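    def __setup_conf_files(self):
        """Render OpenDNSSEC's conf and kasp files from the IPA templates.

        Each target file is backed up through ``self.fstore`` once
        (``has_file`` prevents a rerun from overwriting the first backup),
        the SoftHSM user PIN is read from ``paths.DNSSEC_SOFTHSM_PIN`` and
        injected into the conf template, and ``paths.SYSCONFIG_ODS`` is
        pointed at the IPA SoftHSM2 configuration.

        Side effects: writes ``paths.OPENDNSSEC_CONF_FILE``,
        ``paths.OPENDNSSEC_KASP_FILE`` and ``paths.SYSCONFIG_ODS``;
        adds the ``PIN`` key to ``self.conf_file_dict`` in place.
        """
        for conf in (paths.OPENDNSSEC_CONF_FILE, paths.OPENDNSSEC_KASP_FILE):
            if not self.fstore.has_file(conf):
                self.fstore.backup_file(conf)

        # The PIN is a secret; read it and release the descriptor at once
        # so it is not left open if templating below fails.
        with open(paths.DNSSEC_SOFTHSM_PIN, "r") as pin_fd:
            pin = pin_fd.read()

        # add pin to template -- note this mutates self.conf_file_dict
        sub_conf_dict = self.conf_file_dict
        sub_conf_dict["PIN"] = pin

        # The rendered conf file carries the PIN in clear text; its on-disk
        # permissions are whatever the umask gives (not adjusted here).
        ods_conf_txt = ipautil.template_file(
            ipautil.SHARE_DIR + "opendnssec_conf.template", sub_conf_dict)
        # mode 'w' already truncates, so no explicit seek/truncate is needed;
        # the context manager closes the file even if write() raises
        with open(paths.OPENDNSSEC_CONF_FILE, "w") as ods_conf_fd:
            ods_conf_fd.write(ods_conf_txt)

        ods_kasp_txt = ipautil.template_file(
            ipautil.SHARE_DIR + "opendnssec_kasp.template",
            self.kasp_file_dict)
        with open(paths.OPENDNSSEC_KASP_FILE, "w") as ods_kasp_fd:
            ods_kasp_fd.write(ods_kasp_txt)

        if not self.fstore.has_file(paths.SYSCONFIG_ODS):
            self.fstore.backup_file(paths.SYSCONFIG_ODS)

        # sysconfig files are shell-style KEY=VALUE, hence unquoted and '='
        installutils.set_directive(
            paths.SYSCONFIG_ODS, "SOFTHSM2_CONF", paths.DNSSEC_SOFTHSM2_CONF,
            quotes=False, separator="="
        )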
 def __setup_dnskeysyncd(self):
     """Flag this server as the DNSSEC master for ipa-dnskeysyncd.

     Writes ``ISMASTER=1`` (unquoted, ``=`` separated, i.e. sysconfig
     style) into ``paths.SYSCONFIG_IPA_DNSKEYSYNCD``.
     """
     sysconfig_style = dict(quotes=False, separator='=')
     installutils.set_directive(paths.SYSCONFIG_IPA_DNSKEYSYNCD,
                                'ISMASTER', '1', **sysconfig_style)
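    def uninstall(self):
        """Unconfigure the OpenDNSSEC master role on this server.

        Returns immediately when nothing is configured.  Otherwise the
        enforcer and ``ipa-ods-exporter`` are stopped (best effort),
        ``ISMASTER`` is cleared from ipa-dnskeysyncd's sysconfig, a final
        ``ipa-full-update`` export is attempted and ``kasp.db`` is copied
        to ``paths.IPA_KASP_DB_BACKUP`` when the database exists, and the
        original configuration files are restored from ``self.fstore``.

        Failures of the individual steps are logged rather than raised so
        that a partially installed service can still be torn down.
        """
        if not self.is_configured():
            return

        self.print_msg("Unconfiguring %s" % self.service_name)

        # The returned values are not used here; the calls are kept because
        # restore_state() presumably consumes the persisted entries --
        # verify against the base class before dropping them.
        self.restore_state("running")
        self.restore_state("enabled")

        # stop DNSSEC services before backing up kasp.db; a stop failure is
        # deliberately non-fatal, but it should at least be visible in
        # the debug log instead of vanishing
        try:
            self.stop()
        except Exception as e:
            root_logger.debug("Unable to stop %s: %s", self.service_name, e)

        ods_exporter = services.service('ipa-ods-exporter')
        try:
            ods_exporter.stop()
        except Exception as e:
            root_logger.debug("Unable to stop ipa-ods-exporter: %s", e)

        # remove directive from ipa-dnskeysyncd, this server is not DNSSEC
        # master anymore
        installutils.set_directive(paths.SYSCONFIG_IPA_DNSKEYSYNCD,
                                   'ISMASTER', None,
                                   quotes=False, separator='=')

        if ipautil.file_exists(paths.OPENDNSSEC_KASP_DB):
            # force to export data; run as the enforcer's own user rather
            # than root so the exporter only has the daemon's privileges
            ods_enforcerd = services.knownservices.ods_enforcerd
            cmd = [paths.IPA_ODS_EXPORTER, 'ipa-full-update']
            try:
                ipautil.run(cmd, runas=ods_enforcerd.get_user_name())
            except CalledProcessError:
                root_logger.debug("OpenDNSSEC database has not been updated")

            # keep a copy of the database before its config is rolled back
            try:
                shutil.copy(paths.OPENDNSSEC_KASP_DB,
                            paths.IPA_KASP_DB_BACKUP)
            except (IOError, OSError) as e:
                # shutil.copy raises OSError as well as IOError (e.g. from
                # the copymode step), and a failed backup must not abort
                # the uninstall
                root_logger.error(
                    "Unable to backup OpenDNSSEC database: %s", e)
            else:
                root_logger.info("OpenDNSSEC database backed up in %s",
                                 paths.IPA_KASP_DB_BACKUP)

        for f in (paths.OPENDNSSEC_CONF_FILE, paths.OPENDNSSEC_KASP_FILE,
                  paths.OPENDNSSEC_KASP_DB, paths.SYSCONFIG_ODS):
            try:
                self.fstore.restore_file(f)
            except ValueError as error:
                # presumably "no backup for this file"; expected for files
                # the installer never touched, so debug level only
                root_logger.debug(error)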
 def change_mod_nss_port_from_http(self):
     """Undo the historical "move mod_nss off port 443" workaround.

     mod_ssl used to force SSLEngine on for the vhost on 443 even when the
     listener was mod_nss, which crashed httpd because the mod_nss port
     did not satisfy mod_ssl; the old fix moved mod_nss to the http port.
     mod_nss now ships with SSLEngine off when mod_ssl is installed, so if
     the upgrade state records that the port was changed, put
     ``Listen 443`` back into nss.conf and clear the flag.
     """
     state_section, state_key = 'nss.conf', 'listen_port_updated'
     if not sysupgrade.get_upgrade_state(state_section, state_key):
         return
     installutils.set_directive(paths.HTTPD_NSS_CONF, 'Listen', '443',
                                quotes=False)
     sysupgrade.set_upgrade_state(state_section, state_key, False)
 def change_mod_nss_port_from_http(self):
     """Undo the historical "move mod_nss off port 443" workaround.

     mod_ssl used to force SSLEngine on for the vhost on 443 even when the
     listener was mod_nss, which crashed httpd because the mod_nss port
     did not satisfy mod_ssl; the old fix moved mod_nss to the http port.
     mod_nss now ships with SSLEngine off when mod_ssl is installed, so if
     the upgrade state records that the port was changed, put
     ``Listen 443`` back into nss.conf and clear the flag.
     """
     state_section, state_key = 'nss.conf', 'listen_port_updated'
     if not sysupgrade.get_upgrade_state(state_section, state_key):
         return
     installutils.set_directive(paths.HTTPD_NSS_CONF, 'Listen', '443',
                                quotes=False)
     sysupgrade.set_upgrade_state(state_section, state_key, False)
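    def __setup_conf_files(self):
        """Render OpenDNSSEC's conf and kasp files from the IPA templates.

        Each target file is backed up through ``self.fstore`` once
        (``has_file`` prevents a rerun from overwriting the first backup),
        the SoftHSM user PIN is read from ``paths.DNSSEC_SOFTHSM_PIN`` and
        injected into the conf template, and ``paths.SYSCONFIG_ODS`` is
        pointed at the IPA SoftHSM2 configuration.

        Side effects: writes ``paths.OPENDNSSEC_CONF_FILE``,
        ``paths.OPENDNSSEC_KASP_FILE`` and ``paths.SYSCONFIG_ODS``;
        adds the ``PIN`` key to ``self.conf_file_dict`` in place.
        """
        for conf in (paths.OPENDNSSEC_CONF_FILE, paths.OPENDNSSEC_KASP_FILE):
            if not self.fstore.has_file(conf):
                self.fstore.backup_file(conf)

        # The PIN is a secret; read it and release the descriptor at once
        # so it is not left open if templating below fails.
        with open(paths.DNSSEC_SOFTHSM_PIN, "r") as pin_fd:
            pin = pin_fd.read()

        # add pin to template -- note this mutates self.conf_file_dict
        sub_conf_dict = self.conf_file_dict
        sub_conf_dict['PIN'] = pin

        # The rendered conf file carries the PIN in clear text; its on-disk
        # permissions are whatever the umask gives (not adjusted here).
        ods_conf_txt = ipautil.template_file(
            ipautil.SHARE_DIR + "opendnssec_conf.template", sub_conf_dict)
        # mode 'w' already truncates, so no explicit seek/truncate is needed;
        # the context manager closes the file even if write() raises
        with open(paths.OPENDNSSEC_CONF_FILE, 'w') as ods_conf_fd:
            ods_conf_fd.write(ods_conf_txt)

        ods_kasp_txt = ipautil.template_file(
            ipautil.SHARE_DIR + "opendnssec_kasp.template",
            self.kasp_file_dict)
        with open(paths.OPENDNSSEC_KASP_FILE, 'w') as ods_kasp_fd:
            ods_kasp_fd.write(ods_kasp_txt)

        if not self.fstore.has_file(paths.SYSCONFIG_ODS):
            self.fstore.backup_file(paths.SYSCONFIG_ODS)

        # sysconfig files are shell-style KEY=VALUE, hence unquoted and '='
        installutils.set_directive(paths.SYSCONFIG_ODS,
                                   'SOFTHSM2_CONF',
                                   paths.DNSSEC_SOFTHSM2_CONF,
                                   quotes=False,
                                   separator='=')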
 def enable_mod_nss_renegotiate(self):
     """Enable (safe) TLS renegotiation in mod_nss.

     Sets ``NSSRenegotiation on`` and ``NSSRequireSafeNegotiation on`` in
     ``paths.HTTPD_NSS_CONF``, in that order.  The trailing ``False`` is
     the positional ``quotes`` flag of ``set_directive`` (the value is
     written unquoted).
     """
     for directive in ('NSSRenegotiation', 'NSSRequireSafeNegotiation'):
         installutils.set_directive(paths.HTTPD_NSS_CONF, directive, 'on',
                                    False)
 def set_mod_nss_protocol(self):
     """Pin the TLS versions mod_nss is allowed to negotiate.

     Writes ``NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2`` (unquoted) to
     ``paths.HTTPD_NSS_CONF``.  NOTE(review): TLS 1.0 and 1.1 are
     deprecated (RFC 8996); the list is reproduced unchanged here because
     the client population this server must support is not known from
     this code.
     """
     protocols = ('TLSv1.0', 'TLSv1.1', 'TLSv1.2')
     installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSProtocol',
                                ','.join(protocols), False)
 def __set_mod_nss_nickname(self, nickname):
     """Set the certificate nickname mod_nss serves.

     Writes ``NSSNickname <nickname>`` to ``paths.HTTPD_NSS_CONF`` using
     ``set_directive``'s default quoting and separator.
     """
     nss_conf = paths.HTTPD_NSS_CONF
     installutils.set_directive(nss_conf, 'NSSNickname', nickname)
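    def __setup_softhsm(self):
        """Create the SoftHSM2 configuration and token used for DNSSEC keys.

        Steps: create ``paths.IPA_DNSSEC_DIR`` (ods:named), write
        ``paths.DNSSEC_SOFTHSM2_CONF``, point named and ipa-dnskeysyncd at
        it, and -- unless a token directory with both PIN files already
        exists -- recreate the token directory, generate a user PIN and an
        SO PIN, store them with restrictive permissions and initialise the
        token with ``softhsm2-util``.

        Requires ``self.ods_uid`` and ``self.named_gid`` to be resolved
        beforehand.  Sets ``os.environ["SOFTHSM2_CONF"]`` for the rest of
        the process.  The PIN values are handed to ``ipautil.run`` with
        ``nolog`` so they are kept out of the IPA log.
        """
        assert self.ods_uid is not None
        assert self.named_gid is not None

        def write_secret(path, text, mode):
            # Create or truncate the file with the restrictive mode already
            # applied: open(path, 'w') followed by chmod leaves a window in
            # which a freshly created PIN file has umask-default
            # permissions (commonly world-readable).
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
            with os.fdopen(fd, 'w') as f:
                f.write(text)
            # the mode given to os.open is masked by the umask and ignored
            # for a pre-existing file, so enforce the final mode explicitly
            os.chmod(path, mode)

        token_dir_exists = os.path.exists(paths.DNSSEC_TOKENS_DIR)

        # create dnssec directory (mkdir's mode is subject to the umask)
        if not os.path.exists(paths.IPA_DNSSEC_DIR):
            self.logger.debug("Creating %s directory", paths.IPA_DNSSEC_DIR)
            os.mkdir(paths.IPA_DNSSEC_DIR, 0o770)
            # chown ods:named
            os.chown(paths.IPA_DNSSEC_DIR, self.ods_uid, self.named_gid)

        # setup softhsm2 config file (not secret; default permissions)
        softhsm_conf_txt = ("# SoftHSM v2 configuration file \n"
                            "# File generated by IPA instalation\n"
                            "directories.tokendir = %(tokens_dir)s\n"
                            "objectstore.backend = file") % {
                               'tokens_dir': paths.DNSSEC_TOKENS_DIR
                            }
        self.logger.debug("Creating new softhsm config file")
        with open(paths.DNSSEC_SOFTHSM2_CONF, 'w') as conf_fd:
            conf_fd.write(softhsm_conf_txt)

        # setting up named to use softhsm2
        if not self.fstore.has_file(paths.SYSCONFIG_NAMED):
            self.fstore.backup_file(paths.SYSCONFIG_NAMED)

        # setting up named and ipa-dnskeysyncd to use our softhsm2 config
        for sysconfig in (paths.SYSCONFIG_NAMED,
                          paths.SYSCONFIG_IPA_DNSKEYSYNCD):
            installutils.set_directive(sysconfig, 'SOFTHSM2_CONF',
                                       paths.DNSSEC_SOFTHSM2_CONF,
                                       quotes=False, separator='=')

        if (token_dir_exists and os.path.exists(paths.DNSSEC_SOFTHSM_PIN) and
                os.path.exists(paths.DNSSEC_SOFTHSM_PIN_SO)):
            # there is an initialized softhsm: keep it, since the rmtree
            # below would discard whatever the token directory holds
            return

        # remove old tokens
        if token_dir_exists:
            self.logger.debug('Removing old tokens directory %s',
                              paths.DNSSEC_TOKENS_DIR)
            shutil.rmtree(paths.DNSSEC_TOKENS_DIR)

        # create tokens subdirectory
        self.logger.debug('Creating tokens %s directory',
                          paths.DNSSEC_TOKENS_DIR)
        os.mkdir(paths.DNSSEC_TOKENS_DIR)
        # group rwx plus the setgid bit (S_ISGID -- not the sticky bit):
        # entries created inside inherit the directory's group, which the
        # daemons running as ods and named rely on
        os.chmod(paths.DNSSEC_TOKENS_DIR, 0o770 | stat.S_ISGID)
        # chown to ods:named
        os.chown(paths.DNSSEC_TOKENS_DIR, self.ods_uid, self.named_gid)

        # generate PINs for softhsm; '0' is absent from the alphabet
        # (presumably to avoid confusion with 'O')
        allowed_chars = u'123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
        pin_length = 30  # Bind allows max 32 bytes including ending '\0'
        pin = ipautil.ipa_generate_password(allowed_chars, pin_length)
        pin_so = ipautil.ipa_generate_password(allowed_chars, pin_length)

        # user PIN: shared with the ods and named daemons via the group
        self.logger.debug("Saving user PIN to %s", paths.DNSSEC_SOFTHSM_PIN)
        write_secret(paths.DNSSEC_SOFTHSM_PIN, pin, 0o770)
        # chown to ods:named
        os.chown(paths.DNSSEC_SOFTHSM_PIN, self.ods_uid, self.named_gid)

        # SO PIN: owner (root) read-only
        self.logger.debug("Saving SO PIN to %s", paths.DNSSEC_SOFTHSM_PIN_SO)
        write_secret(paths.DNSSEC_SOFTHSM_PIN_SO, pin_so, 0o400)

        # initialize SoftHSM
        command = [
            paths.SOFTHSM2_UTIL,
            '--init-token',
            '--slot', str(softhsm_slot),
            '--label', softhsm_token_label,
            '--pin', pin,
            '--so-pin', pin_so,
        ]
        self.logger.debug("Initializing tokens")
        # softhsm2-util locates its config through this variable; the
        # setting stays in effect for anything this process runs later
        os.environ["SOFTHSM2_CONF"] = paths.DNSSEC_SOFTHSM2_CONF
        # the PINs travel on the command line (visible in the process
        # table for the duration of the call); nolog keeps them out of
        # the IPA log at least
        ipautil.run(command, nolog=(pin, pin_so,))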
 def __set_mod_nss_nickname(self, nickname):
     """Set the certificate nickname mod_nss serves.

     Writes ``NSSNickname <nickname>`` to ``NSS_CONF`` using
     ``set_directive``'s default quoting and separator.
     """
     directive, value = 'NSSNickname', nickname
     installutils.set_directive(NSS_CONF, directive, value)
 def __setup_key_exporter(self):
     """Point ipa-ods-exporter at the IPA SoftHSM2 configuration.

     Writes ``SOFTHSM2_CONF=<paths.DNSSEC_SOFTHSM2_CONF>`` (unquoted,
     sysconfig style) into the exporter's sysconfig file.  The constant
     is referenced with the spelling the project uses
     (``SYSOCNFIG_IPA_ODS_EXPORTER``); renaming it belongs in ``paths``,
     not here.
     """
     sysconfig_style = dict(quotes=False, separator='=')
     installutils.set_directive(paths.SYSOCNFIG_IPA_ODS_EXPORTER,
                                'SOFTHSM2_CONF',
                                paths.DNSSEC_SOFTHSM2_CONF,
                                **sysconfig_style)
 def set_mod_nss_protocol(self):
     """Pin the TLS versions mod_nss is allowed to negotiate.

     Writes ``NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2`` (unquoted) to
     ``NSS_CONF``.  NOTE(review): TLS 1.0 and 1.1 are deprecated
     (RFC 8996); the list is reproduced unchanged here because the client
     population this server must support is not known from this code.
     """
     protocols = ('TLSv1.0', 'TLSv1.1', 'TLSv1.2')
     installutils.set_directive(NSS_CONF, 'NSSProtocol',
                                ','.join(protocols), False)
 def __set_mod_nss_passwordfile(self):
     """Tell mod_nss where to read the NSS database password from.

     Sets ``NSSPassPhraseDialog`` in ``paths.HTTPD_NSS_CONF`` to a
     ``file:`` URL under httpd's conf directory (presumably so httpd can
     start unattended).  The referenced file holds a secret, so its
     permissions matter; they are not set here.
     """
     passphrase_source = 'file:/etc/httpd/conf/password.conf'
     installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSPassPhraseDialog',
                                passphrase_source)
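    def __setup_softhsm(self):
        """Create the SoftHSM2 configuration and token used for DNSSEC keys.

        Steps: create ``paths.IPA_DNSSEC_DIR`` (ods:named), write
        ``paths.DNSSEC_SOFTHSM2_CONF``, point named and ipa-dnskeysyncd at
        it, and -- unless a token directory with both PIN files already
        exists -- recreate the token directory, generate a user PIN and an
        SO PIN, store them with restrictive permissions and initialise the
        token with ``softhsm2-util``.

        Requires ``self.ods_uid`` and ``self.named_gid`` to be resolved
        beforehand.  Sets ``os.environ["SOFTHSM2_CONF"]`` for the rest of
        the process.  The PIN values are handed to ``ipautil.run`` with
        ``nolog`` so they are kept out of the IPA log.  Octal modes use
        the ``0o`` form, which Python 2.6+ and 3 both accept.
        """
        assert self.ods_uid is not None
        assert self.named_gid is not None

        def write_secret(path, text, mode):
            # Create or truncate the file with the restrictive mode already
            # applied: open(path, 'w') followed by chmod leaves a window in
            # which a freshly created PIN file has umask-default
            # permissions (commonly world-readable).
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
            with os.fdopen(fd, 'w') as f:
                f.write(text)
            # the mode given to os.open is masked by the umask and ignored
            # for a pre-existing file, so enforce the final mode explicitly
            os.chmod(path, mode)

        token_dir_exists = os.path.exists(paths.DNSSEC_TOKENS_DIR)

        # create dnssec directory (mkdir's mode is subject to the umask)
        if not os.path.exists(paths.IPA_DNSSEC_DIR):
            self.logger.debug("Creating %s directory", paths.IPA_DNSSEC_DIR)
            os.mkdir(paths.IPA_DNSSEC_DIR, 0o770)
            # chown ods:named
            os.chown(paths.IPA_DNSSEC_DIR, self.ods_uid, self.named_gid)

        # setup softhsm2 config file (not secret; default permissions)
        softhsm_conf_txt = ("# SoftHSM v2 configuration file \n"
                            "# File generated by IPA instalation\n"
                            "directories.tokendir = %(tokens_dir)s\n"
                            "objectstore.backend = file") % {
                                'tokens_dir': paths.DNSSEC_TOKENS_DIR
                            }
        self.logger.debug("Creating new softhsm config file")
        with open(paths.DNSSEC_SOFTHSM2_CONF, 'w') as conf_fd:
            conf_fd.write(softhsm_conf_txt)

        # setting up named to use softhsm2
        if not self.fstore.has_file(paths.SYSCONFIG_NAMED):
            self.fstore.backup_file(paths.SYSCONFIG_NAMED)

        # setting up named and ipa-dnskeysyncd to use our softhsm2 config
        for sysconfig in (paths.SYSCONFIG_NAMED,
                          paths.SYSCONFIG_IPA_DNSKEYSYNCD):
            installutils.set_directive(sysconfig,
                                       'SOFTHSM2_CONF',
                                       paths.DNSSEC_SOFTHSM2_CONF,
                                       quotes=False,
                                       separator='=')

        if (token_dir_exists and os.path.exists(paths.DNSSEC_SOFTHSM_PIN)
                and os.path.exists(paths.DNSSEC_SOFTHSM_PIN_SO)):
            # there is an initialized softhsm: keep it, since the rmtree
            # below would discard whatever the token directory holds
            return

        # remove old tokens
        if token_dir_exists:
            self.logger.debug('Removing old tokens directory %s',
                              paths.DNSSEC_TOKENS_DIR)
            shutil.rmtree(paths.DNSSEC_TOKENS_DIR)

        # create tokens subdirectory
        self.logger.debug('Creating tokens %s directory',
                          paths.DNSSEC_TOKENS_DIR)
        os.mkdir(paths.DNSSEC_TOKENS_DIR)
        # group rwx plus the setgid bit (S_ISGID -- not the sticky bit):
        # entries created inside inherit the directory's group, which the
        # daemons running as ods and named rely on
        os.chmod(paths.DNSSEC_TOKENS_DIR, 0o770 | stat.S_ISGID)
        # chown to ods:named
        os.chown(paths.DNSSEC_TOKENS_DIR, self.ods_uid, self.named_gid)

        # generate PINs for softhsm; '0' is absent from the alphabet
        # (presumably to avoid confusion with 'O')
        allowed_chars = u'123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
        pin_length = 30  # Bind allows max 32 bytes including ending '\0'
        pin = ipautil.ipa_generate_password(allowed_chars, pin_length)
        pin_so = ipautil.ipa_generate_password(allowed_chars, pin_length)

        # user PIN: shared with the ods and named daemons via the group
        self.logger.debug("Saving user PIN to %s", paths.DNSSEC_SOFTHSM_PIN)
        write_secret(paths.DNSSEC_SOFTHSM_PIN, pin, 0o770)
        # chown to ods:named
        os.chown(paths.DNSSEC_SOFTHSM_PIN, self.ods_uid, self.named_gid)

        # SO PIN: owner (root) read-only
        self.logger.debug("Saving SO PIN to %s", paths.DNSSEC_SOFTHSM_PIN_SO)
        write_secret(paths.DNSSEC_SOFTHSM_PIN_SO, pin_so, 0o400)

        # initialize SoftHSM
        command = [
            paths.SOFTHSM2_UTIL,
            '--init-token',
            '--slot',
            str(softhsm_slot),
            '--label',
            softhsm_token_label,
            '--pin',
            pin,
            '--so-pin',
            pin_so,
        ]
        self.logger.debug("Initializing tokens")
        # softhsm2-util locates its config through this variable; the
        # setting stays in effect for anything this process runs later
        os.environ["SOFTHSM2_CONF"] = paths.DNSSEC_SOFTHSM2_CONF
        # the PINs travel on the command line (visible in the process
        # table for the duration of the call); nolog keeps them out of
        # the IPA log at least
        ipautil.run(command, nolog=(
            pin,
            pin_so,
        ))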
 def __set_mod_nss_passwordfile(self):
     """Tell mod_nss where to read the NSS database password from.

     Sets ``NSSPassPhraseDialog`` in ``NSS_CONF`` to a ``file:`` URL under
     httpd's conf directory (presumably so httpd can start unattended).
     The referenced file holds a secret, so its permissions matter; they
     are not set here.
     """
     passphrase_source = 'file:/etc/httpd/conf/password.conf'
     installutils.set_directive(NSS_CONF, 'NSSPassPhraseDialog',
                                passphrase_source)
 def enable_mod_nss_renegotiate(self):
     """Enable (safe) TLS renegotiation in mod_nss.

     Sets ``NSSRenegotiation on`` and ``NSSRequireSafeNegotiation on`` in
     ``NSS_CONF``, in that order.  The trailing ``False`` is the
     positional ``quotes`` flag of ``set_directive`` (the value is written
     unquoted).
     """
     for directive in ('NSSRenegotiation', 'NSSRequireSafeNegotiation'):
         installutils.set_directive(NSS_CONF, directive, 'on', False)
 def __setup_dnskeysyncd(self):
     """Flag this server as the DNSSEC master for ipa-dnskeysyncd.

     Writes ``ISMASTER=1`` (unquoted, ``=`` separated, i.e. sysconfig
     style) into ``paths.SYSCONFIG_IPA_DNSKEYSYNCD``.
     """
     sysconfig_style = dict(quotes=False, separator='=')
     installutils.set_directive(paths.SYSCONFIG_IPA_DNSKEYSYNCD,
                                'ISMASTER', '1', **sysconfig_style)
 def __setup_key_exporter(self):
     """Point ipa-ods-exporter at the IPA SoftHSM2 configuration.

     Writes ``SOFTHSM2_CONF=<paths.DNSSEC_SOFTHSM2_CONF>`` (unquoted,
     sysconfig style) into the exporter's sysconfig file.  The constant
     is referenced with the spelling the project uses
     (``SYSOCNFIG_IPA_ODS_EXPORTER``); renaming it belongs in ``paths``,
     not here.
     """
     sysconfig_style = dict(quotes=False, separator='=')
     installutils.set_directive(paths.SYSOCNFIG_IPA_ODS_EXPORTER,
                                'SOFTHSM2_CONF',
                                paths.DNSSEC_SOFTHSM2_CONF,
                                **sysconfig_style)