def enable_client_auth_to_db(self):
    """
    Enable client auth connection to the internal db.

    Rewrites CS.cfg (``self.config``) so that both the authz
    (DirAclAuthz) and the internaldb LDAP connections use the secure
    port 636 with ``secureConn`` on and authenticate with the subsystem
    certificate (``SslClientAuth``) instead of a bind password.  Once the
    certificate-based bind is configured the stored ``internaldb``
    password is dropped from password.conf.  pki-tomcat is stopped while
    the files are edited.
    """
    nickname = 'subsystemCert cert-pki-ca'
    # (directive, value) pairs, applied in order to CS.cfg.
    settings = (
        ('authz.instance.DirAclAuthz.ldap.ldapauth.authtype',
         'SslClientAuth'),
        ('authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname',
         nickname),
        ('authz.instance.DirAclAuthz.ldap.ldapconn.port', '636'),
        ('authz.instance.DirAclAuthz.ldap.ldapconn.secureConn', 'true'),
        ('internaldb.ldapauth.authtype', 'SslClientAuth'),
        ('internaldb.ldapauth.clientCertNickname', nickname),
        ('internaldb.ldapconn.port', '636'),
        ('internaldb.ldapconn.secureConn', 'true'),
    )
    with stopped_service('pki-tomcatd', 'pki-tomcat'):
        for directive, value in settings:
            directivesetter.set_directive(
                self.config, directive, value, quotes=False, separator='=')
        # The bind password is not needed anymore once the subsystem
        # authenticates with its certificate, so remove it from
        # password.conf (value None deletes the directive).
        directivesetter.set_directive(
            paths.PKI_TOMCAT_PASSWORD_CONF, 'internaldb', None, separator='=')
def enable_client_auth_to_db(self, config):
    """
    Enable client auth connection to the internal db.

    Path to CS.cfg config file passed in.

    Both the authz (DirAclAuthz) and the internaldb LDAP connections are
    switched to the secure DS port with ``secureConn`` on, bind as the
    ``pkidbuser`` entry and authenticate with the subsystem certificate
    (``SslClientAuth``).  The stored ``internaldb`` password is then
    removed from the Dogtag password file, since the certificate-based
    bind replaces it.  The Dogtag service is stopped while the files are
    edited.
    """
    nickname = 'subsystemCert cert-pki-ca'
    bind_dn = 'uid=pkidbuser,ou=people,o=ipaca'
    secure_port = str(dogtag.install_constants.DS_SECURE_PORT)
    # (directive, value) pairs, applied in order to CS.cfg.
    settings = (
        ('authz.instance.DirAclAuthz.ldap.ldapauth.authtype',
         'SslClientAuth'),
        ('authz.instance.DirAclAuthz.ldap.ldapauth.bindDN', bind_dn),
        ('authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname',
         nickname),
        ('authz.instance.DirAclAuthz.ldap.ldapconn.port', secure_port),
        ('authz.instance.DirAclAuthz.ldap.ldapconn.secureConn', 'true'),
        ('internaldb.ldapauth.authtype', 'SslClientAuth'),
        ('internaldb.ldapauth.bindDN', bind_dn),
        ('internaldb.ldapauth.clientCertNickname', nickname),
        ('internaldb.ldapconn.port', secure_port),
        ('internaldb.ldapconn.secureConn', 'true'),
    )
    with stopped_service(
            self.dogtag_constants.SERVICE_NAME,
            instance_name=self.dogtag_constants.PKI_INSTANCE_NAME):
        for directive, value in settings:
            installutils.set_directive(
                config, directive, value, quotes=False, separator='=')
        # Remove internaldb password as it is not needed anymore (value
        # None deletes the directive).
        # NOTE(review): unlike the CS.cfg calls above this one passes no
        # separator=; confirm set_directive's default separator matches
        # the format of the ``internaldb`` entry in the password file.
        installutils.set_directive(
            self.dogtag_constants.PASSWORD_CONF_PATH, 'internaldb', None)
def enable_ephemeral(self):
    """
    Enable ephemeral KRA requests to reduce the number of LDAP write
    operations.

    Sets ``kra.ephemeralRequests=true`` in CS.cfg (``self.config``) while
    pki-tomcat is stopped.
    """
    directive = 'kra.ephemeralRequests'
    value = 'true'
    with installutils.stopped_service('pki-tomcatd', 'pki-tomcat'):
        directivesetter.set_directive(
            self.config, directive, value, quotes=False, separator='=')
def enable_client_auth_to_db(self, config):
    """
    Enable client auth connection to the internal db.

    Path to CS.cfg config file passed in.

    Both the authz (DirAclAuthz) and the internaldb LDAP connections are
    switched to port 636 with ``secureConn`` on, bind as the ``pkidbuser``
    entry and authenticate with the subsystem certificate
    (``SslClientAuth``).  The stored ``internaldb`` password is then
    removed from password.conf, since the certificate-based bind replaces
    it.  pki-tomcat is stopped while the files are edited.
    """
    nickname = 'subsystemCert cert-pki-ca'
    bind_dn = 'uid=pkidbuser,ou=people,o=ipaca'
    # (directive, value) pairs, applied in order to CS.cfg.
    settings = (
        ('authz.instance.DirAclAuthz.ldap.ldapauth.authtype',
         'SslClientAuth'),
        ('authz.instance.DirAclAuthz.ldap.ldapauth.bindDN', bind_dn),
        ('authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname',
         nickname),
        ('authz.instance.DirAclAuthz.ldap.ldapconn.port', '636'),
        ('authz.instance.DirAclAuthz.ldap.ldapconn.secureConn', 'true'),
        ('internaldb.ldapauth.authtype', 'SslClientAuth'),
        ('internaldb.ldapauth.bindDN', bind_dn),
        ('internaldb.ldapauth.clientCertNickname', nickname),
        ('internaldb.ldapconn.port', '636'),
        ('internaldb.ldapconn.secureConn', 'true'),
    )
    with stopped_service('pki-tomcatd', 'pki-tomcat'):
        for directive, value in settings:
            installutils.set_directive(
                config, directive, value, quotes=False, separator='=')
        # Remove internaldb password as it is not needed anymore (value
        # None deletes the directive).
        # NOTE(review): unlike the CS.cfg calls above this one passes no
        # separator=; confirm set_directive's default separator matches
        # the format of the ``internaldb`` entry in password.conf.
        installutils.set_directive(
            paths.PKI_TOMCAT_PASSWORD_CONF, 'internaldb', None)
def enable_client_auth_to_db(self):
    """
    Enable client auth connection to the internal db.

    Rewrites CS.cfg (``self.config``) so that both the authz
    (DirAclAuthz) and the internaldb LDAP connections use port 636 with
    ``secureConn`` on and authenticate with the subsystem certificate
    (``SslClientAuth``).  When the subsystem certificate lives on a
    token other than the internal one, the nickname is prefixed with
    ``self.token_name``.  The stored ``internaldb`` password is then
    dropped from password.conf, since the certificate-based bind
    replaces it.  pki-tomcat is stopped while the files are edited.
    """
    base_nickname = "subsystemCert cert-pki-ca"
    # TODO: Dogtag 10.6.9 does not like "internal" prefix.
    nickname = (
        base_nickname if self.token_name == "internal"
        else '{}:{}'.format(self.token_name, base_nickname)
    )
    # (directive, value) pairs, applied in order to CS.cfg.
    settings = (
        ('authz.instance.DirAclAuthz.ldap.ldapauth.authtype',
         'SslClientAuth'),
        ('authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname',
         nickname),
        ('authz.instance.DirAclAuthz.ldap.ldapconn.port', '636'),
        ('authz.instance.DirAclAuthz.ldap.ldapconn.secureConn', 'true'),
        ('internaldb.ldapauth.authtype', 'SslClientAuth'),
        ('internaldb.ldapauth.clientCertNickname', nickname),
        ('internaldb.ldapconn.port', '636'),
        ('internaldb.ldapconn.secureConn', 'true'),
    )
    with stopped_service('pki-tomcatd', 'pki-tomcat'):
        for directive, value in settings:
            directivesetter.set_directive(
                self.config, directive, value, quotes=False, separator='=')
        # The bind password is not needed anymore once the subsystem
        # authenticates with its certificate, so remove it from
        # password.conf (value None deletes the directive).
        directivesetter.set_directive(
            paths.PKI_TOMCAT_PASSWORD_CONF, 'internaldb', None, separator='=')
def enable_client_auth_to_db(self):
    """
    Enable client auth connection to the internal db.

    Rewrites CS.cfg (``self.config``) so that both the authz
    (DirAclAuthz) and the internaldb LDAP connections use port 636 with
    ``secureConn`` on and authenticate with the subsystem certificate
    (``SslClientAuth``).  When the subsystem certificate lives on a
    token other than ``INTERNAL_TOKEN``, the nickname is prefixed with
    ``self.token_name``.  The stored ``internaldb`` password is then
    dropped from password.conf, since the certificate-based bind
    replaces it.  pki-tomcat is stopped while the files are edited.
    """
    base_nickname = "subsystemCert cert-pki-ca"
    # TODO: Dogtag 10.6.9 does not like "internal" prefix.
    nickname = (
        base_nickname if self.token_name == INTERNAL_TOKEN
        else '{}:{}'.format(self.token_name, base_nickname)
    )
    # (directive, value) pairs, applied in order to CS.cfg.
    settings = (
        ('authz.instance.DirAclAuthz.ldap.ldapauth.authtype',
         'SslClientAuth'),
        ('authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname',
         nickname),
        ('authz.instance.DirAclAuthz.ldap.ldapconn.port', '636'),
        ('authz.instance.DirAclAuthz.ldap.ldapconn.secureConn', 'true'),
        ('internaldb.ldapauth.authtype', 'SslClientAuth'),
        ('internaldb.ldapauth.clientCertNickname', nickname),
        ('internaldb.ldapconn.port', '636'),
        ('internaldb.ldapconn.secureConn', 'true'),
    )
    with stopped_service('pki-tomcatd', 'pki-tomcat'):
        for directive, value in settings:
            directivesetter.set_directive(
                self.config, directive, value, quotes=False, separator='=')
        # The bind password is not needed anymore once the subsystem
        # authenticates with its certificate, so remove it from
        # password.conf (value None deletes the directive).
        directivesetter.set_directive(
            paths.PKI_TOMCAT_PASSWORD_CONF, 'internaldb', None, separator='=')
def update_cert_cs_cfg(directive, cert, cs_cfg):
    """
    When renewing a Dogtag subsystem certificate the configuration file
    needs to get the new certificate as well.

    ``directive`` is the directive to update in CS.cfg
    ``cert`` is a DER-encoded certificate.
    ``cs_cfg`` is the path to the CS.cfg file

    The certificate is stored as its bare base64 encoding (no PEM
    headers) and pki-tomcat is stopped while CS.cfg is edited.
    """
    # NOTE(review): base64.b64encode returns bytes on Python 3; confirm
    # set_directive accepts a bytes value or decode to str before writing.
    encoded_cert = base64.b64encode(cert)
    with stopped_service('pki-tomcatd', 'pki-tomcat'):
        installutils.set_directive(
            cs_cfg, directive, encoded_cert, quotes=False, separator='=')
def update_cert_cs_cfg(directive, cert, cs_cfg):
    """
    When renewing a Dogtag subsystem certificate the configuration file
    needs to get the new certificate as well.

    ``directive`` is the directive to update in CS.cfg
    ``cert`` is a DER-encoded certificate.
    ``cs_cfg`` is the path to the CS.cfg file

    The certificate is stored as its bare base64 encoding (no PEM
    headers) and pki-tomcat is stopped while CS.cfg is edited.
    """
    # NOTE(review): base64.b64encode returns bytes on Python 3; confirm
    # set_directive accepts a bytes value or decode to str before writing.
    encoded_cert = base64.b64encode(cert)
    with stopped_service('pki-tomcatd', 'pki-tomcat'):
        installutils.set_directive(
            cs_cfg, directive, encoded_cert, quotes=False, separator='=')
def update_cert_cs_cfg(directive, cert, cs_cfg):
    """
    When renewing a Dogtag subsystem certificate the configuration file
    needs to get the new certificate as well.

    ``directive`` is the directive to update in CS.cfg
    ``cert`` is IPACertificate.
    ``cs_cfg`` is the path to the CS.cfg file

    The certificate is serialized to DER and stored as its bare base64
    encoding (no PEM headers); pki-tomcat is stopped while CS.cfg is
    edited.
    """
    # The cert must be only the base64 string without headers.
    # NOTE(review): base64.b64encode returns bytes on Python 3; confirm
    # set_directive accepts a bytes value or decode to str before writing.
    der = cert.public_bytes(x509.Encoding.DER)
    encoded_cert = base64.b64encode(der)
    with stopped_service('pki-tomcatd', 'pki-tomcat'):
        installutils.set_directive(
            cs_cfg, directive, encoded_cert, quotes=False, separator='=')
def update_cert_cs_cfg(nickname, cert, directives, cs_cfg):
    """
    When renewing a Dogtag subsystem certificate the configuration file
    needs to get the new certificate as well.

    ``nickname`` is one of the known nicknames.
    ``cert`` is a DER-encoded certificate.
    ``directives`` maps a nickname to the CS.cfg directive that holds the
    certificate for that subsystem (it is indexed by ``nickname``).
    ``cs_cfg`` is the path to the CS.cfg file

    The certificate is stored as its bare base64 encoding (no PEM
    headers) and pki-tomcat is stopped while CS.cfg is edited.
    """
    directive = directives[nickname]
    # NOTE(review): base64.b64encode returns bytes on Python 3; confirm
    # set_directive accepts a bytes value or decode to str before writing.
    encoded_cert = base64.b64encode(cert)
    with stopped_service('pki-tomcatd', 'pki-tomcat'):
        installutils.set_directive(
            cs_cfg, directive, encoded_cert, quotes=False, separator='=')
def enable_client_auth_to_db(self):
    """
    Enable client auth connection to the internal db.

    Rewrites CS.cfg (``self.config``) so that both the authz
    (DirAclAuthz) and the internaldb LDAP connections use the secure
    port 636 with ``secureConn`` on and authenticate with the subsystem
    certificate (``SslClientAuth``) instead of a bind password.  Once the
    certificate-based bind is configured the stored ``internaldb``
    password is dropped from password.conf.  pki-tomcat is stopped while
    the files are edited.
    """
    nickname = 'subsystemCert cert-pki-ca'
    # (directive, value) pairs, applied in order to CS.cfg.
    settings = (
        ('authz.instance.DirAclAuthz.ldap.ldapauth.authtype',
         'SslClientAuth'),
        ('authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname',
         nickname),
        ('authz.instance.DirAclAuthz.ldap.ldapconn.port', '636'),
        ('authz.instance.DirAclAuthz.ldap.ldapconn.secureConn', 'true'),
        ('internaldb.ldapauth.authtype', 'SslClientAuth'),
        ('internaldb.ldapauth.clientCertNickname', nickname),
        ('internaldb.ldapconn.port', '636'),
        ('internaldb.ldapconn.secureConn', 'true'),
    )
    with stopped_service('pki-tomcatd', 'pki-tomcat'):
        for directive, value in settings:
            directivesetter.set_directive(
                self.config, directive, value, quotes=False, separator='=')
        # The bind password is not needed anymore once the subsystem
        # authenticates with its certificate, so remove it from
        # password.conf (value None deletes the directive).
        directivesetter.set_directive(
            paths.PKI_TOMCAT_PASSWORD_CONF, 'internaldb', None, separator='=')
def update_cert_cs_cfg(nickname, cert, directives, cs_cfg,
                       dogtag_constants=None):
    """
    When renewing a Dogtag subsystem certificate the configuration file
    needs to get the new certificate as well.

    ``nickname`` is one of the known nicknames.
    ``cert`` is a DER-encoded certificate.
    ``directives`` maps a nickname to the CS.cfg directive that holds the
    certificate for that subsystem (it is indexed by ``nickname``).
    ``cs_cfg`` is the path to the CS.cfg file
    ``dogtag_constants`` supplies the service and instance names; when
    omitted, ``dogtag.configured_constants()`` is used.

    The certificate is stored as its bare base64 encoding (no PEM
    headers) and the Dogtag service is stopped while CS.cfg is edited.
    """
    constants = (dogtag.configured_constants()
                 if dogtag_constants is None else dogtag_constants)
    directive = directives[nickname]
    # NOTE(review): base64.b64encode returns bytes on Python 3; confirm
    # set_directive accepts a bytes value or decode to str before writing.
    encoded_cert = base64.b64encode(cert)
    with stopped_service(constants.SERVICE_NAME,
                         instance_name=constants.PKI_INSTANCE_NAME):
        installutils.set_directive(
            cs_cfg, directive, encoded_cert, quotes=False, separator='=')