From a7ae2dbc5ffa22d309d08ddb67b3e1ab24bc4cdc Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Dec 15 2017 07:45:38 +0000
Subject: Enable ephemeral KRA requests

Enabling ephemeral KRA requests will reduce the amount of LDAP write operations and improve overall performance.

Re-order some imports and shorten some lines to make pep8 happy.

Fixes: https://pagure.io/freeipa/issue/6703
Signed-off-by: Rob Crittenden
Reviewed-By: Fraser Tweedale
---
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index ca61c52..3176742 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -396,14 +396,18 @@ class CAInstance(DogtagInstance):
 self.__spawn_instance)
 self.step("exporting Dogtag certificate store pin",
 self.create_certstore_passwdfile)
- self.step("stopping certificate server instance to update CS.cfg", self.stop_instance)
- self.step("backing up CS.cfg", self.backup_config)
+ self.step("stopping certificate server instance to update CS.cfg",
+ self.stop_instance)
+ self.step("backing up CS.cfg", self.safe_backup_config)
 self.step("disabling nonces", self.__disable_nonce)
 self.step("set up CRL publishing", self.__enable_crl_publish)
- self.step("enable PKIX certificate path discovery and validation", self.enable_pkix)
+ self.step("enable PKIX certificate path discovery and validation",
+ self.enable_pkix)
 if promote:
- self.step("destroying installation admin user", self.teardown_admin)
- self.step("starting certificate server instance", self.start_instance)
+ self.step("destroying installation admin user",
+ self.teardown_admin)
+ self.step("starting certificate server instance",
+ self.start_instance)
 # Step 1 of external is getting a CSR so we don't need to do these
 # steps until we get a cert back from the external CA.
 if self.external != 1:
@@ -641,9 +645,16 @@ class CAInstance(DogtagInstance):
 logger.debug("completed creating ca instance")
- def backup_config(self):
+ def safe_backup_config(self):
+ """
+ Safely handle exceptions if backup_config fails
+
+ The parent class raises an exception if the configuration
+ cannot be backed up. Catch that and log the message but
+ don't stop the current installer.
+ """
 try:
- backup_config()
+ super(CAInstance, self).backup_config()
 except Exception as e:
 logger.warning("Failed to backup CS.cfg: %s", e)
@@ -1177,7 +1188,7 @@ class CAInstance(DogtagInstance):
 'Server-Cert cert-pki-ca': 'ca.sslserver.cert'}
 try:
- backup_config()
+ self.backup_config()
 except Exception as e:
 syslog.syslog(syslog.LOG_ERR, "Failed to backup CS.cfg: %s" % e)
@@ -1353,16 +1364,6 @@ def replica_ca_install_check(config, promote):
 exit('IPA schema missing on master CA directory server')
-def backup_config():
- """
- Create a backup copy of CS.cfg
- """
- path = paths.CA_CS_CFG_PATH
- if services.knownservices['pki_tomcatd'].is_running('pki-tomcat'):
- raise RuntimeError(
- "Dogtag must be stopped when creating backup of %s" % path)
- shutil.copy(path, path + '.ipabkp')
-
 def __update_entry_from_cert(make_filter, make_entry, cert):
 """
 Given a certificate and functions to make a filter based on the
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index eeeae8f..add7cbd 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -463,3 +463,13 @@ class DogtagInstance(service.Service):
 config.set(self.subsystem, "pki_ds_secure_connection", "True")
 config.set(self.subsystem, "pki_ds_secure_connection_ca_pem_file",
 ds_cacert)
+
+ def backup_config(self):
+ """
+ Create a backup copy of CS.cfg
+ """
+ path = self.config
+ if services.knownservices['pki_tomcatd'].is_running('pki-tomcat'):
+ raise RuntimeError(
+ "Dogtag must be stopped when creating backup of %s" % path)
+ shutil.copy(path, path + '.ipabkp')
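Review bot: Deleting the module-level `backup_config` turns any remaining bare `backup_config()` call into a NameError at call time rather than at import; the two in-class callers are migrated in the hunks above, but callers in other modules are not visible from this diff. A grep for the unqualified name before merging would settle it. The removed helper and its replacement on DogtagInstance differ only in taking the path from `self.config` instead of `paths.CA_CS_CFG_PATH`, which is what lets the KRA reuse it.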
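Review bot: `shutil.copy(path, path + '.ipabkp')` overwrites any earlier backup in place and, because `shutil.copy` opens the destination for writing, it writes through a pre-existing symlink at that path instead of replacing it; for a subsystem configuration file that deserves a guard, e.g. unlink a stale `.ipabkp` first or refuse when `os.path.islink(path + '.ipabkp')`. The docstring should state the overwrite as well: `Any existing CS.cfg.ipabkp is replaced.` The method also relies on `services` and `shutil` being imported in dogtaginstance.py and on `self.config` holding the CS.cfg path, neither of which this hunk adds or shows — presumably both already hold, but worth confirming.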
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index ba5b889..9fd78ed 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -121,6 +121,7 @@ class KRAInstance(DogtagInstance):
 if promote:
 self.step("destroying installation admin user",
 self.teardown_admin)
+ self.step("enabling ephemeral requests", self.enable_ephemeral)
 self.step("restarting KRA", self.restart_instance)
 self.step("configure certmonger for renewals",
 self.configure_certmonger_renewal)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 5c03392..07cc18a 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -11,19 +11,8 @@ import shutil
 import pwd
 import fileinput
 import sys
-
 from augeas import Augeas
 import dns.exception
-
-import six
-# pylint: disable=import-error
-if six.PY3:
- # The SafeConfigParser class has been renamed to ConfigParser in Py3
- from configparser import ConfigParser as SafeConfigParser
-else:
- from ConfigParser import SafeConfigParser
-# pylint: enable=import-error
-
 from ipalib import api
 from ipalib.install import certmonger, sysrestore
 import SSSDConfig
@@ -44,6 +33,7 @@ from ipaserver.install import ntpinstance
 from ipaserver.install import bindinstance
 from ipaserver.install import service
 from ipaserver.install import cainstance
+from ipaserver.install import krainstance
 from ipaserver.install import certs
 from ipaserver.install import otpdinstance
 from ipaserver.install import schemaupdate
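Review bot: The indentation of the added `self.step("enabling ephemeral requests", self.enable_ephemeral)` is not recoverable from this rendering, so it is unclear whether it sits inside the preceding `if promote:` block or at the level of the following "restarting KRA" step; it needs to be the latter, otherwise only promoted replicas get ephemeral requests and a first install is left to the upgrade path. `enable_ephemeral` is not defined anywhere in this patch, so presumably it already exists on KRAInstance — worth confirming before merging. Placing the step before `restart_instance` is the right order for a CS.cfg change to take effect. The `__init__`/step list this belongs to continues outside the hunk.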
@@ -56,6 +46,15 @@ from ipaserver.install import adtrustinstance
 from ipaserver.install.upgradeinstance import IPAUpgrade
 from ipaserver.install.ldapupdate import BadSyntax
+import six
+# pylint: disable=import-error
+if six.PY3:
+ # The SafeConfigParser class has been renamed to ConfigParser in Py3
+ from configparser import ConfigParser as SafeConfigParser
+else:
+ from ConfigParser import SafeConfigParser
+# pylint: enable=import-error
+
 if six.PY3:
 unicode = str
@@ -1668,6 +1667,8 @@ def upgrade_configuration():
 api.env.realm, host_name=api.env.host)
 ca_running = ca.is_running()
+ kra = krainstance.KRAInstance(api.env.realm)
+
 # create passswd.txt file in PKI_TOMCAT_ALIAS_DIR if it does not exist
 # this file will be required on most actions over this NSS DB in FIPS
 if ca.is_configured() and not os.path.exists(os.path.join(
@@ -1709,11 +1710,27 @@ def upgrade_configuration():
 )
 upgrade_pki(ca, fstore)
+ if kra.is_configured():
+ logger.info('[Ensuring ephemeralRequest is enabled in KRA]')
+ kra.backup_config()
+ value = installutils.get_directive(
+ paths.KRA_CS_CFG_PATH,
+ 'kra.ephemeralRequests',
+ separator='=')
+ if value is None or value.lower() != 'true':
+ logger.info('Enabling ephemeralRequest')
+ kra.enable_ephemeral()
+ else:
+ logger.info('ephemeralRequest is already enabled')
+
 # several upgrade steps require running CA. If CA is configured,
 # always run ca.start() because we need to wait until CA is really ready
 # by checking status using http
 if ca.is_configured():
 ca.start('pki-tomcat')
+ if kra.is_configured() and not kra.is_running():
+ # This is for future-proofing in case the KRA is ever standalone.
+ kra.start('pki-tomcat')
 certmonger_service = services.knownservices.certmonger
 if ca.is_configured() and not certmonger_service.is_running():
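Review bot: `kra.backup_config()` in the last hunk is called unguarded, and the new DogtagInstance.backup_config raises RuntimeError whenever pki-tomcat is running, so if the KRA is still up at this point the whole upgrade aborts with a traceback instead of skipping the backup; the CA path introduced by this same commit (`safe_backup_config`) wraps the identical call in try/except and only logs a warning. Unless a step earlier in upgrade_configuration guarantees pki-tomcat is stopped here — `ca_running` is recorded above, but the stop itself is not visible in these hunks — wrap it in the same `try`/`except Exception as e` with `logger.warning("Failed to backup CS.cfg: %s", e)`, or add a comment stating the precondition, e.g. `# pki-tomcat must be stopped here; backup_config raises otherwise`. The `is_configured()` check before `kra.start('pki-tomcat')` is consistent with the CA branch above it. upgrade_configuration continues outside the hunk.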