Esempio n. 1
0
    def copy_ds_certificate(self):
        options = self.options

        passwd_fname = os.path.join(self.dir, "dirsrv_pin.txt")
        with open(passwd_fname, "w") as fd:
            fd.write("%s\n" % (self.dirsrv_pin or ''))

        if options.dirsrv_cert_files:
            self.log.info("Copying SSL certificate for the Directory Server")
            self.copy_info_file(self.dirsrv_pkcs12_file.name, "dscert.p12")
        else:
            if ipautil.file_exists(options.ca_file):
                # Since it is possible that the Directory Manager password
                # has changed since ipa-server-install, we need to regenerate
                # the CA PKCS#12 file and update the pki admin user password
                self.regenerate_ca_file(options.ca_file)
                self.update_pki_admin_password()
                self.copy_info_file(options.ca_file, "cacert.p12")
            else:
                raise admintool.ScriptError("Root CA PKCS#12 not "
                    "found in %s" % options.ca_file)

            self.log.info(
                "Creating SSL certificate for the Directory Server")
            self.export_certdb("dscert", passwd_fname)

        if not options.dirsrv_cert_files:
            self.log.info(
                "Creating SSL certificate for the dogtag Directory Server")
            self.export_certdb("dogtagcert", passwd_fname)
            self.log.info("Saving dogtag Directory Server port")
            port_fname = os.path.join(
                self.dir, "dogtag_directory_port.txt")
            with open(port_fname, "w") as fd:
                fd.write("%s\n" % str(dogtag.configured_constants().DS_PORT))
Esempio n. 2
0
    def issue_server_cert(self, certreq_fname, cert_fname):
        self.setup_cert_request()

        if self.host_name is None:
            raise RuntimeError("CA Host is not set.")

        f = open(certreq_fname, "r")
        csr = f.readlines()
        f.close()
        csr = "".join(csr)

        # We just want the CSR bits, make sure there is nothing else
        csr = pkcs10.strip_header(csr)

        params = {'profileId': dogtag.DEFAULT_PROFILE,
                'cert_request_type': 'pkcs10',
                'requestor_name': 'IPA Installer',
                'cert_request': csr,
                'xmlOutput': 'true'}

        # Send the request to the CA
        f = open(self.passwd_fname, "r")
        password = f.readline()
        f.close()
        result = dogtag.https_request(
            self.host_name,
            api.env.ca_ee_install_port or
                dogtag.configured_constants().EE_SECURE_PORT,
            "/ca/ee/ca/profileSubmitSSLClient",
            self.secdir, password, "ipaCert", **params)
        http_status, http_reason_phrase, http_headers, http_body = result

        if http_status != 200:
            raise CertificateOperationError(
                error=_('Unable to communicate with CMS (%s)') %
                    http_reason_phrase)

        # The result is an XML blob. Pull the certificate out of that
        doc = xml.dom.minidom.parseString(http_body)
        item_node = doc.getElementsByTagName("b64")
        try:
            try:
                cert = item_node[0].childNodes[0].data
            except IndexError:
                raise RuntimeError("Certificate issuance failed")
        finally:
            doc.unlink()

        # base64-decode the result for uniformity
        cert = base64.b64decode(cert)

        # Write the certificate to a file. It will be imported in a later
        # step. This file will be read later to be imported.
        f = open(cert_fname, "w")
        f.write(cert)
        f.close()
Esempio n. 3
0
    def validate_options(self, needs_root=True):
        super(KRAUninstaller, self).validate_options(needs_root=True)

        if self.args:
            self.option_parser.error("Too many parameters provided.")

        dogtag_constants = dogtag.configured_constants(api)
        _kra = krainstance.KRAInstance(api, dogtag_constants=dogtag_constants)
        if not _kra.is_installed():
            self.option_parser.error(
                "Cannot uninstall.  There is no KRA installed on this system."
            )
Esempio n. 4
0
def get_pin(token):
    """
    Dogtag stores its NSS pin in a file formatted as token:PIN.

    The caller is expected to handle any exceptions raised.
    """
    with open(dogtag.configured_constants().PASSWORD_CONF_PATH, 'r') as f:
        for line in f:
            (tok, pin) = line.split('=', 1)
            if token == tok:
                return pin.strip()
    return None
Esempio n. 5
0
def get_pin(token):
    """
    Dogtag stores its NSS pin in a file formatted as token:PIN.

    The caller is expected to handle any exceptions raised.
    """
    with open(dogtag.configured_constants().PASSWORD_CONF_PATH, 'r') as f:
        for line in f:
            (tok, pin) = line.split('=', 1)
            if token == tok:
                return pin.strip()
    return None
Esempio n. 6
0
    def __init__(self, realm, dogtag_constants=None):
        if dogtag_constants is None:
            dogtag_constants = dogtag.configured_constants()

        super(KRAInstance, self).__init__(
            realm=realm,
            subsystem="KRA",
            service_desc="KRA server",
            dogtag_constants=dogtag_constants
        )

        self.basedn = DN(('o', 'kra'), ('o', 'ipaca'))
        self.log = log_mgr.get_logger(self)
Esempio n. 7
0
    def issue_signing_cert(self, certreq_fname, cert_fname):
        self.setup_cert_request()

        if self.host_name is None:
            raise RuntimeError("CA Host is not set.")

        f = open(certreq_fname, "r")
        csr = f.readlines()
        f.close()
        csr = "".join(csr)

        # We just want the CSR bits, make sure there is no thing else
        csr = pkcs10.strip_header(csr)

        params = {
            'profileId': 'caJarSigningCert',
            'cert_request_type': 'pkcs10',
            'requestor_name': 'IPA Installer',
            'cert_request': csr,
            'xmlOutput': 'true'
        }

        # Send the request to the CA
        f = open(self.passwd_fname, "r")
        password = f.readline()
        f.close()
        result = dogtag.https_request(
            self.host_name, api.env.ca_ee_install_port
            or dogtag.configured_constants().EE_SECURE_PORT,
            "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password,
            "ipaCert", **params)
        http_status, http_reason_phrase, http_headers, http_body = result
        if http_status != 200:
            raise RuntimeError("Unable to submit cert request")

        # The result is an XML blob. Pull the certificate out of that
        doc = xml.dom.minidom.parseString(http_body)
        item_node = doc.getElementsByTagName("b64")
        cert = item_node[0].childNodes[0].data
        doc.unlink()

        # base64-decode the cert for uniformity
        cert = base64.b64decode(cert)

        # Write the certificate to a file. It will be imported in a later
        # step. This file will be read later to be imported.
        f = open(cert_fname, "w")
        f.write(cert)
        f.close()
Esempio n. 8
0
    def update_cert_config(nickname, cert, dogtag_constants=None):
        """
        When renewing a KRA subsystem certificate the configuration file
        needs to get the new certificate as well.

        nickname is one of the known nicknames.
        cert is a DER-encoded certificate.
        """

        if dogtag_constants is None:
            dogtag_constants = dogtag.configured_constants()

        # The cert directive to update per nickname
        directives = {
            'auditSigningCert cert-pki-kra': 'kra.audit_signing.cert',
            'storageCert cert-pki-kra': 'kra.storage.cert',
            'transportCert cert-pki-kra': 'kra.transport.cert',
            'subsystemCert cert-pki-kra': 'kra.subsystem.cert',
            'Server-Cert cert-pki-ca': 'kra.sslserver.cert'}

        DogtagInstance.update_cert_cs_cfg(
            nickname, cert, directives,
            dogtag.configured_constants().KRA_CS_CFG_PATH,
            dogtag_constants)
Esempio n. 9
0
    def update_cert_config(nickname, cert, dogtag_constants=None):
        """
        When renewing a KRA subsystem certificate the configuration file
        needs to get the new certificate as well.

        nickname is one of the known nicknames.
        cert is a DER-encoded certificate.
        """

        if dogtag_constants is None:
            dogtag_constants = dogtag.configured_constants()

        # The cert directive to update per nickname
        directives = {
            'auditSigningCert cert-pki-kra': 'kra.audit_signing.cert',
            'storageCert cert-pki-kra': 'kra.storage.cert',
            'transportCert cert-pki-kra': 'kra.transport.cert',
            'subsystemCert cert-pki-kra': 'kra.subsystem.cert',
            'Server-Cert cert-pki-ca': 'kra.sslserver.cert'
        }

        DogtagInstance.update_cert_cs_cfg(
            nickname, cert, directives,
            dogtag.configured_constants().KRA_CS_CFG_PATH, dogtag_constants)
Esempio n. 10
0
    def run(self):
        super(KRAUninstaller, self).run()
        dogtag_constants = dogtag.configured_constants()

        kra_instance = krainstance.KRAInstance(
            api.env.realm, dogtag_constants=dogtag_constants)
        kra_instance.stop_tracking_certificates()
        if kra_instance.is_installed():
            kra_instance.uninstall()

        # Update config file
        parser = RawConfigParser()
        parser.read(paths.IPA_DEFAULT_CONF)
        parser.set('global', 'enable_kra', 'False')

        with open(paths.IPA_DEFAULT_CONF, 'w') as f:
            parser.write(f)
Esempio n. 11
0
def uninstall(standalone):
    dogtag_constants = dogtag.configured_constants(api)
    kra = krainstance.KRAInstance(api.env.realm,
                                  dogtag_constants=dogtag_constants)

    if standalone:
        kra.ldap_connect()
        try:
            kra.admin_conn.delete_entry(DN(('cn', 'KRA'), ('cn', api.env.host),
                                           ('cn', 'masters'), ('cn', 'ipa'),
                                           ('cn', 'etc'), api.env.basedn))
        except errors.NotFound:
            pass

    kra.stop_tracking_certificates()
    if kra.is_installed():
        kra.uninstall()
Esempio n. 12
0
    def run(self):
        super(KRAUninstaller, self).run()
        dogtag_constants = dogtag.configured_constants()

        kra_instance = krainstance.KRAInstance(
            api.env.realm, dogtag_constants=dogtag_constants)
        kra_instance.stop_tracking_certificates()
        if kra_instance.is_installed():
            kra_instance.uninstall()

        # Update config file
        parser = RawConfigParser()
        parser.read(paths.IPA_DEFAULT_CONF)
        parser.set('global', 'enable_kra', 'False')

        with open(paths.IPA_DEFAULT_CONF, 'w') as f:
            parser.write(f)
Esempio n. 13
0
def uninstall():
    dogtag_constants = dogtag.configured_constants(api=api)

    kra_instance = krainstance.KRAInstance(
        api.env.realm, dogtag_constants=dogtag_constants)
    kra_instance.stop_tracking_certificates()
    if kra_instance.is_installed():
        kra_instance.uninstall()

    # Check if config file exists, then update it
    if os.path.exists(paths.IPA_DEFAULT_CONF):
        parser = RawConfigParser()
        parser.read(paths.IPA_DEFAULT_CONF)
        parser.set('global', 'enable_kra', 'False')

        with open(paths.IPA_DEFAULT_CONF, 'w') as f:
            parser.write(f)
Esempio n. 14
0
    def update_server(self, certs):
        instance = '-'.join(api.env.realm.split('.'))
        self.update_db(
            paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance, certs)
        if services.knownservices.dirsrv.is_running():
            services.knownservices.dirsrv.restart(instance)

        self.update_db(paths.HTTPD_ALIAS_DIR, certs)
        if services.knownservices.httpd.is_running():
            services.knownservices.httpd.restart()

        dogtag_constants = dogtag.configured_constants()
        nickname = 'caSigningCert cert-pki-ca'
        criteria = {
            'cert-database': dogtag_constants.ALIAS_DIR,
            'cert-nickname': nickname,
            'ca-name': 'dogtag-ipa-ca-renew-agent',
        }
        request_id = certmonger.get_request_id(criteria)
        if request_id is not None:
            timeout = api.env.startup_timeout + 60

            self.log.debug("resubmitting certmonger request '%s'", request_id)
            certmonger.resubmit_request(
                request_id, profile='ipaRetrievalOrReuse')
            try:
                state = certmonger.wait_for_request(request_id, timeout)
            except RuntimeError:
                raise admintool.ScriptError(
                    "Resubmitting certmonger request '%s' timed out, "
                    "please check the request manually" % request_id)
            ca_error = certmonger.get_request_value(request_id, 'ca-error')
            if state != 'MONITORING' or ca_error:
                raise admintool.ScriptError(
                    "Error resubmitting certmonger request '%s', "
                    "please check the request manually" % request_id)

            self.log.debug("modifying certmonger request '%s'", request_id)
            certmonger.modify(request_id, profile='ipaCACertRenewal')

        self.update_file(paths.CA_CRT, certs)
Esempio n. 15
0
    def update_cert_cs_cfg(nickname, cert, directives, cs_cfg,
                           dogtag_constants=None):
        """
        When renewing a Dogtag subsystem certificate the configuration file
        needs to get the new certificate as well.

        nickname is one of the known nicknames.
        cert is a DER-encoded certificate.
        directives is the list of directives to be updated for the subsystem
        cs_cfg is the path to the CS.cfg file
        """

        if dogtag_constants is None:
            dogtag_constants = dogtag.configured_constants()

        with stopped_service(dogtag_constants.SERVICE_NAME,
                             instance_name=dogtag_constants.PKI_INSTANCE_NAME):
            installutils.set_directive(
                cs_cfg,
                directives[nickname],
                base64.b64encode(cert),
                quotes=False,
                separator='=')
Esempio n. 16
0
    def __init__(self, realm, subsystem, service_desc, dogtag_constants=None,
                 host_name=None, dm_password=None, ldapi=True):
        """Initializer"""

        if dogtag_constants is None:
            dogtag_constants = dogtag.configured_constants()

        super(DogtagInstance, self).__init__(
            '%sd' % dogtag_constants.PKI_INSTANCE_NAME,
            service_desc=service_desc,
            dm_password=dm_password,
            ldapi=ldapi
        )

        self.dogtag_constants = dogtag_constants
        self.realm = realm
        self.dm_password = None
        self.admin_password = None
        self.fqdn = host_name
        self.domain = None
        self.pkcs12_info = None
        self.clone = False

        self.basedn = DN(('o', 'ipa%s' % subsystem.lower()))
        self.admin_user = DN(('uid', 'admin'), ('ou', 'people'), ('o', 'ipaca'))
        self.agent_db = tempfile.mkdtemp(prefix="tmp-")
        self.ds_port = DEFAULT_DSPORT
        self.server_root = dogtag_constants.SERVER_ROOT
        self.subsystem = subsystem
        self.security_domain_name = "IPA"

        # replication parameters
        self.master_host = None
        self.master_replication_port = None
        self.subject_base = None

        self.log = log_mgr.get_logger(self)
Esempio n. 17
0
def install_check(api, replica_config, options):
    dogtag_constants = dogtag.configured_constants(api=api)
    kra = krainstance.KRAInstance(api.env.realm,
                                  dogtag_constants=dogtag_constants)
    if kra.is_installed():
        raise RuntimeError("KRA is already installed.")

    if not options.setup_ca:
        if cainstance.is_ca_installed_locally():
            if api.env.dogtag_version >= 10:
                # correct dogtag version of CA installed
                pass
            else:
                raise RuntimeError(
                    "Dogtag must be version 10.2 or above to install KRA")
        else:
            raise RuntimeError(
                "Dogtag CA is not installed.  Please install the CA first")

    if replica_config is not None:
        if not api.Command.kra_is_enabled()['result']:
            raise RuntimeError("KRA is not installed on the master system")

        with certdb.NSSDatabase() as tmpdb:
            pw = ipautil.write_tmp_file(ipautil.ipa_generate_password())
            tmpdb.create_db(pw.name)
            tmpdb.import_pkcs12(replica_config.dir + "/cacert.p12", pw.name,
                                replica_config.dirman_password)
            kra_cert_nicknames = [
                "storageCert cert-pki-kra", "transportCert cert-pki-kra",
                "auditSigningCert cert-pki-kra"
            ]
            if not all(tmpdb.has_nickname(nickname)
                       for nickname in kra_cert_nicknames):
                raise RuntimeError("Missing KRA certificates, please create a "
                                   "new replica file.")
Esempio n. 18
0
def install(options):
    global dirsrv_pkcs12_info
    global http_pkcs12_info
    global pkinit_pkcs12_info
    global external_cert_file
    global external_ca_file
    global http_ca_cert

    realm_name = options.realm_name
    domain_name = options.domain_name
    dm_password = options.dm_password
    master_password = options.master_password
    admin_password = options.admin_password
    host_name = options.host_name
    ip_addresses = options.ip_address
    setup_ca = options.setup_ca
    setup_kra = options.setup_kra

    global ds
    global installation_cleanup

    # Installation has started. No IPA sysrestore items are restored in case of
    # failure to enable root cause investigation
    installation_cleanup = False

    # Configuration for ipalib, we will bootstrap and finalize later, after
    # we are sure we have the configuration file ready.
    cfg = dict(
        context='installer',
        in_server=True,
        debug=options.debug
    )

    # Figure out what external CA step we're in. See cainstance.py for more
    # info on the 3 states.
    if options.external_cert_files:
        external = 2
    elif options.external_ca:
        external = 1
    else:
        external = 0

    # Create the management framework config file and finalize api
    target_fname = paths.IPA_DEFAULT_CONF
    fd = open(target_fname, "w")
    fd.write("[global]\n")
    fd.write("host=%s\n" % host_name)
    fd.write("basedn=%s\n" % ipautil.realm_to_suffix(realm_name))
    fd.write("realm=%s\n" % realm_name)
    fd.write("domain=%s\n" % domain_name)
    fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % format_netloc(host_name))
    fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" %
             installutils.realm_to_serverid(realm_name))
    if setup_ca:
        fd.write("enable_ra=True\n")
        fd.write("ra_plugin=dogtag\n")
        fd.write("dogtag_version=%s\n" %
                 dogtag.install_constants.DOGTAG_VERSION)
    else:
        fd.write("enable_ra=False\n")
        fd.write("ra_plugin=none\n")
    fd.write("enable_kra=%s\n" % setup_kra)
    fd.write("mode=production\n")
    fd.close()

    # Must be readable for everyone
    os.chmod(target_fname, 0644)

    if not options.unattended:
        print ""
        print "The following operations may take some minutes to complete."
        print "Please wait until the prompt is returned."
        print ""

    system_hostname = get_fqdn()
    if host_name != system_hostname:
        root_logger.debug("Chosen hostname (%s) differs from system hostname "
                          "(%s) - change it" % (host_name, system_hostname))
        # configure /etc/sysconfig/network to contain the custom hostname
        tasks.backup_and_replace_hostname(fstore, sstore, host_name)
        # update `api.env.ca_host` to correct hostname
        # https://fedorahosted.org/freeipa/ticket/4936
        api.env.ca_host = host_name

    api.bootstrap(**cfg)
    if setup_ca:
        # ensure profile backend is available
        import ipaserver.plugins.dogtag
    api.finalize()

    # Create DS user/group if it doesn't exist yet
    dsinstance.create_ds_user()

    # Create a directory server instance
    if external != 2:
        # Configure ntpd
        if options.conf_ntp:
            ipaclient.ntpconf.force_ntpd(sstore)
            ntp = ntpinstance.NTPInstance(fstore)
            if not ntp.is_configured():
                ntp.create_instance()

        if options.dirsrv_cert_files:
            ds = dsinstance.DsInstance(fstore=fstore,
                                       domainlevel=options.domainlevel)
            ds.create_instance(realm_name, host_name, domain_name,
                               dm_password, dirsrv_pkcs12_info,
                               idstart=options.idstart, idmax=options.idmax,
                               subject_base=options.subject,
                               hbac_allow=not options.hbac_allow)
        else:
            ds = dsinstance.DsInstance(fstore=fstore,
                                       domainlevel=options.domainlevel)
            ds.create_instance(realm_name, host_name, domain_name,
                               dm_password,
                               idstart=options.idstart, idmax=options.idmax,
                               subject_base=options.subject,
                               hbac_allow=not options.hbac_allow)
    else:
        ds = dsinstance.DsInstance(fstore=fstore,
                                   domainlevel=options.domainlevel)
        ds.init_info(
            realm_name, host_name, domain_name, dm_password,
            options.subject, 1101, 1100, None)

    if setup_ca:
        ca = cainstance.CAInstance(realm_name, certs.NSS_DIR,
                                   dogtag_constants=dogtag.install_constants)
        if external == 0:
            ca.configure_instance(
                host_name, domain_name, dm_password, dm_password,
                subject_base=options.subject,
                ca_signing_algorithm=options.ca_signing_algorithm)
        elif external == 1:
            # stage 1 of external CA installation
            options.realm_name = realm_name
            options.domain_name = domain_name
            options.master_password = master_password
            options.dm_password = dm_password
            options.admin_password = admin_password
            options.host_name = host_name
            options.unattended = True
            options.forwarders = dns.dns_forwarders
            options.reverse_zones = dns.reverse_zones
            write_cache(vars(options))
            ca.configure_instance(
                host_name, domain_name, dm_password, dm_password,
                csr_file=paths.ROOT_IPA_CSR,
                subject_base=options.subject,
                ca_signing_algorithm=options.ca_signing_algorithm,
                ca_type=options.external_ca_type)
        else:
            # stage 2 of external CA installation
            ca.configure_instance(
                host_name, domain_name, dm_password, dm_password,
                cert_file=external_cert_file.name,
                cert_chain_file=external_ca_file.name,
                subject_base=options.subject,
                ca_signing_algorithm=options.ca_signing_algorithm)

        # Now put the CA cert where other instances exepct it
        ca.publish_ca_cert(CACERT)
    else:
        # Put the CA cert where other instances expect it
        x509.write_certificate(http_ca_cert, CACERT)
        os.chmod(CACERT, 0444)

    # we now need to enable ssl on the ds
    ds.enable_ssl()

    if setup_ca:
        # We need to ldap_enable the CA now that DS is up and running
        ca.ldap_enable('CA', host_name, dm_password,
                       ipautil.realm_to_suffix(realm_name),
                       ['caRenewalMaster'])

        # This is done within stopped_service context, which restarts CA
        ca.enable_client_auth_to_db(ca.dogtag_constants.CS_CFG_PATH)

    krb = krbinstance.KrbInstance(fstore)
    if options.pkinit_cert_files:
        krb.create_instance(realm_name, host_name, domain_name,
                            dm_password, master_password,
                            setup_pkinit=options.setup_pkinit,
                            pkcs12_info=pkinit_pkcs12_info,
                            subject_base=options.subject)
    else:
        krb.create_instance(realm_name, host_name, domain_name,
                            dm_password, master_password,
                            setup_pkinit=options.setup_pkinit,
                            subject_base=options.subject)

    # The DS instance is created before the keytab, add the SSL cert we
    # generated
    ds.add_cert_to_service()

    memcache = memcacheinstance.MemcacheInstance()
    memcache.create_instance('MEMCACHE', host_name, dm_password,
                             ipautil.realm_to_suffix(realm_name))

    otpd = otpdinstance.OtpdInstance()
    otpd.create_instance('OTPD', host_name, dm_password,
                         ipautil.realm_to_suffix(realm_name))

    # Create a HTTP instance
    http = httpinstance.HTTPInstance(fstore)
    if options.http_cert_files:
        http.create_instance(
            realm_name, host_name, domain_name, dm_password,
            pkcs12_info=http_pkcs12_info, subject_base=options.subject,
            auto_redirect=options.ui_redirect,
            ca_is_configured=setup_ca)
    else:
        http.create_instance(
            realm_name, host_name, domain_name, dm_password,
            subject_base=options.subject, auto_redirect=options.ui_redirect,
            ca_is_configured=setup_ca)
    tasks.restore_context(paths.CACHE_IPA_SESSIONS)

    # Export full CA chain
    ca_db = certs.CertDB(realm_name)
    os.chmod(CACERT, 0644)
    ca_db.publish_ca_cert(CACERT)

    set_subject_in_config(realm_name, dm_password,
                          ipautil.realm_to_suffix(realm_name), options.subject)

    # Apply any LDAP updates. Needs to be done after the configuration file
    # is created
    service.print_msg("Applying LDAP updates")
    ds.apply_updates()

    # Restart ds and krb after configurations have been changed
    service.print_msg("Restarting the directory server")
    ds.restart()

    service.print_msg("Restarting the KDC")
    krb.restart()

    if setup_ca:
        service.print_msg("Restarting the certificate server")
        ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)

        service.print_msg("Importing certificate profiles")
        cainstance.import_included_profiles()

    if options.setup_dns:
        api.Backend.ldap2.connect(autobind=True)
        dns.install(False, False, options)
    else:
        # Create a BIND instance
        bind = bindinstance.BindInstance(fstore, dm_password)
        bind.setup(host_name, ip_addresses, realm_name,
                   domain_name, (), options.conf_ntp, (),
                   zonemgr=options.zonemgr, ca_configured=setup_ca,
                   no_dnssec_validation=options.no_dnssec_validation)
        bind.create_sample_bind_zone()

    # Restart httpd to pick up the new IPA configuration
    service.print_msg("Restarting the web server")
    http.restart()

    if setup_kra:
        kra.install(None, options, dm_password)

    # Set the admin user kerberos password
    ds.change_admin_password(admin_password)

    # Call client install script
    try:
        args = [paths.IPA_CLIENT_INSTALL, "--on-master", "--unattended",
                "--domain", domain_name, "--server", host_name,
                "--realm", realm_name, "--hostname", host_name]
        if not options.create_sshfp:
            args.append("--no-dns-sshfp")
        if options.trust_sshfp:
            args.append("--ssh-trust-dns")
        if not options.conf_ssh:
            args.append("--no-ssh")
        if not options.conf_sshd:
            args.append("--no-sshd")
        if options.mkhomedir:
            args.append("--mkhomedir")
        run(args)
    except Exception, e:
        sys.exit("Configuration of client side components failed!\n"
                 "ipa-client-install returned: " + str(e))
Esempio n. 19
0
                print "Aborting uninstall operation."
                sys.exit(1)


@common_cleanup
def uninstall(options):
    rv = 0

    print "Shutting down all IPA services"
    try:
        (stdout, stderr, rc) = run([paths.IPACTL, "stop"], raiseonerr=False)
    except Exception, e:
        pass

    # Need to get dogtag info before /etc/ipa/default.conf is removed
    dogtag_constants = dogtag.configured_constants()

    print "Removing IPA client configuration"
    try:
        (stdout, stderr, rc) = run([paths.IPA_CLIENT_INSTALL, "--on-master",
                                    "--unattended", "--uninstall"],
                                   raiseonerr=False)
        if rc not in [0, 2]:
            root_logger.debug("ipa-client-install returned %d" % rc)
            raise RuntimeError(stdout)
    except Exception, e:
        rv = 1
        print "Uninstall of client side components failed!"
        print "ipa-client-install returned: " + str(e)

    ntpinstance.NTPInstance(fstore).uninstall()
Esempio n. 20
0
    def execute(self, **options):
        ca = cainstance.CAInstance(self.api.env.realm, certs.NSS_DIR)
        if not ca.is_configured():
            self.debug("CA is not configured on this host")
            return False, []

        ldap = self.api.Backend.ldap2
        base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
                     self.api.env.basedn)
        filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))'
        try:
            entries = ldap.get_entries(base_dn=base_dn, filter=filter,
                                       attrs_list=[])
        except errors.NotFound:
            pass
        else:
            self.debug("found CA renewal master %s", entries[0].dn[1].value)
            return False, []

        criteria = {
            'cert-database': paths.HTTPD_ALIAS_DIR,
            'cert-nickname': 'ipaCert',
        }
        request_id = certmonger.get_request_id(criteria)
        if request_id is not None:
            self.debug("found certmonger request for ipaCert")

            ca_name = certmonger.get_request_value(request_id, 'ca-name')
            if ca_name is None:
                self.warning(
                    "certmonger request for ipaCert is missing ca_name, "
                    "assuming local CA is renewal slave")
                return False, []
            ca_name = ca_name.strip()

            if ca_name == 'dogtag-ipa-renew-agent':
                pass
            elif ca_name == 'dogtag-ipa-retrieve-agent-submit':
                return False, []
            elif ca_name == 'dogtag-ipa-ca-renew-agent':
                return False, []
            else:
                self.warning(
                    "certmonger request for ipaCert has unknown ca_name '%s', "
                    "assuming local CA is renewal slave", ca_name)
                return False, []
        else:
            self.debug("certmonger request for ipaCert not found")

            config = installutils.get_directive(
                dogtag.configured_constants().CS_CFG_PATH,
                'subsystem.select', '=')

            if config == 'New':
                pass
            elif config == 'Clone':
                return False, []
            else:
                self.warning(
                    "CS.cfg has unknown subsystem.select value '%s', "
                    "assuming local CA is renewal slave", config)
                return (False, False, [])

        dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
        update = {
                'dn': dn,
                'updates': ['add:ipaConfigString: caRenewalMaster'],
        }

        return False, [update]
Esempio n. 21
0
    def ask_for_options(self):
        options = self.options
        super(ReplicaPrepare, self).ask_for_options()

        # get the directory manager password
        self.dirman_password = options.password
        if not options.password:
            self.dirman_password = installutils.read_password(
                "Directory Manager (existing master)",
                confirm=False, validate=False)
            if self.dirman_password is None:
                raise admintool.ScriptError(
                    "Directory Manager password required")

        # Try out the password & get the subject base
        suffix = ipautil.realm_to_suffix(api.env.realm)
        try:
            conn = api.Backend.ldap2
            conn.connect(bind_dn=DN(('cn', 'directory manager')),
                         bind_pw=self.dirman_password)

            entry_attrs = conn.get_ipa_config()
            self.subject_base = entry_attrs.get(
                'ipacertificatesubjectbase', [None])[0]

            ca_enabled = api.Command.ca_is_enabled()['result']

            conn.disconnect()
        except errors.ACIError:
            raise admintool.ScriptError("The password provided is incorrect "
                "for LDAP server %s" % api.env.host)
        except errors.LDAPError:
            raise admintool.ScriptError(
                "Unable to connect to LDAP server %s" % api.env.host)
        except errors.DatabaseError as e:
            raise admintool.ScriptError(e.desc)

        if not ca_enabled and not options.http_cert_files:
            raise admintool.ScriptError(
                "Cannot issue certificates: a CA is not installed. Use the "
                "--http-cert-file, --dirsrv-cert-file options to provide "
                "custom certificates.")

        if self.subject_base is not None:
            self.subject_base = DN(self.subject_base)

        # Validate more options using the password
        try:
            installutils.verify_fqdn(self.replica_fqdn, local_hostname=False)
        except installutils.BadHostError as e:
            msg = str(e)
            if isinstance(e, installutils.HostLookupError):
                if not options.ip_addresses:
                    if dns_container_exists(
                            api.env.host, api.env.basedn,
                            dm_password=self.dirman_password,
                            ldapi=True, realm=api.env.realm):
                        self.log.info('You might use the --ip-address option '
                                      'to create a DNS entry if the DNS zone '
                                      'is managed by IPA.')
                    raise
                else:
                    # The host doesn't exist in DNS but we're adding it.
                    pass
            else:
                raise

        if options.ip_addresses:
            if not dns_container_exists(api.env.host, api.env.basedn,
                                        dm_password=self.dirman_password,
                                        ldapi=True, realm=api.env.realm):
                self.log.error(
                    "It is not possible to add a DNS record automatically "
                    "because DNS is not managed by IPA. Please create DNS "
                    "record manually and then omit --ip-address option.")
                raise admintool.ScriptError("Cannot add DNS record")

            disconnect = False
            if not api.Backend.ldap2.isconnected():
                api.Backend.ldap2.connect(
                    bind_dn=DN(('cn', 'Directory Manager')),
                    bind_pw=self.dirman_password)
                disconnect = True

            options.reverse_zones = bindinstance.check_reverse_zones(
                options.ip_addresses, options.reverse_zones, options, False,
                True)

            host, zone = self.replica_fqdn.split('.', 1)
            if not bindinstance.dns_zone_exists(zone, api=api):
                self.log.error("DNS zone %s does not exist in IPA managed DNS "
                               "server. Either create DNS zone or omit "
                               "--ip-address option." % zone)
                raise admintool.ScriptError("Cannot add DNS record")

            if disconnect:
                api.Backend.ldap2.disconnect()

        self.http_pin = self.dirsrv_pin = self.pkinit_pin = None

        if options.http_cert_files:
            if options.http_pin is None:
                options.http_pin = installutils.read_password(
                    "Enter Apache Server private key unlock",
                    confirm=False, validate=False)
                if options.http_pin is None:
                    raise admintool.ScriptError(
                        "Apache Server private key unlock password required")
            http_pkcs12_file, http_pin, http_ca_cert = self.load_pkcs12(
                options.http_cert_files, options.http_pin,
                options.http_cert_name)
            self.http_pkcs12_file = http_pkcs12_file
            self.http_pin = http_pin

        if options.dirsrv_cert_files:
            if options.dirsrv_pin is None:
                options.dirsrv_pin = installutils.read_password(
                    "Enter Directory Server private key unlock",
                    confirm=False, validate=False)
                if options.dirsrv_pin is None:
                    raise admintool.ScriptError(
                        "Directory Server private key unlock password required")
            dirsrv_pkcs12_file, dirsrv_pin, dirsrv_ca_cert = self.load_pkcs12(
                options.dirsrv_cert_files, options.dirsrv_pin,
                options.dirsrv_cert_name)
            self.dirsrv_pkcs12_file = dirsrv_pkcs12_file
            self.dirsrv_pin = dirsrv_pin

        if options.pkinit_cert_files:
            if options.pkinit_pin is None:
                options.pkinit_pin = installutils.read_password(
                    "Enter Kerberos KDC private key unlock",
                    confirm=False, validate=False)
                if options.pkinit_pin is None:
                    raise admintool.ScriptError(
                        "Kerberos KDC private key unlock password required")
            pkinit_pkcs12_file, pkinit_pin, pkinit_ca_cert = self.load_pkcs12(
                options.pkinit_cert_files, options.pkinit_pin,
                options.pkinit_cert_name)
            self.pkinit_pkcs12_file = pkinit_pkcs12_file
            self.pkinit_pin = pkinit_pin

        if (options.http_cert_files and options.dirsrv_cert_files and
            http_ca_cert != dirsrv_ca_cert):
            raise admintool.ScriptError(
                "Apache Server SSL certificate and Directory Server SSL "
                 "certificate are not signed by the same CA certificate")

        if (not ipautil.file_exists(
                    dogtag.configured_constants().CS_CFG_PATH) and
                options.dirsrv_pin is None):
            self.log.info("If you installed IPA with your own certificates "
                "using PKCS#12 files you must provide PKCS#12 files for any "
                "replicas you create as well.")
            raise admintool.ScriptError("The replica must be created on the "
                "primary IPA server.")
Esempio n. 22
0
                    raise admintool.ScriptError(
                        "Kerberos KDC private key unlock password required")
            pkinit_pkcs12_file, pkinit_pin, pkinit_ca_cert = self.load_pkcs12(
                options.pkinit_cert_files, options.pkinit_pin,
                options.pkinit_cert_name)
            self.pkinit_pkcs12_file = pkinit_pkcs12_file
            self.pkinit_pin = pkinit_pin

        if (options.http_cert_files and options.dirsrv_cert_files and
            http_ca_cert != dirsrv_ca_cert):
            raise admintool.ScriptError(
                "Apache Server SSL certificate and Directory Server SSL "
                 "certificate are not signed by the same CA certificate")

        if (not ipautil.file_exists(
                    dogtag.configured_constants().CS_CFG_PATH) and
                options.dirsrv_pin is None):
            self.log.info("If you installed IPA with your own certificates "
                "using PKCS#12 files you must provide PKCS#12 files for any "
                "replicas you create as well.")
            raise admintool.ScriptError("The replica must be created on the "
                "primary IPA server.")

    def run(self):
        options = self.options
        super(ReplicaPrepare, self).run()

        self.log.info("Preparing replica for %s from %s",
            self.replica_fqdn, api.env.host)
        enable_replication_version_checking(api.env.host, api.env.realm,
            self.dirman_password)
Esempio n. 23
0
def install(filename, options):
    global config

    # Create the management framework config file
    # Note: We must do this before bootstraping and finalizing ipalib.api
    old_umask = os.umask(022)   # must be readable for httpd
    try:
        fd = open(paths.IPA_DEFAULT_CONF, "w")
        fd.write("[global]\n")
        fd.write("host=%s\n" % config.host_name)
        fd.write("basedn=%s\n" %
                 str(ipautil.realm_to_suffix(config.realm_name)))
        fd.write("realm=%s\n" % config.realm_name)
        fd.write("domain=%s\n" % config.domain_name)
        fd.write("xmlrpc_uri=https://%s/ipa/xml\n" %
                 ipautil.format_netloc(config.host_name))
        fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" %
                 installutils.realm_to_serverid(config.realm_name))
        if ipautil.file_exists(config.dir + "/cacert.p12"):
            fd.write("enable_ra=True\n")
            fd.write("ra_plugin=dogtag\n")
            fd.write("dogtag_version=%s\n" %
                     dogtag.install_constants.DOGTAG_VERSION)
        else:
            fd.write("enable_ra=False\n")
            fd.write("ra_plugin=none\n")

        fd.write("enable_kra=%s\n" % config.setup_kra)

        fd.write("mode=production\n")
        fd.close()
    finally:
        os.umask(old_umask)

    api.bootstrap(in_server=True, context='installer')
    api.finalize()

    # Create DS user/group if it doesn't exist yet
    dsinstance.create_ds_user()

    cafile = config.dir + "/ca.crt"

    ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
    remote_api = create_api(mode=None)
    remote_api.bootstrap(in_server=True, context='installer',
                         ldap_uri=ldapuri, basedn=DN())
    remote_api.finalize()
    conn = remote_api.Backend.ldap2
    replman = None
    try:
        try:
            # Try out the password
            conn.connect(bind_dn=DIRMAN_DN, bind_pw=config.dirman_password,
                         tls_cacertfile=cafile)
            replman = ReplicationManager(config.realm_name,
                                         config.master_host_name,
                                         config.dirman_password)

            # Check that we don't already have a replication agreement
            try:
                (agreement_cn, agreement_dn) = replman.agreement_dn(
                    config.host_name)
                entry = conn.get_entry(agreement_dn, ['*'])
            except errors.NotFound:
                pass
            else:
                root_logger.info('Error: A replication agreement for this '
                                 'host already exists.')
                print('A replication agreement for this host already exists. '
                      'It needs to be removed.')
                print "Run this on the master that generated the info file:"
                print("    %% ipa-replica-manage del %s --force" %
                      config.host_name)
                sys.exit(3)

            # Detect the current domain level
            try:
                current = remote_api.Command['domainlevel_get']()['result']
            except errors.NotFound:
                # If we're joining an older master, domain entry is not
                # available
                current = 0

            # Detect if current level is out of supported range
            # for this IPA version
            under_lower_bound = current < constants.MIN_DOMAIN_LEVEL
            above_upper_bound = current > constants.MAX_DOMAIN_LEVEL

            if under_lower_bound or above_upper_bound:
                message = ("This version of FreeIPA does not support "
                           "the Domain Level which is currently set for "
                           "this domain. The Domain Level needs to be "
                           "raised before installing a replica with "
                           "this version is allowed to be installed "
                           "within this domain.")
                root_logger.error(message)
                print(message)
                sys.exit(3)

            # Check pre-existing host entry
            try:
                entry = conn.find_entries(u'fqdn=%s' % config.host_name,
                                          ['fqdn'], DN(api.env.container_host,
                                                       api.env.basedn))
            except errors.NotFound:
                pass
            else:
                root_logger.info('Error: Host %s already exists on the master '
                                 'server.' % config.host_name)
                print('The host %s already exists on the master server.' %
                      config.host_name)
                print "You should remove it before proceeding:"
                print "    %% ipa host-del %s" % config.host_name
                sys.exit(3)

            # Install CA cert so that we can do SSL connections with ldap
            install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)

            dns_masters = remote_api.Object['dnsrecord'].get_dns_masters()
            if dns_masters:
                if not options.no_host_dns:
                    master = config.master_host_name
                    root_logger.debug('Check forward/reverse DNS resolution')
                    resolution_ok = (
                        check_dns_resolution(master, dns_masters) and
                        check_dns_resolution(config.host_name, dns_masters))
                    if not resolution_ok and not options.unattended:
                        if not ipautil.user_input("Continue?", False):
                            sys.exit(0)
            else:
                root_logger.debug('No IPA DNS servers, '
                                  'skipping forward/reverse resolution check')

        except errors.ACIError:
            sys.exit("\nThe password provided is incorrect for LDAP server "
                     "%s" % config.master_host_name)
        except errors.LDAPError:
            sys.exit("\nUnable to connect to LDAP server %s" %
                     config.master_host_name)
        finally:
            if replman and replman.conn:
                replman.conn.unbind()

        if options.skip_schema_check:
            root_logger.info("Skipping CA DS schema check")
        else:
            cainstance.replica_ca_install_check(config)

        # Configure ntpd
        if options.conf_ntp:
            ipaclient.ntpconf.force_ntpd(sstore)
            ntp = ntpinstance.NTPInstance()
            ntp.create_instance()

        # Configure dirsrv
        ds = install_replica_ds(config)

        # Configure the CA if necessary
        CA = cainstance.install_replica_ca(config)

        # Always try to install DNS records
        install_dns_records(config, options, remote_api)
    finally:
        if conn.isconnected():
            conn.disconnect()

    # We need to ldap_enable the CA now that DS is up and running
    if CA and config.setup_ca:
        CA.ldap_enable('CA', config.host_name, config.dirman_password,
                       ipautil.realm_to_suffix(config.realm_name))

        # This is done within stopped_service context, which restarts CA
        CA.enable_client_auth_to_db(CA.dogtag_constants.CS_CFG_PATH)

    krb = install_krb(config, setup_pkinit=options.setup_pkinit)
    http = install_http(config, auto_redirect=options.ui_redirect)

    otpd = otpdinstance.OtpdInstance()
    otpd.create_instance('OTPD', config.host_name, config.dirman_password,
                         ipautil.realm_to_suffix(config.realm_name))

    if CA:
        CA.configure_certmonger_renewal()
        CA.import_ra_cert(config.dir + "/ra.p12")
        CA.fix_ra_perms()

    # The DS instance is created before the keytab, add the SSL cert we
    # generated
    ds.add_cert_to_service()

    # Apply any LDAP updates. Needs to be done after the replica is synced-up
    service.print_msg("Applying LDAP updates")
    ds.apply_updates()

    if options.setup_kra:
        kra.install(config, options, config.dirman_password)
    else:
        service.print_msg("Restarting the directory server")
        ds.restart()

    service.print_msg("Restarting the KDC")
    krb.restart()

    if CA and config.setup_ca:
        service.print_msg("Restarting the certificate server")
        CA.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)

    if options.setup_dns:
        api.Backend.ldap2.connect(autobind=True)
        dns.install(False, True, options)

    # Restart httpd to pick up the new IPA configuration
    service.print_msg("Restarting the web server")
    http.restart()

    # Call client install script
    try:
        args = [paths.IPA_CLIENT_INSTALL, "--on-master", "--unattended",
                "--domain", config.domain_name, "--server", config.host_name,
                "--realm", config.realm_name]
        if not options.create_sshfp:
            args.append("--no-dns-sshfp")
        if options.trust_sshfp:
            args.append("--ssh-trust-dns")
        if not options.conf_ssh:
            args.append("--no-ssh")
        if not options.conf_sshd:
            args.append("--no-sshd")
        if options.mkhomedir:
            args.append("--mkhomedir")
        ipautil.run(args)
    except Exception, e:
        print "Configuration of client side components failed!"
        print "ipa-client-install returned: " + str(e)
        raise RuntimeError("Failed to configure the client")
Esempio n. 24
0
    def execute(self, **options):
        ca = cainstance.CAInstance(self.api.env.realm, certs.NSS_DIR)
        if not ca.is_configured():
            self.debug("CA is not configured on this host")
            return False, []

        ldap = self.api.Backend.ldap2
        base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
                     self.api.env.basedn)
        filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))'
        try:
            entries = ldap.get_entries(base_dn=base_dn, filter=filter,
                                       attrs_list=[])
        except errors.NotFound:
            pass
        else:
            self.debug("found CA renewal master %s", entries[0].dn[1].value)
            return False, []

        criteria = {
            'cert-database': paths.HTTPD_ALIAS_DIR,
            'cert-nickname': 'ipaCert',
        }
        request_id = certmonger.get_request_id(criteria)
        if request_id is not None:
            self.debug("found certmonger request for ipaCert")

            ca_name = certmonger.get_request_value(request_id, 'ca-name')
            if ca_name is None:
                self.warning(
                    "certmonger request for ipaCert is missing ca_name, "
                    "assuming local CA is renewal slave")
                return False, []
            ca_name = ca_name.strip()

            if ca_name == 'dogtag-ipa-renew-agent':
                pass
            elif ca_name == 'dogtag-ipa-retrieve-agent-submit':
                return False, []
            elif ca_name == 'dogtag-ipa-ca-renew-agent':
                return False, []
            else:
                self.warning(
                    "certmonger request for ipaCert has unknown ca_name '%s', "
                    "assuming local CA is renewal slave", ca_name)
                return False, []
        else:
            self.debug("certmonger request for ipaCert not found")

            config = installutils.get_directive(
                dogtag.configured_constants().CS_CFG_PATH,
                'subsystem.select', '=')

            if config == 'New':
                pass
            elif config == 'Clone':
                return False, []
            else:
                self.warning(
                    "CS.cfg has unknown subsystem.select value '%s', "
                    "assuming local CA is renewal slave", config)
                return (False, False, [])

        dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
        update = {
                'dn': dn,
                'updates': [
                    dict(action='add', attr='ipaConfigString',
                         value='caRenewalMaster')
                ],
        }

        return False, [update]
Esempio n. 25
0
    def issue_signing_cert(self, certreq_fname, cert_fname):
        self.setup_cert_request()
        if self.self_signed_ca:
            p = subprocess.Popen(["/usr/bin/certutil",
                                  "-d", self.secdir,
                                  "-C", "-c", self.cacert_name,
                                  "-i", certreq_fname,
                                  "-o", cert_fname,
                                  "-m", next_serial(),
                                  "-v", self.valid_months,
                                  "-f", self.passwd_fname,
                                  "-1", "-5"],
                                 stdin=subprocess.PIPE,
                                 stdout=subprocess.PIPE)

            # Bah - this sucks, but I guess it isn't possible to fully
            # control this with command line arguments.
            #
            # What this is requesting is:
            #  -1 (Create key usage extension)
            #     0 - Digital Signature
            #     5 - Cert signing key
            #     9 - done
            #     n - not critical
            #
            #  -5 (Create netscape cert type extension)
            #     3 - Object Signing
            #     9 - done
            #     n - not critical
            p.stdin.write("0\n5\n9\nn\n3\n9\nn\n")
            p.wait()
        else:
            if self.host_name is None:
                raise RuntimeError("CA Host is not set.")

            f = open(certreq_fname, "r")
            csr = f.readlines()
            f.close()
            csr = "".join(csr)

            # We just want the CSR bits, make sure there is no thing else
            csr = pkcs10.strip_header(csr)

            params = {'profileId': 'caJarSigningCert',
                    'cert_request_type': 'pkcs10',
                    'requestor_name': 'IPA Installer',
                    'cert_request': csr,
                    'xmlOutput': 'true'}

            # Send the request to the CA
            f = open(self.passwd_fname, "r")
            password = f.readline()
            f.close()
            result = dogtag.https_request(
                self.host_name,
                api.env.ca_ee_install_port or
                    dogtag.configured_constants().EE_SECURE_PORT,
                "/ca/ee/ca/profileSubmitSSLClient",
                self.secdir, password, "ipaCert", **params)
            http_status, http_reason_phrase, http_headers, http_body = result
            if http_status != 200:
                raise RuntimeError("Unable to submit cert request")

            # The result is an XML blob. Pull the certificate out of that
            doc = xml.dom.minidom.parseString(http_body)
            item_node = doc.getElementsByTagName("b64")
            cert = item_node[0].childNodes[0].data
            doc.unlink()

            # base64-decode the cert for uniformity
            cert = base64.b64decode(cert)

            # Write the certificate to a file. It will be imported in a later
            # step. This file will be read later to be imported.
            f = open(cert_fname, "w")
            f.write(cert)
            f.close()

        return
Esempio n. 26
0
    def issue_signing_cert(self, certreq_fname, cert_fname):
        self.setup_cert_request()
        if self.self_signed_ca:
            p = subprocess.Popen([
                "/usr/bin/certutil", "-d", self.secdir, "-C", "-c",
                self.cacert_name, "-i", certreq_fname, "-o", cert_fname, "-m",
                next_serial(), "-v", self.valid_months, "-f",
                self.passwd_fname, "-1", "-5"
            ],
                                 stdin=subprocess.PIPE,
                                 stdout=subprocess.PIPE)

            # Bah - this sucks, but I guess it isn't possible to fully
            # control this with command line arguments.
            #
            # What this is requesting is:
            #  -1 (Create key usage extension)
            #     0 - Digital Signature
            #     5 - Cert signing key
            #     9 - done
            #     n - not critical
            #
            #  -5 (Create netscape cert type extension)
            #     3 - Object Signing
            #     9 - done
            #     n - not critical
            p.stdin.write("0\n5\n9\nn\n3\n9\nn\n")
            p.wait()
        else:
            if self.host_name is None:
                raise RuntimeError("CA Host is not set.")

            f = open(certreq_fname, "r")
            csr = f.readlines()
            f.close()
            csr = "".join(csr)

            # We just want the CSR bits, make sure there is no thing else
            csr = pkcs10.strip_header(csr)

            params = {
                'profileId': 'caJarSigningCert',
                'cert_request_type': 'pkcs10',
                'requestor_name': 'IPA Installer',
                'cert_request': csr,
                'xmlOutput': 'true'
            }

            # Send the request to the CA
            f = open(self.passwd_fname, "r")
            password = f.readline()
            f.close()
            result = dogtag.https_request(
                self.host_name, api.env.ca_ee_install_port
                or dogtag.configured_constants().EE_SECURE_PORT,
                "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password,
                "ipaCert", **params)
            http_status, http_reason_phrase, http_headers, http_body = result
            if http_status != 200:
                raise RuntimeError("Unable to submit cert request")

            # The result is an XML blob. Pull the certificate out of that
            doc = xml.dom.minidom.parseString(http_body)
            item_node = doc.getElementsByTagName("b64")
            cert = item_node[0].childNodes[0].data
            doc.unlink()

            # base64-decode the cert for uniformity
            cert = base64.b64decode(cert)

            # Write the certificate to a file. It will be imported in a later
            # step. This file will be read later to be imported.
            f = open(cert_fname, "w")
            f.write(cert)
            f.close()

        return
Esempio n. 27
0
                if options.pkinit_pin is None:
                    raise admintool.ScriptError(
                        "Kerberos KDC private key unlock password required")
            pkinit_pkcs12_file, pkinit_pin, pkinit_ca_cert = self.load_pkcs12(
                options.pkinit_cert_files, options.pkinit_pin,
                options.pkinit_cert_name)
            self.pkinit_pkcs12_file = pkinit_pkcs12_file
            self.pkinit_pin = pkinit_pin

        if (options.http_cert_files and options.dirsrv_cert_files
                and http_ca_cert != dirsrv_ca_cert):
            raise admintool.ScriptError(
                "Apache Server SSL certificate and Directory Server SSL "
                "certificate are not signed by the same CA certificate")

        if (not ipautil.file_exists(dogtag.configured_constants().CS_CFG_PATH)
                and options.dirsrv_pin is None):
            self.log.info(
                "If you installed IPA with your own certificates "
                "using PKCS#12 files you must provide PKCS#12 files for any "
                "replicas you create as well.")
            raise admintool.ScriptError("The replica must be created on the "
                                        "primary IPA server.")

    def run(self):
        options = self.options
        super(ReplicaPrepare, self).run()

        self.log.info("Preparing replica for %s from %s", self.replica_fqdn,
                      api.env.host)
        enable_replication_version_checking(api.env.host, api.env.realm,
Esempio n. 28
0
from ipapython import sysrestore, ipautil, dogtag, ipaldap
from ipapython.dn import DN
from ipapython.ipa_log_manager import *
from ipalib import errors, certstore
from ipaplatform import services
from ipaplatform.paths import paths

# The service name as stored in cn=masters,cn=ipa,cn=etc. In the tuple
# the first value is the *nix service name, the second the start order.
SERVICE_LIST = {
    'KDC': ('krb5kdc', 10),
    'KPASSWD': ('kadmin', 20),
    'DNS': ('named', 30),
    'MEMCACHE': ('ipa_memcached', 39),
    'HTTP': ('httpd', 40),
    'CA': ('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 50),
    'ADTRUST': ('smb', 60),
    'EXTID': ('winbind', 70),
    'OTPD': ('ipa-otpd', 80),
    'DNSKeyExporter': ('ipa-ods-exporter', 90),
    'DNSSEC': ('ods-enforcerd', 100),
    'DNSKeySync': ('ipa-dnskeysyncd', 110),
}


def print_msg(message, output_fd=sys.stdout):
    root_logger.debug(message)
    output_fd.write(message)
    output_fd.write("\n")
    output_fd.flush()
Esempio n. 29
0
from ipapython.dn import DN
from ipapython.ipa_log_manager import *
from ipalib import errors, certstore
from ipaplatform import services
from ipaplatform.paths import paths


# The service name as stored in cn=masters,cn=ipa,cn=etc. In the tuple
# the first value is the *nix service name, the second the start order.
SERVICE_LIST = {
    'KDC': ('krb5kdc', 10),
    'KPASSWD': ('kadmin', 20),
    'DNS': ('named', 30),
    'MEMCACHE': ('ipa_memcached', 39),
    'HTTP': ('httpd', 40),
    'CA': ('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 50),
    'ADTRUST': ('smb', 60),
    'EXTID': ('winbind', 70),
    'OTPD': ('ipa-otpd', 80),
    'DNSKeyExporter': ('ipa-ods-exporter', 90),
    'DNSSEC': ('ods-enforcerd', 100),
    'DNSKeySync': ('ipa-dnskeysyncd', 110),
}

def print_msg(message, output_fd=sys.stdout):
    root_logger.debug(message)
    output_fd.write(message)
    output_fd.write("\n")
    output_fd.flush()