    def __setup_ssl(self):
        """Create the httpd NSS database and its server/signing certs.

        The server cert is either imported from ``self.pkcs12_info`` or
        issued from the local CA database.  Afterwards the NSS files are
        restricted to root:apache 0660 and their SELinux labels restored.
        """
        fqdn = self.fqdn

        ca_db = certs.CertDB(self.realm, host_name=fqdn,
                             subject_base=self.subject_base)
        db = certs.CertDB(self.realm, subject_base=self.subject_base)

        if self.pkcs12_info:
            # The imported CA chain is marked trusted only when the CA is
            # deployed on this host; otherwise no trust flags are forced.
            flags = 'CT,C,C' if self.ca_is_configured else None
            db.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
                                  passwd=None, ca_file=self.ca_file,
                                  trust_flags=flags)
            found = db.find_server_certs()
            if not found:
                raise RuntimeError(
                    "Could not find a suitable server cert in import in %s"
                    % self.pkcs12_info[0])

            db.create_password_conf()

            # Only the first server cert found is wired into mod_nss.
            nickname = found[0][0]
            self.dercert = db.get_cert_from_db(nickname, pem=False)

            if self.ca_is_configured:
                db.track_server_cert(nickname, self.principal,
                                     db.passwd_fname, 'restart_httpd')

            self.__set_mod_nss_nickname(nickname)
        else:
            db.create_password_conf()
            self.dercert = db.create_server_cert(self.cert_nickname,
                                                 self.fqdn, ca_db)
            db.track_server_cert(self.cert_nickname, self.principal,
                                 db.passwd_fname, 'restart_httpd')
            db.create_signing_cert("Signing-Cert", "Object Signing Cert",
                                   ca_db)

        # The database and the password file that unlocks it must be
        # readable by the apache group and nobody else: root:apache 0660.
        nss_files = [certs.NSS_DIR + "/" + name
                     for name in ("cert8.db", "key3.db", "secmod.db",
                                  "pwdfile.txt")]
        for path in nss_files:
            os.chmod(path, 0o660)
        apache_gid = pwd.getpwnam("apache").pw_gid
        for path in nss_files:
            os.chown(path, 0, apache_gid)

        # Restore SELinux labels on the database files we just touched.
        tasks.restore_context(certs.NSS_DIR + "/cert8.db")
        tasks.restore_context(certs.NSS_DIR + "/key3.db")
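    def setup_firefox_extension(self, realm, domain):
        """Set up the signed browser configuration extension.

        Renders krb.js from its template into ``paths.KRB_JS`` and builds
        the Firefox extension at ``paths.KERBEROSAUTH_XPI``.  The XPI is
        signed with "Signing-Cert" from the realm's NSS database when that
        nickname exists; otherwise an unsigned zip is produced and a
        warning is logged.

        :param realm: Kerberos realm substituted into the template.
        :param domain: DNS domain substituted into the template.
        """
        target_fname = paths.KRB_JS
        sub_dict = dict(REALM=realm, DOMAIN=domain)
        db = certs.CertDB(realm)
        # Assumed to hold the bare NSS DB password with no trailing
        # newline -- verify against create_password_conf().
        with open(db.passwd_fname) as pwdfile:
            nss_passwd = pwdfile.read()

        ipautil.copy_template_file(ipautil.SHARE_DIR + "krb.js.template",
                                   target_fname, sub_dict)
        os.chmod(target_fname, 0o644)

        # Build the extension in a scratch directory that is removed even
        # when signtool/zip fails, so a failed run does not leave a copy of
        # the extension tree behind in the temp directory.
        tmpdir = tempfile.mkdtemp(prefix="tmp-")
        try:
            extdir = tmpdir + "/ext"
            target_fname = paths.KERBEROSAUTH_XPI
            shutil.copytree(paths.FFEXTENSION, extdir)
            if db.has_nickname('Signing-Cert'):
                # NOTE: signtool receives the NSS DB password on its command
                # line, so it is briefly visible to local users via the
                # process list.
                db.run_signtool(["-k", "Signing-Cert",
                                 "-p", nss_passwd,
                                 "-X", "-Z", target_fname,
                                 extdir])
            else:
                root_logger.warning(
                    'Object-signing certificate was not found. '
                    'Creating unsigned Firefox configuration extension.')
                filenames = os.listdir(extdir)
                ipautil.run([paths.ZIP, '-r', target_fname] + filenames,
                            cwd=extdir)
        finally:
            shutil.rmtree(tmpdir)
        os.chmod(target_fname, 0o644)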
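    def __setup_autoconfig(self):
        """Render preferences.html, sign it into configure.jar when the
        object-signing cert exists, then build the Firefox extension.

        "Signing-Cert" is created in __setup_ssl; if it is missing the jar
        is skipped with a warning rather than failing the install.
        """
        target_fname = paths.PREFERENCES_HTML
        ipautil.copy_template_file(
            ipautil.SHARE_DIR + "preferences.html.template",
            target_fname, self.sub_dict)
        os.chmod(target_fname, 0o644)

        # The signing cert is generated in __setup_ssl
        db = certs.CertDB(self.realm, subject_base=self.subject_base)
        # Assumed to hold the bare NSS DB password with no trailing
        # newline -- verify against create_password_conf().
        with open(db.passwd_fname) as pwdfile:
            nss_passwd = pwdfile.read()

        # Setup configure.jar
        if db.has_nickname('Signing-Cert'):
            target_fname = paths.CONFIGURE_JAR
            # The scratch directory is removed even if signtool fails, so a
            # failed run does not leave the copied page behind.
            tmpdir = tempfile.mkdtemp(prefix="tmp-")
            try:
                shutil.copy(paths.PREFERENCES_HTML, tmpdir)
                # NOTE: signtool receives the NSS DB password on its command
                # line, so it is briefly visible in the process list.
                db.run_signtool(["-k", "Signing-Cert",
                                 "-Z", target_fname,
                                 "-e", ".html", "-p", nss_passwd,
                                 tmpdir])
            finally:
                shutil.rmtree(tmpdir)
            os.chmod(target_fname, 0o644)
        else:
            root_logger.warning('Object-signing certificate was not found; '
                                'therefore, configure.jar was not created.')

        self.setup_firefox_extension(self.realm, self.domain)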
    def __upload_ca_cert(self):
        """
        Upload the CA certificate in DER form in the LDAP directory.

        Reads the CA cert out of the instance NSS database, stores its
        base64 encoding under ``CADERCERT`` in ``self.sub_dict`` and
        applies the ``upload-cacert.ldif`` template with that dict.
        """
        nss_dir = config_dirname(self.serverid)
        instance_db = certs.CertDB(self.realm_name,
                                   nssdir=nss_dir,
                                   subject_base=self.subject_base)

        der = instance_db.get_cert_from_db(instance_db.cacert_name,
                                           pem=False)
        # The DER blob is binary, so it goes into the LDIF base64-encoded.
        self.sub_dict['CADERCERT'] = base64.b64encode(der)

        self._ldap_mod('upload-cacert.ldif', self.sub_dict)
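    def setup_firefox_extension(self, realm, domain, force=False):
        """Set up the signed browser configuration extension

        If the extension is already set up, skip the installation unless
        ``force`` is true.

        Renders krb.js from its template and builds kerberosauth.xpi,
        signed with "Signing-Cert" from the realm's NSS database when that
        nickname exists; otherwise an unsigned zip is produced and a
        warning is logged.

        :param realm: Kerberos realm substituted into the template.
        :param domain: DNS domain substituted into the template.
        :param force: rebuild even if krb.js already exists.
        """
        target_fname = '/usr/share/ipa/html/krb.js'
        if os.path.exists(target_fname) and not force:
            root_logger.info(
                '%s exists, skipping install of Firefox extension',
                target_fname)
            return

        sub_dict = dict(REALM=realm, DOMAIN=domain)
        db = certs.CertDB(realm)
        # Assumed to hold the bare NSS DB password with no trailing
        # newline -- verify against create_password_conf().
        with open(db.passwd_fname) as pwdfile:
            nss_passwd = pwdfile.read()

        ipautil.copy_template_file(ipautil.SHARE_DIR + "krb.js.template",
                                   target_fname, sub_dict)
        os.chmod(target_fname, 0o644)

        # Build the extension in a scratch directory that is removed even
        # when signtool/zip fails, so a failed run does not leave a copy of
        # the extension tree behind in the temp directory.
        tmpdir = tempfile.mkdtemp(prefix="tmp-")
        try:
            extdir = tmpdir + "/ext"
            target_fname = "/usr/share/ipa/html/kerberosauth.xpi"
            shutil.copytree("/usr/share/ipa/ffextension", extdir)
            if db.has_nickname('Signing-Cert'):
                # NOTE: signtool receives the NSS DB password on its command
                # line, so it is briefly visible to local users via the
                # process list.
                db.run_signtool([
                    "-k", "Signing-Cert", "-p", nss_passwd, "-X", "-Z",
                    target_fname, extdir
                ])
            else:
                root_logger.warning(
                    'Object-signing certificate was not found. '
                    'Creating unsigned Firefox configuration extension.')
                filenames = os.listdir(extdir)
                ipautil.run(['/usr/bin/zip', '-r', target_fname] + filenames,
                            cwd=extdir)
        finally:
            shutil.rmtree(tmpdir)
        os.chmod(target_fname, 0o644)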
    def uninstall(self):
        """Undo the web server configuration done at install time.

        Stops httpd if a "running" state was saved, stops certmonger
        tracking of "Server-Cert", disables the service if it was disabled
        before install, and restores the backed-up config files.
        """
        if self.is_configured():
            self.print_msg("Unconfiguring web server")

        was_running = self.restore_state("running")
        was_enabled = self.restore_state("enabled")

        # Any saved "running" value (not only a true one) triggers a stop;
        # only the "enabled" value is checked for falsiness below.
        if was_running is not None:
            self.stop()

        certs.CertDB(api.env.realm).untrack_server_cert("Server-Cert")

        if was_enabled is not None and not was_enabled:
            self.disable()

        for conf_file in ("/etc/httpd/conf.d/ipa.conf", SSL_CONF, NSS_CONF):
            try:
                self.fstore.restore_file(conf_file)
            except ValueError as error:
                # Best-effort restore: a failure here is logged, not fatal.
                root_logger.debug(error)
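    def __setup_autoconfig(self):
        """Render preferences.html, sign it into configure.jar and rebuild
        the Firefox extension.

        The signing cert ("Signing-Cert") is generated in __setup_ssl and
        is required here: signtool is run unconditionally.
        """
        target_fname = '/usr/share/ipa/html/preferences.html'
        ipautil.copy_template_file(
            ipautil.SHARE_DIR + "preferences.html.template", target_fname,
            self.sub_dict)
        os.chmod(target_fname, 0o644)

        # The signing cert is generated in __setup_ssl
        db = certs.CertDB(self.realm, subject_base=self.subject_base)
        # Assumed to hold the bare NSS DB password with no trailing
        # newline -- verify against create_password_conf().
        with open(db.passwd_fname) as pwdfile:
            nss_passwd = pwdfile.read()

        # Setup configure.jar
        target_fname = '/usr/share/ipa/html/configure.jar'
        # The scratch directory is removed even if signtool fails, so a
        # failed run does not leave the copied page behind.
        tmpdir = tempfile.mkdtemp(prefix="tmp-")
        try:
            shutil.copy("/usr/share/ipa/html/preferences.html", tmpdir)
            # NOTE: signtool receives the NSS DB password on its command
            # line, so it is briefly visible in the process list.
            db.run_signtool([
                "-k", "Signing-Cert", "-Z", target_fname, "-e", ".html",
                "-p", nss_passwd, tmpdir
            ])
        finally:
            shutil.rmtree(tmpdir)
        os.chmod(target_fname, 0o644)

        self.setup_firefox_extension(self.realm, self.domain, force=True)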
 def __publish_ca_cert(self):
     """Export the realm CA certificate to ca.crt under the IPA html dir."""
     cert_db = certs.CertDB(self.realm)
     cert_db.publish_ca_cert("/usr/share/ipa/html/ca.crt")
    def __setup_ssl(self):
        """Build the httpd NSS database and issue or import its certs.

        With ``self_signed_ca`` the CA database is opened without a host
        name, otherwise for this host.  The server cert comes either from
        ``self.pkcs12_info`` or from the local CA; afterwards the NSS files
        (and the CA serial file, if present) are restricted to root:apache
        and their SELinux labels restored.
        """
        fqdn = None if self.self_signed_ca else self.fqdn

        ca_db = certs.CertDB(self.realm,
                             host_name=fqdn,
                             subject_base=self.subject_base)
        db = certs.CertDB(self.realm, subject_base=self.subject_base)

        if self.pkcs12_info:
            p12_file, p12_pin = self.pkcs12_info[0], self.pkcs12_info[1]
            db.create_from_pkcs12(p12_file, p12_pin, passwd=None)
            found = db.find_server_certs()
            if not found:
                raise RuntimeError(
                    "Could not find a suitable server cert in import in %s" %
                    p12_file)

            db.create_password_conf()
            # Only the first server cert found is wired into mod_nss.
            nickname = found[0][0]
            self.dercert = db.get_cert_from_db(nickname, pem=False)
            db.track_server_cert(nickname, self.principal, db.passwd_fname,
                                 'restart_httpd')
            self.__set_mod_nss_nickname(nickname)
        else:
            nickname = "Server-Cert"
            if self.self_signed_ca:
                db.create_from_cacert(ca_db.cacert_fname)

            db.create_password_conf()
            self.dercert = db.create_server_cert(nickname, self.fqdn, ca_db)
            db.track_server_cert(nickname, self.principal,
                                 db.passwd_fname, 'restart_httpd')
            db.create_signing_cert("Signing-Cert", "Object Signing Cert",
                                   ca_db)

        # root:apache 0660 on the database and the password file that
        # unlocks it: the web server must read them, nobody else should.
        nss_files = [certs.NSS_DIR + "/" + name
                     for name in ("cert8.db", "key3.db", "secmod.db",
                                  "pwdfile.txt")]
        for path in nss_files:
            os.chmod(path, 0o660)
        apache_gid = pwd.getpwnam("apache").pw_gid
        for path in nss_files:
            os.chown(path, 0, apache_gid)

        # Fix SELinux permissions on the database
        ipaservices.restore_context(certs.NSS_DIR + "/cert8.db")
        ipaservices.restore_context(certs.NSS_DIR + "/key3.db")

        # The CA serial-number file may have been created during this
        # install; relabel it and make it root:apache 0664.
        if ipautil.file_exists(certs.CA_SERIALNO):
            ipaservices.restore_context(certs.CA_SERIALNO)
            os.chown(certs.CA_SERIALNO, 0, apache_gid)
            os.chmod(certs.CA_SERIALNO, 0o664)
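    def __enable_ssl(self):
        """Configure TLS for the directory server instance.

        Populates the instance NSS database (from the supplied PKCS#12
        bundle or with a freshly issued "Server-Cert"), starts certmonger
        tracking for it, then turns on nsslapd-security and the RSA
        encryption module over LDAP as Directory Manager.

        :raises RuntimeError: if the PKCS#12 bundle holds no server cert.
        """
        dirname = config_dirname(self.serverid)
        dsdb = certs.CertDB(self.realm_name,
                            nssdir=dirname,
                            subject_base=self.subject_base)
        # certmonger runs this after renewing the tracked cert.
        post_command = 'restart_dirsrv %s' % self.serverid

        if self.pkcs12_info:
            dsdb.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1])
            server_certs = dsdb.find_server_certs()
            if not server_certs:
                raise RuntimeError(
                    "Could not find a suitable server cert in import in %s" %
                    self.pkcs12_info[0])

            # We only handle one server cert
            nickname = server_certs[0][0]
            self.dercert = dsdb.get_cert_from_db(nickname, pem=False)
            dsdb.track_server_cert(nickname, self.principal,
                                   dsdb.passwd_fname, post_command)
        else:
            nickname = "Server-Cert"
            cadb = certs.CertDB(self.realm_name,
                                host_name=self.fqdn,
                                subject_base=self.subject_base)
            if not self.self_signed_ca:
                # FIXME, need to set this nickname in the RA plugin
                cadb.export_ca_cert('ipaCert', False)
            # Shared by both CA modes: seed the instance DB with the CA
            # cert, issue the server cert and hand it to certmonger.
            dsdb.create_from_cacert(cadb.cacert_fname, passwd=None)
            self.dercert = dsdb.create_server_cert(nickname, self.fqdn, cadb)
            dsdb.track_server_cert(nickname, self.principal,
                                   dsdb.passwd_fname, post_command)
            dsdb.create_pin_file()

        conn = ipaldap.IPAdmin(self.fqdn)
        # NOTE(review): simple (password) bind as Directory Manager; whether
        # IPAdmin wraps this in TLS or LDAPI is not visible here -- confirm.
        conn.simple_bind_s(DN(('cn', 'directory manager')), self.dm_password)
        try:
            # NOTE(review): this legacy NSS cipher list still enables RC4,
            # MD5-based, 40-bit and export-grade suites and what appears to
            # be a null-encryption suite (fortezza_null).  It is kept
            # byte-identical here because the accepted set is a deployment
            # policy decision, but it should be reviewed against current
            # guidance.
            mod = [
                (ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"),
                (ldap.MOD_REPLACE, "nsSSL3Ciphers",
                 "-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,"
                 "+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,"
                 "+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,"
                 "+fortezza_rc4_128_sha,+fortezza_null,"
                 "+tls_rsa_export1024_with_rc4_56_sha,"
                 "+tls_rsa_export1024_with_des_cbc_sha"),
            ]
            conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod)

            # MOD_ADD: presumably fails if the attribute already exists --
            # confirm whether re-runs are expected to get here.
            conn.modify_s(DN(('cn', 'config')),
                          [(ldap.MOD_ADD, "nsslapd-security", "on")])

            entry = ipaldap.Entry(
                DN(('cn', 'RSA'), ('cn', 'encryption'), ('cn', 'config')))
            entry.setValues("objectclass", "top", "nsEncryptionModule")
            entry.setValues("cn", "RSA")
            entry.setValues("nsSSLPersonalitySSL", nickname)
            entry.setValues("nsSSLToken", "internal (software)")
            entry.setValues("nsSSLActivation", "on")
            conn.addEntry(entry)
        finally:
            # Always drop the privileged connection, even if a modify fails.
            conn.unbind()

        # check for open secure port 636 from now on
        self.open_ports.append(636)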
        try:
            self.fstore.restore_file("/etc/security/limits.conf")
            self.fstore.restore_file("/etc/sysconfig/dirsrv")
        except ValueError, error:
            root_logger.debug(error)
            pass

        if not enabled is None and not enabled:
            self.disable()

        serverid = self.restore_state("serverid")
        if not serverid is None:
            # drop the trailing / off the config_dirname so the directory
            # will match what is in certmonger
            dirname = config_dirname(serverid)[:-1]
            dsdb = certs.CertDB(self.realm_name, nssdir=dirname)
            dsdb.untrack_server_cert("Server-Cert")
            erase_ds_instance_data(serverid)

        # At one time we removed this user on uninstall. That can potentially
        # orphan files, or worse, if another useradd runs in the intermim,
        # cause files to have a new owner.
        user_exists = self.restore_state("user_exists")

        # Make sure some upgrade-related state is removed. This could cause
        # re-installation problems.
        self.restore_state('nsslapd-port')
        self.restore_state('nsslapd-security')
        self.restore_state('nsslapd-ldapiautobind')

        # If any dirsrv instances remain after we've removed ours then
</gr_replreplace>

                                                                                                                                                                                                                                                                                                                                                                                                                               

<gr_replace lines="410-411" cat="remove_boilerplate" orig="コード例 #13">
 def stop_tracking_certificates(self):
     """Stop certmonger tracking of this service's server certificate."""
     realm_db = certs.CertDB(api.env.realm)
     realm_db.untrack_server_cert(self.cert_nickname)
コード例 #13
0
 def __publish_ca_cert(self):
     """Export the realm CA certificate to ``paths.CA_CRT``."""
     cert_db = certs.CertDB(self.realm)
     cert_db.publish_ca_cert(paths.CA_CRT)
 def __import_ca_certs(self):
     """Import the CA certs into the realm NSS database via import_ca_certs."""
     realm_db = certs.CertDB(self.realm, subject_base=self.subject_base)
     self.import_ca_certs(realm_db, self.ca_is_configured)