def __setup_ssl(self): fqdn = self.fqdn ca_db = certs.CertDB(self.realm, host_name=fqdn, subject_base=self.subject_base) db = certs.CertDB(self.realm, subject_base=self.subject_base) if self.pkcs12_info: if self.ca_is_configured: trust_flags = 'CT,C,C' else: trust_flags = None db.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1], passwd=None, ca_file=self.ca_file, trust_flags=trust_flags) server_certs = db.find_server_certs() if len(server_certs) == 0: raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0]) db.create_password_conf() # We only handle one server cert nickname = server_certs[0][0] self.dercert = db.get_cert_from_db(nickname, pem=False) if self.ca_is_configured: db.track_server_cert(nickname, self.principal, db.passwd_fname, 'restart_httpd') self.__set_mod_nss_nickname(nickname) else: db.create_password_conf() self.dercert = db.create_server_cert(self.cert_nickname, self.fqdn, ca_db) db.track_server_cert(self.cert_nickname, self.principal, db.passwd_fname, 'restart_httpd') db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db) # Fix the database permissions os.chmod(certs.NSS_DIR + "/cert8.db", 0660) os.chmod(certs.NSS_DIR + "/key3.db", 0660) os.chmod(certs.NSS_DIR + "/secmod.db", 0660) os.chmod(certs.NSS_DIR + "/pwdfile.txt", 0660) pent = pwd.getpwnam("apache") os.chown(certs.NSS_DIR + "/cert8.db", 0, pent.pw_gid ) os.chown(certs.NSS_DIR + "/key3.db", 0, pent.pw_gid ) os.chown(certs.NSS_DIR + "/secmod.db", 0, pent.pw_gid ) os.chown(certs.NSS_DIR + "/pwdfile.txt", 0, pent.pw_gid ) # Fix SELinux permissions on the database tasks.restore_context(certs.NSS_DIR + "/cert8.db") tasks.restore_context(certs.NSS_DIR + "/key3.db")
def setup_firefox_extension(self, realm, domain): """Set up the signed browser configuration extension """ target_fname = paths.KRB_JS sub_dict = dict(REALM=realm, DOMAIN=domain) db = certs.CertDB(realm) with open(db.passwd_fname) as pwdfile: pwd = pwdfile.read() ipautil.copy_template_file(ipautil.SHARE_DIR + "krb.js.template", target_fname, sub_dict) os.chmod(target_fname, 0644) # Setup extension tmpdir = tempfile.mkdtemp(prefix="tmp-") extdir = tmpdir + "/ext" target_fname = paths.KERBEROSAUTH_XPI shutil.copytree(paths.FFEXTENSION, extdir) if db.has_nickname('Signing-Cert'): db.run_signtool(["-k", "Signing-Cert", "-p", pwd, "-X", "-Z", target_fname, extdir]) else: root_logger.warning('Object-signing certificate was not found. ' 'Creating unsigned Firefox configuration extension.') filenames = os.listdir(extdir) ipautil.run([paths.ZIP, '-r', target_fname] + filenames, cwd=extdir) shutil.rmtree(tmpdir) os.chmod(target_fname, 0644)
def __setup_autoconfig(self): target_fname = paths.PREFERENCES_HTML ipautil.copy_template_file( ipautil.SHARE_DIR + "preferences.html.template", target_fname, self.sub_dict) os.chmod(target_fname, 0644) # The signing cert is generated in __setup_ssl db = certs.CertDB(self.realm, subject_base=self.subject_base) with open(db.passwd_fname) as pwdfile: pwd = pwdfile.read() # Setup configure.jar if db.has_nickname('Signing-Cert'): tmpdir = tempfile.mkdtemp(prefix="tmp-") target_fname = paths.CONFIGURE_JAR shutil.copy(paths.PREFERENCES_HTML, tmpdir) db.run_signtool(["-k", "Signing-Cert", "-Z", target_fname, "-e", ".html", "-p", pwd, tmpdir]) shutil.rmtree(tmpdir) os.chmod(target_fname, 0644) else: root_logger.warning('Object-signing certificate was not found; ' 'therefore, configure.jar was not created.') self.setup_firefox_extension(self.realm, self.domain)
def __upload_ca_cert(self): """ Upload the CA certificate in DER form in the LDAP directory. """ dirname = config_dirname(self.serverid) certdb = certs.CertDB(self.realm_name, nssdir=dirname, subject_base=self.subject_base) dercert = certdb.get_cert_from_db(certdb.cacert_name, pem=False) self.sub_dict['CADERCERT'] = base64.b64encode(dercert) self._ldap_mod('upload-cacert.ldif', self.sub_dict)
def setup_firefox_extension(self, realm, domain, force=False): """Set up the signed browser configuration extension If the extension is already set up, skip the installation unless ``force`` is true. """ target_fname = '/usr/share/ipa/html/krb.js' if os.path.exists(target_fname) and not force: root_logger.info( '%s exists, skipping install of Firefox extension', target_fname) return sub_dict = dict(REALM=realm, DOMAIN=domain) db = certs.CertDB(realm) with open(db.passwd_fname) as pwdfile: pwd = pwdfile.read() ipautil.copy_template_file(ipautil.SHARE_DIR + "krb.js.template", target_fname, sub_dict) os.chmod(target_fname, 0644) # Setup extension tmpdir = tempfile.mkdtemp(prefix="tmp-") extdir = tmpdir + "/ext" target_fname = "/usr/share/ipa/html/kerberosauth.xpi" shutil.copytree("/usr/share/ipa/ffextension", extdir) if db.has_nickname('Signing-Cert'): db.run_signtool([ "-k", "Signing-Cert", "-p", pwd, "-X", "-Z", target_fname, extdir ]) else: root_logger.warning( 'Object-signing certificate was not found. ' 'Creating unsigned Firefox configuration extension.') filenames = os.listdir(extdir) ipautil.run(['/usr/bin/zip', '-r', target_fname] + filenames, cwd=extdir) shutil.rmtree(tmpdir) os.chmod(target_fname, 0644)
def uninstall(self): if self.is_configured(): self.print_msg("Unconfiguring web server") running = self.restore_state("running") enabled = self.restore_state("enabled") if not running is None: self.stop() db = certs.CertDB(api.env.realm) db.untrack_server_cert("Server-Cert") if not enabled is None and not enabled: self.disable() for f in ["/etc/httpd/conf.d/ipa.conf", SSL_CONF, NSS_CONF]: try: self.fstore.restore_file(f) except ValueError, error: root_logger.debug(error) pass
def __setup_autoconfig(self): target_fname = '/usr/share/ipa/html/preferences.html' ipautil.copy_template_file( ipautil.SHARE_DIR + "preferences.html.template", target_fname, self.sub_dict) os.chmod(target_fname, 0644) # The signing cert is generated in __setup_ssl db = certs.CertDB(self.realm, subject_base=self.subject_base) with open(db.passwd_fname) as pwdfile: pwd = pwdfile.read() # Setup configure.jar tmpdir = tempfile.mkdtemp(prefix="tmp-") target_fname = '/usr/share/ipa/html/configure.jar' shutil.copy("/usr/share/ipa/html/preferences.html", tmpdir) db.run_signtool([ "-k", "Signing-Cert", "-Z", target_fname, "-e", ".html", "-p", pwd, tmpdir ]) shutil.rmtree(tmpdir) os.chmod(target_fname, 0644) self.setup_firefox_extension(self.realm, self.domain, force=True)
def __publish_ca_cert(self): ca_db = certs.CertDB(self.realm) ca_db.publish_ca_cert("/usr/share/ipa/html/ca.crt")
def __setup_ssl(self): fqdn = None if not self.self_signed_ca: fqdn = self.fqdn ca_db = certs.CertDB(self.realm, host_name=fqdn, subject_base=self.subject_base) db = certs.CertDB(self.realm, subject_base=self.subject_base) if self.pkcs12_info: db.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1], passwd=None) server_certs = db.find_server_certs() if len(server_certs) == 0: raise RuntimeError( "Could not find a suitable server cert in import in %s" % self.pkcs12_info[0]) db.create_password_conf() # We only handle one server cert nickname = server_certs[0][0] self.dercert = db.get_cert_from_db(nickname, pem=False) db.track_server_cert(nickname, self.principal, db.passwd_fname, 'restart_httpd') self.__set_mod_nss_nickname(nickname) else: if self.self_signed_ca: db.create_from_cacert(ca_db.cacert_fname) db.create_password_conf() self.dercert = db.create_server_cert("Server-Cert", self.fqdn, ca_db) db.track_server_cert("Server-Cert", self.principal, db.passwd_fname, 'restart_httpd') db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db) # Fix the database permissions os.chmod(certs.NSS_DIR + "/cert8.db", 0660) os.chmod(certs.NSS_DIR + "/key3.db", 0660) os.chmod(certs.NSS_DIR + "/secmod.db", 0660) os.chmod(certs.NSS_DIR + "/pwdfile.txt", 0660) pent = pwd.getpwnam("apache") os.chown(certs.NSS_DIR + "/cert8.db", 0, pent.pw_gid) os.chown(certs.NSS_DIR + "/key3.db", 0, pent.pw_gid) os.chown(certs.NSS_DIR + "/secmod.db", 0, pent.pw_gid) os.chown(certs.NSS_DIR + "/pwdfile.txt", 0, pent.pw_gid) # Fix SELinux permissions on the database ipaservices.restore_context(certs.NSS_DIR + "/cert8.db") ipaservices.restore_context(certs.NSS_DIR + "/key3.db") # In case this got generated as part of the install, reset the # context if ipautil.file_exists(certs.CA_SERIALNO): ipaservices.restore_context(certs.CA_SERIALNO) os.chown(certs.CA_SERIALNO, 0, pent.pw_gid) os.chmod(certs.CA_SERIALNO, 0664)
def __enable_ssl(self): dirname = config_dirname(self.serverid) dsdb = certs.CertDB(self.realm_name, nssdir=dirname, subject_base=self.subject_base) if self.pkcs12_info: dsdb.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1]) server_certs = dsdb.find_server_certs() if len(server_certs) == 0: raise RuntimeError( "Could not find a suitable server cert in import in %s" % self.pkcs12_info[0]) # We only handle one server cert nickname = server_certs[0][0] self.dercert = dsdb.get_cert_from_db(nickname, pem=False) dsdb.track_server_cert(nickname, self.principal, dsdb.passwd_fname, 'restart_dirsrv %s' % self.serverid) else: nickname = "Server-Cert" cadb = certs.CertDB(self.realm_name, host_name=self.fqdn, subject_base=self.subject_base) if self.self_signed_ca: dsdb.create_from_cacert(cadb.cacert_fname, passwd=None) self.dercert = dsdb.create_server_cert("Server-Cert", self.fqdn, cadb) dsdb.track_server_cert("Server-Cert", self.principal, dsdb.passwd_fname, 'restart_dirsrv %s' % self.serverid) dsdb.create_pin_file() else: # FIXME, need to set this nickname in the RA plugin cadb.export_ca_cert('ipaCert', False) dsdb.create_from_cacert(cadb.cacert_fname, passwd=None) self.dercert = dsdb.create_server_cert("Server-Cert", self.fqdn, cadb) dsdb.track_server_cert("Server-Cert", self.principal, dsdb.passwd_fname, 'restart_dirsrv %s' % self.serverid) dsdb.create_pin_file() conn = ipaldap.IPAdmin(self.fqdn) conn.simple_bind_s(DN(('cn', 'directory manager')), self.dm_password) mod = [ (ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"), (ldap.MOD_REPLACE, "nsSSL3Ciphers", "-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,\ +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,\ +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,\ +tls_rsa_export1024_with_des_cbc_sha") ] conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod) mod = [(ldap.MOD_ADD, "nsslapd-security", "on")] conn.modify_s(DN(('cn', 'config')), mod) entry = ipaldap.Entry( DN(('cn', 'RSA'), ('cn', 'encryption'), ('cn', 'config'))) entry.setValues("objectclass", "top", "nsEncryptionModule") entry.setValues("cn", "RSA") entry.setValues("nsSSLPersonalitySSL", nickname) entry.setValues("nsSSLToken", "internal (software)") entry.setValues("nsSSLActivation", "on") conn.addEntry(entry) conn.unbind() # check for open secure port 636 from now on self.open_ports.append(636)
try: self.fstore.restore_file("/etc/security/limits.conf") self.fstore.restore_file("/etc/sysconfig/dirsrv") except ValueError, error: root_logger.debug(error) pass if not enabled is None and not enabled: self.disable() serverid = self.restore_state("serverid") if not serverid is None: # drop the trailing / off the config_dirname so the directory # will match what is in certmonger dirname = config_dirname(serverid)[:-1] dsdb = certs.CertDB(self.realm_name, nssdir=dirname) dsdb.untrack_server_cert("Server-Cert") erase_ds_instance_data(serverid) # At one time we removed this user on uninstall. That can potentially # orphan files, or worse, if another useradd runs in the intermim, # cause files to have a new owner. user_exists = self.restore_state("user_exists") # Make sure some upgrade-related state is removed. This could cause # re-installation problems. self.restore_state('nsslapd-port') self.restore_state('nsslapd-security') self.restore_state('nsslapd-ldapiautobind') # If any dirsrv instances remain after we've removed ours then
def stop_tracking_certificates(self): db = certs.CertDB(api.env.realm) db.untrack_server_cert(self.cert_nickname)
def __publish_ca_cert(self): ca_db = certs.CertDB(self.realm) ca_db.publish_ca_cert(paths.CA_CRT)
def __import_ca_certs(self): db = certs.CertDB(self.realm, subject_base=self.subject_base) self.import_ca_certs(db, self.ca_is_configured)