On 12/07/2012 10:05 AM, Petr Viktorin wrote:
On 12/05/2012 01:54 PM, Petr Viktorin wrote:
On 12/04/2012 10:51 PM, Endi Sukma Dewata wrote:
On 12/4/2012 3:16 PM, Endi Sukma Dewata wrote:
The configuration code has been modified to use the ConfigParser to
set the parameters in the CA section in the deployment configuration.
This allows IPA to define additional PKI subsystems in the same
configuration file.
PKI Ticket #399 (https://fedorahosted.org/pki/ticket/399)
New patch attached. Bumped the minimum pki-ca version.
Note that the path to the ca_admin_cert.p12 is hardcoded due to this
bug: https://fedorahosted.org/pki/ticket/437
ACK
Attaching an additional patch that uses our DN objects, instead of
strings, for the DN operations. I overlooked that in the original
Dogtag 10 patches (or the DN work overlapped with them, I forget).
Until the new Dogtag hits official repos, you will need to use daily
builds from http://nkinder.fedorapeople.org/dogtag-devel/fedora/
Here is a rebased version of Endi's patch.
And another rebase
--
Petr³
From e393787d299e2732e677e44defbec8b3d27e103d Mon Sep 17 00:00:00 2001
From: Endi Sukma Dewata <[email protected]>
Date: Wed, 28 Nov 2012 03:05:53 -0500
Subject: [PATCH] Configuring CA with ConfigParser.
The configuration code has been modified to use the ConfigParser to
set the parameters in the CA section in the deployment configuration.
This allows IPA to define additional PKI subsystems in the same
configuration file.
PKI Ticket #399 (https://fedorahosted.org/pki/ticket/399)
---
freeipa.spec.in | 5 +-
ipaserver/install/cainstance.py | 156 ++++++++++++++++++++-------------------
2 files changed, 84 insertions(+), 77 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index efaf95960394aab62c33c33d232bc37d8095f511..f1c45b6cce0ba109638bd538aa468c47d2024652 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -114,7 +114,7 @@ Requires(post): systemd-units
Requires: selinux-policy >= 3.11.1-60
Requires(post): selinux-policy-base
Requires: slapi-nis >= 0.44
-Requires: pki-ca >= 10.0.0-0.52.b3
+Requires: pki-ca >= 10.0.0-0.54.b3
Requires: dogtag-pki-server-theme
%if 0%{?rhel}
Requires: subscription-manager
@@ -752,6 +752,9 @@ fi
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
%changelog
+* Fri Dec 7 2012 Endi S. Dewata <[email protected]> - 3.0.99-9
+- Bump minimum version of pki-ca to 10.0.0-0.54.b3
+
* Fri Dec 7 2012 Martin Kosek <[email protected]> - 3.0.99-8
- Bump minimum version of 389-ds-base to 1.3.0 to get transaction support
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 18c787769e4941bf00a64c3dc61a4ed12cc0fb2e..e2112a282652431b401f9d78cac6b745a6080585 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -35,6 +35,7 @@ import urllib
import xml.dom.minidom
import stat
import socket
+import ConfigParser
from ipapython import dogtag
from ipapython.certdb import get_ca_nickname
from ipapython import certmonger
@@ -620,96 +621,99 @@ class CAInstance(service.Service):
def __spawn_instance(self):
"""
- Create and configure a new instance using pkispawn.
- pkispawn requires a configuration file with the appropriate
- values substituted in.
+ Create and configure a new CA instance using pkispawn.
+ pkispawn requires a configuration file with IPA-specific
+ parameters.
"""
- # create a new config file for this installation
+ # Create an empty and secured file
(cfg_fd, cfg_file) = tempfile.mkstemp()
os.close(cfg_fd)
- shutil.copy("/usr/share/pki/deployment/config/pkideployment.cfg",
- cfg_file)
pent = pwd.getpwnam(PKI_USER)
- os.chown(cfg_file, pent.pw_uid, pent.pw_gid )
- replacevars = {
- "pki_enable_proxy": "True",
- "pki_restart_configured_instance": "False",
- "pki_client_database_dir": self.ca_agent_db,
- "pki_client_database_password": self.admin_password,
- "pki_client_database_purge": "False",
- "pki_client_pkcs12_password": self.admin_password,
- "pki_security_domain_name": self.security_domain_name,
- "pki_admin_name": "admin",
- "pki_admin_uid": "admin",
- "pki_admin_email": "root@localhost",
- "pki_admin_password": self.admin_password,
- "pki_admin_nickname": "ipa-ca-agent",
- "pki_admin_subject_dn": "CN=ipa-ca-agent,%s" % self.subject_base,
- "pki_ds_ldap_port": str(self.ds_port),
- "pki_ds_password": self.dm_password,
- "pki_ds_base_dn": self.basedn,
- "pki_ds_database": "ipaca",
- "pki_backup_keys": "True",
- "pki_backup_password": self.admin_password,
- "pki_subsystem_subject_dn": \
- "CN=CA Subsystem,%s" % self.subject_base,
- "pki_ocsp_signing_subject_dn": \
- "CN=OCSP Subsystem,%s" % self.subject_base,
- "pki_ssl_server_subject_dn": \
- "CN=%s,%s" % (self.fqdn, self.subject_base),
- "pki_audit_signing_subject_dn": \
- "CN=CA Audit,%s" % self.subject_base,
- "pki_ca_signing_subject_dn": \
- "CN=Certificate Authority,%s" % self.subject_base,
- "pki_subsystem_nickname": "subsystemCert cert-pki-ca",
- "pki_ocsp_signing_nickname": "ocspSigningCert cert-pki-ca",
- "pki_ssl_server_nickname": "Server-Cert cert-pki-ca",
- "pki_audit_signing_nickname": "auditSigningCert cert-pki-ca",
- "pki_ca_signing_nickname": "caSigningCert cert-pki-ca"
- }
+ os.chown(cfg_file, pent.pw_uid, pent.pw_gid)
+
+ # Create CA configuration
+ config = ConfigParser.ConfigParser()
+ config.optionxform = str
+ config.add_section("CA")
+
+ # Server
+ config.set("CA", "pki_security_domain_name", self.security_domain_name)
+ config.set("CA", "pki_enable_proxy", "True")
+ config.set("CA", "pki_restart_configured_instance", "False")
+ config.set("CA", "pki_backup_keys", "True")
+ config.set("CA", "pki_backup_password", self.admin_password)
+
+ # Client security database
+ config.set("CA", "pki_client_database_dir", self.ca_agent_db)
+ config.set("CA", "pki_client_database_password", self.admin_password)
+ config.set("CA", "pki_client_database_purge", "False")
+ config.set("CA", "pki_client_pkcs12_password", self.admin_password)
+
+ # Administrator
+ config.set("CA", "pki_admin_name", "admin")
+ config.set("CA", "pki_admin_uid", "admin")
+ config.set("CA", "pki_admin_email", "root@localhost")
+ config.set("CA", "pki_admin_password", self.admin_password)
+ config.set("CA", "pki_admin_nickname", "ipa-ca-agent")
+ config.set("CA", "pki_admin_subject_dn", "CN=ipa-ca-agent,%s" % self.subject_base)
+
+ # Directory server
+ config.set("CA", "pki_ds_ldap_port", str(self.ds_port))
+ config.set("CA", "pki_ds_password", self.dm_password)
+ config.set("CA", "pki_ds_base_dn", self.basedn)
+ config.set("CA", "pki_ds_database", "ipaca")
+
+ # Certificate subject DN's
+ config.set("CA", "pki_subsystem_subject_dn", "CN=CA Subsystem,%s" % self.subject_base)
+ config.set("CA", "pki_ocsp_signing_subject_dn", "CN=OCSP Subsystem,%s" % self.subject_base)
+ config.set("CA", "pki_ssl_server_subject_dn", "CN=%s,%s" % (self.fqdn, self.subject_base))
+ config.set("CA", "pki_audit_signing_subject_dn", "CN=CA Audit,%s" % self.subject_base)
+ config.set("CA", "pki_ca_signing_subject_dn", "CN=Certificate Authority,%s" % self.subject_base)
+
+ # Certificate nicknames
+ config.set("CA", "pki_subsystem_nickname", "subsystemCert cert-pki-ca")
+ config.set("CA", "pki_ocsp_signing_nickname", "ocspSigningCert cert-pki-ca")
+ config.set("CA", "pki_ssl_server_nickname", "Server-Cert cert-pki-ca")
+ config.set("CA", "pki_audit_signing_nickname", "auditSigningCert cert-pki-ca")
+ config.set("CA", "pki_ca_signing_nickname", "caSigningCert cert-pki-ca")
if (self.clone):
cafile = self.pkcs12_info[0]
shutil.copy(cafile, "/tmp/ca.p12")
pent = pwd.getpwnam(PKI_USER)
- os.chown("/tmp/ca.p12", pent.pw_uid, pent.pw_gid )
+ os.chown("/tmp/ca.p12", pent.pw_uid, pent.pw_gid)
- clone_vars = {
- "pki_clone_pkcs12_password": self.dm_password,
- "pki_clone": "True",
- "pki_clone_pkcs12_path": "/tmp/ca.p12",
- "pki_security_domain_hostname": self.master_host,
- "pki_security_domain_https_port": "443",
- "pki_security_domain_user": "admin",
- "pki_security_domain_password": self.admin_password,
- "pki_clone_replication_security": "TLS",
- "pki_clone_replication_master_port":
- str(self.master_replication_port),
- "pki_clone_replication_clone_port":
- dogtag.install_constants.DS_PORT,
- "pki_clone_replicate_schema": "False",
- "pki_clone_uri":
- "https://%s" % ipautil.format_netloc(self.master_host, 443)
- }
- replacevars.update(clone_vars)
+ # Security domain registration
+ config.set("CA", "pki_security_domain_hostname", self.master_host)
+ config.set("CA", "pki_security_domain_https_port", "443")
+ config.set("CA", "pki_security_domain_user", "admin")
+ config.set("CA", "pki_security_domain_password", self.admin_password)
+ # Clone
+ config.set("CA", "pki_clone", "True")
+ config.set("CA", "pki_clone_pkcs12_path", "/tmp/ca.p12")
+ config.set("CA", "pki_clone_pkcs12_password", self.dm_password)
+ config.set("CA", "pki_clone_replication_security", "TLS")
+ config.set("CA", "pki_clone_replication_master_port", str(self.master_replication_port))
+ config.set("CA", "pki_clone_replication_clone_port", dogtag.install_constants.DS_PORT)
+ config.set("CA", "pki_clone_replicate_schema", "False")
+ config.set("CA", "pki_clone_uri", "https://%s" % ipautil.format_netloc(self.master_host, 443))
+
+ # External CA
if self.external == 1:
- external_vars = {
- "pki_external": "True",
- "pki_external_csr_path": self.csr_file
- }
- replacevars.update(external_vars)
+ config.set("CA", "pki_external", "True")
+ config.set("CA", "pki_external_csr_path", self.csr_file)
+
elif self.external == 2:
- external_vars = {
- "pki_external": "True",
- "pki_external_ca_cert_path": self.cert_file,
- "pki_external_ca_cert_chain_path": self.cert_chain_file,
- "pki_external_step_two": "True"
- }
- replacevars.update(external_vars)
+ config.set("CA", "pki_external", "True")
+ config.set("CA", "pki_external_ca_cert_path", self.cert_file)
+ config.set("CA", "pki_external_ca_cert_chain_path", self.cert_chain_file)
+ config.set("CA", "pki_external_step_two", "True")
- ipautil.config_replace_variables(cfg_file, replacevars=replacevars)
+ # Generate configuration file
+ with open(cfg_file, "wb") as f:
+ config.write(f)
# Define the things we don't want logged
nolog = (self.admin_password, self.dm_password,)
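Review bot: `pki_clone_replication_clone_port` is set from `dogtag.install_constants.DS_PORT` without the `str()` wrap that the neighbouring numeric values (`pki_ds_ldap_port`, `pki_clone_replication_master_port`) get; `ConfigParser.ConfigParser.set` accepts a non-string and `write()` stringifies it, but a `SafeConfigParser` would raise TypeError, so for consistency write `config.set("CA", "pki_clone_replication_clone_port", str(dogtag.install_constants.DS_PORT))`. Values are also written verbatim, so a `%` in `self.dm_password` (user-supplied) or `self.admin_password` would be read back as an interpolation reference if pkispawn parses the file with an interpolating ConfigParser — worth confirming, or doubling `%` to `%%` before `config.set`. On the positive side, dropping the `shutil.copy` of the packaged template means the mkstemp file keeps its 0600 mode instead of inheriting the template's mode before the passwords are written; a short comment on the `# Create an empty and secured file` line saying that this is why the template is no longer copied would keep the next maintainer from reintroducing it. __spawn_instance continues past the end of the hunk.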
@@ -730,7 +734,7 @@ class CAInstance(service.Service):
os.remove(cfg_file)
if not self.clone:
- shutil.move("/var/lib/pki/pki-tomcat/alias/ca_admin_cert.p12", \
+ shutil.move("/root/.pki/pki-tomcat/ca_admin_cert.p12", \
"/root/ca-agent.p12")
shutil.move("/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12", \
"/root/cacert.p12")
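Review bot: The new hardcoded source path `/root/.pki/pki-tomcat/ca_admin_cert.p12` has its justification only in the cover email, so the code should carry it; add above the `shutil.move` a comment such as `# pkispawn currently writes the admin PKCS#12 to a fixed location under /root/.pki; see PKI ticket #437`. Without that, the asymmetry with the `/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12` path two lines below looks like a mistake. The enclosing method starts before this hunk.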
--
1.7.7.6