From 89bb5ed1ebc0b5952a1d5eae34e0f39c5ba540d7 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Nov 11 2016 11:13:56 +0000
Subject: replica install: merge KRA agent cert export into KRA install

Merge all KRA agent cert export code paths into a single code path in KRA install.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Stanislav Laznicka
---
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 9bad441..97eb392 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -66,10 +66,7 @@ from ipaserver.install import installutils
 from ipaserver.install import ldapupdate
 from ipaserver.install import replication
 from ipaserver.install import sysupgrade
-# pylint: disable=unused-import
-from ipaserver.install.dogtaginstance import (export_kra_agent_pem,
-                                              DogtagInstance)
-# pylint: enable=unused-import
+from ipaserver.install.dogtaginstance import DogtagInstance
 from ipaserver.plugins import ldap2
 
 # We need to reset the template because the CA uses the regular boot
diff --git a/ipaserver/install/ipa_kra_install.py b/ipaserver/install/ipa_kra_install.py
index fd22288..a545f2b 100644
--- a/ipaserver/install/ipa_kra_install.py
+++ b/ipaserver/install/ipa_kra_install.py
@@ -203,6 +203,8 @@ class KRAInstaller(KRAInstall):
                                     self.options)
 
             config.kra_host_name = config.master_host_name
+            config.setup_kra = True
+
             if config.subject_base is None:
                 attrs = api.Backend.ldap2.get_ipa_config()
                 config.subject_base = attrs.get('ipacertificatesubjectbase')[0]
diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
index ad67061..17da924 100644
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -19,6 +19,9 @@ from ipaserver.install import service
 
 
 def install_check(api, replica_config, options):
+    if replica_config is not None and not replica_config.setup_kra:
+        return
+
     kra = krainstance.KRAInstance(api.env.realm)
     if kra.is_installed():
         raise RuntimeError("KRA is already installed.")
@@ -68,6 +71,7 @@ def install(api, replica_config, options):
 
         pkcs12_info = None
         master_host = None
+        ra_only = False
         promote = False
     else:
         krafile = os.path.join(replica_config.dir, 'kracert.p12')
@@ -94,6 +98,7 @@ def install(api, replica_config, options):
 
         pkcs12_info = (krafile,)
         master_host = replica_config.kra_host_name
+        ra_only = not replica_config.setup_kra
         promote = options.promote
 
     kra = krainstance.KRAInstance(realm_name)
@@ -101,16 +106,18 @@ def install(api, replica_config, options):
         subject_base=subject_base,
         pkcs12_info=pkcs12_info,
         master_host=master_host,
+        ra_only=ra_only,
         promote=promote)
 
     service.print_msg("Restarting the directory server")
     ds = dsinstance.DsInstance()
     ds.restart()
 
-    kra.enable_client_auth_to_db(paths.KRA_CS_CFG_PATH)
+    if not ra_only:
+        kra.enable_client_auth_to_db(paths.KRA_CS_CFG_PATH)
 
-    # Restart apache for new proxy config file
-    services.knownservices.httpd.restart(capture_output=True)
+        # Restart apache for new proxy config file
+        services.knownservices.httpd.restart(capture_output=True)
 
 
 def uninstall(standalone):
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index edce4aa..2e804b7 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -79,7 +79,7 @@ class KRAInstance(DogtagInstance):
 
     def configure_instance(self, realm_name, host_name, dm_password,
                            admin_password, pkcs12_info=None, master_host=None,
-                           subject_base=None, promote=False):
+                           subject_base=None, ra_only=False, promote=False):
         """Create a KRA instance.
 
         To create a clone, pass in pkcs12_info.
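Review bot: The new `ra_only` parameter is inserted before `promote` in the configure_instance signature, so any caller that passes `promote` positionally now has that value bound to `ra_only` without any error; the visible caller in kra.py uses keywords, but appending the parameter after `promote` would avoid the silent shift for callers outside this diff. The docstring that follows the signature (cut off by the hunk) still only explains pkcs12_info; a line such as `ra_only: when True, only the KRA agent cert export step runs; no KRA instance is checked, spawned or enabled.` would document the new mode. The rest of configure_instance lies outside this hunk.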
@@ -99,35 +99,38 @@ class KRAInstance(DogtagInstance):
         self.realm = realm_name
         self.suffix = ipautil.realm_to_suffix(realm_name)
 
-        # Confirm that a KRA does not already exist
-        if self.is_installed():
-            raise RuntimeError(
-                "KRA already installed.")
-        # Confirm that a Dogtag 10 CA instance already exists
-        ca = cainstance.CAInstance(self.realm, certs.NSS_DIR)
-        if not ca.is_installed():
-            raise RuntimeError(
-                "KRA configuration failed. "
-                "A Dogtag CA must be installed first")
-
-        if promote:
-            self.step("creating installation admin user", self.setup_admin)
-        self.step("configuring KRA instance", self.__spawn_instance)
-        if not self.clone:
-            self.step("create KRA agent",
-                      self.__create_kra_agent)
-        if promote:
-            self.step("destroying installation admin user", self.teardown_admin)
-        self.step("restarting KRA", self.restart_instance)
-        self.step("configure certmonger for renewals",
-                  self.configure_certmonger_renewal)
-        self.step("configure certificate renewals", self.configure_renewal)
-        self.step("configure HTTP to proxy connections",
-                  self.http_proxy)
-        self.step("add vault container", self.__add_vault_container)
-        self.step("apply LDAP updates", self.__apply_updates)
-
-        self.step("enabling KRA instance", self.__enable_instance)
+        if not ra_only:
+            # Confirm that a KRA does not already exist
+            if self.is_installed():
+                raise RuntimeError(
+                    "KRA already installed.")
+            # Confirm that a Dogtag 10 CA instance already exists
+            ca = cainstance.CAInstance(self.realm, certs.NSS_DIR)
+            if not ca.is_installed():
+                raise RuntimeError(
+                    "KRA configuration failed. "
+                    "A Dogtag CA must be installed first")
+
+            if promote:
+                self.step("creating installation admin user", self.setup_admin)
+            self.step("configuring KRA instance", self.__spawn_instance)
+            if not self.clone:
+                self.step("create KRA agent",
+                          self.__create_kra_agent)
+        self.step("exporting KRA agent cert", export_kra_agent_pem)
+        if not ra_only:
+            if promote:
+                self.step("destroying installation admin user", self.teardown_admin)
+            self.step("restarting KRA", self.restart_instance)
+            self.step("configure certmonger for renewals",
+                      self.configure_certmonger_renewal)
+            self.step("configure certificate renewals", self.configure_renewal)
+            self.step("configure HTTP to proxy connections",
+                      self.http_proxy)
+            self.step("add vault container", self.__add_vault_container)
+            self.step("apply LDAP updates", self.__apply_updates)
+
+            self.step("enabling KRA instance", self.__enable_instance)
 
         self.start_creation(runtime=126)
 
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 0957231..633a329 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -36,7 +36,7 @@ from ipalib.util import (
 import ipaclient.ipachangeconf
 import ipaclient.ntpconf
 from ipaserver.install import (
-    bindinstance, ca, cainstance, certs, dns, dsinstance, httpinstance,
+    bindinstance, ca, certs, dns, dsinstance, httpinstance,
     installutils, kra, krbinstance, memcacheinstance, ntpinstance,
     otpdinstance, custodiainstance, service)
 from ipaserver.install.installutils import (
@@ -713,13 +713,15 @@ def install_check(installer):
             root_logger.debug('No IPA DNS servers, '
                               'skipping forward/reverse resolution check')
 
+    kra_enabled = remote_api.Command.kra_is_enabled()['result']
+
     if ca_enabled:
         options.realm_name = config.realm_name
         options.host_name = config.host_name
         options.subject = config.subject_base
         ca.install_check(False, config, options)
 
-    if config.setup_kra:
+    if kra_enabled:
         try:
             kra.install_check(remote_api, config, options)
         except RuntimeError as e:
@@ -763,6 +765,7 @@ def install_check(installer):
                                   ca_cert_file=cafile)
 
     installer._ca_enabled = ca_enabled
+    installer._kra_enabled = kra_enabled
     installer._remote_api = remote_api
     installer._fstore = fstore
     installer._sstore = sstore
@@ -773,6 +776,7 @@ def install_check(installer):
 def install(installer):
     options = installer
     ca_enabled = installer._ca_enabled
+    kra_enabled = installer._kra_enabled
     fstore = installer._fstore
     sstore = installer._sstore
     config = installer._config
@@ -835,9 +839,6 @@ def install(installer):
     otpd.create_instance('OTPD', config.host_name,
                          ipautil.realm_to_suffix(config.realm_name))
 
-    if ca_enabled:
-        cainstance.export_kra_agent_pem()
-
     custodia = custodiainstance.CustodiaInstance(config.host_name,
                                                  config.realm_name)
     custodia.create_instance()
@@ -850,11 +851,8 @@ def install(installer):
     service.print_msg("Applying LDAP updates")
     ds.apply_updates()
 
-    if options.setup_kra:
+    if kra_enabled:
         kra.install(api, config, options)
-    else:
-        service.print_msg("Restarting the directory server")
-        ds.restart()
 
     service.print_msg("Restarting the KDC")
     krb.restart()
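Review bot: With `kra_enabled` now taken from `kra_is_enabled` on the remote API, `options.setup_kra` no longer influences whether kra.install_check runs here, so a user passing --setup-kra on a domain without a KRA gets no diagnostic from install_check, whereas promote_check (the -1276 hunk in this commit) logs "There is no KRA server in the domain" and aborts. Unless a check outside this hunk already rejects that combination, mirroring promote_check's handling keeps the two entry points consistent, e.g. `if options.setup_kra and not kra_enabled:` followed by the same error and `raise ScriptError(rval=3)`. install_check continues beyond both ends of the hunk.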
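Review bot: The removed `cainstance.export_kra_agent_pem()` call was guarded by `ca_enabled`; its replacement, the export step inside KRAInstance.configure_instance, now runs whenever `kra_enabled` is true, which includes a replica installed without a CA (the same guard is dropped in promote at the -1471 hunk). If export_kra_agent_pem depends on the RA agent certificate being present in the HTTP NSS database, confirm that certificate exists on a CA-less replica at this point, or include `ca_enabled` in the condition that leads to kra.install. A short comment at the new call site naming the precondition would make the dependency visible. install continues outside this hunk.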
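Review bot: Dropping the `else` branch removes the only directory-server restart on the path where no KRA is installed: before, every replica restarted DS after `ds.apply_updates()` (directly, or inside kra.install), but now a replica on a domain without a KRA (`kra_enabled` false) never does. If that restart was needed for the applied LDAP updates to take effect, keep it as `else:` with `service.print_msg("Restarting the directory server")` and `ds.restart()`; if it is known to be unnecessary, a comment saying so at this spot would prevent it from being re-added later. install continues outside this hunk.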
@@ -1276,12 +1274,17 @@ def promote_check(installer):
                 "custom certificates.")
             raise ScriptError(rval=3)
 
-    config.kra_host_name = service.find_providing_server(
+    kra_host = service.find_providing_server(
         'KRA', conn, config.kra_host_name)
-    if options.setup_kra and config.kra_host_name is None:
-        root_logger.error("There is no KRA server in the domain, can't "
-                          "setup a KRA clone")
-        raise ScriptError(rval=3)
+    if kra_host is not None:
+        config.kra_host_name = kra_host
+        kra_enabled = True
+    else:
+        if options.setup_kra:
+            root_logger.error("There is no KRA server in the domain, "
+                              "can't setup a KRA clone")
+            raise ScriptError(rval=3)
+        kra_enabled = False
 
     if ca_enabled:
         options.realm_name = config.realm_name
@@ -1289,7 +1292,7 @@ def promote_check(installer):
         options.subject = config.subject_base
         ca.install_check(False, config, options)
 
-    if config.setup_kra:
+    if kra_enabled:
         try:
             kra.install_check(remote_api, config, options)
         except RuntimeError as e:
@@ -1344,6 +1347,7 @@ def promote_check(installer):
         raise RuntimeError("CA cert file is not available.")
 
     installer._ca_enabled = ca_enabled
+    installer._kra_enabled = kra_enabled
     installer._fstore = fstore
     installer._sstore = sstore
     installer._config = config
@@ -1361,6 +1365,7 @@ def promote_check(installer):
 def promote(installer):
     options = installer
     ca_enabled = installer._ca_enabled
+    kra_enabled = installer._kra_enabled
     fstore = installer._fstore
     sstore = installer._sstore
     config = installer._config
@@ -1471,9 +1476,6 @@ def promote(installer):
                                                  config.realm_name)
     custodia.create_replica(config.master_host_name)
 
-    if installer._ca_enabled:
-        cainstance.export_kra_agent_pem()
-
     install_krb(
         config,
         setup_pkinit=not options.no_pkinit,
@@ -1500,7 +1502,7 @@ def promote(installer):
     options.dm_password = config.dirman_password
     ca.install(False, config, options)
 
-    if options.setup_kra:
+    if kra_enabled:
         kra.install(api, config, options)
 
     custodia.import_dm_password(config.master_host_name)
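Review bot: The new `else:` that holds a single `if options.setup_kra:` is an `elif` in disguise; computing `kra_enabled = kra_host is not None` first, then `if kra_enabled: config.kra_host_name = kra_host` and `elif options.setup_kra:` with the existing error and `raise ScriptError(rval=3)`, removes one nesting level and the two separate assignments to kra_enabled. Note also that when no KRA is found, `config.kra_host_name` now keeps whatever value it held before the lookup instead of being set to None as the removed line did; kra.install is not reached in that case, so this looks harmless, but any later reader of `config.kra_host_name` outside this hunk would see a host that does not provide KRA. promote_check continues beyond both ends of the hunk.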