    def install_http_cert(self):
        """Import the HTTP server certificate into the mod_nss database.

        Reads the current ``NSSNickname`` (stored single-quoted) from the
        mod_nss config, hands it to ``self.import_cert`` with the configured
        PIN, writes the nickname of the imported cert back single-quoted, and
        finally sets every existing NSS database file (DBM and SQL formats)
        to root:<httpd group> 0640 so httpd can read the key database
        without it being world-readable.
        """
        nss_dir = paths.HTTPD_ALIAS_DIR
        nss_conf = paths.HTTPD_NSS_CONF

        # The directive is stored single-quoted; strip the quotes before use.
        current_nick = installutils.unquote_directive_value(
            installutils.get_directive(nss_conf, 'NSSNickname'),
            quote_char="'")

        new_nick = self.import_cert(nss_dir, self.options.pin, current_nick,
                                    'HTTP/%s' % api.env.host, 'restart_httpd')

        # Quote here and tell set_directive not to add its own quotes.
        installutils.set_directive(
            nss_conf, 'NSSNickname',
            installutils.quote_directive_value(new_nick, quote_char="'"),
            quotes=False)

        # Fix the database permissions: owner root, group httpd, mode 0640.
        # Missing files are skipped (both DB formats are listed).
        httpd_gid = pwd.getpwnam(constants.HTTPD_USER).pw_gid
        for db_name in NSS_DBM_FILES + NSS_SQL_FILES:
            db_path = os.path.join(nss_dir, db_name)
            if not os.path.isfile(db_path):
                continue
            os.chmod(db_path, 0o640)
            os.chown(db_path, 0, httpd_gid)
 def __set_mod_nss_nickname(self, nickname):
     """Write ``nickname`` as the mod_nss ``NSSNickname`` directive.

     The value is wrapped in single quotes here and ``quotes=False`` is
     passed so set_directive does not add a second layer of quoting.
     """
     quoted = installutils.quote_directive_value(nickname, quote_char="'")
     installutils.set_directive(
         paths.HTTPD_NSS_CONF, 'NSSNickname', quoted, quotes=False)
    def install_http_cert(self):
        """Import the HTTP server certificate into the mod_nss database.

        The existing ``NSSNickname`` value is read (single-quoted in the
        file), passed to ``self.import_cert`` with the configured PIN, and
        the returned nickname is written back, again single-quoted. The
        DBM-format database files are then set to root:<httpd group> 0640
        so httpd can read the key database without it being world-readable.
        """
        nss_dir = paths.HTTPD_ALIAS_DIR
        nss_conf = paths.HTTPD_NSS_CONF

        current_nick = installutils.unquote_directive_value(
            installutils.get_directive(nss_conf, 'NSSNickname'),
            quote_char="'")

        new_nick = self.import_cert(nss_dir, self.options.pin, current_nick,
                                    'HTTP/%s' % api.env.host, 'restart_httpd')

        installutils.set_directive(
            nss_conf, 'NSSNickname',
            installutils.quote_directive_value(new_nick, quote_char="'"),
            quotes=False)

        # Fix the database permissions. Only the DBM files are handled and
        # they are expected to exist (chmod/chown raise otherwise).
        db_paths = [os.path.join(nss_dir, name)
                    for name in ('cert8.db', 'key3.db', 'secmod.db')]
        for db_path in db_paths:
            os.chmod(db_path, 0o640)

        httpd_gid = pwd.getpwnam(constants.HTTPD_USER).pw_gid
        for db_path in db_paths:
            os.chown(db_path, 0, httpd_gid)
 def __setup_dnskeysyncd(self):
     """Mark this server as the DNSSEC master for ipa-dnskeysyncd.

     Writes ``ISMASTER=1`` (unquoted, ``=`` separator) into the daemon's
     sysconfig file.
     """
     sysconfig = paths.SYSCONFIG_IPA_DNSKEYSYNCD
     installutils.set_directive(
         sysconfig, 'ISMASTER', '1', quotes=False, separator='=')
    def __restore_config(self):
        """Put the saved ``nsslapd-port`` / ``nsslapd-security`` values back.

        Both values are taken from the state store via ``restore_state``
        and written to ``self.filename`` unquoted with ``:`` as separator.
        """
        saved = {
            'nsslapd-port': self.restore_state('nsslapd-port'),
            'nsslapd-security': self.restore_state('nsslapd-security'),
        }
        for attr in ('nsslapd-port', 'nsslapd-security'):
            installutils.set_directive(self.filename, attr, saved[attr],
                                       quotes=False, separator=':')
 def enable_ephemeral(self):
     """
     Enable ephemeral KRA requests to reduce the number of LDAP
     write operations.

     Sets ``kra.ephemeralRequests=true`` in ``self.config`` while the
     pki-tomcat instance is held stopped by ``stopped_service``.
     """
     directive = 'kra.ephemeralRequests'
     with installutils.stopped_service('pki-tomcatd', 'pki-tomcat'):
         installutils.set_directive(self.config, directive, 'true',
                                    quotes=False, separator='=')
 def enable_ephemeral(self):
     """
     Enable ephemeral KRA requests to reduce the number of LDAP
     write operations.

     Sets ``kra.ephemeralRequests=true`` in ``self.config`` while the
     pki-tomcat instance is held stopped by ``stopped_service``.
     """
     directive, value = 'kra.ephemeralRequests', 'true'
     with installutils.stopped_service('pki-tomcatd', 'pki-tomcat'):
         installutils.set_directive(self.config, directive, value,
                                    quotes=False, separator='=')
 def change_mod_nss_port_from_http(self):
     """Undo the old "listen on the HTTP port" workaround for mod_nss.

     Background: mod_ssl used to force SSLEngine on for the vhost on 443
     even though the listener was mod_nss, which crashed httpd because the
     mod_nss port did not satisfy mod_ssl. The workaround was to move the
     listener to the http port. mod_nss now ships a default configuration
     that sets SSLEngine off when mod_ssl is installed, so if the upgrade
     state records that the port was changed it is set back to 443 and the
     state flag is cleared.
     """
     state_module, state_key = 'nss.conf', 'listen_port_updated'
     if not sysupgrade.get_upgrade_state(state_module, state_key):
         return
     installutils.set_directive(paths.HTTPD_NSS_CONF, 'Listen', '443',
                                quotes=False)
     sysupgrade.set_upgrade_state(state_module, state_key, False)
 def change_mod_nss_port_from_http(self):
     """Undo the old "listen on the HTTP port" workaround for mod_nss.

     Background: mod_ssl used to force SSLEngine on for the vhost on 443
     even though the listener was mod_nss, which crashed httpd because the
     mod_nss port did not satisfy mod_ssl. The workaround was to move the
     listener to the http port. mod_nss now ships a default configuration
     that sets SSLEngine off when mod_ssl is installed, so if the upgrade
     state records that the port was changed it is set back to 443 and the
     state flag is cleared.
     """
     state_module, state_key = 'nss.conf', 'listen_port_updated'
     if not sysupgrade.get_upgrade_state(state_module, state_key):
         return
     installutils.set_directive(paths.HTTPD_NSS_CONF, 'Listen', '443',
                                quotes=False)
     sysupgrade.set_upgrade_state(state_module, state_key, False)
    def __restore_config(self):
        """Put the saved ``nsslapd-port`` / ``nsslapd-security`` values back.

        Both values are taken from the state store via ``restore_state``
        and written to ``self.filename`` unquoted with ``:`` as separator.
        """
        port_value = self.restore_state('nsslapd-port')
        security_value = self.restore_state('nsslapd-security')

        for attr, value in (('nsslapd-port', port_value),
                            ('nsslapd-security', security_value)):
            installutils.set_directive(self.filename, attr, value,
                                       quotes=False, separator=':')
    def update_cert_cs_cfg(directive, cert, cs_cfg):
        """
        When renewing a Dogtag subsystem certificate the configuration file
        needs to get the new certificate as well.

        ``directive`` is the directive to update in CS.cfg
        cert is a DER-encoded certificate.
        cs_cfg is the path to the CS.cfg file

        The value written is the bare base64 of ``cert`` (no PEM headers),
        unquoted, with ``=`` as separator, while pki-tomcat is stopped.
        NOTE(review): base64.b64encode returns bytes; this relies on
        set_directive accepting a bytes value -- confirm it does not end up
        writing the ``b'...'`` repr.
        """
        with stopped_service('pki-tomcatd', 'pki-tomcat'):
            encoded = base64.b64encode(cert)
            installutils.set_directive(cs_cfg, directive, encoded,
                                       quotes=False, separator='=')
    def update_cert_cs_cfg(directive, cert, cs_cfg):
        """
        When renewing a Dogtag subsystem certificate the configuration file
        needs to get the new certificate as well.

        ``directive`` is the directive to update in CS.cfg
        cert is a DER-encoded certificate.
        cs_cfg is the path to the CS.cfg file

        The value written is the bare base64 of ``cert`` (no PEM headers),
        unquoted, with ``=`` as separator, while pki-tomcat is stopped.
        NOTE(review): base64.b64encode returns bytes; this relies on
        set_directive accepting a bytes value -- confirm it does not end up
        writing the ``b'...'`` repr.
        """
        with stopped_service('pki-tomcatd', 'pki-tomcat'):
            encoded = base64.b64encode(cert)
            installutils.set_directive(cs_cfg, directive, encoded,
                                       quotes=False, separator='=')
    def update_cert_cs_cfg(directive, cert, cs_cfg):
        """
        When renewing a Dogtag subsystem certificate the configuration file
        needs to get the new certificate as well.

        ``directive`` is the directive to update in CS.cfg
        cert is IPACertificate.
        cs_cfg is the path to the CS.cfg file

        The certificate is serialised to DER and base64-encoded; only that
        bare base64 string (no PEM headers) is written, unquoted, with ``=``
        as separator, while pki-tomcat is stopped.
        NOTE(review): base64.b64encode returns bytes; this relies on
        set_directive accepting a bytes value -- confirm it does not end up
        writing the ``b'...'`` repr.
        """
        with stopped_service('pki-tomcatd', 'pki-tomcat'):
            der = cert.public_bytes(x509.Encoding.DER)
            installutils.set_directive(cs_cfg, directive,
                                       base64.b64encode(der),
                                       quotes=False, separator='=')
    def update_cert_cs_cfg(nickname, cert, directives, cs_cfg):
        """
        When renewing a Dogtag subsystem certificate the configuration file
        needs to get the new certificate as well.

        nickname is one of the known nicknames.
        cert is a DER-encoded certificate.
        directives is the list of directives to be updated for the subsystem
        cs_cfg is the path to the CS.cfg file

        ``directives[nickname]`` selects the CS.cfg key; a nickname missing
        from ``directives`` raises from that lookup. The value written is
        the bare base64 of ``cert``, unquoted, ``=`` separated, while
        pki-tomcat is stopped.
        NOTE(review): base64.b64encode returns bytes; this relies on
        set_directive accepting a bytes value.
        """
        with stopped_service('pki-tomcatd', 'pki-tomcat'):
            target = directives[nickname]
            installutils.set_directive(cs_cfg, target,
                                       base64.b64encode(cert),
                                       quotes=False, separator='=')
    def update_cert_cs_cfg(directive, cert, cs_cfg):
        """
        When renewing a Dogtag subsystem certificate the configuration file
        needs to get the new certificate as well.

        ``directive`` is the directive to update in CS.cfg
        cert is IPACertificate.
        cs_cfg is the path to the CS.cfg file

        The certificate is serialised to DER and base64-encoded; only that
        bare base64 string (no PEM headers) is written, unquoted, with ``=``
        as separator, while pki-tomcat is stopped.
        NOTE(review): base64.b64encode returns bytes; this relies on
        set_directive accepting a bytes value -- confirm it does not end up
        writing the ``b'...'`` repr.
        """
        with stopped_service('pki-tomcatd', 'pki-tomcat'):
            der = cert.public_bytes(x509.Encoding.DER)
            installutils.set_directive(cs_cfg, directive,
                                       base64.b64encode(der),
                                       quotes=False, separator='=')
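    def __setup_conf_files(self):
        """Render the OpenDNSSEC conf/kasp files and point ods at SoftHSM.

        Backs up conf.xml, kasp.xml, the zonelist and the ods sysconfig
        file into ``self.fstore`` (once each), reads the SoftHSM user PIN
        from ``paths.DNSSEC_SOFTHSM_PIN``, substitutes it (as ``PIN``) into
        the opendnssec_conf template, renders the kasp template, and sets
        ``SOFTHSM2_CONF`` in the ods sysconfig file.

        Side effects: ``self.conf_file_dict['PIN']`` is set on the instance
        (the template dict is not copied), and the SoftHSM PIN ends up in
        plaintext in ``paths.OPENDNSSEC_CONF_FILE``.

        Raises: ``IOError``/``OSError`` if the PIN file cannot be read or a
        configuration file cannot be written.
        """
        for conf_path in (paths.OPENDNSSEC_CONF_FILE,
                          paths.OPENDNSSEC_KASP_FILE,
                          paths.OPENDNSSEC_ZONELIST_FILE):
            if not self.fstore.has_file(conf_path):
                self.fstore.backup_file(conf_path)

        # Context managers so the handles are closed even if a read/write
        # or the template rendering raises.
        with open(paths.DNSSEC_SOFTHSM_PIN, "r") as pin_fd:
            pin = pin_fd.read()

        # add pin to template (mutates self.conf_file_dict in place rather
        # than a copy)
        sub_conf_dict = self.conf_file_dict
        sub_conf_dict['PIN'] = pin

        ods_conf_txt = ipautil.template_file(
            os.path.join(paths.USR_SHARE_IPA_DIR, "opendnssec_conf.template"),
            sub_conf_dict)
        # NOTE(review): conf.xml now holds the SoftHSM PIN; its mode is
        # whatever open() + umask gives (no chmod here) -- confirm it is not
        # world-readable on the target system.
        with open(paths.OPENDNSSEC_CONF_FILE, 'w') as ods_conf_fd:
            ods_conf_fd.write(ods_conf_txt)

        ods_kasp_txt = ipautil.template_file(
            os.path.join(paths.USR_SHARE_IPA_DIR, "opendnssec_kasp.template"),
            self.kasp_file_dict)
        with open(paths.OPENDNSSEC_KASP_FILE, 'w') as ods_kasp_fd:
            ods_kasp_fd.write(ods_kasp_txt)

        if not self.fstore.has_file(paths.SYSCONFIG_ODS):
            self.fstore.backup_file(paths.SYSCONFIG_ODS)

        installutils.set_directive(paths.SYSCONFIG_ODS,
                                   'SOFTHSM2_CONF',
                                   paths.DNSSEC_SOFTHSM2_CONF,
                                   quotes=False,
                                   separator='=')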
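    def __setup_conf_files(self):
        """Render the OpenDNSSEC conf/kasp files and point ods at SoftHSM.

        Backs up conf.xml, kasp.xml, the zonelist and the ods sysconfig
        file into ``self.fstore`` (once each), reads the SoftHSM user PIN
        from ``paths.DNSSEC_SOFTHSM_PIN``, substitutes it (as ``PIN``) into
        the opendnssec_conf template, renders the kasp template, and sets
        ``SOFTHSM2_CONF`` in the ods sysconfig file.

        Side effects: ``self.conf_file_dict['PIN']`` is set on the instance
        (the template dict is not copied), and the SoftHSM PIN ends up in
        plaintext in ``paths.OPENDNSSEC_CONF_FILE``.

        Raises: ``IOError``/``OSError`` if the PIN file cannot be read or a
        configuration file cannot be written.
        """
        for conf_path in (paths.OPENDNSSEC_CONF_FILE,
                          paths.OPENDNSSEC_KASP_FILE,
                          paths.OPENDNSSEC_ZONELIST_FILE):
            if not self.fstore.has_file(conf_path):
                self.fstore.backup_file(conf_path)

        # Context managers so the handles are closed even if a read/write
        # or the template rendering raises.
        with open(paths.DNSSEC_SOFTHSM_PIN, "r") as pin_fd:
            pin = pin_fd.read()

        # add pin to template (mutates self.conf_file_dict in place rather
        # than a copy)
        sub_conf_dict = self.conf_file_dict
        sub_conf_dict['PIN'] = pin

        ods_conf_txt = ipautil.template_file(
            os.path.join(paths.USR_SHARE_IPA_DIR, "opendnssec_conf.template"),
            sub_conf_dict)
        # NOTE(review): conf.xml now holds the SoftHSM PIN; its mode is
        # whatever open() + umask gives (no chmod here) -- confirm it is not
        # world-readable on the target system.
        with open(paths.OPENDNSSEC_CONF_FILE, 'w') as ods_conf_fd:
            ods_conf_fd.write(ods_conf_txt)

        ods_kasp_txt = ipautil.template_file(
            os.path.join(paths.USR_SHARE_IPA_DIR, "opendnssec_kasp.template"),
            self.kasp_file_dict)
        with open(paths.OPENDNSSEC_KASP_FILE, 'w') as ods_kasp_fd:
            ods_kasp_fd.write(ods_kasp_txt)

        if not self.fstore.has_file(paths.SYSCONFIG_ODS):
            self.fstore.backup_file(paths.SYSCONFIG_ODS)

        installutils.set_directive(paths.SYSCONFIG_ODS,
                                   'SOFTHSM2_CONF',
                                   paths.DNSSEC_SOFTHSM2_CONF,
                                   quotes=False, separator='=')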
 def __disable_listeners(self):
     """Turn off the LDAP listeners in ``self.filename``.

     Sets ``nsslapd-port`` to 0 and ``nsslapd-security`` to ``off``, and
     passes ``None`` for ``nsslapd-ldapientrysearchbase`` (the value
     set_directive is given elsewhere in this tree to remove a directive).
     All writes are unquoted with ``:`` as separator.
     """
     changes = (
         ('nsslapd-port', 0),
         ('nsslapd-security', 'off'),
         ('nsslapd-ldapientrysearchbase', None),
     )
     for attr, value in changes:
         installutils.set_directive(self.filename, attr, value,
                                    quotes=False, separator=':')
 def configure_mod_ssl_certs(self):
     """Configure the mod_ssl certificate directives

     Writes the server cert, key, passphrase dialog and CA cert paths into
     ``paths.HTTPD_SSL_CONF``; every value is written unquoted (positional
     ``quotes=False``). The ``exec:`` form makes mod_ssl run
     ``paths.IPA_HTTPD_PASSWD_READER`` to obtain the key passphrase instead
     of keeping it in the config file.
     """
     ssl_conf = paths.HTTPD_SSL_CONF
     passphrase_dialog = 'exec:{passread}'.format(
         passread=paths.IPA_HTTPD_PASSWD_READER)
     for directive, value in (
             ('SSLCertificateFile', paths.HTTPD_CERT_FILE),
             ('SSLCertificateKeyFile', paths.HTTPD_KEY_FILE),
             ('SSLPassPhraseDialog', passphrase_dialog),
             ('SSLCACertificateFile', paths.IPA_CA_CRT)):
         installutils.set_directive(ssl_conf, directive, value, False)
    def install_http_cert(self):
        """Import the HTTP server certificate into the NSS database.

        Reads the current ``NSSNickname`` from the mod_nss config (used
        verbatim, no unquoting), imports the cert via ``self.import_cert``
        with the configured PIN, writes the resulting nickname back with
        set_directive's default quoting, and restricts the DBM database
        files to root:<httpd group> 0640.
        """
        nss_dir = certs.NSS_DIR
        nss_conf = paths.HTTPD_NSS_CONF

        current_nick = installutils.get_directive(nss_conf, 'NSSNickname')
        new_nick = self.import_cert(nss_dir, self.options.pin, current_nick,
                                    'HTTP/%s' % api.env.host, 'restart_httpd')
        installutils.set_directive(nss_conf, 'NSSNickname', new_nick)

        # Fix the database permissions (the files must exist; chmod/chown
        # raise otherwise).
        db_paths = [os.path.join(nss_dir, name)
                    for name in ('cert8.db', 'key3.db', 'secmod.db')]
        for db_path in db_paths:
            os.chmod(db_path, 0o640)

        httpd_gid = pwd.getpwnam(constants.HTTPD_USER).pw_gid
        for db_path in db_paths:
            os.chown(db_path, 0, httpd_gid)
    def update_cert_cs_cfg(nickname, cert, directives, cs_cfg,
                           dogtag_constants=None):
        """
        When renewing a Dogtag subsystem certificate the configuration file
        needs to get the new certificate as well.

        nickname is one of the known nicknames.
        cert is a DER-encoded certificate.
        directives is the list of directives to be updated for the subsystem
        cs_cfg is the path to the CS.cfg file
        dogtag_constants defaults to ``dogtag.configured_constants()`` and
        supplies the service and instance name to stop while editing.

        ``directives[nickname]`` selects the CS.cfg key (a missing nickname
        raises from that lookup). Only the bare base64 body is written,
        unquoted, ``=`` separated.
        """
        dt_consts = dogtag_constants
        if dt_consts is None:
            dt_consts = dogtag.configured_constants()

        with stopped_service(dt_consts.SERVICE_NAME,
                             instance_name=dt_consts.PKI_INSTANCE_NAME):
            target = directives[nickname]
            installutils.set_directive(cs_cfg, target,
                                       base64.b64encode(cert),
                                       quotes=False, separator='=')
    def test_set_directive(self):
        """Check that set_directive writes the new data and preserves mode."""
        # mkstemp creates the file with a private mode (0600); the
        # assertions below ensure set_directive's rewrite neither loosens
        # that mode nor changes ownership -- the property that matters
        # when the edited file holds secrets.
        fd, path = tempfile.mkstemp()
        try:
            os.close(fd)
            before = os.stat(path)

            with open(path, 'w') as fh:
                fh.writelines(EXAMPLE_CONFIG)

            installutils.set_directive(path, 'foo', '3', False, '=', "#")

            after = os.stat(path)
            with open(path, 'r') as fh:
                lines = fh.readlines()

            assert lines == ['foo=3\n', 'foobar=2\n']
            assert before.st_mode == after.st_mode
            assert before.st_uid == after.st_uid
            assert before.st_gid == after.st_gid
        finally:
            os.remove(path)
 def configure_mod_ssl_certs(self):
     """Configure the mod_ssl certificate directives

     Writes the server cert, key and CA cert paths into
     ``paths.HTTPD_SSL_CONF``; every value is written unquoted (positional
     ``quotes=False``).
     """
     ssl_conf = paths.HTTPD_SSL_CONF
     for directive, value in (
             ('SSLCertificateFile', paths.HTTPD_CERT_FILE),
             ('SSLCertificateKeyFile', paths.HTTPD_KEY_FILE),
             ('SSLCACertificateFile', paths.IPA_CA_CRT)):
         installutils.set_directive(ssl_conf, directive, value, False)
 def __disable_listeners(self):
     """Turn off the LDAP listeners in ``self.filename``.

     Sets ``nsslapd-port`` to 0 and ``nsslapd-security`` to ``off``, and
     passes ``None`` for ``nsslapd-ldapientrysearchbase`` (the value
     set_directive is given elsewhere in this tree to remove a directive).
     All writes are unquoted with ``:`` as separator.
     """
     for attr, value in (('nsslapd-port', 0),
                         ('nsslapd-security', 'off'),
                         ('nsslapd-ldapientrysearchbase', None)):
         installutils.set_directive(self.filename, attr, value,
                                    quotes=False, separator=':')
 def __setup_key_exporter(self):
     """Point ipa-ods-exporter at the DNSSEC SoftHSM2 config.

     Writes ``SOFTHSM2_CONF=<paths.DNSSEC_SOFTHSM2_CONF>`` (unquoted) into
     the exporter's sysconfig file.
     """
     sysconfig = paths.SYSCONFIG_IPA_ODS_EXPORTER
     installutils.set_directive(sysconfig, 'SOFTHSM2_CONF',
                                paths.DNSSEC_SOFTHSM2_CONF,
                                quotes=False, separator='=')
 def set_mod_ssl_protocol(self):
     """Write the mod_ssl ``SSLProtocol`` directive (unquoted).

     NOTE(review): this enables TLSv1 and TLSv1.1 alongside TLSv1.2; both
     older versions are deprecated by RFC 8996. Tightening the value is a
     deployment policy decision, so it is left unchanged here.
     """
     enabled = ' '.join(('+TLSv1', '+TLSv1.1', '+TLSv1.2'))
     installutils.set_directive(paths.HTTPD_SSL_CONF, 'SSLProtocol',
                                enabled, False)
    def uninstall(self):
        """Unconfigure the OpenDNSSEC (DNSSEC master) service.

        Sequence: stop ods and ipa-ods-exporter (best effort, errors
        swallowed), drop ``ISMASTER`` from the ipa-dnskeysyncd sysconfig,
        export DNSSEC data via ``ipa-ods-exporter ipa-full-update`` as the
        ods user, copy kasp.db to ``paths.IPA_KASP_DB_BACKUP`` and only on
        success restore kasp.db from the file store, restore the other
        OpenDNSSEC config files, then replay the saved enabled/running
        state. A no-op when ``is_configured()`` is false.
        """
        if not self.is_configured():
            return

        self.print_msg("Unconfiguring %s" % self.service_name)

        running = self.restore_state("running")
        enabled = self.restore_state("enabled")

        # stop DNSSEC services before backing up kasp.db
        # (failures are swallowed so uninstall continues -- presumably an
        # already-stopped or missing service; nothing is logged)
        try:
            self.stop()
        except Exception:
            pass

        ods_exporter = services.service('ipa-ods-exporter', api)
        try:
            ods_exporter.stop()
        except Exception:
            pass

        # remove directive from ipa-dnskeysyncd, this server is not DNSSEC
        # master anymore
        installutils.set_directive(paths.SYSCONFIG_IPA_DNSKEYSYNCD,
                                   'ISMASTER',
                                   None,
                                   quotes=False,
                                   separator='=')

        restore_list = [
            paths.OPENDNSSEC_CONF_FILE, paths.OPENDNSSEC_KASP_FILE,
            paths.SYSCONFIG_ODS, paths.OPENDNSSEC_ZONELIST_FILE
        ]

        if ipautil.file_exists(paths.OPENDNSSEC_KASP_DB):

            # force to export data (runs as the ods user, not root; a
            # failed export is logged but does not abort the uninstall)
            cmd = [paths.IPA_ODS_EXPORTER, 'ipa-full-update']
            try:
                self.print_msg("Exporting DNSSEC data before uninstallation")
                ipautil.run(cmd, runas=constants.ODS_USER)
            except CalledProcessError:
                root_logger.error("DNSSEC data export failed")

            try:
                shutil.copy(paths.OPENDNSSEC_KASP_DB, paths.IPA_KASP_DB_BACKUP)
            except IOError as e:
                root_logger.error(
                    "Unable to backup OpenDNSSEC database %s, "
                    "restore will be skipped: %s", paths.OPENDNSSEC_KASP_DB, e)
            else:
                root_logger.info("OpenDNSSEC database backed up in %s",
                                 paths.IPA_KASP_DB_BACKUP)
                # restore OpenDNSSEC's KASP DB only if backup succeeded
                # removing the file without backup could totally break DNSSEC
                restore_list.append(paths.OPENDNSSEC_KASP_DB)

        # ValueError is what restore_file raises for a file that was never
        # backed up; that is expected here and only logged at debug level
        for f in restore_list:
            try:
                self.fstore.restore_file(f)
            except ValueError as error:
                root_logger.debug(error)

        self.restore_state("kasp_db_configured")  # just eat state

        # disabled by default, by ldap_enable()
        if enabled:
            self.enable()

        if running:
            self.restart()
 def set_mod_nss_protocol(self):
     """Write the mod_nss ``NSSProtocol`` directive (unquoted).

     NOTE(review): the value still enables TLSv1.0 and TLSv1.1, which are
     deprecated by RFC 8996; changing it is a deployment policy decision,
     so the value is left unchanged here.
     """
     protocols = ','.join(('TLSv1.0', 'TLSv1.1', 'TLSv1.2'))
     installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSProtocol',
                                protocols, False)
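    def __setup_softhsm(self):
        """Create the DNSSEC SoftHSM2 setup: config, token dir, PINs, token.

        Steps, in order:
          1. create ``paths.IPA_DNSSEC_DIR`` (0770, ods:named) if missing;
          2. write ``paths.DNSSEC_SOFTHSM2_CONF`` (0644) pointing at
             ``paths.DNSSEC_TOKENS_DIR``;
          3. set ``SOFTHSM2_CONF`` in the named and ipa-dnskeysyncd
             sysconfig files (named's file is backed up first);
          4. if a token dir and both PIN files already exist, stop here;
          5. otherwise wipe any old token dir, recreate it (0770 + setgid,
             ods:named), generate a user PIN and an SO PIN, store them
             (user PIN 0770 ods:named, SO PIN 0400 owned by root) and run
             ``softhsm2-util --init-token``.

        Requires ``self.ods_uid`` and ``self.named_gid`` to be set.

        Security notes:
          * The PIN files are created with mode 0600 via os.open before
            their contents are written, so there is no window in which a
            umask-derived default mode exposes a freshly created PIN file;
            the final modes are then applied explicitly.
          * NOTE(review): both PINs are passed to softhsm2-util on the
            command line; ``nolog`` keeps them out of IPA's logs, but argv
            is visible to other local users via /proc while the tool runs.
          * NOTE(review): ``SOFTHSM2_CONF`` is set in ``os.environ`` and so
            is inherited by every later subprocess of this process.
        """
        assert self.ods_uid is not None
        assert self.named_gid is not None

        token_dir_exists = os.path.exists(paths.DNSSEC_TOKENS_DIR)

        # create dnssec directory
        if not os.path.exists(paths.IPA_DNSSEC_DIR):
            self.logger.debug("Creating %s directory", paths.IPA_DNSSEC_DIR)
            os.mkdir(paths.IPA_DNSSEC_DIR)
            os.chmod(paths.IPA_DNSSEC_DIR, 0o770)
            # chown ods:named
            os.chown(paths.IPA_DNSSEC_DIR, self.ods_uid, self.named_gid)

        # setup softhsm2 config file
        softhsm_conf_txt = ("# SoftHSM v2 configuration file \n"
                            "# File generated by IPA instalation\n"
                            "directories.tokendir = %(tokens_dir)s\n"
                            "objectstore.backend = file") % {
                               'tokens_dir': paths.DNSSEC_TOKENS_DIR
                            }
        self.logger.debug("Creating new softhsm config file")
        # context manager: the handle is closed even if the write fails
        with open(paths.DNSSEC_SOFTHSM2_CONF, 'w') as conf_fd:
            conf_fd.write(softhsm_conf_txt)
        os.chmod(paths.DNSSEC_SOFTHSM2_CONF, 0o644)

        # setting up named to use softhsm2
        if not self.fstore.has_file(paths.SYSCONFIG_NAMED):
            self.fstore.backup_file(paths.SYSCONFIG_NAMED)

        # setting up named and ipa-dnskeysyncd to use our softhsm2 config
        for sysconfig in [paths.SYSCONFIG_NAMED,
                          paths.SYSCONFIG_IPA_DNSKEYSYNCD]:
            installutils.set_directive(sysconfig, 'SOFTHSM2_CONF',
                                       paths.DNSSEC_SOFTHSM2_CONF,
                                       quotes=False, separator='=')

        if (token_dir_exists and os.path.exists(paths.DNSSEC_SOFTHSM_PIN) and
                os.path.exists(paths.DNSSEC_SOFTHSM_PIN_SO)):
            # there is initialized softhsm
            return

        # remove old tokens
        if token_dir_exists:
            self.logger.debug('Removing old tokens directory %s',
                              paths.DNSSEC_TOKENS_DIR)
            shutil.rmtree(paths.DNSSEC_TOKENS_DIR)

        # create tokens subdirectory
        self.logger.debug('Creating tokens %s directory',
                          paths.DNSSEC_TOKENS_DIR)
        # sticky bit is required by daemon
        os.mkdir(paths.DNSSEC_TOKENS_DIR)
        os.chmod(paths.DNSSEC_TOKENS_DIR, 0o770 | stat.S_ISGID)
        # chown to ods:named
        os.chown(paths.DNSSEC_TOKENS_DIR, self.ods_uid, self.named_gid)

        # generate PINs for softhsm
        allowed_chars = u'123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
        pin_length = 30  # Bind allows max 32 bytes including ending '\0'
        pin = ipautil.ipa_generate_password(allowed_chars, pin_length)
        pin_so = ipautil.ipa_generate_password(allowed_chars, pin_length)

        def write_private_file(path, content):
            """Write ``content`` to ``path``, creating it with mode 0600.

            O_TRUNC keeps the overwrite semantics of open(path, 'w'); the
            0600 mode only applies when the file is created, an existing
            file keeps its mode until the caller chmods it.
            """
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
            with os.fdopen(fd, 'w') as fh:
                fh.write(content)

        self.logger.debug("Saving user PIN to %s", paths.DNSSEC_SOFTHSM_PIN)
        write_private_file(paths.DNSSEC_SOFTHSM_PIN, pin)
        # NOTE(review): 0770 puts an execute bit on a data file; 0660 would
        # give ods:named the same read/write access. Kept as is to avoid
        # changing the deployed layout.
        os.chmod(paths.DNSSEC_SOFTHSM_PIN, 0o770)
        # chown to ods:named
        os.chown(paths.DNSSEC_SOFTHSM_PIN, self.ods_uid, self.named_gid)

        self.logger.debug("Saving SO PIN to %s", paths.DNSSEC_SOFTHSM_PIN_SO)
        write_private_file(paths.DNSSEC_SOFTHSM_PIN_SO, pin_so)
        # owner must be root
        os.chmod(paths.DNSSEC_SOFTHSM_PIN_SO, 0o400)

        # initialize SoftHSM

        command = [
            paths.SOFTHSM2_UTIL,
            '--init-token',
            '--slot', str(softhsm_slot),
            '--label', softhsm_token_label,
            '--pin', pin,
            '--so-pin', pin_so,
        ]
        self.logger.debug("Initializing tokens")
        os.environ["SOFTHSM2_CONF"] = paths.DNSSEC_SOFTHSM2_CONF
        ipautil.run(command, nolog=(pin, pin_so,))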
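    def uninstall(self):
        """Unconfigure the OpenDNSSEC (DNSSEC master) service.

        Order matters: the ods and ipa-ods-exporter services are stopped
        first (best effort) so kasp.db is quiescent, the ``ISMASTER``
        directive is removed from the ipa-dnskeysyncd sysconfig, DNSSEC
        data is exported with ``ipa-ods-exporter ipa-full-update`` as the
        ods user, kasp.db is copied to ``paths.IPA_KASP_DB_BACKUP`` and only
        on success restored from the file store (removing it without a
        backup could break DNSSEC), the remaining config files are
        restored, and the saved enabled/running state is replayed.

        Does nothing if ``is_configured()`` is false. Failures to stop the
        services are logged at debug level and otherwise ignored.
        """
        if not self.is_configured():
            return

        self.print_msg("Unconfiguring %s" % self.service_name)

        running = self.restore_state("running")
        enabled = self.restore_state("enabled")

        # stop DNSSEC services before backing up kasp.db
        # (best effort: log rather than silently drop the reason)
        try:
            self.stop()
        except Exception as e:
            root_logger.debug("Unable to stop %s: %s", self.service_name, e)

        ods_exporter = services.service('ipa-ods-exporter')
        try:
            ods_exporter.stop()
        except Exception as e:
            root_logger.debug("Unable to stop ipa-ods-exporter: %s", e)

        # remove directive from ipa-dnskeysyncd, this server is not DNSSEC
        # master anymore
        installutils.set_directive(paths.SYSCONFIG_IPA_DNSKEYSYNCD,
                                   'ISMASTER', None,
                                   quotes=False, separator='=')

        restore_list = [paths.OPENDNSSEC_CONF_FILE, paths.OPENDNSSEC_KASP_FILE,
                        paths.SYSCONFIG_ODS, paths.OPENDNSSEC_ZONELIST_FILE]

        if ipautil.file_exists(paths.OPENDNSSEC_KASP_DB):

            # force to export data (runs as the ods user, not root; a
            # failed export is logged but does not abort the uninstall)
            cmd = [paths.IPA_ODS_EXPORTER, 'ipa-full-update']
            try:
                self.print_msg("Exporting DNSSEC data before uninstallation")
                ipautil.run(cmd, runas=constants.ODS_USER)
            except CalledProcessError:
                root_logger.error("DNSSEC data export failed")

            try:
                shutil.copy(paths.OPENDNSSEC_KASP_DB,
                            paths.IPA_KASP_DB_BACKUP)
            except IOError as e:
                root_logger.error(
                    "Unable to backup OpenDNSSEC database %s, "
                    "restore will be skipped: %s", paths.OPENDNSSEC_KASP_DB, e)
            else:
                root_logger.info("OpenDNSSEC database backed up in %s",
                                 paths.IPA_KASP_DB_BACKUP)
                # restore OpenDNSSEC's KASP DB only if backup succeeded
                # removing the file without backup could totally break DNSSEC
                restore_list.append(paths.OPENDNSSEC_KASP_DB)

        # ValueError is what restore_file raises for a file that was never
        # backed up; expected here, so only logged at debug level
        for f in restore_list:
            try:
                self.fstore.restore_file(f)
            except ValueError as error:
                root_logger.debug(error)

        self.restore_state("kasp_db_configured")  # just eat state

        # disabled by default, by ldap_enable()
        if enabled:
            self.enable()

        if running:
            self.restart()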
    def enable_client_auth_to_db(self, config):
        """
        Enable client auth connection to the internal db.
        Path to CS.cfg config file passed in.

        Both the DirAclAuthz LDAP connection and the internaldb connection
        are switched to ``SslClientAuth`` with the ``subsystemCert
        cert-pki-ca`` nickname over port 636 with ``secureConn=true``,
        while pki-tomcat is stopped. Finally the ``internaldb`` entry is
        removed from the password file since the password is no longer
        needed to bind.
        NOTE(review): that last call uses set_directive's default separator
        and quoting; confirm it matches the layout of the password file so
        the old password really is removed.
        """
        cert_nick = 'subsystemCert cert-pki-ca'
        settings = []
        for prefix in ('authz.instance.DirAclAuthz.ldap.', 'internaldb.'):
            settings.extend([
                (prefix + 'ldapauth.authtype', 'SslClientAuth'),
                (prefix + 'ldapauth.clientCertNickname', cert_nick),
                (prefix + 'ldapconn.port', '636'),
                (prefix + 'ldapconn.secureConn', 'true'),
            ])

        with stopped_service('pki-tomcatd', 'pki-tomcat'):
            for directive, value in settings:
                installutils.set_directive(config, directive, value,
                                           quotes=False, separator='=')
            # Remove internaldb password as is not needed anymore
            installutils.set_directive(paths.PKI_TOMCAT_PASSWORD_CONF,
                                       'internaldb', None)
 def __setup_key_exporter(self):
     """Point ipa-ods-exporter at the DNSSEC SoftHSM2 config.

     Writes ``SOFTHSM2_CONF=<paths.DNSSEC_SOFTHSM2_CONF>`` (unquoted) into
     the exporter's sysconfig file.
     """
     directive, value = 'SOFTHSM2_CONF', paths.DNSSEC_SOFTHSM2_CONF
     installutils.set_directive(paths.SYSCONFIG_IPA_ODS_EXPORTER,
                                directive, value,
                                quotes=False, separator='=')
 def __setup_dnskeysyncd(self):
     """Mark this server as the DNSSEC master for ipa-dnskeysyncd.

     Writes ``ISMASTER=1`` (unquoted, ``=`` separator) into the daemon's
     sysconfig file.
     """
     directive, value = 'ISMASTER', '1'
     installutils.set_directive(paths.SYSCONFIG_IPA_DNSKEYSYNCD,
                                directive, value,
                                quotes=False, separator='=')
    def enable_client_auth_to_db(self, config):
        """
        Enable client auth connection to the internal db.
        Path to CS.cfg config file passed in.

        Both the DirAclAuthz LDAP connection and the internaldb connection
        are switched to ``SslClientAuth`` binding as ``pkidbuser`` with
        the ``subsystemCert cert-pki-ca`` nickname over the DS secure port
        with ``secureConn=true``, while the Dogtag instance is stopped.
        Finally the ``internaldb`` entry is removed from the password file
        since the password is no longer needed to bind.
        NOTE(review): that last call uses set_directive's default separator
        and quoting; confirm it matches the layout of the password file so
        the old password really is removed.
        """
        cert_nick = 'subsystemCert cert-pki-ca'
        bind_dn = 'uid=pkidbuser,ou=people,o=ipaca'

        with stopped_service(
                self.dogtag_constants.SERVICE_NAME,
                instance_name=self.dogtag_constants.PKI_INSTANCE_NAME):
            secure_port = str(dogtag.install_constants.DS_SECURE_PORT)
            settings = []
            for prefix in ('authz.instance.DirAclAuthz.ldap.',
                           'internaldb.'):
                settings.extend([
                    (prefix + 'ldapauth.authtype', 'SslClientAuth'),
                    (prefix + 'ldapauth.bindDN', bind_dn),
                    (prefix + 'ldapauth.clientCertNickname', cert_nick),
                    (prefix + 'ldapconn.port', secure_port),
                    (prefix + 'ldapconn.secureConn', 'true'),
                ])
            for directive, value in settings:
                installutils.set_directive(config, directive, value,
                                           quotes=False, separator='=')
            # Remove internaldb password as is not needed anymore
            installutils.set_directive(self.dogtag_constants.PASSWORD_CONF_PATH,
                                       'internaldb', None)
 def __set_mod_nss_passwordfile(self):
     """Tell mod_nss to read the NSS token passphrase from a file.

     Sets ``NSSPassPhraseDialog`` to ``file:<paths.HTTPD_PASSWORD_CONF>``.
     NOTE(review): that file then holds the database PIN in the clear, so
     its ownership/mode is what protects the HTTP server's private key --
     the permissions are set elsewhere, confirm they are restrictive.
     """
     dialog_source = 'file:' + paths.HTTPD_PASSWORD_CONF
     installutils.set_directive(paths.HTTPD_NSS_CONF,
                                'NSSPassPhraseDialog', dialog_source)
 def set_mod_nss_cipher_suite(self):
     """Write the module-level NSS_CIPHER_SUITE into mod_nss's NSSCipherSuite.

     The sequence is joined with commas and written unquoted (the fourth
     positional argument is ``quotes=False``).
     """
     cipher_list = ",".join(NSS_CIPHER_SUITE)
     installutils.set_directive(
         paths.HTTPD_NSS_CONF, 'NSSCipherSuite', cipher_list, False)
 def __set_mod_nss_nickname(self, nickname):
     """Set mod_nss's NSSNickname to *nickname*.

     The nickname is single-quoted via ``quote_directive_value`` before it
     is written, and ``set_directive`` is told not to add its own quotes,
     so nicknames containing spaces survive intact.
     """
     # Quote ourselves (single quotes) rather than letting set_directive do it.
     quoted = installutils.quote_directive_value(nickname, quote_char="'")
     installutils.set_directive(paths.HTTPD_NSS_CONF,
                                'NSSNickname',
                                quoted,
                                quotes=False)
    def enable_client_auth_to_db(self, config):
        """
        Enable client auth connection to the internal db.
        Path to CS.cfg config file passed in.

        Switches both the DirAclAuthz plugin and the ``internaldb``
        connection to ``SslClientAuth`` on port 636 using the
        ``subsystemCert cert-pki-ca`` NSS certificate, then drops the
        plaintext ``internaldb`` entry from the pki-tomcat password file.
        No ``bindDN`` is written here; with certificate auth the bind
        identity presumably comes from the cert mapping -- confirm.
        The edits happen while pki-tomcatd/pki-tomcat is stopped.
        """
        authz_prefix = 'authz.instance.DirAclAuthz.ldap.'
        internaldb_prefix = 'internaldb.'

        with stopped_service('pki-tomcatd', 'pki-tomcat'):
            # Same four settings for both LDAP consumers, written in the
            # original order.
            directives = []
            for prefix in (authz_prefix, internaldb_prefix):
                directives.extend([
                    (prefix + 'ldapauth.authtype', 'SslClientAuth'),
                    (prefix + 'ldapauth.clientCertNickname',
                     'subsystemCert cert-pki-ca'),
                    (prefix + 'ldapconn.port', '636'),
                    (prefix + 'ldapconn.secureConn', 'true'),
                ])

            for key, value in directives:
                installutils.set_directive(config, key, value,
                                           quotes=False, separator='=')

            # Remove internaldb password as is not needed anymore
            installutils.set_directive(paths.PKI_TOMCAT_PASSWORD_CONF,
                                       'internaldb', None)
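    def uninstall(self):
        """Unconfigure the OpenDNSSEC master role on this server.

        Order matters: the DNSSEC services are stopped first, then
        ipa-dnskeysyncd is demoted (``ISMASTER`` removed), a final
        ``ipa-full-update`` export is attempted and ``kasp.db`` is backed
        up, and only then are the original OpenDNSSEC config files
        restored from the file store.  The service is re-enabled and
        restarted if it was enabled/running before installation.

        Returns early without touching anything when the service is not
        configured.  Stop failures are logged at debug level and do not
        abort the uninstall (best effort, as before).
        """
        if not self.is_configured():
            return

        self.print_msg("Unconfiguring %s" % self.service_name)

        running = self.restore_state("running")
        enabled = self.restore_state("enabled")

        # stop DNSSEC services before backing up kasp.db -- best effort,
        # but log why a stop failed instead of discarding the error
        try:
            self.stop()
        except Exception as e:
            root_logger.debug("Unable to stop %s: %s", self.service_name, e)

        ods_exporter = services.service('ipa-ods-exporter')
        try:
            ods_exporter.stop()
        except Exception as e:
            root_logger.debug("Unable to stop ipa-ods-exporter: %s", e)

        # remove directive from ipa-dnskeysyncd, this server is not DNSSEC
        # master anymore
        installutils.set_directive(paths.SYSCONFIG_IPA_DNSKEYSYNCD,
                                   'ISMASTER', None,
                                   quotes=False, separator='=')

        if ipautil.file_exists(paths.OPENDNSSEC_KASP_DB):

            # force to export data, run as the ods-enforcerd user so the
            # exporter does not need root to read its own state
            ods_enforcerd = services.knownservices.ods_enforcerd
            cmd = [paths.IPA_ODS_EXPORTER, 'ipa-full-update']
            try:
                ipautil.run(cmd, runas=ods_enforcerd.get_user_name())
            except CalledProcessError:
                root_logger.debug("OpenDNSSEC database has not been updated")

            # NOTE(review): shutil.copy keeps mode bits but not ownership,
            # so the backup is owned by whoever runs the uninstall
            # (normally root) -- confirm that is intended for kasp.db.
            try:
                shutil.copy(paths.OPENDNSSEC_KASP_DB,
                            paths.IPA_KASP_DB_BACKUP)
            except IOError as e:
                root_logger.error(
                    "Unable to backup OpenDNSSEC database: %s", e)
            else:
                root_logger.info("OpenDNSSEC database backed up in %s",
                                 paths.IPA_KASP_DB_BACKUP)

        # restore_file raises ValueError when no backup of that file
        # exists, which is normal for a file we never touched
        for config_file in [paths.OPENDNSSEC_CONF_FILE,
                            paths.OPENDNSSEC_KASP_FILE,
                            paths.OPENDNSSEC_KASP_DB, paths.SYSCONFIG_ODS,
                            paths.OPENDNSSEC_ZONELIST_FILE]:
            try:
                self.fstore.restore_file(config_file)
            except ValueError as error:
                root_logger.debug(error)

        # disabled by default, by ldap_enable()
        if enabled:
            self.enable()

        if running:
            self.restart()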
 def set_mod_ssl_logdir(self):
     """Point mod_ssl's ErrorLog and TransferLog at the logs/ directory.

     Both values are server-relative paths and are written unquoted
     (fourth positional argument ``quotes=False``).
     """
     log_directives = (
         ('ErrorLog', 'logs/error_log'),
         ('TransferLog', 'logs/access_log'),
     )
     for directive, target in log_directives:
         installutils.set_directive(
             paths.HTTPD_SSL_CONF, directive, target, False)
 def __set_mod_nss_passwordfile(self):
     """Tell mod_nss to read the NSS token passphrase from password.conf.

     The target path is hard-coded here rather than taken from ``paths``.
     NOTE(review): the referenced file holds the database PIN in the
     clear; its permissions are set elsewhere -- confirm they are
     restrictive.
     """
     dialog_source = 'file:/etc/httpd/conf/password.conf'
     installutils.set_directive(
         paths.HTTPD_NSS_CONF, 'NSSPassPhraseDialog', dialog_source)
 def set_mod_nss_cipher_suite(self):
     """Write the module-level NSS_CIPHER_SUITE into mod_nss's NSSCipherSuite.

     The sequence is joined with commas and written unquoted (the fourth
     positional argument is ``quotes=False``).
     """
     cipher_list = ",".join(NSS_CIPHER_SUITE)
     installutils.set_directive(
         paths.HTTPD_NSS_CONF, 'NSSCipherSuite', cipher_list, False)
 def __set_mod_nss_nickname(self, nickname):
     """Set mod_nss's NSSNickname to *nickname*.

     ``set_directive`` is called with its default quoting, so the value is
     wrapped by the helper (presumably in double quotes -- confirm against
     ``installutils.set_directive``).
     """
     directive_name = 'NSSNickname'
     installutils.set_directive(
         paths.HTTPD_NSS_CONF, directive_name, nickname)
 def __set_mod_nss_nickname(self, nickname):
     """Set mod_nss's NSSNickname to *nickname*, single-quoted.

     ``quote_char="'"`` makes ``set_directive`` wrap the value in single
     quotes, so nicknames containing spaces are written as one token.
     """
     installutils.set_directive(
         paths.HTTPD_NSS_CONF, 'NSSNickname', nickname, quote_char="'")
 def enable_mod_nss_renegotiate(self):
     """Turn on TLS renegotiation in mod_nss, but only the safe kind.

     ``NSSRenegotiation on`` allows renegotiation and
     ``NSSRequireSafeNegotiation on`` makes mod_nss insist on the
     renegotiation-indication extension, so legacy (insecure)
     renegotiation is not re-enabled.  Both are written unquoted.
     """
     for directive in ('NSSRenegotiation', 'NSSRequireSafeNegotiation'):
         installutils.set_directive(
             paths.HTTPD_NSS_CONF, directive, 'on', False)
 def set_mod_nss_protocol(self):
     """Restrict mod_nss to TLS 1.0, 1.1 and 1.2 via NSSProtocol.

     The value is written unquoted (fourth positional ``quotes=False``).
     NOTE(review): TLS 1.0 and 1.1 are deprecated (RFC 8996); keeping them
     enabled is a compatibility decision that should be revisited.
     """
     enabled_versions = 'TLSv1.0,TLSv1.1,TLSv1.2'
     installutils.set_directive(
         paths.HTTPD_NSS_CONF, 'NSSProtocol', enabled_versions, False)
 def __set_mod_nss_passwordfile(self):
     """Tell mod_nss to read the NSS token passphrase from a file.

     Sets ``NSSPassPhraseDialog`` to ``file:<paths.HTTPD_PASSWORD_CONF>``.
     NOTE(review): that file holds the database PIN in the clear; its
     permissions are set elsewhere -- confirm they are restrictive.
     """
     dialog_source = 'file:' + paths.HTTPD_PASSWORD_CONF
     installutils.set_directive(
         paths.HTTPD_NSS_CONF, 'NSSPassPhraseDialog', dialog_source)
 def enable_mod_nss_renegotiate(self):
     """Turn on TLS renegotiation in mod_nss, but only the safe kind.

     ``NSSRenegotiation on`` allows renegotiation and
     ``NSSRequireSafeNegotiation on`` makes mod_nss insist on the
     renegotiation-indication extension, so legacy (insecure)
     renegotiation is not re-enabled.  Both are written unquoted.
     """
     for directive in ('NSSRenegotiation', 'NSSRequireSafeNegotiation'):
         installutils.set_directive(
             paths.HTTPD_NSS_CONF, directive, 'on', False)