def __setup_conf_files(self): if not self.fstore.has_file(paths.OPENDNSSEC_CONF_FILE): self.fstore.backup_file(paths.OPENDNSSEC_CONF_FILE) if not self.fstore.has_file(paths.OPENDNSSEC_KASP_FILE): self.fstore.backup_file(paths.OPENDNSSEC_KASP_FILE) pin_fd = open(paths.DNSSEC_SOFTHSM_PIN, "r") pin = pin_fd.read() pin_fd.close() # add pin to template sub_conf_dict = self.conf_file_dict sub_conf_dict["PIN"] = pin ods_conf_txt = ipautil.template_file(ipautil.SHARE_DIR + "opendnssec_conf.template", sub_conf_dict) ods_conf_fd = open(paths.OPENDNSSEC_CONF_FILE, "w") ods_conf_fd.seek(0) ods_conf_fd.truncate(0) ods_conf_fd.write(ods_conf_txt) ods_conf_fd.close() ods_kasp_txt = ipautil.template_file(ipautil.SHARE_DIR + "opendnssec_kasp.template", self.kasp_file_dict) ods_kasp_fd = open(paths.OPENDNSSEC_KASP_FILE, "w") ods_kasp_fd.seek(0) ods_kasp_fd.truncate(0) ods_kasp_fd.write(ods_kasp_txt) ods_kasp_fd.close() if not self.fstore.has_file(paths.SYSCONFIG_ODS): self.fstore.backup_file(paths.SYSCONFIG_ODS) installutils.set_directive( paths.SYSCONFIG_ODS, "SOFTHSM2_CONF", paths.DNSSEC_SOFTHSM2_CONF, quotes=False, separator="=" )
def __setup_dnskeysyncd(self): # set up dnskeysyncd this is DNSSEC master installutils.set_directive(paths.SYSCONFIG_IPA_DNSKEYSYNCD, 'ISMASTER', '1', quotes=False, separator='=')
def uninstall(self): if not self.is_configured(): return self.print_msg("Unconfiguring %s" % self.service_name) running = self.restore_state("running") enabled = self.restore_state("enabled") # stop DNSSEC services before backing up kasp.db try: self.stop() except Exception: pass ods_exporter = services.service('ipa-ods-exporter') try: ods_exporter.stop() except Exception: pass # remove directive from ipa-dnskeysyncd, this server is not DNSSEC # master anymore installutils.set_directive(paths.SYSCONFIG_IPA_DNSKEYSYNCD, 'ISMASTER', None, quotes=False, separator='=') if ipautil.file_exists(paths.OPENDNSSEC_KASP_DB): # force to export data ods_enforcerd = services.knownservices.ods_enforcerd cmd = [paths.IPA_ODS_EXPORTER, 'ipa-full-update'] try: ipautil.run(cmd, runas=ods_enforcerd.get_user_name()) except CalledProcessError: root_logger.debug("OpenDNSSEC database has not been updated") try: shutil.copy(paths.OPENDNSSEC_KASP_DB, paths.IPA_KASP_DB_BACKUP) except IOError as e: root_logger.error( "Unable to backup OpenDNSSEC database: %s", e) else: root_logger.info("OpenDNSSEC database backed up in %s", paths.IPA_KASP_DB_BACKUP) for f in [paths.OPENDNSSEC_CONF_FILE, paths.OPENDNSSEC_KASP_FILE, paths.OPENDNSSEC_KASP_DB, paths.SYSCONFIG_ODS]: try: self.fstore.restore_file(f) except ValueError, error: root_logger.debug(error) pass
def change_mod_nss_port_from_http(self): # mod_ssl enforces SSLEngine on for vhost on 443 even though # the listener is mod_nss. This then crashes the httpd as mod_nss # listened port obviously does not match mod_ssl requirements. # # The workaround for this was to change port to http. It is no longer # necessary, as mod_nss now ships with default configuration which # sets SSLEngine off when mod_ssl is installed. # # Remove the workaround. if sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'): installutils.set_directive(paths.HTTPD_NSS_CONF, 'Listen', '443', quotes=False) sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', False)
def __setup_conf_files(self): if not self.fstore.has_file(paths.OPENDNSSEC_CONF_FILE): self.fstore.backup_file(paths.OPENDNSSEC_CONF_FILE) if not self.fstore.has_file(paths.OPENDNSSEC_KASP_FILE): self.fstore.backup_file(paths.OPENDNSSEC_KASP_FILE) pin_fd = open(paths.DNSSEC_SOFTHSM_PIN, "r") pin = pin_fd.read() pin_fd.close() # add pin to template sub_conf_dict = self.conf_file_dict sub_conf_dict['PIN'] = pin ods_conf_txt = ipautil.template_file( ipautil.SHARE_DIR + "opendnssec_conf.template", sub_conf_dict) ods_conf_fd = open(paths.OPENDNSSEC_CONF_FILE, 'w') ods_conf_fd.seek(0) ods_conf_fd.truncate(0) ods_conf_fd.write(ods_conf_txt) ods_conf_fd.close() ods_kasp_txt = ipautil.template_file( ipautil.SHARE_DIR + "opendnssec_kasp.template", self.kasp_file_dict) ods_kasp_fd = open(paths.OPENDNSSEC_KASP_FILE, 'w') ods_kasp_fd.seek(0) ods_kasp_fd.truncate(0) ods_kasp_fd.write(ods_kasp_txt) ods_kasp_fd.close() if not self.fstore.has_file(paths.SYSCONFIG_ODS): self.fstore.backup_file(paths.SYSCONFIG_ODS) installutils.set_directive(paths.SYSCONFIG_ODS, 'SOFTHSM2_CONF', paths.DNSSEC_SOFTHSM2_CONF, quotes=False, separator='=')
def enable_mod_nss_renegotiate(self): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
def set_mod_nss_protocol(self): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSProtocol', 'TLSv1.0,TLSv1.1,TLSv1.2', False)
def __set_mod_nss_nickname(self, nickname): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSNickname', nickname)
def __setup_softhsm(self): assert self.ods_uid is not None assert self.named_gid is not None token_dir_exists = os.path.exists(paths.DNSSEC_TOKENS_DIR) # create dnssec directory if not os.path.exists(paths.IPA_DNSSEC_DIR): self.logger.debug("Creating %s directory", paths.IPA_DNSSEC_DIR) os.mkdir(paths.IPA_DNSSEC_DIR, 0o770) # chown ods:named os.chown(paths.IPA_DNSSEC_DIR, self.ods_uid, self.named_gid) # setup softhsm2 config file softhsm_conf_txt = ("# SoftHSM v2 configuration file \n" "# File generated by IPA instalation\n" "directories.tokendir = %(tokens_dir)s\n" "objectstore.backend = file") % { 'tokens_dir': paths.DNSSEC_TOKENS_DIR } self.logger.debug("Creating new softhsm config file") named_fd = open(paths.DNSSEC_SOFTHSM2_CONF, 'w') named_fd.seek(0) named_fd.truncate(0) named_fd.write(softhsm_conf_txt) named_fd.close() # setting up named to use softhsm2 if not self.fstore.has_file(paths.SYSCONFIG_NAMED): self.fstore.backup_file(paths.SYSCONFIG_NAMED) # setting up named and ipa-dnskeysyncd to use our softhsm2 config for sysconfig in [paths.SYSCONFIG_NAMED, paths.SYSCONFIG_IPA_DNSKEYSYNCD]: installutils.set_directive(sysconfig, 'SOFTHSM2_CONF', paths.DNSSEC_SOFTHSM2_CONF, quotes=False, separator='=') if (token_dir_exists and os.path.exists(paths.DNSSEC_SOFTHSM_PIN) and os.path.exists(paths.DNSSEC_SOFTHSM_PIN_SO)): # there is initialized softhsm return # remove old tokens if token_dir_exists: self.logger.debug('Removing old tokens directory %s', paths.DNSSEC_TOKENS_DIR) shutil.rmtree(paths.DNSSEC_TOKENS_DIR) # create tokens subdirectory self.logger.debug('Creating tokens %s directory', paths.DNSSEC_TOKENS_DIR) # sticky bit is required by daemon os.mkdir(paths.DNSSEC_TOKENS_DIR) os.chmod(paths.DNSSEC_TOKENS_DIR, 0o770 | stat.S_ISGID) # chown to ods:named os.chown(paths.DNSSEC_TOKENS_DIR, self.ods_uid, self.named_gid) # generate PINs for softhsm allowed_chars = u'123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ' pin_length = 30 # Bind allows max 32 bytes including ending '\0' pin = ipautil.ipa_generate_password(allowed_chars, pin_length) pin_so = ipautil.ipa_generate_password(allowed_chars, pin_length) self.logger.debug("Saving user PIN to %s", paths.DNSSEC_SOFTHSM_PIN) named_fd = open(paths.DNSSEC_SOFTHSM_PIN, 'w') named_fd.seek(0) named_fd.truncate(0) named_fd.write(pin) named_fd.close() os.chmod(paths.DNSSEC_SOFTHSM_PIN, 0o770) # chown to ods:named os.chown(paths.DNSSEC_SOFTHSM_PIN, self.ods_uid, self.named_gid) self.logger.debug("Saving SO PIN to %s", paths.DNSSEC_SOFTHSM_PIN_SO) named_fd = open(paths.DNSSEC_SOFTHSM_PIN_SO, 'w') named_fd.seek(0) named_fd.truncate(0) named_fd.write(pin_so) named_fd.close() # owner must be root os.chmod(paths.DNSSEC_SOFTHSM_PIN_SO, 0o400) # initialize SoftHSM command = [ paths.SOFTHSM2_UTIL, '--init-token', '--slot', str(softhsm_slot), '--label', softhsm_token_label, '--pin', pin, '--so-pin', pin_so, ] self.logger.debug("Initializing tokens") os.environ["SOFTHSM2_CONF"] = paths.DNSSEC_SOFTHSM2_CONF ipautil.run(command, nolog=(pin, pin_so,))
def __set_mod_nss_nickname(self, nickname): installutils.set_directive(NSS_CONF, 'NSSNickname', nickname)
def __setup_key_exporter(self): installutils.set_directive(paths.SYSOCNFIG_IPA_ODS_EXPORTER, 'SOFTHSM2_CONF', paths.DNSSEC_SOFTHSM2_CONF, quotes=False, separator='=')
def set_mod_nss_protocol(self): installutils.set_directive(NSS_CONF, 'NSSProtocol', 'TLSv1.0,TLSv1.1,TLSv1.2', False)
def __set_mod_nss_passwordfile(self): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSPassPhraseDialog', 'file:/etc/httpd/conf/password.conf')
def __setup_softhsm(self): assert self.ods_uid is not None assert self.named_gid is not None token_dir_exists = os.path.exists(paths.DNSSEC_TOKENS_DIR) # create dnssec directory if not os.path.exists(paths.IPA_DNSSEC_DIR): self.logger.debug("Creating %s directory", paths.IPA_DNSSEC_DIR) os.mkdir(paths.IPA_DNSSEC_DIR, 0770) # chown ods:named os.chown(paths.IPA_DNSSEC_DIR, self.ods_uid, self.named_gid) # setup softhsm2 config file softhsm_conf_txt = ("# SoftHSM v2 configuration file \n" "# File generated by IPA instalation\n" "directories.tokendir = %(tokens_dir)s\n" "objectstore.backend = file") % { 'tokens_dir': paths.DNSSEC_TOKENS_DIR } self.logger.debug("Creating new softhsm config file") named_fd = open(paths.DNSSEC_SOFTHSM2_CONF, 'w') named_fd.seek(0) named_fd.truncate(0) named_fd.write(softhsm_conf_txt) named_fd.close() # setting up named to use softhsm2 if not self.fstore.has_file(paths.SYSCONFIG_NAMED): self.fstore.backup_file(paths.SYSCONFIG_NAMED) # setting up named and ipa-dnskeysyncd to use our softhsm2 config for sysconfig in [ paths.SYSCONFIG_NAMED, paths.SYSCONFIG_IPA_DNSKEYSYNCD ]: installutils.set_directive(sysconfig, 'SOFTHSM2_CONF', paths.DNSSEC_SOFTHSM2_CONF, quotes=False, separator='=') if (token_dir_exists and os.path.exists(paths.DNSSEC_SOFTHSM_PIN) and os.path.exists(paths.DNSSEC_SOFTHSM_PIN_SO)): # there is initialized softhsm return # remove old tokens if token_dir_exists: self.logger.debug('Removing old tokens directory %s', paths.DNSSEC_TOKENS_DIR) shutil.rmtree(paths.DNSSEC_TOKENS_DIR) # create tokens subdirectory self.logger.debug('Creating tokens %s directory', paths.DNSSEC_TOKENS_DIR) # sticky bit is required by daemon os.mkdir(paths.DNSSEC_TOKENS_DIR) os.chmod(paths.DNSSEC_TOKENS_DIR, 0770 | stat.S_ISGID) # chown to ods:named os.chown(paths.DNSSEC_TOKENS_DIR, self.ods_uid, self.named_gid) # generate PINs for softhsm allowed_chars = u'123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ' pin_length = 30 # Bind allows max 32 bytes including ending '\0' pin = ipautil.ipa_generate_password(allowed_chars, pin_length) pin_so = ipautil.ipa_generate_password(allowed_chars, pin_length) self.logger.debug("Saving user PIN to %s", paths.DNSSEC_SOFTHSM_PIN) named_fd = open(paths.DNSSEC_SOFTHSM_PIN, 'w') named_fd.seek(0) named_fd.truncate(0) named_fd.write(pin) named_fd.close() os.chmod(paths.DNSSEC_SOFTHSM_PIN, 0770) # chown to ods:named os.chown(paths.DNSSEC_SOFTHSM_PIN, self.ods_uid, self.named_gid) self.logger.debug("Saving SO PIN to %s", paths.DNSSEC_SOFTHSM_PIN_SO) named_fd = open(paths.DNSSEC_SOFTHSM_PIN_SO, 'w') named_fd.seek(0) named_fd.truncate(0) named_fd.write(pin_so) named_fd.close() # owner must be root os.chmod(paths.DNSSEC_SOFTHSM_PIN_SO, 0400) # initialize SoftHSM command = [ paths.SOFTHSM2_UTIL, '--init-token', '--slot', str(softhsm_slot), '--label', softhsm_token_label, '--pin', pin, '--so-pin', pin_so, ] self.logger.debug("Initializing tokens") os.environ["SOFTHSM2_CONF"] = paths.DNSSEC_SOFTHSM2_CONF ipautil.run(command, nolog=( pin, pin_so, ))
def __set_mod_nss_passwordfile(self): installutils.set_directive(NSS_CONF, 'NSSPassPhraseDialog', 'file:/etc/httpd/conf/password.conf')
def enable_mod_nss_renegotiate(self): installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on', False) installutils.set_directive(NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)