Exemple #1
0
def install_check(api, replica_config, options):
    if replica_config is not None and not replica_config.setup_kra:
        return

    kra = krainstance.KRAInstance(api.env.realm)
    if kra.is_installed():
        raise RuntimeError("KRA is already installed.")

    if not options.setup_ca:
        if cainstance.is_ca_installed_locally():
            if api.env.dogtag_version >= 10:
                # correct dogtag version of CA installed
                pass
            else:
                raise RuntimeError(
                    "Dogtag must be version 10.2 or above to install KRA")
        else:
            raise RuntimeError(
                "Dogtag CA is not installed.  Please install the CA first")

    if replica_config is not None:
        if not api.Command.kra_is_enabled()['result']:
            raise RuntimeError(
                "KRA is not installed on the master system. Please use "
                "'ipa-kra-install' command to install the first instance.")
Exemple #2
0
def uninstall_check(options):
    """Check if the host is CRL generation master"""
    # Skip the checks if the host is not a CA instance
    ca = cainstance.CAInstance(api.env.realm)
    if not (api.Command.ca_is_enabled()['result'] and
       cainstance.is_ca_installed_locally()):
        return

    # skip the checks if the host is the last master
    ipa_config = api.Command.config_show()['result']
    ipa_masters = ipa_config.get('ipa_master_server', [])
    if len(ipa_masters) <= 1:
        return

    try:
        crlgen_enabled = ca.is_crlgen_enabled()
    except cainstance.InconsistentCRLGenConfigException:
        # If config is inconsistent, let's be safe and act as if
        # crl gen was enabled
        crlgen_enabled = True

    if crlgen_enabled:
        print("Deleting this server will leave your installation "
              "without a CRL generation master.")
        if (options.unattended and not options.ignore_last_of_role) or \
           not (options.unattended or ipautil.user_input(
                "Are you sure you want to continue with the uninstall "
                "procedure?", False)):
            raise ScriptError("Aborting uninstall operation.")
Exemple #3
0
    def run(self):
        if not is_ipa_configured():
            print("IPA is not configured.")
            return 2

        if not cainstance.is_ca_installed_locally():
            print("CA is not installed on this server.")
            return 3

        api.bootstrap(in_server=True, confdir=paths.ETC_IPA)
        api.finalize()
        api.Backend.ldap2.connect()

        state = acme_state(api)
        with state as ca_api:
            if self.command == Command.ENABLE:
                self.check_san_status()
                ca_api.enable()
            elif self.command == Command.DISABLE:
                ca_api.disable()
            elif self.command == Command.STATUS:
                status = "enabled" if dogtag.acme_status() else "disabled"
                print("ACME is {}".format(status))
                return 0
            else:
                raise RuntimeError('programmer error: unhandled enum case')

        return 0
Exemple #4
0
def install_check(api, replica_config, options):
    if replica_config is not None and not replica_config.setup_kra:
        return

    kra = krainstance.KRAInstance(api.env.realm)
    if kra.is_installed():
        raise RuntimeError("KRA is already installed.")

    if not options.setup_ca:
        if cainstance.is_ca_installed_locally():
            if api.env.dogtag_version >= 10:
                # correct dogtag version of CA installed
                pass
            else:
                raise RuntimeError(
                    "Dogtag must be version 10.2 or above to install KRA")
        else:
            raise RuntimeError(
                "Dogtag CA is not installed.  Please install the CA first")

    if replica_config is not None:
        if not api.Command.kra_is_enabled()['result']:
            raise RuntimeError(
                "KRA is not installed on the master system. Please use "
                "'ipa-kra-install' command to install the first instance.")
    def run(self):
        if not is_ipa_configured():
            print("IPA is not configured.")
            return 2

        if not cainstance.is_ca_installed_locally():
            print("CA is not installed on this server.")
            return 1

        if self.command == Command.ENABLE:
            directive = 'enabled'
            value = 'true'
        elif self.command == Command.DISABLE:
            directive = 'enabled'
            value = 'false'
        else:
            raise RuntimeError('programmer error: unhandled enum case')

        with DirectiveSetter(
                paths.PKI_ACME_ENGINE_CONF,
                separator='=',
                quotes=False,
        ) as ds:
            ds.set(directive, value)

        # Work around a limitation in PKI ACME service file watching
        # where renames (what DirectiveSetter does) are not detected.
        # It will be fixed, but keeping the workaround will do no harm.
        pathlib.Path(paths.PKI_ACME_ENGINE_CONF).touch()

        # Nothing else to do; the Dogtag ACME service monitors engine.conf
        # for updates and reconfigures itself as required.

        return 0
Exemple #6
0
def uninstall_check(options):
    """Check if the host is CRL generation master"""
    # Skip the checks if the host is not a CA instance
    ca = cainstance.CAInstance(api.env.realm)
    if not (api.Command.ca_is_enabled()['result']
            and cainstance.is_ca_installed_locally()):
        return

    # skip the checks if the host is the last master
    ipa_config = api.Command.config_show()['result']
    ipa_masters = ipa_config.get('ipa_master_server', [])
    if len(ipa_masters) <= 1:
        return

    try:
        crlgen_enabled = ca.is_crlgen_enabled()
    except cainstance.InconsistentCRLGenConfigException:
        # If config is inconsistent, let's be safe and act as if
        # crl gen was enabled
        crlgen_enabled = True

    if crlgen_enabled:
        print("Deleting this server will leave your installation "
              "without a CRL generation master.")
        if (options.unattended and not options.ignore_last_of_role) or \
           not (options.unattended or ipautil.user_input(
                "Are you sure you want to continue with the uninstall "
                "procedure?", False)):
            raise ScriptError("Aborting uninstall operation.")
Exemple #7
0
 def check_local_ca_instance(self, raiseOnErr=False):
     if not api.Command.ca_is_enabled()['result'] or \
        not cainstance.is_ca_installed_locally():
         if raiseOnErr:
             raise RuntimeError("Dogtag CA is not installed. "
                                "Please install a CA first with the "
                                "`ipa-ca-install` command.")
         else:
             logger.warning(
                 "Warning: Dogtag CA is not installed on this server.")
             return False
     return True
Exemple #8
0
def install_check(api, replica_config, options):
    if replica_config is not None and not replica_config.setup_kra:
        return

    kra = krainstance.KRAInstance(api.env.realm)
    if kra.is_installed():
        raise RuntimeError("KRA is already installed.")

    if not options.setup_ca:
        if cainstance.is_ca_installed_locally():
            if api.env.dogtag_version >= 10:
                # correct dogtag version of CA installed
                pass
            else:
                raise RuntimeError(
                    "Dogtag must be version 10.2 or above to install KRA")
        else:
            raise RuntimeError(
                "Dogtag CA is not installed.  Please install the CA first")

    if replica_config is not None:
        if not api.Command.kra_is_enabled()['result']:
            raise RuntimeError(
                "KRA is not installed on the master system. Please use "
                "'ipa-kra-install' command to install the first instance.")

        if options.promote:
            return

        with certdb.NSSDatabase() as tmpdb:
            pw = ipautil.write_tmp_file(ipautil.ipa_generate_password())
            tmpdb.create_db(pw.name)
            tmpdb.import_pkcs12(replica_config.dir + "/cacert.p12", pw.name,
                                replica_config.dirman_password)
            kra_cert_nicknames = [
                "storageCert cert-pki-kra", "transportCert cert-pki-kra",
                "auditSigningCert cert-pki-kra"
            ]
            if not all(
                    tmpdb.has_nickname(nickname)
                    for nickname in kra_cert_nicknames):
                raise RuntimeError("Missing KRA certificates, please create a "
                                   "new replica file.")
Exemple #9
0
def install_check(api, replica_config, options):
    if replica_config is not None and not replica_config.setup_kra:
        return

    kra = krainstance.KRAInstance(api.env.realm)
    if kra.is_installed():
        raise RuntimeError("KRA is already installed.")

    if not options.setup_ca:
        if cainstance.is_ca_installed_locally():
            if api.env.dogtag_version >= 10:
                # correct dogtag version of CA installed
                pass
            else:
                raise RuntimeError(
                    "Dogtag must be version 10.2 or above to install KRA")
        else:
            raise RuntimeError(
                "Dogtag CA is not installed.  Please install the CA first")

    if replica_config is not None:
        if not api.Command.kra_is_enabled()['result']:
            raise RuntimeError(
                "KRA is not installed on the master system. Please use "
                "'ipa-kra-install' command to install the first instance.")

        if options.promote:
            return

        with certdb.NSSDatabase() as tmpdb:
            pw = ipautil.write_tmp_file(ipautil.ipa_generate_password())
            tmpdb.create_db(pw.name)
            tmpdb.import_pkcs12(replica_config.dir + "/cacert.p12", pw.name,
                                replica_config.dirman_password)
            kra_cert_nicknames = [
                "storageCert cert-pki-kra", "transportCert cert-pki-kra",
                "auditSigningCert cert-pki-kra"
            ]
            if not all(tmpdb.has_nickname(nickname)
                       for nickname in kra_cert_nicknames):
                raise RuntimeError("Missing KRA certificates, please create a "
                                   "new replica file.")
Exemple #10
0
def install_check(replica_config, options, enable_kra, dogtag_version):
    if enable_kra:
        raise RuntimeError("KRA is already installed.")

    if not options.setup_ca:
        if cainstance.is_ca_installed_locally():
            if dogtag_version >= 10:
                # correct dogtag version of CA installed
                pass
            else:
                raise RuntimeError(
                    "Dogtag must be version 10.2 or above to install KRA")
        else:
            raise RuntimeError(
                "Dogtag CA is not installed.  Please install the CA first")

    if replica_config is not None:
        if not read_replica_info_kra_enabled(replica_config.dir):
            raise RuntimeError(
                "Either KRA is not installed on the master system or "
                "your replica file is out of date"
            )
Exemple #11
0
    def validate_options(self, needs_root=True):
        super(KRAInstaller, self).validate_options(needs_root=True)

        dogtag_version = int(api.env.dogtag_version)
        enable_kra = api.env.enable_kra

        if enable_kra:
            self.option_parser.error("KRA is already installed.")

        ca_installed = cainstance.is_ca_installed_locally()

        if ca_installed:
            if dogtag_version >= 10:
                # correct dogtag version of CA installed
                pass
            else:
                self.option_parser.error(
                    "Dogtag must be version 10.2 or above to install KRA")
        else:
            self.option_parser.error(
                "Dogtag CA is not installed.  Please install the CA first")

        self.installing_replica = dogtaginstance.is_installing_replica("KRA")
        if self.installing_replica:
            if not self.args:
                self.option_parser.error("A replica file is required.")
            if len(self.args) > 1:
                self.option_parser.error("Too many arguments provided")

            self.replica_file = self.args[0]
            if not ipautil.file_exists(self.replica_file):
                self.option_parser.error(
                    "Replica file %s does not exist" % self.replica_file)
        else:
            if self.args:
                self.option_parser.error("Too many parameters provided.  "
                                         "No replica file is required.")
Exemple #12
0
    def validate_options(self, needs_root=True):
        super(KRAInstaller, self).validate_options(needs_root=True)

        dogtag_version = int(api.env.dogtag_version)
        enable_kra = api.env.enable_kra

        if enable_kra:
            self.option_parser.error("KRA is already installed.")

        ca_installed = cainstance.is_ca_installed_locally()

        if ca_installed:
            if dogtag_version >= 10:
                # correct dogtag version of CA installed
                pass
            else:
                self.option_parser.error(
                    "Dogtag must be version 10.2 or above to install KRA")
        else:
            self.option_parser.error(
                "Dogtag CA is not installed.  Please install the CA first")

        self.installing_replica = dogtaginstance.is_installing_replica("KRA")
        if self.installing_replica:
            if not self.args:
                self.option_parser.error("A replica file is required.")
            if len(self.args) > 1:
                self.option_parser.error("Too many arguments provided")

            self.replica_file = self.args[0]
            if not ipautil.file_exists(self.replica_file):
                self.option_parser.error("Replica file %s does not exist" %
                                         self.replica_file)
        else:
            if self.args:
                self.option_parser.error("Too many parameters provided.  "
                                         "No replica file is required.")
Exemple #13
0
    def run(self):
        super(KRAInstaller, self).run()

        # Verify DM password. This has to be called after ask_for_options(),
        # so it can't be placed in validate_options().
        try:
            installutils.validate_dm_password_ldap(self.options.password)
        except ValueError:
            raise admintool.ScriptError(
                "Directory Manager password is invalid")

        if not cainstance.is_ca_installed_locally():
            raise RuntimeError("Dogtag CA is not installed. "
                               "Please install a CA first with the "
                               "`ipa-ca-install` command.")

        # check if KRA is not already installed
        _kra = krainstance.KRAInstance(api)
        if _kra.is_installed():
            raise admintool.ScriptError("KRA already installed")

        # this check can be done only when CA is installed
        self.installing_replica = dogtaginstance.is_installing_replica("KRA")
        self.options.promote = False

        if self.installing_replica:
            domain_level = dsinstance.get_domain_level(api)
            if domain_level > DOMAIN_LEVEL_0:
                self.options.promote = True
            elif not self.args:
                raise RuntimeError("A replica file is required.")

        if self.args and (not self.installing_replica or self.options.promote):
            raise RuntimeError("Too many parameters provided. "
                               "No replica file is required.")

        self.options.dm_password = self.options.password
        self.options.setup_ca = False
        self.options.setup_kra = True

        api.Backend.ldap2.connect()

        config = None
        if self.installing_replica:
            if self.options.promote:
                config = ReplicaConfig()
                config.kra_host_name = None
                config.realm_name = api.env.realm
                config.host_name = api.env.host
                config.domain_name = api.env.domain
                config.dirman_password = self.options.password
                config.ca_ds_port = 389
                config.top_dir = tempfile.mkdtemp("ipa")
                config.dir = config.top_dir
            else:
                config = create_replica_config(
                    self.options.password,
                    self.replica_file,
                    self.options)
                config.kra_host_name = config.master_host_name

            config.setup_kra = True

            if config.subject_base is None:
                attrs = api.Backend.ldap2.get_ipa_config()
                config.subject_base = attrs.get('ipacertificatesubjectbase')[0]

            if config.kra_host_name is None:
                config.kra_host_name = service.find_providing_server(
                    'KRA', api.Backend.ldap2, api.env.ca_host)

        try:
            kra.install_check(api, config, self.options)
        except RuntimeError as e:
            raise admintool.ScriptError(str(e))

        print(dedent(self.INSTALLER_START_MESSAGE))

        try:
            kra.install(api, config, self.options)
        except:
            logger.error('%s', dedent(self.FAIL_MESSAGE))
            raise

        api.Backend.ldap2.disconnect()
Exemple #14
0
    def run(self):
        if not is_ipa_configured():
            print("IPA is not configured.")
            return 2

        if not cainstance.is_ca_installed_locally():
            print("CA is not installed on this server.")
            return 1

        try:
            ipautil.run(['pki-server', 'cert-fix', '--help'], raiseonerr=True)
        except ipautil.CalledProcessError:
            print(
                "The 'pki-server cert-fix' command is not available; "
                "cannot proceed."
            )
            return 1

        api.bootstrap(in_server=True, confdir=paths.ETC_IPA)
        api.finalize()
        api.Backend.ldap2.connect()  # ensure DS is up

        subject_base = dsinstance.DsInstance().find_subject_base()
        if not subject_base:
            raise RuntimeError("Cannot determine certificate subject base.")

        ca_subject_dn = ca.lookup_ca_subject(api, subject_base)

        now = datetime.datetime.now() + datetime.timedelta(weeks=2)
        certs, extra_certs = expired_certs(now)

        if not certs and not extra_certs:
            print("Nothing to do.")
            return 0

        print(msg)

        print_intentions(certs, extra_certs)

        response = ipautil.user_input('Enter "yes" to proceed')
        if response.lower() != 'yes':
            print("Not proceeding.")
            return 0
        print("Proceeding.")

        try:
            run_cert_fix(certs, extra_certs)
        except ipautil.CalledProcessError:
            if any(x[0] is IPACertType.LDAPS for x in extra_certs):
                # The DS cert was expired.  This will cause
                # 'pki-server cert-fix' to fail at the final
                # restart.  Therefore ignore the CalledProcessError
                # and proceed to installing the IPA-specific certs.
                pass
            else:
                raise  # otherwise re-raise

        replicate_dogtag_certs(subject_base, ca_subject_dn, certs)
        install_ipa_certs(subject_base, ca_subject_dn, extra_certs)

        if any(x[0] != 'sslserver' for x in certs) \
                or any(x[0] is IPACertType.IPARA for x in extra_certs):
            # we renewed a "shared" certificate, therefore we must
            # become the renewal master
            print("Becoming renewal master.")
            cainstance.CAInstance().set_renewal_master()

        ipautil.run(['ipactl', 'restart'], raiseonerr=True)

        return 0
Exemple #15
0
    def run(self):
        if not is_ipa_configured():
            print("IPA is not configured.")
            return 2

        if not cainstance.is_ca_installed_locally():
            print("CA is not installed on this server.")
            return 1

        try:
            ipautil.run(['pki-server', 'cert-fix', '--help'], raiseonerr=True)
        except ipautil.CalledProcessError:
            print("The 'pki-server cert-fix' command is not available; "
                  "cannot proceed.")
            return 1

        api.bootstrap(in_server=True, confdir=paths.ETC_IPA)
        api.finalize()

        if not dsinstance.is_ds_running(realm_to_serverid(api.env.realm)):
            print("The LDAP server is not running; cannot proceed.")
            return 1

        api.Backend.ldap2.connect()  # ensure DS is up

        subject_base = dsinstance.DsInstance().find_subject_base()
        if not subject_base:
            raise RuntimeError("Cannot determine certificate subject base.")

        ca_subject_dn = ca.lookup_ca_subject(api, subject_base)

        now = datetime.datetime.now() + datetime.timedelta(weeks=2)
        certs, extra_certs, non_renewed = expired_certs(now)

        if not certs and not extra_certs:
            print("Nothing to do.")
            return 0

        print(msg)

        print_intentions(certs, extra_certs, non_renewed)

        response = ipautil.user_input('Enter "yes" to proceed')
        if response.lower() != 'yes':
            print("Not proceeding.")
            return 0
        print("Proceeding.")

        try:
            fix_certreq_directives(certs)
            run_cert_fix(certs, extra_certs)
        except ipautil.CalledProcessError:
            if any(x[0] is IPACertType.LDAPS
                   for x in extra_certs + non_renewed):
                # The DS cert was expired.  This will cause 'pki-server
                # cert-fix' to fail at the final restart, and return nonzero.
                # So this exception *might* be OK to ignore.
                #
                # If 'pki-server cert-fix' has written new certificates
                # corresponding to all the extra_certs, then ignore the
                # CalledProcessError and proceed to installing the IPA-specific
                # certs.  Otherwise re-raise.
                if check_renewed_ipa_certs(extra_certs):
                    pass
                else:
                    raise
            else:
                raise  # otherwise re-raise

        replicate_dogtag_certs(subject_base, ca_subject_dn, certs)
        install_ipa_certs(subject_base, ca_subject_dn, extra_certs)

        if any(x[0] != 'sslserver' for x in certs) \
                or any(x[0] is IPACertType.IPARA for x in extra_certs):
            # we renewed a "shared" certificate, therefore we must
            # become the renewal master
            print("Becoming renewal master.")
            cainstance.CAInstance().set_renewal_master()

        print("Restarting IPA")
        ipautil.run(['ipactl', 'restart'], raiseonerr=True)

        print(renewal_note)
        return 0
Exemple #16
0
def install_check(standalone, replica_config, options):
    global external_cert_file
    global external_ca_file

    realm_name = options.realm_name
    host_name = options.host_name
    subject_base = options.subject

    if replica_config is not None:
        if standalone and api.env.ra_plugin == 'selfsign':
            sys.exit('A selfsign CA can not be added')

        if not ipautil.file_exists(replica_config.dir + "/cacert.p12"):
            print 'CA cannot be installed in CA-less setup.'
            sys.exit(1)

        if standalone and not options.skip_conncheck:
            replica_conn_check(
                replica_config.master_host_name, host_name, realm_name, True,
                replica_config.ca_ds_port, options.admin_password)

        if options.skip_schema_check:
            root_logger.info("Skipping CA DS schema check")
        else:
            cainstance.replica_ca_install_check(replica_config)

        return

    if standalone:
        if cainstance.is_ca_installed_locally():
            sys.exit("CA is already installed on this host.")
        elif api.Command.ca_is_enabled()['result']:
            sys.exit(
                "One or more CA masters are already present in IPA realm "
                "'%s'.\nIf you wish to replicate CA to this host, please "
                "re-run 'ipa-ca-install'\nwith a replica file generated on "
                "an existing CA master as argument." % realm_name
            )

    if options.external_cert_files:
        if not cainstance.is_step_one_done():
            # This can happen if someone passes external_ca_file without
            # already having done the first stage of the CA install.
            print("CA is not installed yet. To install with an external CA "
                  "is a two-stage process.\nFirst run the installer with "
                  "--external-ca.")
            sys.exit(1)

        external_cert_file, external_ca_file = installutils.load_external_cert(
            options.external_cert_files, options.subject)
    elif options.external_ca:
        if cainstance.is_step_one_done():
            print("CA is already installed.\nRun the installer with "
                  "--external-cert-file.")
            sys.exit(1)
        if ipautil.file_exists(paths.ROOT_IPA_CSR):
            print("CA CSR file %s already exists.\nIn order to continue "
                  "remove the file and run the installer again." %
                  paths.ROOT_IPA_CSR)
            sys.exit(1)

    if not options.external_cert_files:
        if not cainstance.check_port():
            print("IPA requires port 8443 for PKI but it is currently in use.")
            sys.exit("Aborting installation")

    if standalone:
        dirname = dsinstance.config_dirname(
            installutils.realm_to_serverid(realm_name))
        cadb = certs.CertDB(realm_name, subject_base=subject_base)
        dsdb = certs.CertDB(realm_name, nssdir=dirname, subject_base=subject_base)

        for db in (cadb, dsdb):
            for nickname, trust_flags in db.list_certs():
                if nickname in (certdb.get_ca_nickname(realm_name),
                                'ipaCert',
                                'Signing-Cert'):
                    print ("Certificate with nickname %s is present in %s, "
                           "cannot continue." % (nickname, db.secdir))
                    sys.exit(1)

                cert = db.get_cert_from_db(nickname)
                if not cert:
                    continue
                subject = DN(str(x509.get_subject(cert)))
                if subject in (DN('CN=Certificate Authority', subject_base),
                               DN('CN=IPA RA', subject_base),
                               DN('CN=Object Signing Cert', subject_base)):
                    print ("Certificate with subject %s is present in %s, "
                           "cannot continue." % (subject, db.secdir))
                    sys.exit(1)
Exemple #17
0
    def run(self):
        super(KRAInstaller, self).run()

        # Verify DM password. This has to be called after ask_for_options(),
        # so it can't be placed in validate_options().
        try:
            installutils.validate_dm_password_ldap(self.options.password)
        except ValueError:
            raise admintool.ScriptError(
                "Directory Manager password is invalid")

        if not cainstance.is_ca_installed_locally():
            raise RuntimeError("Dogtag CA is not installed. "
                               "Please install a CA first with the "
                               "`ipa-ca-install` command.")

        # check if KRA is not already installed
        _kra = krainstance.KRAInstance(api)
        if _kra.is_installed():
            raise admintool.ScriptError("KRA already installed")

        # this check can be done only when CA is installed
        self.installing_replica = dogtaginstance.is_installing_replica("KRA")

        if self.installing_replica:
            domain_level = dsinstance.get_domain_level(api)
            if domain_level < DOMAIN_LEVEL_1:
                raise RuntimeError("Unsupported domain level %d." %
                                   domain_level)

        if self.args:
            raise RuntimeError("Too many parameters provided.")

        self.options.dm_password = self.options.password
        self.options.setup_ca = False
        self.options.setup_kra = True

        api.Backend.ldap2.connect()

        if self.installing_replica:
            config = ReplicaConfig()
            config.kra_host_name = None
            config.realm_name = api.env.realm
            config.host_name = api.env.host
            config.domain_name = api.env.domain
            config.dirman_password = self.options.password
            config.ca_ds_port = 389
            config.top_dir = tempfile.mkdtemp("ipa")
            config.dir = config.top_dir

            config.setup_kra = True

            if config.subject_base is None:
                attrs = api.Backend.ldap2.get_ipa_config()
                config.subject_base = attrs.get('ipacertificatesubjectbase')[0]

            if config.kra_host_name is None:
                config.kra_host_name = find_providing_server(
                    'KRA', api.Backend.ldap2, [api.env.ca_host])
                if config.kra_host_name is None:
                    # all CA/KRA servers are down or unreachable.
                    raise admintool.ScriptError(
                        "Failed to find an active KRA server!")
            custodia = custodiainstance.get_custodia_instance(
                config, custodiainstance.CustodiaModes.KRA_PEER)
        else:
            config = None
            custodia = None

        try:
            kra.install_check(api, config, self.options)
        except RuntimeError as e:
            raise admintool.ScriptError(str(e))

        print(dedent(self.INSTALLER_START_MESSAGE))

        try:
            kra.install(api, config, self.options, custodia=custodia)
        except:
            logger.error('%s', dedent(self.FAIL_MESSAGE))
            raise

        # pki-spawn restarts 389-DS, reconnect
        api.Backend.ldap2.close()
        api.Backend.ldap2.connect()

        # Enable configured services and update DNS SRV records
        service.sync_services_state(api.env.host)
        api.Command.dns_update_system_records()
        api.Backend.ldap2.disconnect()
Exemple #18
0
    def run(self):
        super(KRAInstaller, self).run()

        # Verify DM password. This has to be called after ask_for_options(),
        # so it can't be placed in validate_options().
        try:
            installutils.validate_dm_password_ldap(self.options.password)
        except ValueError:
            raise admintool.ScriptError(
                "Directory Manager password is invalid")

        if not cainstance.is_ca_installed_locally():
            raise RuntimeError("Dogtag CA is not installed. "
                               "Please install the CA first")

        # check if KRA is not already installed
        _kra = krainstance.KRAInstance(api)
        if _kra.is_installed():
            raise admintool.ScriptError("KRA already installed")

        # this check can be done only when CA is installed
        self.installing_replica = dogtaginstance.is_installing_replica("KRA")
        self.options.promote = False

        if self.installing_replica:
            domain_level = dsinstance.get_domain_level(api)
            if domain_level > DOMAIN_LEVEL_0:
                self.options.promote = True
            elif not self.args:
                raise RuntimeError("A replica file is required.")

        if self.args and (not self.installing_replica or self.options.promote):
            raise RuntimeError("Too many parameters provided. "
                               "No replica file is required.")

        self.options.dm_password = self.options.password
        self.options.setup_ca = False
        self.options.setup_kra = True

        api.Backend.ldap2.connect()

        config = None
        if self.installing_replica:
            if self.options.promote:
                config = ReplicaConfig()
                config.kra_host_name = None
                config.realm_name = api.env.realm
                config.host_name = api.env.host
                config.domain_name = api.env.domain
                config.dirman_password = self.options.password
                config.ca_ds_port = 389
                config.top_dir = tempfile.mkdtemp("ipa")
                config.dir = config.top_dir
            else:
                config = create_replica_config(
                    self.options.password,
                    self.replica_file,
                    self.options)
                config.kra_host_name = config.master_host_name

            config.setup_kra = True

            if config.subject_base is None:
                attrs = api.Backend.ldap2.get_ipa_config()
                config.subject_base = attrs.get('ipacertificatesubjectbase')[0]

            if config.kra_host_name is None:
                config.kra_host_name = service.find_providing_server(
                    'KRA', api.Backend.ldap2, api.env.ca_host)

        try:
            kra.install_check(api, config, self.options)
        except RuntimeError as e:
            raise admintool.ScriptError(str(e))

        print(dedent(self.INSTALLER_START_MESSAGE))

        try:
            kra.install(api, config, self.options)
        except:
            self.log.error(dedent(self.FAIL_MESSAGE))
            raise

        api.Backend.ldap2.disconnect()
Exemple #19
0
    def run(self):
        super(KRAInstaller, self).run()

        # Verify DM password. This has to be called after ask_for_options(),
        # so it can't be placed in validate_options().
        try:
            installutils.validate_dm_password_ldap(self.options.password)
        except ValueError:
            raise admintool.ScriptError(
                "Directory Manager password is invalid")

        if not cainstance.is_ca_installed_locally():
            raise RuntimeError("Dogtag CA is not installed. "
                               "Please install a CA first with the "
                               "`ipa-ca-install` command.")

        # check if KRA is not already installed
        _kra = krainstance.KRAInstance(api)
        if _kra.is_installed():
            raise admintool.ScriptError("KRA already installed")

        # this check can be done only when CA is installed
        self.installing_replica = dogtaginstance.is_installing_replica("KRA")

        if self.installing_replica:
            domain_level = dsinstance.get_domain_level(api)
            if domain_level < DOMAIN_LEVEL_1:
                raise RuntimeError(
                    "Unsupported domain level %d." % domain_level)

        if self.args:
            raise RuntimeError("Too many parameters provided.")

        self.options.dm_password = self.options.password
        self.options.setup_ca = False
        self.options.setup_kra = True

        api.Backend.ldap2.connect()

        if self.installing_replica:
            config = ReplicaConfig()
            config.kra_host_name = None
            config.realm_name = api.env.realm
            config.host_name = api.env.host
            config.domain_name = api.env.domain
            config.dirman_password = self.options.password
            config.ca_ds_port = 389
            config.top_dir = tempfile.mkdtemp("ipa")
            config.dir = config.top_dir

            config.setup_kra = True

            if config.subject_base is None:
                attrs = api.Backend.ldap2.get_ipa_config()
                config.subject_base = attrs.get('ipacertificatesubjectbase')[0]

            if config.kra_host_name is None:
                config.kra_host_name = find_providing_server(
                    'KRA', api.Backend.ldap2, [api.env.ca_host]
                )
                if config.kra_host_name is None:
                    # all CA/KRA servers are down or unreachable.
                    raise admintool.ScriptError(
                        "Failed to find an active KRA server!"
                    )
            custodia = custodiainstance.get_custodia_instance(
                config, custodiainstance.CustodiaModes.KRA_PEER)
        else:
            config = None
            custodia = None

        try:
            kra.install_check(api, config, self.options)
        except RuntimeError as e:
            raise admintool.ScriptError(str(e))

        print(dedent(self.INSTALLER_START_MESSAGE))

        try:
            kra.install(api, config, self.options, custodia=custodia)
        except:
            logger.error('%s', dedent(self.FAIL_MESSAGE))
            raise

        # pki-spawn restarts 389-DS, reconnect
        api.Backend.ldap2.close()
        api.Backend.ldap2.connect()

        # Enable configured services and update DNS SRV records
        service.sync_services_state(api.env.host)
        api.Command.dns_update_system_records()
        api.Backend.ldap2.disconnect()
Exemple #20
0
    def run(self):
        super(KRAInstaller, self).run()

        if not cainstance.is_ca_installed_locally():
            raise RuntimeError("Dogtag CA is not installed. " "Please install the CA first")

        # check if KRA is not already installed
        _kra = krainstance.KRAInstance(api)
        if _kra.is_installed():
            raise admintool.ScriptError("KRA already installed")

        # this check can be done only when CA is installed
        self.installing_replica = dogtaginstance.is_installing_replica("KRA")
        self.options.promote = False

        if self.installing_replica:
            domain_level = dsinstance.get_domain_level(api)
            if domain_level > DOMAIN_LEVEL_0:
                self.options.promote = True
            elif not self.args:
                raise RuntimeError("A replica file is required.")

        if self.args and (not self.installing_replica or self.options.promote):
            raise RuntimeError("Too many parameters provided. " "No replica file is required.")

        self.options.dm_password = self.options.password
        self.options.setup_ca = False

        conn = api.Backend.ldap2
        conn.connect(bind_dn=DN(("cn", "Directory Manager")), bind_pw=self.options.password)

        config = None
        if self.installing_replica:
            if self.options.promote:
                config = ReplicaConfig()
                config.master_host_name = None
                config.realm_name = api.env.realm
                config.host_name = api.env.host
                config.domain_name = api.env.domain
                config.dirman_password = self.options.password
                config.ca_ds_port = 389
                config.top_dir = tempfile.mkdtemp("ipa")
                config.dir = config.top_dir
            else:
                config = create_replica_config(self.options.password, self.replica_file, self.options)

            if config.subject_base is None:
                attrs = conn.get_ipa_config()
                config.subject_base = attrs.get("ipacertificatesubjectbase")[0]

            if config.master_host_name is None:
                config.kra_host_name = service.find_providing_server("KRA", conn, api.env.ca_host)
                config.master_host_name = config.kra_host_name
            else:
                config.kra_host_name = config.master_host_name

        try:
            kra.install_check(api, config, self.options)
        except RuntimeError as e:
            raise admintool.ScriptError(str(e))

        print(dedent(self.INSTALLER_START_MESSAGE))

        try:
            kra.install(api, config, self.options)
        except:
            self.log.error(dedent(self.FAIL_MESSAGE))
            raise