	ipaca_customize.ini		\
+	ipaca_softhsm2.ini		\
 	$(NULL)
 
 kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy

diff --git a/install/share/ipaca_customize.ini b/install/share/ipaca_customize.ini
@@ -0,0 +1,122 @@
+#
+# Dogtag PKI configuration file
+#
+# Notes:
+#  - "%" must be quoted as "%%".
+#  - options in the [CA] and [KRA] section cannot be overriden from options
+#    in the [DEFAULT] section
+#  - pki_*_token options are hard-coded to pki_token_name
+#  - pki_sslserver_token is hard-coded to 'internal'
+#  - pki_backup_keys is automatically disabled when HSM support is enabled,
+#    as HSM backup is not possible with the default mechanism.
+#
+# Predefined variables
+#  - ipa_ca_subject
+#  - ipa_fqdn
+#  - ipa_subject_base
+#  - pki_admin_password
+#  - pki_dns_domainname
+#  - softhsm2_so
+
+
+[DEFAULT]
+# default algorithms for all certificates
+ipa_key_algorithm=SHA256withRSA
+ipa_key_size=2048
+ipa_key_type=rsa
+ipa_signing_algorithm=SHA256withRSA
+
+# Used for IPA CA
+# signing algorithm can be overriden on command line
+ipa_ca_signing_algorithm=%(ipa_key_algorithm)s
+ipa_ca_key_size=%(ipa_key_size)s
+ipa_ca_key_type=%(ipa_key_type)s
+
+# HSM support
+pki_hsm_enable=False
+pki_hsm_libfile=
+pki_hsm_modulename=
+pki_token_name=internal
+# backup is automatically disabled when HSM support is enabled
+pki_backup_keys=True
+pki_backup_password=%(pki_admin_password)s
+
+pki_admin_email=root@localhost
+
+## auditSigningCert cert-pki-ca / auditSigningCert cert-pki-kra
+pki_audit_signing_key_algorithm=%(ipa_key_algorithm)s
+pki_audit_signing_key_size=%(ipa_key_size)s
+pki_audit_signing_key_type=%(ipa_key_type)s
+pki_audit_signing_signing_algorithm=%(ipa_signing_algorithm)s
+pki_audit_signing_token=%(pki_token_name)s
+
+# Configures the status request timeout, i.e. the connect/data
+# timeout on the HTTP request to get the status of Dogtag.
+#
+# This configuration is needed in "multiple IP address" scenarios
+# where this server's hostname has multiple IP addresses but the
+# HTTP server is only listening on one of them.  Without a timeout,
+# if a "wrong" IP address is tried first, it will take a long time
+# to timeout, exceeding the overall timeout hence the request will
+# not be re-tried.  Setting a shorter timeout allows the request
+# to be re-tried.
+#
+# Note that HSMs cause different behaviour so this value might
+# not be suitable for when we implement HSM support.  It is
+# known that a value of 5s is too short in HSM environment.
+#
+pki_status_request_timeout=15
+
+# for supporting server cert SAN injection
+pki_san_inject=False
+pki_san_for_server_cert=
+
+## Server-Cert cert-pki-ca
+pki_sslserver_key_algorithm=%(ipa_key_algorithm)s
+pki_sslserver_key_size=%(ipa_key_size)s
+pki_sslserver_key_type=%(ipa_key_type)s
+
+## subsystemCert cert-pki-ca
+pki_subsystem_key_algorithm=%(ipa_key_algorithm)s
+pki_subsystem_key_size=%(ipa_key_size)s
+pki_subsystem_key_type=%(ipa_key_type)s
+pki_subsystem_token=%(pki_token_name)s
+
+[CA]
+pki_random_serial_numbers_enable=False
+
+## caSigningCert cert-pki-ca
+pki_ca_signing_key_algorithm=%(ipa_ca_signing_algorithm)s
+pki_ca_signing_key_size=%(ipa_ca_key_size)s
+pki_ca_signing_key_type=%(ipa_ca_key_type)s
+pki_ca_signing_signing_algorithm=%(ipa_ca_signing_algorithm)s
+pki_ca_signing_token=%(pki_token_name)s
+
+# MS subca request ext data
+pki_req_ext_oid=1.3.6.1.4.1.311.20.2
+pki_req_ext_critical=False
+pki_req_ext_data=1E0A00530075006200430041
+
+## ocspSigningCert cert-pki-ca
+pki_ocsp_signing_key_algorithm=%(ipa_key_algorithm)s
+pki_ocsp_signing_key_size=%(ipa_key_size)s
+pki_ocsp_signing_key_type=%(ipa_key_type)s
+pki_ocsp_signing_signing_algorithm=%(ipa_signing_algorithm)s
+pki_ocsp_signing_token=%(pki_token_name)s
+
+[KRA]
+pki_kra_ephemeral_requests=True
+
+## storageCert cert-pki-kra
+pki_storage_key_algorithm=%(ipa_key_algorithm)s
+pki_storage_key_size=%(ipa_key_size)s
+pki_storage_key_type=%(ipa_key_type)s
+pki_storage_signing_algorithm=%(ipa_signing_algorithm)s
+pki_storage_token=%(pki_token_name)s
+
+## transportCert cert-pki-kra
+pki_transport_key_algorithm=%(ipa_key_algorithm)s
+pki_transport_key_size=%(ipa_key_size)s
+pki_transport_key_type=%(ipa_key_type)s
+pki_transport_signing_algorithm=%(ipa_signing_algorithm)s
+pki_transport_token=%(pki_token_name)s
diff --git a/install/share/ipaca_default.ini b/install/share/ipaca_default.ini
@@ -0,0 +1,169 @@
+#
+# Dogtag PKI configuration file
+#
+# The ipaca_default.ini contains hard-coded defaults that cannot be modified
+# by a user without breaking FreeIPA internals.
+#
+# Note: "%" must be quoted as "%%".
+#
+
+[DEFAULT]
+ipa_ca_pem_file=/etc/ipa/ca.crt
+
+## dynamic values
+# ipa_ca_subject=
+# ipa_subject_base=
+# ipa_fqdn=
+# ipa_ocsp_uri=
+# ipa_admin_cert_p12=
+# ipa_admin_user=
+
+# sensitive dynamic values
+# pki_admin_password=
+# pki_ds_password=
+
+# Dogtag defaults
+pki_instance_name=pki-tomcat
+pki_configuration_path=/etc/pki
+pki_instance_configuration_path=%(pki_configuration_path)s/%(pki_instance_name)s
+
+pki_admin_cert_file=%(pki_client_dir)s/ca_admin.cert
+pki_admin_cert_request_type=pkcs10
+pki_admin_dualkey=False
+pki_admin_name=%(ipa_admin_user)s
+pki_admin_nickname=ipa-ca-agent
+pki_admin_subject_dn=cn=ipa-ca-agent,%(ipa_subject_base)s
+pki_admin_uid=%(ipa_admin_user)s
+
+pki_ca_hostname=%(pki_security_domain_hostname)s
+pki_ca_port=%(pki_security_domain_https_port)s
+
+# nickname and subject are hard-coded
+pki_ca_signing_nickname=caSigningCert cert-pki-ca
+pki_ca_signing_cert_path=%(pki_instance_configuration_path)s/external_ca.cert
+
+pki_client_admin_cert_p12=%(ipa_admin_cert_p12)s
+pki_client_database_password=
+pki_client_database_purge=True
+pki_client_dir=%(home_dir)s/.dogtag/%(pki_instance_name)s
+pki_client_pkcs12_password=%(pki_admin_password)s
+pki_ds_bind_dn=cn=Directory Manager
+pki_ds_ldap_port=389
+pki_ds_ldaps_port=636
+# CA: o=ipaca, KRA: o=kra,o=ipaca
+pki_ds_base_dn=o=ipaca
+pki_ds_database=ipaca
+pki_ds_hostname=%(ipa_fqdn)s
+pki_ds_remove_data=True
+pki_ds_secure_connection=False
+pki_ds_secure_connection_ca_nickname=Directory Server CA certificate
+pki_ds_secure_connection_ca_pem_file=%(ipa_ca_pem_file)s
+
+pki_issuing_ca_hostname=%(pki_security_domain_hostname)s
+pki_issuing_ca_https_port=%(pki_security_domain_https_port)s
+pki_issuing_ca_uri=https://%(ipa_fqdn)s:443
+pki_issuing_ca=%(pki_issuing_ca_uri)s
+pki_replication_password=
+
+pki_enable_proxy=True
+pki_restart_configured_instance=False
+pki_security_domain_hostname=%(ipa_fqdn)s
+pki_security_domain_https_port=443
+pki_security_domain_name=IPA
+pki_security_domain_password=%(pki_admin_password)s
+pki_security_domain_user=%(ipa_admin_user)s
+pki_self_signed_token=internal
+
+pki_skip_configuration=False
+pki_skip_ds_verify=False
+pki_skip_installation=False
+pki_skip_sd_verify=False
+
+pki_sslserver_token=internal
+pki_ssl_server_token=%(pki_sslserver_token)s
+pki_sslserver_nickname=Server-Cert cert-pki-ca
+pki_sslserver_subject_dn=cn=%(ipa_fqdn)s,%(ipa_subject_base)s
+
+# nickname and subject are hard-coded
+pki_subsystem_nickname=subsystemCert cert-pki-ca
+pki_subsystem_subject_dn=cn=CA Subsystem,%(ipa_subject_base)s
+
+pki_theme_enable=True
+pki_theme_server_dir=/usr/share/pki/common-ui
+pki_audit_group=pkiaudit
+pki_group=pkiuser
+pki_user=pkiuser
+pki_existing=False
+
+pki_cert_chain_path=%(pki_instance_configuration_path)s/external_ca_chain.cert
+pki_cert_chain_nickname=caSigningCert External CA
+
+pki_pkcs12_path=
+pki_pkcs12_password=
+
+
+[CA]
+pki_ds_base_dn=o=ipaca
+
+pki_ca_signing_record_create=True
+pki_ca_signing_serial_number=1
+pki_ca_signing_subject_dn=%(ipa_ca_subject)s
+
+pki_ca_signing_csr_path=/root/ipa.csr
+
+pki_ca_starting_crl_number=0
+
+pki_external=False
+pki_external_step_two=False
+pki_req_ext_add=False
+
+pki_external_pkcs12_path=%(pki_pkcs12_path)s
+pki_external_pkcs12_password=%(pki_pkcs12_password)s
+pki_import_admin_cert=False
+
+pki_ocsp_signing_nickname=ocspSigningCert cert-pki-ca
+pki_ocsp_signing_subject_dn=cn=OCSP Subsystem,%(ipa_subject_base)s
+
+pki_profiles_in_ldap=True
+pki_subordinate=False
+pki_subordinate_create_new_security_domain=False
+
+pki_audit_signing_nickname=auditSigningCert cert-pki-ca
+pki_audit_signing_subject_dn=cn=CA Audit,%(ipa_subject_base)s
+
+pki_share_db=False
+pki_master_crl_enable=True
+
+pki_default_ocsp_uri=%(ipa_ocsp_uri)s
+
+pki_serial_number_range_start=1
+pki_serial_number_range_end=10000000
+pki_request_number_range_start=1
+pki_request_number_range_end=10000000
+pki_replica_number_range_start=1
+pki_replica_number_range_end=100
+
+
+[KRA]
+pki_ds_base_dn=o=kra,o=ipaca
+pki_ds_create_new_db=False
+pki_ds_secure_connection=True
+
+pki_import_admin_cert=True
+pki_standalone=False
+
+pki_external_step_two=False
+
+pki_storage_nickname=storageCert cert-pki-kra
+pki_storage_subject_dn=cn=KRA Storage Certificate,%(ipa_subject_base)s
+
+pki_transport_nickname=transportCert cert-pki-kra
+pki_transport_subject_dn=cn=KRA Transport Certificate,%(ipa_subject_base)s
+
+pki_audit_signing_nickname=auditSigningCert cert-pki-kra
+pki_audit_signing_subject_dn=cn=KRA Audit,%(ipa_subject_base)s
+
+# Needed because CA and KRA share the same database
+# We will use the dbuser created for the CA.
+pki_share_db=True
+pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=ipaca
diff --git a/install/share/ipaca_softhsm2.ini b/install/share/ipaca_softhsm2.ini
@@ -0,0 +1,9 @@
+#
+# Example config for softhsm2
+#
+
+[DEFAULT]
+pki_hsm_enable=True
+pki_hsm_libfile=%(softhsm2_so)s
+pki_hsm_modulename=softhsm2
+pki_token_name=softhsm_token
diff --git a/install/tools/ipa-ca-install.in b/install/tools/ipa-ca-install.in
@@ -86,6 +86,7 @@ def parse_options():
                       type="choice", choices=ca_algos,
                       metavar="{{{0}}}".format(",".join(ca_algos)),
                       help="Signing algorithm of the IPA CA certificate")
+
     parser.add_option("-P", "--principal", dest="principal", sensitive=True,
                       default=None, help="User allowed to manage replicas")
     parser.add_option("--subject-base", dest="subject_base",
@@ -101,6 +102,10 @@ def parse_options():
                           "(default CN=Certificate Authority,O=<realm-name>). "
                           "RDNs are in LDAP order (most specific RDN first)."))
 
+    parser.add_option("--pki-config-override", dest="pki_config_override",
+                      default=None,
+                      help="Path to ini file with config overrides.")
+
     options, args = parser.parse_args()
     safe_options = parser.get_safe_opts(options)
 

diff --git a/install/tools/man/ipa-ca-install.1 b/install/tools/man/ipa-ca-install.1
@@ -73,6 +73,9 @@ The CA certificate subject DN (default CN=Certificate Authority,O=REALM.NAME).
 \fB\-\-subject\-base\fR=\fISUBJECT\fR
 The subject base for certificates issued by IPA (default O=REALM.NAME).  RDNs are in LDAP order (most specific RDN first).
 .TP
+\fB\-\-pki\-config\-override\fR=\fIFILE\fR
+File containing overrides for CA installation.
+.TP
 \fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR
 Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
 .TP

diff --git a/install/tools/man/ipa-kra-install.1 b/install/tools/man/ipa-kra-install.1
@@ -51,6 +51,9 @@ Output only errors
 .TP
 \fB\-\-log-file\fR=\fRFILE\fR
 Log to the given file
+.TP
+\fB\-\-pki\-config\-override\fR=\fIFILE\fR
+File containing overrides for KRA installation.
 .SH "EXIT STATUS"
 0 if the command was successful
 

diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1
@@ -140,6 +140,9 @@ Name of the Apache Server SSL certificate to install
 \fB\-\-pkinit\-cert\-name\fR=NAME
 Name of the Kerberos KDC SSL certificate to install
 .TP
+\fB\-\-pki\-config\-override\fR=\fIFILE\fR
+File containing overrides for CA and KRA installation.
+.TP
 \fB\-\-skip\-schema\-check\fR
 Skip check for updated CA DS schema on the remote master
 

diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
@@ -152,6 +152,9 @@ Name of the Kerberos KDC SSL certificate to install.
 \fB\-\-ca\-cert\-file\fR=\fIFILE\fR
 File containing the CA certificate of the CA which issued the Directory Server, Apache Server and Kerberos KDC certificates. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times. Use this option if the CA certificate is not present in the certificate files.
 .TP
+\fB\-\-pki\-config\-override\fR=\fIFILE\fR
+File containing overrides for CA and KRA installation.
+.TP
 \fB\-\-ca\-subject\fR=\fISUBJECT\fR
 The CA certificate subject DN (default CN=Certificate Authority,O=REALM.NAME). RDNs are in LDAP order (most specific RDN first).
 .TP