--
David Kupka
From b5218e9c0101f852e25945cc7e64ff061a04ff4b Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Wed, 3 Jun 2015 17:43:27 +0200
Subject: [PATCH] Move CA installation code into single module.

---
 install/tools/ipa-ca-install               | 185 ++-----------------
 ipaserver/install/ca.py                    | 278 +++++++++++++++++++++++++++++
 ipaserver/install/server/install.py        |  92 +---------
 ipaserver/install/server/replicainstall.py |  34 +---
 4 files changed, 302 insertions(+), 287 deletions(-)
 create mode 100644 ipaserver/install/ca.py

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index f087d2d6a5138915008395cde4c461fc7602811b..c7339622c5f862a282f803f2254bc736b8c18b62 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -42,6 +42,7 @@ from ipapython import certdb
 from ipapython.ipa_log_manager import *
 from ipaplatform import services
 from ipaplatform.paths import paths
+from ipaserver.install import ca as newca
 
 log_file_name = paths.IPAREPLICA_CA_INSTALL_LOG
 REPLICA_INFO_TOP_DIR = None
@@ -106,31 +107,6 @@ def get_dirman_password():
         "Directory Manager (existing master)", confirm=False, validate=False)
 
 
-def check_ca():
-    if not cainstance.check_port():
-        print "IPA requires port 8443 for PKI but it is currently in use."
-        sys.exit(1)
-
-def install_dns_records(config, options):
-
-    if not bindinstance.dns_container_exists(config.master_host_name,
-                                             ipautil.realm_to_suffix(config.realm_name),
-                                             dm_password=config.dirman_password):
-        return
-
-    bind = bindinstance.BindInstance(dm_password=config.dirman_password)
-    disconnect = False
-    try:
-        if not api.Backend.ldap2.isconnected():
-            api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
-                                      bind_pw=config.dirman_password)
-            disconnect = True
-        bind.add_ipa_ca_dns_records(config.host_name, config.domain_name)
-    finally:
-        if api.Backend.ldap2.isconnected() and disconnect:
-            api.Backend.ldap2.disconnect()
-
-
 def install_replica(safe_options, options, filename):
     standard_logging_setup(log_file_name, debug=options.debug)
 
@@ -183,39 +159,14 @@ def install_replica(safe_options, options, filename):
             config.master_host_name, config.host_name, config.realm_name, True,
             config.ca_ds_port, options.admin_password)
 
-    if options.skip_schema_check:
-        root_logger.info("Skipping CA DS schema check")
-    else:
-        cainstance.replica_ca_install_check(config)
+    newca.check(options, config, options.subject, filename)
 
-    check_ca()
-
-    # Configure the CA if necessary
-    CA = cainstance.install_replica_ca(config, postinstall=True)
-
-    # We need to ldap_enable the CA now that DS is up and running
-    CA.ldap_enable('CA', config.host_name, config.dirman_password,
-                   ipautil.realm_to_suffix(config.realm_name))
-
-    # This is done within stopped_service context, which restarts CA
-    CA.enable_client_auth_to_db(CA.dogtag_constants.CS_CFG_PATH)
-
-    # Install CA DNS records
-    install_dns_records(config, options)
+    newca.install_on_replica_step_0(config, options)
 
     # We need to restart apache as we drop a new config file in there
     services.knownservices.httpd.restart(capture_output=True)
 
-    #update dogtag version in config file
-    try:
-        fd = open(paths.IPA_DEFAULT_CONF, "a")
-        fd.write(
-            "dogtag_version=%s\n" % dogtag.install_constants.DOGTAG_VERSION)
-        fd.close()
-    except IOError, e:
-        print "Failed to update /etc/ipa/default.conf"
-        root_logger.error(str(e))
-        sys.exit(1)
+    newca.install_on_replica_step_1(config, options)
 
 
 def install_master(safe_options, options):
@@ -254,127 +205,20 @@ def install_master(safe_options, options):
     config = api.Command['config_show']()['result']
     subject_base = config['ipacertificatesubjectbase'][0]
 
-    if options.external_ca:
-        if cainstance.is_step_one_done():
-            print ("CA is already installed.\nRun the installer with "
-                   "--external-cert-file.")
-            sys.exit(1)
-    elif options.external_cert_files:
-        if not cainstance.is_step_one_done():
-            print ("CA is not installed yet. To install with an external CA "
-                   "is a two-stage process.\nFirst run the installer with "
-                   "--external-ca.")
-            sys.exit(1)
-
-        external_cert_file, external_ca_file = load_external_cert(
-            options.external_cert_files, subject_base)
-
-    if options.external_cert_files:
-        external = 2
-    elif options.external_ca:
-        external = 1
-    else:
-        external = 0
-
     realm_name = api.env.realm
     domain_name = api.env.domain
     host_name = api.env.host
 
-    if external != 2:
-        check_ca()
+    if not options.external_cert_files:
+        newca.check(options, subject_base=subject_base)
 
-    dirname = dsinstance.config_dirname(
-        installutils.realm_to_serverid(realm_name))
-    cadb = certs.CertDB(realm_name, subject_base=subject_base)
-    dsdb = certs.CertDB(realm_name, nssdir=dirname, subject_base=subject_base)
-
-    for db in (cadb, dsdb):
-        for nickname, trust_flags in db.list_certs():
-            if nickname in (certdb.get_ca_nickname(realm_name),
-                            'ipaCert',
-                            'Signing-Cert'):
-                print ("Certificate with nickname %s is present in %s, "
-                       "cannot continue." % (nickname, db.secdir))
-                sys.exit(1)
-
-            cert = db.get_cert_from_db(nickname)
-            if not cert:
-                continue
-            subject = DN(str(x509.get_subject(cert)))
-            if subject in (DN('CN=Certificate Authority', subject_base),
-                           DN('CN=IPA RA', subject_base),
-                           DN('CN=Object Signing Cert', subject_base)):
-                print ("Certificate with subject %s is present in %s, "
-                       "cannot continue." % (subject, db.secdir))
-                sys.exit(1)
-
-    ca = cainstance.CAInstance(
-        realm_name, certs.NSS_DIR,
-        dogtag_constants=dogtag.install_constants)
-    ca.create_ra_agent_db = False
-    if external == 0:
-        ca.configure_instance(host_name, domain_name, dm_password,
-                              dm_password, subject_base=subject_base,
-                              ca_signing_algorithm=options.ca_signing_algorithm)
-    elif external == 1:
-        ca.configure_instance(host_name, domain_name, dm_password,
-                              dm_password, csr_file=paths.ROOT_IPA_CSR,
-                              subject_base=subject_base,
-                              ca_signing_algorithm=options.ca_signing_algorithm,
-                              ca_type=options.external_ca_type)
-    else:
-        ca.configure_instance(host_name, domain_name, dm_password,
-                              dm_password,
-                              cert_file=external_cert_file.name,
-                              cert_chain_file=external_ca_file.name,
-                              subject_base=subject_base,
-                              ca_signing_algorithm=options.ca_signing_algorithm)
-
-    ca.stop(ca.dogtag_constants.PKI_INSTANCE_NAME)
-
-    ca.ldap_enable('CA', host_name, dm_password,
-                   ipautil.realm_to_suffix(realm_name), ['caRenewalMaster'])
-
-    ca.enable_client_auth_to_db(ca.dogtag_constants.CS_CFG_PATH)
-
-    # Install CA DNS records
-    config = ReplicaConfig()
-    config.realm_name = realm_name
-    config.domain_name = domain_name
-    config.host_name = config.master_host_name = host_name
-    config.dirman_password = dm_password
-    install_dns_records(config, options)
+    newca.install_step_0(host_name, realm_name, domain_name, dm_password, subject_base, options)
+    newca.install_step_1(host_name, realm_name, domain_name, dm_password, options)
 
     # We need to restart apache as we drop a new config file in there
     services.knownservices.httpd.restart(capture_output=True)
 
-    # Update config file
-    parser = RawConfigParser()
-    parser.read(paths.IPA_DEFAULT_CONF)
-    parser.set('global', 'enable_ra', 'True')
-    parser.set('global', 'ra_plugin', 'dogtag')
-    parser.set('global', 'dogtag_version',
-               str(ca.dogtag_constants.DOGTAG_VERSION))
-    with open(paths.IPA_DEFAULT_CONF, 'w') as f:
-        parser.write(f)
-
-    # Store the new IPA CA cert chain in DS NSS database and LDAP
-    cadb = certs.CertDB(realm_name, subject_base=subject_base)
-    dsdb = certs.CertDB(realm_name, nssdir=dirname, subject_base=subject_base)
-    trust_flags = dict(reversed(cadb.list_certs()))
-    trust_chain = cadb.find_root_cert('ipaCert')[:-1]
-    for nickname in trust_chain[:-1]:
-        cert = cadb.get_cert_from_db(nickname, pem=False)
-        dsdb.add_cert(cert, nickname, trust_flags[nickname])
-        certstore.put_ca_cert_nss(api.Backend.ldap2, api.env.basedn,
-                                  cert, nickname, trust_flags[nickname])
-
-    nickname = trust_chain[-1]
-    cert = cadb.get_cert_from_db(nickname, pem=False)
-    dsdb.add_cert(cert, nickname, trust_flags[nickname])
-    certstore.put_ca_cert_nss(api.Backend.ldap2, api.env.basedn,
-                              cert, nickname, trust_flags[nickname],
-                              config_ipa=True, config_compat=True)
+    newca.install_on_ca_3(host_name, realm_name, domain_name, dm_password, options, subject_base)
 
     # Restart DS
     ds = dsinstance.DsInstance()
@@ -382,16 +226,7 @@ def install_master(safe_options, options):
                  1101, 1100, None)
     ds.restart(ds.serverid)
 
-    # Store DS CA cert in Dogtag NSS database
-    dogtagdb = certs.CertDB(realm_name, nssdir=ca.dogtag_constants.ALIAS_DIR)
-    trust_flags = dict(reversed(dsdb.list_certs()))
-    server_certs = dsdb.find_server_certs()
-    trust_chain = dsdb.find_root_cert(server_certs[0][0])[:-1]
-    nickname = trust_chain[-1]
-    cert = dsdb.get_cert_from_db(nickname)
-    dogtagdb.add_cert(cert, nickname, trust_flags[nickname])
-
-    ca.start(ca.dogtag_constants.PKI_INSTANCE_NAME)
+    newca.install_on_ca_4(host_name, realm_name, domain_name, dm_password, options, subject_base)
 
 
 def main():
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
new file mode 100644
index 0000000000000000000000000000000000000000..482896b512f5613534e5fbb4c32d4133cb02b8e9
--- /dev/null
+++ b/ipaserver/install/ca.py
@@ -0,0 +1,278 @@
+#! /usr/bin/python2 -E
+
+import sys
+import os.path
+
+from ipaserver.install import cainstance, dsinstance, bindinstance
+from ipalib.constants import CACERT
+from ipapython import dogtag, ipautil, certdb
+from ipaplatform.paths import paths
+from ipaserver.install import installutils, certs, service
+from ipalib import api, certstore, x509
+from ConfigParser import RawConfigParser
+from ipapython.dn import DN
+from ipapython.ipa_log_manager import root_logger
+
+
+external = 0
+script = ""
+
+def check(options, config=None, subject_base=None, replicafile=None):
+    global external
+    global external_cert_file
+    global external_ca_file
+    global script
+
+    if os.path.basename(sys.argv[0]) == "ipa-server-install":
+        script = "server"
+    elif os.path.basename(sys.argv[0]) == "ipa-replica-install":
+        script = "replica"
+    elif os.path.basename(sys.argv[0]) == "ipa-ca-install":
+        script = "ca"
+    else:
+        raise RuntimeError()
+
+    if not cainstance.check_port():
+        print ("IPA requires port 8443 for PKI but it is currently in use.")
+        sys.exit("Aborting installation")
+
+    if not replicafile:
+        if options.external_ca:
+            if cainstance.is_step_one_done():
+                print("CA is already installed.\nRun the installer with "
+                      "--external-cert-file.")
+                sys.exit(1)
+            if ipautil.file_exists(paths.ROOT_IPA_CSR):
+                print("CA CSR file %s already exists.\nIn order to continue "
+                      "remove the file and run the installer again." %
+                      paths.ROOT_IPA_CSR)
+                sys.exit(1)
+        elif options.external_cert_files:
+            if not cainstance.is_step_one_done():
+                # This can happen if someone passes external_ca_file without
+                # already having done the first stage of the CA install.
+                print("CA is not installed yet. To install with an external CA "
+                      "is a two-stage process.\nFirst run the installer with "
+                      "--external-ca.")
+                sys.exit(1)
+
+        if options.external_cert_files:
+            external = 2
+            external_cert_file, external_ca_file = installutils.load_external_cert(
+                options.external_cert_files, subject_base)
+        elif options.external_ca:
+            external = 1
+        else:
+            external = 0
+    else:
+        if options.skip_schema_check:
+            root_logger.info("Skipping CA DS schema check")
+        else:
+            cainstance.replica_ca_install_check(config)
+
+
+
+
+def install_step_0(host_name, realm_name, domain_name, dm_password, subject_base, options):
+    global ca
+    global external_cert_file
+    global external_ca_file
+    global script
+    global dirname
+    global external
+
+    if script == "ca":
+        dirname = dsinstance.config_dirname(
+            installutils.realm_to_serverid(realm_name))
+        cadb = certs.CertDB(realm_name, subject_base=subject_base)
+        dsdb = certs.CertDB(realm_name, nssdir=dirname, subject_base=subject_base)
+
+        for db in (cadb, dsdb):
+            for nickname, trust_flags in db.list_certs():
+                if nickname in (certdb.get_ca_nickname(realm_name),
+                                'ipaCert',
+                                'Signing-Cert'):
+                    print ("Certificate with nickname %s is present in %s, "
+                           "cannot continue." % (nickname, db.secdir))
+                    sys.exit(1)
+
+                cert = db.get_cert_from_db(nickname)
+                if not cert:
+                    continue
+                subject = DN(str(x509.get_subject(cert)))
+                if subject in (DN('CN=Certificate Authority', subject_base),
+                               DN('CN=IPA RA', subject_base),
+                               DN('CN=Object Signing Cert', subject_base)):
+                    print ("Certificate with subject %s is present in %s, "
+                           "cannot continue." % (subject, db.secdir))
+                    sys.exit(1)
+
+    ca = cainstance.CAInstance(realm_name, certs.NSS_DIR,
+        dogtag_constants=dogtag.install_constants)
+    if script == "ca":
+        ca.create_ra_agent_db = False
+    if external == 0:
+        ca.configure_instance(host_name, domain_name, dm_password,
+                              dm_password, subject_base=subject_base,
+                              ca_signing_algorithm=options.ca_signing_algorithm)
+    elif external == 1:
+        ca.configure_instance(host_name, domain_name, dm_password,
+                              dm_password, csr_file=paths.ROOT_IPA_CSR,
+                              subject_base=subject_base,
+                              ca_signing_algorithm=options.ca_signing_algorithm,
+                              ca_type=options.external_ca_type)
+    else:
+        ca.configure_instance(host_name, domain_name, dm_password,
+                              dm_password,
+                              cert_file=external_cert_file.name,
+                              cert_chain_file=external_ca_file.name,
+                              subject_base=subject_base,
+                              ca_signing_algorithm=options.ca_signing_algorithm)
+
+    if script == "server":
+        # Now put the CA cert where other instances exepct it
+        ca.publish_ca_cert(CACERT)
+
+
+def install_step_1(host_name, realm_name, domain_name, dm_password, options):
+    global ca
+    global script
+
+    if script == "ca":
+        ca.stop(ca.dogtag_constants.PKI_INSTANCE_NAME)
+
+    # We need to ldap_enable the CA now that DS is up and running
+    ca.ldap_enable('CA', host_name, dm_password,
+                   ipautil.realm_to_suffix(realm_name), ['caRenewalMaster'])
+
+    # This is done within stopped_service context, which restarts CA
+    ca.enable_client_auth_to_db(ca.dogtag_constants.CS_CFG_PATH)
+
+    if script == "ca":
+        # Install CA DNS records
+        config = installutils.ReplicaConfig()
+        config.realm_name = realm_name
+        config.domain_name = domain_name
+        config.host_name = config.master_host_name = host_name
+        config.dirman_password = dm_password
+        install_dns_records(config, options)
+
+def install_on_server_2():
+    global ca
+    if ca:
+        service.print_msg("Restarting the certificate server")
+        ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
+        del(ca)
+
+
+def install_dns_records(config, options):
+
+    if not bindinstance.dns_container_exists(config.master_host_name,
+                                             ipautil.realm_to_suffix(config.realm_name),
+                                             dm_password=config.dirman_password):
+        return
+
+    bind = bindinstance.BindInstance(dm_password=config.dirman_password)
+    disconnect = False
+    try:
+        if not api.Backend.ldap2.isconnected():
+            api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
+                                      bind_pw=config.dirman_password)
+            disconnect = True
+        bind.add_ipa_ca_dns_records(config.host_name, config.domain_name)
+    finally:
+        if api.Backend.ldap2.isconnected() and disconnect:
+            api.Backend.ldap2.disconnect()
+
+
+def install_on_ca_3(host_name, realm_name, domain_name, dm_password, options, subject_base):
+    global ca
+    global dsdb
+    # Update config file
+    parser = RawConfigParser()
+    parser.read(paths.IPA_DEFAULT_CONF)
+    parser.set('global', 'enable_ra', 'True')
+    parser.set('global', 'ra_plugin', 'dogtag')
+    parser.set('global', 'dogtag_version',
+               str(ca.dogtag_constants.DOGTAG_VERSION))
+    with open(paths.IPA_DEFAULT_CONF, 'w') as f:
+        parser.write(f)
+
+    # Store the new IPA CA cert chain in DS NSS database and LDAP
+    cadb = certs.CertDB(realm_name, subject_base=subject_base)
+    dsdb = certs.CertDB(realm_name, nssdir=dirname, subject_base=subject_base)
+    trust_flags = dict(reversed(cadb.list_certs()))
+    trust_chain = cadb.find_root_cert('ipaCert')[:-1]
+    for nickname in trust_chain[:-1]:
+        cert = cadb.get_cert_from_db(nickname, pem=False)
+        dsdb.add_cert(cert, nickname, trust_flags[nickname])
+        certstore.put_ca_cert_nss(api.Backend.ldap2, api.env.basedn,
+                                  cert, nickname, trust_flags[nickname])
+
+    nickname = trust_chain[-1]
+    cert = cadb.get_cert_from_db(nickname, pem=False)
+    dsdb.add_cert(cert, nickname, trust_flags[nickname])
+    certstore.put_ca_cert_nss(api.Backend.ldap2, api.env.basedn,
+                              cert, nickname, trust_flags[nickname],
+                              config_ipa=True, config_compat=True)
+
+def install_on_ca_4(host_name, realm_name, domain_name, dm_password, options, subject_base):
+    global ca
+    global dsdb
+
+    # Store DS CA cert in Dogtag NSS database
+    dogtagdb = certs.CertDB(realm_name, nssdir=ca.dogtag_constants.ALIAS_DIR)
+    trust_flags = dict(reversed(dsdb.list_certs()))
+    server_certs = dsdb.find_server_certs()
+    trust_chain = dsdb.find_root_cert(server_certs[0][0])[:-1]
+    nickname = trust_chain[-1]
+    cert = dsdb.get_cert_from_db(nickname)
+    dogtagdb.add_cert(cert, nickname, trust_flags[nickname])
+
+    ca.start(ca.dogtag_constants.PKI_INSTANCE_NAME)
+    del(ca)
+
+
+def install_on_replica_step_0(config, options):
+    global ca
+    global script
+    # Configure the CA if necessary
+    if script == "ca":
+        postinstall = True
+    else:
+        postinstall = False
+    ca = cainstance.install_replica_ca(config, postinstall)
+
+    if ca and config.setup_ca:
+        # We need to ldap_enable the CA now that DS is up and running
+        ca.ldap_enable('CA', config.host_name, config.dirman_password,
+                       ipautil.realm_to_suffix(config.realm_name))
+
+        # This is done within stopped_service context, which restarts CA
+        ca.enable_client_auth_to_db(ca.dogtag_constants.CS_CFG_PATH)
+
+        # Install CA DNS records
+        install_dns_records(config, options)
+
+def install_on_replica_step_1(config, options):
+    #update dogtag version in config file
+    try:
+        fd = open(paths.IPA_DEFAULT_CONF, "a")
+        fd.write(
+            "dogtag_version=%s\n" % dogtag.install_constants.DOGTAG_VERSION)
+        fd.close()
+    except IOError, e:
+        print "Failed to update /etc/ipa/default.conf"
+        root_logger.error(str(e))
+        sys.exit(1)
+
+def install_on_replica_step_2(config, options):
+    global ca
+
+    if ca:
+        ca.configure_certmonger_renewal()
+        ca.import_ra_cert(config.dir + "/ra.p12")
+        ca.fix_ra_perms()
+    if not config.setup_ca:
+        del(ca)
+
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index aea1f9915f16a55c44183b0cebb41c04622be503..5d4cdb52153b2c52868c9b60d68575434f753221 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -31,6 +31,7 @@ from ipaserver.install.installutils import (
     is_ipa_configured, load_external_cert, load_pkcs12, private_ccache,
     read_password, verify_fqdn)
 from ipaserver.plugins.ldap2 import ldap2
+from ipaserver.install import ca as newca
 try:
     from ipaserver.install import adtrustinstance
     _server_trust_ad_installed = True
@@ -360,25 +361,6 @@ def install_check(options):
     global sstore
     sstore = sysrestore.StateFile(SYSRESTORE_DIR_PATH)
 
-    if options.external_ca:
-        if cainstance.is_step_one_done():
-            print("CA is already installed.\nRun the installer with "
-                  "--external-cert-file.")
-            sys.exit(1)
-        if ipautil.file_exists(paths.ROOT_IPA_CSR):
-            print("CA CSR file %s already exists.\nIn order to continue "
-                  "remove the file and run the installer again." %
-                  paths.ROOT_IPA_CSR)
-            sys.exit(1)
-    elif options.external_cert_files:
-        if not cainstance.is_step_one_done():
-            # This can happen if someone passes external_ca_file without
-            # already having done the first stage of the CA install.
-            print("CA is not installed yet. To install with an external CA "
-                  "is a two-stage process.\nFirst run the installer with "
-                  "--external-ca.")
-            sys.exit(1)
-
     # This will override any settings passed in on the cmdline
     if ipautil.file_exists(paths.ROOT_IPA_CACHE):
         if options.dm_password is not None:
@@ -392,10 +374,6 @@ def install_check(options):
         except Exception, e:
             sys.exit("Cannot process the cache file: %s" % str(e))
 
-    if options.external_cert_files:
-        external_cert_file, external_ca_file = load_external_cert(
-            options.external_cert_files, options.subject)
-
     # We only set up the CA if the PKCS#12 options are not given.
     if options.dirsrv_cert_files:
         setup_ca = False
@@ -441,12 +419,7 @@ def install_check(options):
     if not options.external_cert_files:
         # Make sure the 389-ds ports are available
         check_dirsrv(options.unattended)
-
-        if setup_ca:
-            if not cainstance.check_port():
-                print("IPA requires port 8443 for PKI but it is currently in "
-                      "use.")
-                sys.exit("Aborting installation")
+        newca.check(options, subject_base=options.subject)
 
     if options.conf_ntp:
         try:
@@ -696,15 +669,6 @@ def install(options):
         debug=options.debug
     )
 
-    # Figure out what external CA step we're in. See cainstance.py for more
-    # info on the 3 states.
-    if options.external_cert_files:
-        external = 2
-    elif options.external_ca:
-        external = 1
-    else:
-        external = 0
-
     # Create the management framework config file and finalize api
     target_fname = paths.IPA_DEFAULT_CONF
     fd = open(target_fname, "w")
@@ -754,7 +718,7 @@ def install(options):
     dsinstance.create_ds_user()
 
     # Create a directory server instance
-    if external != 2:
+    if newca.external != 2:
         # Configure ntpd
         if options.conf_ntp:
             ipaclient.ntpconf.force_ntpd(sstore)
@@ -786,42 +750,8 @@ def install(options):
             options.subject, 1101, 1100, None)
 
     if setup_ca:
-        ca = cainstance.CAInstance(realm_name, certs.NSS_DIR,
-                                   dogtag_constants=dogtag.install_constants)
-        if external == 0:
-            ca.configure_instance(
-                host_name, domain_name, dm_password, dm_password,
-                subject_base=options.subject,
-                ca_signing_algorithm=options.ca_signing_algorithm)
-        elif external == 1:
-            # stage 1 of external CA installation
-            options.realm_name = realm_name
-            options.domain_name = domain_name
-            options.master_password = master_password
-            options.dm_password = dm_password
-            options.admin_password = admin_password
-            options.host_name = host_name
-            options.unattended = True
-            options.forwarders = dns.dns_forwarders
-            options.reverse_zones = dns.reverse_zones
-            write_cache(vars(options))
-            ca.configure_instance(
-                host_name, domain_name, dm_password, dm_password,
-                csr_file=paths.ROOT_IPA_CSR,
-                subject_base=options.subject,
-                ca_signing_algorithm=options.ca_signing_algorithm,
-                ca_type=options.external_ca_type)
-        else:
-            # stage 2 of external CA installation
-            ca.configure_instance(
-                host_name, domain_name, dm_password, dm_password,
-                cert_file=external_cert_file.name,
-                cert_chain_file=external_ca_file.name,
-                subject_base=options.subject,
-                ca_signing_algorithm=options.ca_signing_algorithm)
-
-        # Now put the CA cert where other instances exepct it
-        ca.publish_ca_cert(CACERT)
+        newca.install_step_0(host_name, realm_name, domain_name, dm_password,
+                             options.subject, options)
     else:
         # Put the CA cert where other instances expect it
         x509.write_certificate(http_ca_cert, CACERT)
@@ -831,13 +761,8 @@ def install(options):
     ds.enable_ssl()
 
     if setup_ca:
-        # We need to ldap_enable the CA now that DS is up and running
-        ca.ldap_enable('CA', host_name, dm_password,
-                       ipautil.realm_to_suffix(realm_name),
-                       ['caRenewalMaster'])
-
-        # This is done within stopped_service context, which restarts CA
-        ca.enable_client_auth_to_db(ca.dogtag_constants.CS_CFG_PATH)
+        newca.install_step_1(host_name, realm_name, domain_name, dm_password,
+                             options)
 
     krb = krbinstance.KrbInstance(fstore)
     if options.pkinit_cert_files:
@@ -900,8 +825,7 @@ def install(options):
     krb.restart()
 
     if setup_ca:
-        service.print_msg("Restarting the certificate server")
-        ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
+        newca.install_on_server_2()
 
     if options.setup_dns:
         api.Backend.ldap2.connect(autobind=True)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index dc8efd48d1ad673070b920d8b5bd9c98221a529e..e7a25aad02b9c7605f584bb8455d70dd3008411b 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -27,6 +27,7 @@ from ipaserver.install.replication import (
     ReplicationManager, replica_conn_check)
 from ipaserver.install.server.install import (
     init_private_ccache, destroy_private_ccache)
+from ipaserver.install import ca as newca
 
 DIRMAN_DN = DN(('cn', 'directory manager'))
 
@@ -327,9 +328,7 @@ def install_check(filename, options):
     check_dirsrv()
 
     if options.setup_ca:
-        if not cainstance.check_port():
-            print "IPA requires port 8443 for PKI but it is currently in use."
-            sys.exit("Aborting installation")
+        newca.check(options, replicafile=filename)
 
     if options.conf_ntp:
         try:
@@ -538,11 +537,6 @@ def install(filename, options):
             if replman and replman.conn:
                 replman.conn.unbind()
 
-        if options.skip_schema_check:
-            root_logger.info("Skipping CA DS schema check")
-        else:
-            cainstance.replica_ca_install_check(config)
-
         # Configure ntpd
         if options.conf_ntp:
             ipaclient.ntpconf.force_ntpd(sstore)
@@ -551,23 +545,11 @@ def install(filename, options):
 
         # Configure dirsrv
         ds = install_replica_ds(config)
-
-        # Configure the CA if necessary
-        CA = cainstance.install_replica_ca(config)
-
-        # Always try to install DNS records
-        install_dns_records(config, options, remote_api)
     finally:
         if conn.isconnected():
             conn.disconnect()
 
-    # We need to ldap_enable the CA now that DS is up and running
-    if CA and config.setup_ca:
-        CA.ldap_enable('CA', config.host_name, config.dirman_password,
-                       ipautil.realm_to_suffix(config.realm_name))
-
-        # This is done within stopped_service context, which restarts CA
-        CA.enable_client_auth_to_db(CA.dogtag_constants.CS_CFG_PATH)
+    newca.install_on_replica_step_0(config, options)
 
     krb = install_krb(config, setup_pkinit=options.setup_pkinit)
     http = install_http(config, auto_redirect=options.ui_redirect)
@@ -576,10 +558,7 @@ def install(filename, options):
     otpd.create_instance('OTPD', config.host_name, config.dirman_password,
                          ipautil.realm_to_suffix(config.realm_name))
 
-    if CA:
-        CA.configure_certmonger_renewal()
-        CA.import_ra_cert(config.dir + "/ra.p12")
-        CA.fix_ra_perms()
+    newca.install_on_replica_step_2(config, options)
 
     # The DS instance is created before the keytab, add the SSL cert we
     # generated
@@ -598,9 +577,8 @@ def install(filename, options):
     service.print_msg("Restarting the KDC")
     krb.restart()
 
-    if CA and config.setup_ca:
-        service.print_msg("Restarting the certificate server")
-        CA.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
+    if config.setup_ca:
+        newca.install_on_server_2()
 
     if options.setup_dns:
         api.Backend.ldap2.connect(autobind=True)
-- 
2.3.5

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to