def _call_certmonger(self, certmonger_ca='IPA'): subject = str(DN(('cn', self.fqdn), self.subject_base)) krbtgt = "krbtgt/" + self.realm + "@" + self.realm certpath = (paths.KDC_CERT, paths.KDC_KEY) try: prev_helper = None # on the first CA-ful master without '--no-pkinit', we issue the # certificate by contacting Dogtag directly ca_instances = find_providing_servers( 'CA', conn=self.api.Backend.ldap2, api=self.api) use_dogtag_submit = all( [self.master_fqdn is None, self.pkcs12_info is None, self.config_pkinit, len(ca_instances) == 0]) if use_dogtag_submit: ca_args = [ paths.CERTMONGER_DOGTAG_SUBMIT, '--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn, '--certfile', paths.RA_AGENT_PEM, '--keyfile', paths.RA_AGENT_KEY, '--cafile', paths.IPA_CA_CRT, '--agent-submit' ] helper = " ".join(ca_args) prev_helper = certmonger.modify_ca_helper( certmonger_ca, helper ) certmonger.request_and_wait_for_cert( certpath=certpath, subject=subject, principal=krbtgt, ca=certmonger_ca, dns=self.fqdn, storage='FILE', profile=KDC_PROFILE, post_command='renew_kdc_cert', perms=(0o644, 0o600), resubmit_timeout=api.env.replication_wait_timeout ) except dbus.DBusException as e: # if the certificate is already tracked, ignore the error name = e.get_dbus_name() if name != 'org.fedorahosted.certmonger.duplicate': logger.error("Failed to initiate the request: %s", e) return finally: if prev_helper is not None: certmonger.modify_ca_helper(certmonger_ca, prev_helper)
def _call_certmonger(self, certmonger_ca='IPA'): subject = str(DN(('cn', self.fqdn), self.subject_base)) krbtgt = "krbtgt/" + self.realm + "@" + self.realm certpath = (paths.KDC_CERT, paths.KDC_KEY) try: prev_helper = None # on the first CA-ful master without '--no-pkinit', we issue the # certificate by contacting Dogtag directly ca_instances = find_providing_servers( 'CA', conn=self.api.Backend.ldap2, api=self.api) use_dogtag_submit = all( [self.master_fqdn is None, self.pkcs12_info is None, self.config_pkinit, len(ca_instances) == 0]) if use_dogtag_submit: ca_args = [ paths.CERTMONGER_DOGTAG_SUBMIT, '--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn, '--certfile', paths.RA_AGENT_PEM, '--keyfile', paths.RA_AGENT_KEY, '--cafile', paths.IPA_CA_CRT, '--agent-submit' ] helper = " ".join(ca_args) prev_helper = certmonger.modify_ca_helper( certmonger_ca, helper ) certmonger.request_and_wait_for_cert( certpath=certpath, subject=subject, principal=krbtgt, ca=certmonger_ca, dns=self.fqdn, storage='FILE', profile=KDC_PROFILE, post_command='renew_kdc_cert', perms=(0o644, 0o600), resubmit_timeout=api.env.certmonger_wait_timeout ) except dbus.DBusException as e: # if the certificate is already tracked, ignore the error name = e.get_dbus_name() if name != 'org.fedorahosted.certmonger.duplicate': logger.error("Failed to initiate the request: %s", e) return finally: if prev_helper is not None: certmonger.modify_ca_helper(certmonger_ca, prev_helper)
def install(installer): options = installer ca_enabled = installer._ca_enabled kra_enabled = installer._kra_enabled fstore = installer._fstore config = installer._config cafile = installer._ca_file dirsrv_pkcs12_info = installer._dirsrv_pkcs12_info http_pkcs12_info = installer._http_pkcs12_info pkinit_pkcs12_info = installer._pkinit_pkcs12_info remote_api = installer._remote_api conn = remote_api.Backend.ldap2 ccache = os.environ['KRB5CCNAME'] if tasks.configure_pkcs11_modules(fstore): print("Disabled p11-kit-proxy") if installer._add_to_ipaservers: try: conn.connect(ccache=installer._ccache) remote_api.Command['hostgroup_add_member']( u'ipaservers', host=[unicode(api.env.host)], ) finally: if conn.isconnected(): conn.disconnect() os.environ['KRB5CCNAME'] = ccache config.dirman_password = ipautil.ipa_generate_password() # FIXME: allow to use passed in certs instead if ca_enabled: configure_certmonger() try: conn.connect(ccache=ccache) # Update and istall updated CA file cafile = install_ca_cert(conn, api.env.basedn, api.env.realm, cafile) install_ca_cert(conn, api.env.basedn, api.env.realm, cafile, destfile=paths.KDC_CA_BUNDLE_PEM) install_ca_cert(conn, api.env.basedn, api.env.realm, cafile, destfile=paths.CA_BUNDLE_PEM) # Configure dirsrv ds = install_replica_ds(config, options, ca_enabled, remote_api, ca_file=cafile, pkcs12_info=dirsrv_pkcs12_info, fstore=fstore) # Always try to install DNS records install_dns_records(config, options, remote_api, fstore=fstore) finally: if conn.isconnected(): conn.disconnect() # Create the management framework config file. Do this irregardless # of the state of DS installation. Even if it fails, # we need to have master-like configuration in order to perform a # successful uninstallation # The configuration creation has to be here otherwise previous call # To config certmonger would try to connect to local server create_ipa_conf(fstore, config, ca_enabled) krb = install_krb( config, setup_pkinit=not options.no_pkinit, pkcs12_info=pkinit_pkcs12_info, fstore=fstore) # We need to point to the master when certmonger asks for # a DS or HTTP certificate. # During http installation, the <service>/hostname principal is # created locally then the installer waits for the entry to appear # on the master selected for the installation. # In a later step, the installer requests a SSL certificate through # Certmonger (and the op adds the principal if it does not exist yet). # If xmlrpc_uri points to the soon-to-be replica, # the httpd service is not ready yet to handle certmonger requests # and certmonger tries to find another master. The master can be # different from the one selected for the installation, and it is # possible that the principal has not been replicated yet. This # may lead to a replication conflict. # This is why we need to force the use of the same master by # setting xmlrpc_uri create_ipa_conf(fstore, config, ca_enabled, master=config.master_host_name) # we now need to enable ssl on the ds ds.enable_ssl() install_http( config, auto_redirect=not options.no_ui_redirect, pkcs12_info=http_pkcs12_info, ca_is_configured=ca_enabled, ca_file=cafile, fstore=fstore) # Need to point back to ourself after the cert for HTTP is obtained create_ipa_conf(fstore, config, ca_enabled) otpd = otpdinstance.OtpdInstance() otpd.create_instance('OTPD', config.host_name, ipautil.realm_to_suffix(config.realm_name)) if kra_enabled: # A KRA peer always provides a CA, too. mode = custodiainstance.CustodiaModes.KRA_PEER elif ca_enabled: mode = custodiainstance.CustodiaModes.CA_PEER else: mode = custodiainstance.CustodiaModes.MASTER_PEER custodia = custodiainstance.get_custodia_instance(config, mode) custodia.create_instance() if ca_enabled: options.realm_name = config.realm_name options.domain_name = config.domain_name options.host_name = config.host_name options.dm_password = config.dirman_password ca.install(False, config, options, custodia=custodia) # configure PKINIT now that all required services are in place krb.enable_ssl() # Apply any LDAP updates. Needs to be done after the replica is synced-up service.print_msg("Applying LDAP updates") ds.apply_updates() service.print_msg("Finalize replication settings") ds.finalize_replica_config() if kra_enabled: kra.install(api, config, options, custodia=custodia) service.print_msg("Restarting the KDC") krb.restart() custodia.import_dm_password() promote_sssd(config.host_name) promote_openldap_conf(config.host_name, config.master_host_name) if options.setup_dns: dns.install(False, True, options, api) if options.setup_adtrust: adtrust.install(False, options, fstore, api) if options.hidden_replica: # Set services to hidden service.hide_services(config.host_name) else: # Enable configured services service.enable_services(config.host_name) # update DNS SRV records. Although it's only really necessary in # enabled-service case, also perform update in hidden replica case. api.Command.dns_update_system_records() ca_servers = find_providing_servers('CA', api.Backend.ldap2, api=api) api.Backend.ldap2.disconnect() # Everything installed properly, activate ipa service. services.knownservices.ipa.enable() # Print a warning if CA role is only installed on one server if len(ca_servers) == 1: msg = textwrap.dedent(u''' WARNING: The CA service is only installed on one server ({}). It is strongly recommended to install it on another server. Run ipa-ca-install(1) on another master to accomplish this. '''.format(ca_servers[0])) print(msg, file=sys.stderr)
def install(installer): options = installer ca_enabled = installer._ca_enabled kra_enabled = installer._kra_enabled fstore = installer._fstore config = installer._config cafile = installer._ca_file dirsrv_pkcs12_info = installer._dirsrv_pkcs12_info http_pkcs12_info = installer._http_pkcs12_info pkinit_pkcs12_info = installer._pkinit_pkcs12_info remote_api = installer._remote_api conn = remote_api.Backend.ldap2 ccache = os.environ['KRB5CCNAME'] if installer._add_to_ipaservers: try: conn.connect(ccache=installer._ccache) remote_api.Command['hostgroup_add_member']( u'ipaservers', host=[unicode(api.env.host)], ) finally: if conn.isconnected(): conn.disconnect() os.environ['KRB5CCNAME'] = ccache config.dirman_password = ipautil.ipa_generate_password() # FIXME: allow to use passed in certs instead if ca_enabled: configure_certmonger() try: conn.connect(ccache=ccache) # Update and istall updated CA file cafile = install_ca_cert(conn, api.env.basedn, api.env.realm, cafile) install_ca_cert(conn, api.env.basedn, api.env.realm, cafile, destfile=paths.KDC_CA_BUNDLE_PEM) install_ca_cert(conn, api.env.basedn, api.env.realm, cafile, destfile=paths.CA_BUNDLE_PEM) # Configure dirsrv ds = install_replica_ds(config, options, ca_enabled, remote_api, ca_file=cafile, pkcs12_info=dirsrv_pkcs12_info, fstore=fstore) # Always try to install DNS records install_dns_records(config, options, remote_api, fstore=fstore) finally: if conn.isconnected(): conn.disconnect() # Create the management framework config file. Do this irregardless # of the state of DS installation. Even if it fails, # we need to have master-like configuration in order to perform a # successful uninstallation # The configuration creation has to be here otherwise previous call # To config certmonger would try to connect to local server create_ipa_conf(fstore, config, ca_enabled) krb = install_krb(config, setup_pkinit=not options.no_pkinit, pkcs12_info=pkinit_pkcs12_info, fstore=fstore) # We need to point to the master when certmonger asks for # a DS or HTTP certificate. # During http installation, the <service>/hostname principal is # created locally then the installer waits for the entry to appear # on the master selected for the installation. # In a later step, the installer requests a SSL certificate through # Certmonger (and the op adds the principal if it does not exist yet). # If xmlrpc_uri points to the soon-to-be replica, # the httpd service is not ready yet to handle certmonger requests # and certmonger tries to find another master. The master can be # different from the one selected for the installation, and it is # possible that the principal has not been replicated yet. This # may lead to a replication conflict. # This is why we need to force the use of the same master by # setting xmlrpc_uri create_ipa_conf(fstore, config, ca_enabled, master=config.master_host_name) # we now need to enable ssl on the ds ds.enable_ssl() install_http(config, auto_redirect=not options.no_ui_redirect, pkcs12_info=http_pkcs12_info, ca_is_configured=ca_enabled, ca_file=cafile, fstore=fstore) # Need to point back to ourself after the cert for HTTP is obtained create_ipa_conf(fstore, config, ca_enabled) otpd = otpdinstance.OtpdInstance() otpd.create_instance('OTPD', config.host_name, ipautil.realm_to_suffix(config.realm_name)) if kra_enabled: # A KRA peer always provides a CA, too. mode = custodiainstance.CustodiaModes.KRA_PEER elif ca_enabled: mode = custodiainstance.CustodiaModes.CA_PEER else: mode = custodiainstance.CustodiaModes.MASTER_PEER custodia = custodiainstance.get_custodia_instance(config, mode) custodia.create_instance() if ca_enabled: options.realm_name = config.realm_name options.domain_name = config.domain_name options.host_name = config.host_name options.dm_password = config.dirman_password ca.install(False, config, options, custodia=custodia) # configure PKINIT now that all required services are in place krb.enable_ssl() # Apply any LDAP updates. Needs to be done after the replica is synced-up service.print_msg("Applying LDAP updates") ds.apply_updates() service.print_msg("Finalize replication settings") ds.finalize_replica_config() if kra_enabled: kra.install(api, config, options, custodia=custodia) service.print_msg("Restarting the KDC") krb.restart() custodia.import_dm_password() promote_sssd(config.host_name) promote_openldap_conf(config.host_name, config.master_host_name) if options.setup_dns: dns.install(False, True, options, api) if options.setup_adtrust: adtrust.install(False, options, fstore, api) # Enable configured services and update DNS SRV records service.enable_services(config.host_name) api.Command.dns_update_system_records() ca_servers = find_providing_servers('CA', api.Backend.ldap2, api=api) api.Backend.ldap2.disconnect() # Everything installed properly, activate ipa service. services.knownservices.ipa.enable() # Print a warning if CA role is only installed on one server if len(ca_servers) == 1: msg = textwrap.dedent(u''' WARNING: The CA service is only installed on one server ({}). It is strongly recommended to install it on another server. Run ipa-ca-install(1) on another master to accomplish this. '''.format(ca_servers[0])) print(msg, file=sys.stderr)