def install_check(api, replica_config, options):
if replica_config is not None and not replica_config.setup_kra:
return
kra = krainstance.KRAInstance(api.env.realm)
if kra.is_installed():
raise RuntimeError("KRA is already installed.")
if not options.setup_ca:
if cainstance.is_ca_installed_locally():
if api.env.dogtag_version >= 10:
# correct dogtag version of CA installed
pass
else:
raise RuntimeError(
"Dogtag must be version 10.2 or above to install KRA")
else:
raise RuntimeError(
"Dogtag CA is not installed. Please install the CA first")
if replica_config is not None:
if not api.Command.kra_is_enabled()['result']:
raise RuntimeError(
"KRA is not installed on the master system. Please use "
"'ipa-kra-install' command to install the first instance.")
def uninstall_check(options):
"""Check if the host is CRL generation master"""
# Skip the checks if the host is not a CA instance
ca = cainstance.CAInstance(api.env.realm)
if not (api.Command.ca_is_enabled()['result'] and
cainstance.is_ca_installed_locally()):
return
# skip the checks if the host is the last master
ipa_config = api.Command.config_show()['result']
ipa_masters = ipa_config.get('ipa_master_server', [])
if len(ipa_masters) <= 1:
return
try:
crlgen_enabled = ca.is_crlgen_enabled()
except cainstance.InconsistentCRLGenConfigException:
# If config is inconsistent, let's be safe and act as if
# crl gen was enabled
crlgen_enabled = True
if crlgen_enabled:
print("Deleting this server will leave your installation "
"without a CRL generation master.")
if (options.unattended and not options.ignore_last_of_role) or \
not (options.unattended or ipautil.user_input(
"Are you sure you want to continue with the uninstall "
"procedure?", False)):
raise ScriptError("Aborting uninstall operation.")
def run(self):
if not is_ipa_configured():
print("IPA is not configured.")
return 2
if not cainstance.is_ca_installed_locally():
print("CA is not installed on this server.")
return 3
api.bootstrap(in_server=True, confdir=paths.ETC_IPA)
api.finalize()
api.Backend.ldap2.connect()
state = acme_state(api)
with state as ca_api:
if self.command == Command.ENABLE:
self.check_san_status()
ca_api.enable()
elif self.command == Command.DISABLE:
ca_api.disable()
elif self.command == Command.STATUS:
status = "enabled" if dogtag.acme_status() else "disabled"
print("ACME is {}".format(status))
return 0
else:
raise RuntimeError('programmer error: unhandled enum case')
return 0
def install_check(api, replica_config, options):
if replica_config is not None and not replica_config.setup_kra:
return
kra = krainstance.KRAInstance(api.env.realm)
if kra.is_installed():
raise RuntimeError("KRA is already installed.")
if not options.setup_ca:
if cainstance.is_ca_installed_locally():
if api.env.dogtag_version >= 10:
# correct dogtag version of CA installed
pass
else:
raise RuntimeError(
"Dogtag must be version 10.2 or above to install KRA")
else:
raise RuntimeError(
"Dogtag CA is not installed. Please install the CA first")
if replica_config is not None:
if not api.Command.kra_is_enabled()['result']:
raise RuntimeError(
"KRA is not installed on the master system. Please use "
"'ipa-kra-install' command to install the first instance.")
def run(self):
if not is_ipa_configured():
print("IPA is not configured.")
return 2
if not cainstance.is_ca_installed_locally():
print("CA is not installed on this server.")
return 1
if self.command == Command.ENABLE:
directive = 'enabled'
value = 'true'
elif self.command == Command.DISABLE:
directive = 'enabled'
value = 'false'
else:
raise RuntimeError('programmer error: unhandled enum case')
with DirectiveSetter(
paths.PKI_ACME_ENGINE_CONF,
separator='=',
quotes=False,
) as ds:
ds.set(directive, value)
# Work around a limitation in PKI ACME service file watching
# where renames (what DirectiveSetter does) are not detected.
# It will be fixed, but keeping the workaround will do no harm.
pathlib.Path(paths.PKI_ACME_ENGINE_CONF).touch()
# Nothing else to do; the Dogtag ACME service monitors engine.conf
# for updates and reconfigures itself as required.
return 0
def uninstall_check(options):
"""Check if the host is CRL generation master"""
# Skip the checks if the host is not a CA instance
ca = cainstance.CAInstance(api.env.realm)
if not (api.Command.ca_is_enabled()['result']
and cainstance.is_ca_installed_locally()):
return
# skip the checks if the host is the last master
ipa_config = api.Command.config_show()['result']
ipa_masters = ipa_config.get('ipa_master_server', [])
if len(ipa_masters) <= 1:
return
try:
crlgen_enabled = ca.is_crlgen_enabled()
except cainstance.InconsistentCRLGenConfigException:
# If config is inconsistent, let's be safe and act as if
# crl gen was enabled
crlgen_enabled = True
if crlgen_enabled:
print("Deleting this server will leave your installation "
"without a CRL generation master.")
if (options.unattended and not options.ignore_last_of_role) or \
not (options.unattended or ipautil.user_input(
"Are you sure you want to continue with the uninstall "
"procedure?", False)):
raise ScriptError("Aborting uninstall operation.")
def check_local_ca_instance(self, raiseOnErr=False):
if not api.Command.ca_is_enabled()['result'] or \
not cainstance.is_ca_installed_locally():
if raiseOnErr:
raise RuntimeError("Dogtag CA is not installed. "
"Please install a CA first with the "
"`ipa-ca-install` command.")
else:
logger.warning(
"Warning: Dogtag CA is not installed on this server.")
return False
return True
def install_check(api, replica_config, options):
if replica_config is not None and not replica_config.setup_kra:
return
kra = krainstance.KRAInstance(api.env.realm)
if kra.is_installed():
raise RuntimeError("KRA is already installed.")
if not options.setup_ca:
if cainstance.is_ca_installed_locally():
if api.env.dogtag_version >= 10:
# correct dogtag version of CA installed
pass
else:
raise RuntimeError(
"Dogtag must be version 10.2 or above to install KRA")
else:
raise RuntimeError(
"Dogtag CA is not installed. Please install the CA first")
if replica_config is not None:
if not api.Command.kra_is_enabled()['result']:
raise RuntimeError(
"KRA is not installed on the master system. Please use "
"'ipa-kra-install' command to install the first instance.")
if options.promote:
return
with certdb.NSSDatabase() as tmpdb:
pw = ipautil.write_tmp_file(ipautil.ipa_generate_password())
tmpdb.create_db(pw.name)
tmpdb.import_pkcs12(replica_config.dir + "/cacert.p12", pw.name,
replica_config.dirman_password)
kra_cert_nicknames = [
"storageCert cert-pki-kra", "transportCert cert-pki-kra",
"auditSigningCert cert-pki-kra"
]
if not all(
tmpdb.has_nickname(nickname)
for nickname in kra_cert_nicknames):
raise RuntimeError("Missing KRA certificates, please create a "
"new replica file.")
def install_check(api, replica_config, options):
if replica_config is not None and not replica_config.setup_kra:
return
kra = krainstance.KRAInstance(api.env.realm)
if kra.is_installed():
raise RuntimeError("KRA is already installed.")
if not options.setup_ca:
if cainstance.is_ca_installed_locally():
if api.env.dogtag_version >= 10:
# correct dogtag version of CA installed
pass
else:
raise RuntimeError(
"Dogtag must be version 10.2 or above to install KRA")
else:
raise RuntimeError(
"Dogtag CA is not installed. Please install the CA first")
if replica_config is not None:
if not api.Command.kra_is_enabled()['result']:
raise RuntimeError(
"KRA is not installed on the master system. Please use "
"'ipa-kra-install' command to install the first instance.")
if options.promote:
return
with certdb.NSSDatabase() as tmpdb:
pw = ipautil.write_tmp_file(ipautil.ipa_generate_password())
tmpdb.create_db(pw.name)
tmpdb.import_pkcs12(replica_config.dir + "/cacert.p12", pw.name,
replica_config.dirman_password)
kra_cert_nicknames = [
"storageCert cert-pki-kra", "transportCert cert-pki-kra",
"auditSigningCert cert-pki-kra"
]
if not all(tmpdb.has_nickname(nickname)
for nickname in kra_cert_nicknames):
raise RuntimeError("Missing KRA certificates, please create a "
"new replica file.")
def install_check(replica_config, options, enable_kra, dogtag_version):
if enable_kra:
raise RuntimeError("KRA is already installed.")
if not options.setup_ca:
if cainstance.is_ca_installed_locally():
if dogtag_version >= 10:
# correct dogtag version of CA installed
pass
else:
raise RuntimeError(
"Dogtag must be version 10.2 or above to install KRA")
else:
raise RuntimeError(
"Dogtag CA is not installed. Please install the CA first")
if replica_config is not None:
if not read_replica_info_kra_enabled(replica_config.dir):
raise RuntimeError(
"Either KRA is not installed on the master system or "
"your replica file is out of date"
)
def validate_options(self, needs_root=True):
super(KRAInstaller, self).validate_options(needs_root=True)
dogtag_version = int(api.env.dogtag_version)
enable_kra = api.env.enable_kra
if enable_kra:
self.option_parser.error("KRA is already installed.")
ca_installed = cainstance.is_ca_installed_locally()
if ca_installed:
if dogtag_version >= 10:
# correct dogtag version of CA installed
pass
else:
self.option_parser.error(
"Dogtag must be version 10.2 or above to install KRA")
else:
self.option_parser.error(
"Dogtag CA is not installed. Please install the CA first")
self.installing_replica = dogtaginstance.is_installing_replica("KRA")
if self.installing_replica:
if not self.args:
self.option_parser.error("A replica file is required.")
if len(self.args) > 1:
self.option_parser.error("Too many arguments provided")
self.replica_file = self.args[0]
if not ipautil.file_exists(self.replica_file):
self.option_parser.error(
"Replica file %s does not exist" % self.replica_file)
else:
if self.args:
self.option_parser.error("Too many parameters provided. "
"No replica file is required.")
def validate_options(self, needs_root=True):
super(KRAInstaller, self).validate_options(needs_root=True)
dogtag_version = int(api.env.dogtag_version)
enable_kra = api.env.enable_kra
if enable_kra:
self.option_parser.error("KRA is already installed.")
ca_installed = cainstance.is_ca_installed_locally()
if ca_installed:
if dogtag_version >= 10:
# correct dogtag version of CA installed
pass
else:
self.option_parser.error(
"Dogtag must be version 10.2 or above to install KRA")
else:
self.option_parser.error(
"Dogtag CA is not installed. Please install the CA first")
self.installing_replica = dogtaginstance.is_installing_replica("KRA")
if self.installing_replica:
if not self.args:
self.option_parser.error("A replica file is required.")
if len(self.args) > 1:
self.option_parser.error("Too many arguments provided")
self.replica_file = self.args[0]
if not ipautil.file_exists(self.replica_file):
self.option_parser.error("Replica file %s does not exist" %
self.replica_file)
else:
if self.args:
self.option_parser.error("Too many parameters provided. "
"No replica file is required.")
def run(self):
super(KRAInstaller, self).run()
# Verify DM password. This has to be called after ask_for_options(),
# so it can't be placed in validate_options().
try:
installutils.validate_dm_password_ldap(self.options.password)
except ValueError:
raise admintool.ScriptError(
"Directory Manager password is invalid")
if not cainstance.is_ca_installed_locally():
raise RuntimeError("Dogtag CA is not installed. "
"Please install a CA first with the "
"`ipa-ca-install` command.")
# check if KRA is not already installed
_kra = krainstance.KRAInstance(api)
if _kra.is_installed():
raise admintool.ScriptError("KRA already installed")
# this check can be done only when CA is installed
self.installing_replica = dogtaginstance.is_installing_replica("KRA")
self.options.promote = False
if self.installing_replica:
domain_level = dsinstance.get_domain_level(api)
if domain_level > DOMAIN_LEVEL_0:
self.options.promote = True
elif not self.args:
raise RuntimeError("A replica file is required.")
if self.args and (not self.installing_replica or self.options.promote):
raise RuntimeError("Too many parameters provided. "
"No replica file is required.")
self.options.dm_password = self.options.password
self.options.setup_ca = False
self.options.setup_kra = True
api.Backend.ldap2.connect()
config = None
if self.installing_replica:
if self.options.promote:
config = ReplicaConfig()
config.kra_host_name = None
config.realm_name = api.env.realm
config.host_name = api.env.host
config.domain_name = api.env.domain
config.dirman_password = self.options.password
config.ca_ds_port = 389
config.top_dir = tempfile.mkdtemp("ipa")
config.dir = config.top_dir
else:
config = create_replica_config(
self.options.password,
self.replica_file,
self.options)
config.kra_host_name = config.master_host_name
config.setup_kra = True
if config.subject_base is None:
attrs = api.Backend.ldap2.get_ipa_config()
config.subject_base = attrs.get('ipacertificatesubjectbase')[0]
if config.kra_host_name is None:
config.kra_host_name = service.find_providing_server(
'KRA', api.Backend.ldap2, api.env.ca_host)
try:
kra.install_check(api, config, self.options)
except RuntimeError as e:
raise admintool.ScriptError(str(e))
print(dedent(self.INSTALLER_START_MESSAGE))
try:
kra.install(api, config, self.options)
except:
logger.error('%s', dedent(self.FAIL_MESSAGE))
raise
api.Backend.ldap2.disconnect()
def run(self):
if not is_ipa_configured():
print("IPA is not configured.")
return 2
if not cainstance.is_ca_installed_locally():
print("CA is not installed on this server.")
return 1
try:
ipautil.run(['pki-server', 'cert-fix', '--help'], raiseonerr=True)
except ipautil.CalledProcessError:
print(
"The 'pki-server cert-fix' command is not available; "
"cannot proceed."
)
return 1
api.bootstrap(in_server=True, confdir=paths.ETC_IPA)
api.finalize()
api.Backend.ldap2.connect() # ensure DS is up
subject_base = dsinstance.DsInstance().find_subject_base()
if not subject_base:
raise RuntimeError("Cannot determine certificate subject base.")
ca_subject_dn = ca.lookup_ca_subject(api, subject_base)
now = datetime.datetime.now() + datetime.timedelta(weeks=2)
certs, extra_certs = expired_certs(now)
if not certs and not extra_certs:
print("Nothing to do.")
return 0
print(msg)
print_intentions(certs, extra_certs)
response = ipautil.user_input('Enter "yes" to proceed')
if response.lower() != 'yes':
print("Not proceeding.")
return 0
print("Proceeding.")
try:
run_cert_fix(certs, extra_certs)
except ipautil.CalledProcessError:
if any(x[0] is IPACertType.LDAPS for x in extra_certs):
# The DS cert was expired. This will cause
# 'pki-server cert-fix' to fail at the final
# restart. Therefore ignore the CalledProcessError
# and proceed to installing the IPA-specific certs.
pass
else:
raise # otherwise re-raise
replicate_dogtag_certs(subject_base, ca_subject_dn, certs)
install_ipa_certs(subject_base, ca_subject_dn, extra_certs)
if any(x[0] != 'sslserver' for x in certs) \
or any(x[0] is IPACertType.IPARA for x in extra_certs):
# we renewed a "shared" certificate, therefore we must
# become the renewal master
print("Becoming renewal master.")
cainstance.CAInstance().set_renewal_master()
ipautil.run(['ipactl', 'restart'], raiseonerr=True)
return 0
def run(self):
if not is_ipa_configured():
print("IPA is not configured.")
return 2
if not cainstance.is_ca_installed_locally():
print("CA is not installed on this server.")
return 1
try:
ipautil.run(['pki-server', 'cert-fix', '--help'], raiseonerr=True)
except ipautil.CalledProcessError:
print("The 'pki-server cert-fix' command is not available; "
"cannot proceed.")
return 1
api.bootstrap(in_server=True, confdir=paths.ETC_IPA)
api.finalize()
if not dsinstance.is_ds_running(realm_to_serverid(api.env.realm)):
print("The LDAP server is not running; cannot proceed.")
return 1
api.Backend.ldap2.connect() # ensure DS is up
subject_base = dsinstance.DsInstance().find_subject_base()
if not subject_base:
raise RuntimeError("Cannot determine certificate subject base.")
ca_subject_dn = ca.lookup_ca_subject(api, subject_base)
now = datetime.datetime.now() + datetime.timedelta(weeks=2)
certs, extra_certs, non_renewed = expired_certs(now)
if not certs and not extra_certs:
print("Nothing to do.")
return 0
print(msg)
print_intentions(certs, extra_certs, non_renewed)
response = ipautil.user_input('Enter "yes" to proceed')
if response.lower() != 'yes':
print("Not proceeding.")
return 0
print("Proceeding.")
try:
fix_certreq_directives(certs)
run_cert_fix(certs, extra_certs)
except ipautil.CalledProcessError:
if any(x[0] is IPACertType.LDAPS
for x in extra_certs + non_renewed):
# The DS cert was expired. This will cause 'pki-server
# cert-fix' to fail at the final restart, and return nonzero.
# So this exception *might* be OK to ignore.
#
# If 'pki-server cert-fix' has written new certificates
# corresponding to all the extra_certs, then ignore the
# CalledProcessError and proceed to installing the IPA-specific
# certs. Otherwise re-raise.
if check_renewed_ipa_certs(extra_certs):
pass
else:
raise
else:
raise # otherwise re-raise
replicate_dogtag_certs(subject_base, ca_subject_dn, certs)
install_ipa_certs(subject_base, ca_subject_dn, extra_certs)
if any(x[0] != 'sslserver' for x in certs) \
or any(x[0] is IPACertType.IPARA for x in extra_certs):
# we renewed a "shared" certificate, therefore we must
# become the renewal master
print("Becoming renewal master.")
cainstance.CAInstance().set_renewal_master()
print("Restarting IPA")
ipautil.run(['ipactl', 'restart'], raiseonerr=True)
print(renewal_note)
return 0
def install_check(standalone, replica_config, options):
global external_cert_file
global external_ca_file
realm_name = options.realm_name
host_name = options.host_name
subject_base = options.subject
if replica_config is not None:
if standalone and api.env.ra_plugin == 'selfsign':
sys.exit('A selfsign CA can not be added')
if not ipautil.file_exists(replica_config.dir + "/cacert.p12"):
print 'CA cannot be installed in CA-less setup.'
sys.exit(1)
if standalone and not options.skip_conncheck:
replica_conn_check(
replica_config.master_host_name, host_name, realm_name, True,
replica_config.ca_ds_port, options.admin_password)
if options.skip_schema_check:
root_logger.info("Skipping CA DS schema check")
else:
cainstance.replica_ca_install_check(replica_config)
return
if standalone:
if cainstance.is_ca_installed_locally():
sys.exit("CA is already installed on this host.")
elif api.Command.ca_is_enabled()['result']:
sys.exit(
"One or more CA masters are already present in IPA realm "
"'%s'.\nIf you wish to replicate CA to this host, please "
"re-run 'ipa-ca-install'\nwith a replica file generated on "
"an existing CA master as argument." % realm_name
)
if options.external_cert_files:
if not cainstance.is_step_one_done():
# This can happen if someone passes external_ca_file without
# already having done the first stage of the CA install.
print("CA is not installed yet. To install with an external CA "
"is a two-stage process.\nFirst run the installer with "
"--external-ca.")
sys.exit(1)
external_cert_file, external_ca_file = installutils.load_external_cert(
options.external_cert_files, options.subject)
elif options.external_ca:
if cainstance.is_step_one_done():
print("CA is already installed.\nRun the installer with "
"--external-cert-file.")
sys.exit(1)
if ipautil.file_exists(paths.ROOT_IPA_CSR):
print("CA CSR file %s already exists.\nIn order to continue "
"remove the file and run the installer again." %
paths.ROOT_IPA_CSR)
sys.exit(1)
if not options.external_cert_files:
if not cainstance.check_port():
print("IPA requires port 8443 for PKI but it is currently in use.")
sys.exit("Aborting installation")
if standalone:
dirname = dsinstance.config_dirname(
installutils.realm_to_serverid(realm_name))
cadb = certs.CertDB(realm_name, subject_base=subject_base)
dsdb = certs.CertDB(realm_name, nssdir=dirname, subject_base=subject_base)
for db in (cadb, dsdb):
for nickname, trust_flags in db.list_certs():
if nickname in (certdb.get_ca_nickname(realm_name),
'ipaCert',
'Signing-Cert'):
print ("Certificate with nickname %s is present in %s, "
"cannot continue." % (nickname, db.secdir))
sys.exit(1)
cert = db.get_cert_from_db(nickname)
if not cert:
continue
subject = DN(str(x509.get_subject(cert)))
if subject in (DN('CN=Certificate Authority', subject_base),
DN('CN=IPA RA', subject_base),
DN('CN=Object Signing Cert', subject_base)):
print ("Certificate with subject %s is present in %s, "
"cannot continue." % (subject, db.secdir))
sys.exit(1)
def run(self):
super(KRAInstaller, self).run()
# Verify DM password. This has to be called after ask_for_options(),
# so it can't be placed in validate_options().
try:
installutils.validate_dm_password_ldap(self.options.password)
except ValueError:
raise admintool.ScriptError(
"Directory Manager password is invalid")
if not cainstance.is_ca_installed_locally():
raise RuntimeError("Dogtag CA is not installed. "
"Please install a CA first with the "
"`ipa-ca-install` command.")
# check if KRA is not already installed
_kra = krainstance.KRAInstance(api)
if _kra.is_installed():
raise admintool.ScriptError("KRA already installed")
# this check can be done only when CA is installed
self.installing_replica = dogtaginstance.is_installing_replica("KRA")
if self.installing_replica:
domain_level = dsinstance.get_domain_level(api)
if domain_level < DOMAIN_LEVEL_1:
raise RuntimeError("Unsupported domain level %d." %
domain_level)
if self.args:
raise RuntimeError("Too many parameters provided.")
self.options.dm_password = self.options.password
self.options.setup_ca = False
self.options.setup_kra = True
api.Backend.ldap2.connect()
if self.installing_replica:
config = ReplicaConfig()
config.kra_host_name = None
config.realm_name = api.env.realm
config.host_name = api.env.host
config.domain_name = api.env.domain
config.dirman_password = self.options.password
config.ca_ds_port = 389
config.top_dir = tempfile.mkdtemp("ipa")
config.dir = config.top_dir
config.setup_kra = True
if config.subject_base is None:
attrs = api.Backend.ldap2.get_ipa_config()
config.subject_base = attrs.get('ipacertificatesubjectbase')[0]
if config.kra_host_name is None:
config.kra_host_name = find_providing_server(
'KRA', api.Backend.ldap2, [api.env.ca_host])
if config.kra_host_name is None:
# all CA/KRA servers are down or unreachable.
raise admintool.ScriptError(
"Failed to find an active KRA server!")
custodia = custodiainstance.get_custodia_instance(
config, custodiainstance.CustodiaModes.KRA_PEER)
else:
config = None
custodia = None
try:
kra.install_check(api, config, self.options)
except RuntimeError as e:
raise admintool.ScriptError(str(e))
print(dedent(self.INSTALLER_START_MESSAGE))
try:
kra.install(api, config, self.options, custodia=custodia)
except:
logger.error('%s', dedent(self.FAIL_MESSAGE))
raise
# pki-spawn restarts 389-DS, reconnect
api.Backend.ldap2.close()
api.Backend.ldap2.connect()
# Enable configured services and update DNS SRV records
service.sync_services_state(api.env.host)
api.Command.dns_update_system_records()
api.Backend.ldap2.disconnect()
def run(self):
super(KRAInstaller, self).run()
# Verify DM password. This has to be called after ask_for_options(),
# so it can't be placed in validate_options().
try:
installutils.validate_dm_password_ldap(self.options.password)
except ValueError:
raise admintool.ScriptError(
"Directory Manager password is invalid")
if not cainstance.is_ca_installed_locally():
raise RuntimeError("Dogtag CA is not installed. "
"Please install the CA first")
# check if KRA is not already installed
_kra = krainstance.KRAInstance(api)
if _kra.is_installed():
raise admintool.ScriptError("KRA already installed")
# this check can be done only when CA is installed
self.installing_replica = dogtaginstance.is_installing_replica("KRA")
self.options.promote = False
if self.installing_replica:
domain_level = dsinstance.get_domain_level(api)
if domain_level > DOMAIN_LEVEL_0:
self.options.promote = True
elif not self.args:
raise RuntimeError("A replica file is required.")
if self.args and (not self.installing_replica or self.options.promote):
raise RuntimeError("Too many parameters provided. "
"No replica file is required.")
self.options.dm_password = self.options.password
self.options.setup_ca = False
self.options.setup_kra = True
api.Backend.ldap2.connect()
config = None
if self.installing_replica:
if self.options.promote:
config = ReplicaConfig()
config.kra_host_name = None
config.realm_name = api.env.realm
config.host_name = api.env.host
config.domain_name = api.env.domain
config.dirman_password = self.options.password
config.ca_ds_port = 389
config.top_dir = tempfile.mkdtemp("ipa")
config.dir = config.top_dir
else:
config = create_replica_config(
self.options.password,
self.replica_file,
self.options)
config.kra_host_name = config.master_host_name
config.setup_kra = True
if config.subject_base is None:
attrs = api.Backend.ldap2.get_ipa_config()
config.subject_base = attrs.get('ipacertificatesubjectbase')[0]
if config.kra_host_name is None:
config.kra_host_name = service.find_providing_server(
'KRA', api.Backend.ldap2, api.env.ca_host)
try:
kra.install_check(api, config, self.options)
except RuntimeError as e:
raise admintool.ScriptError(str(e))
print(dedent(self.INSTALLER_START_MESSAGE))
try:
kra.install(api, config, self.options)
except:
self.log.error(dedent(self.FAIL_MESSAGE))
raise
api.Backend.ldap2.disconnect()
def run(self):
super(KRAInstaller, self).run()
# Verify DM password. This has to be called after ask_for_options(),
# so it can't be placed in validate_options().
try:
installutils.validate_dm_password_ldap(self.options.password)
except ValueError:
raise admintool.ScriptError(
"Directory Manager password is invalid")
if not cainstance.is_ca_installed_locally():
raise RuntimeError("Dogtag CA is not installed. "
"Please install a CA first with the "
"`ipa-ca-install` command.")
# check if KRA is not already installed
_kra = krainstance.KRAInstance(api)
if _kra.is_installed():
raise admintool.ScriptError("KRA already installed")
# this check can be done only when CA is installed
self.installing_replica = dogtaginstance.is_installing_replica("KRA")
if self.installing_replica:
domain_level = dsinstance.get_domain_level(api)
if domain_level < DOMAIN_LEVEL_1:
raise RuntimeError(
"Unsupported domain level %d." % domain_level)
if self.args:
raise RuntimeError("Too many parameters provided.")
self.options.dm_password = self.options.password
self.options.setup_ca = False
self.options.setup_kra = True
api.Backend.ldap2.connect()
if self.installing_replica:
config = ReplicaConfig()
config.kra_host_name = None
config.realm_name = api.env.realm
config.host_name = api.env.host
config.domain_name = api.env.domain
config.dirman_password = self.options.password
config.ca_ds_port = 389
config.top_dir = tempfile.mkdtemp("ipa")
config.dir = config.top_dir
config.setup_kra = True
if config.subject_base is None:
attrs = api.Backend.ldap2.get_ipa_config()
config.subject_base = attrs.get('ipacertificatesubjectbase')[0]
if config.kra_host_name is None:
config.kra_host_name = find_providing_server(
'KRA', api.Backend.ldap2, [api.env.ca_host]
)
if config.kra_host_name is None:
# all CA/KRA servers are down or unreachable.
raise admintool.ScriptError(
"Failed to find an active KRA server!"
)
custodia = custodiainstance.get_custodia_instance(
config, custodiainstance.CustodiaModes.KRA_PEER)
else:
config = None
custodia = None
try:
kra.install_check(api, config, self.options)
except RuntimeError as e:
raise admintool.ScriptError(str(e))
print(dedent(self.INSTALLER_START_MESSAGE))
try:
kra.install(api, config, self.options, custodia=custodia)
except:
logger.error('%s', dedent(self.FAIL_MESSAGE))
raise
# pki-spawn restarts 389-DS, reconnect
api.Backend.ldap2.close()
api.Backend.ldap2.connect()
# Enable configured services and update DNS SRV records
service.sync_services_state(api.env.host)
api.Command.dns_update_system_records()
api.Backend.ldap2.disconnect()
def run(self):
super(KRAInstaller, self).run()
if not cainstance.is_ca_installed_locally():
raise RuntimeError("Dogtag CA is not installed. " "Please install the CA first")
# check if KRA is not already installed
_kra = krainstance.KRAInstance(api)
if _kra.is_installed():
raise admintool.ScriptError("KRA already installed")
# this check can be done only when CA is installed
self.installing_replica = dogtaginstance.is_installing_replica("KRA")
self.options.promote = False
if self.installing_replica:
domain_level = dsinstance.get_domain_level(api)
if domain_level > DOMAIN_LEVEL_0:
self.options.promote = True
elif not self.args:
raise RuntimeError("A replica file is required.")
if self.args and (not self.installing_replica or self.options.promote):
raise RuntimeError("Too many parameters provided. " "No replica file is required.")
self.options.dm_password = self.options.password
self.options.setup_ca = False
conn = api.Backend.ldap2
conn.connect(bind_dn=DN(("cn", "Directory Manager")), bind_pw=self.options.password)
config = None
if self.installing_replica:
if self.options.promote:
config = ReplicaConfig()
config.master_host_name = None
config.realm_name = api.env.realm
config.host_name = api.env.host
config.domain_name = api.env.domain
config.dirman_password = self.options.password
config.ca_ds_port = 389
config.top_dir = tempfile.mkdtemp("ipa")
config.dir = config.top_dir
else:
config = create_replica_config(self.options.password, self.replica_file, self.options)
if config.subject_base is None:
attrs = conn.get_ipa_config()
config.subject_base = attrs.get("ipacertificatesubjectbase")[0]
if config.master_host_name is None:
config.kra_host_name = service.find_providing_server("KRA", conn, api.env.ca_host)
config.master_host_name = config.kra_host_name
else:
config.kra_host_name = config.master_host_name
try:
kra.install_check(api, config, self.options)
except RuntimeError as e:
raise admintool.ScriptError(str(e))
print(dedent(self.INSTALLER_START_MESSAGE))
try:
kra.install(api, config, self.options)
except:
self.log.error(dedent(self.FAIL_MESSAGE))
raise