|
 |
b38368 |
From 533f2539cbc8fe5b4bb748982a6cfee7d73416e6 Mon Sep 17 00:00:00 2001
|
|
|
b38368 |
From: Fraser Tweedale <ftweedal@redhat.com>
|
|
|
b38368 |
Date: Wed, 9 Aug 2017 12:55:57 +1000
|
|
|
b38368 |
Subject: [PATCH] Restore old version of caIPAserviceCert for upgrade only
|
|
|
b38368 |
|
|
|
b38368 |
The latest version of caIPAserviceCert profile includes a feature
|
|
|
b38368 |
that is not available before Dogtag 10.4, and this version of the
|
|
|
b38368 |
profile is intended for new installs only (otherwise, problems will
|
|
|
b38368 |
arise in topologies containing CA replicas at an earlier version).
|
|
|
b38368 |
But IPA versions before v4.2 did not use LDAP-based profiles, so the
|
|
|
b38368 |
new version of the profile gets imported when upgrading from
|
|
|
b38368 |
pre-v4.2 to v4.5 or later.
|
|
|
b38368 |
|
|
|
b38368 |
We do not yet have a proper version- and topology-aware profile
|
|
|
b38368 |
update mechanism, so to resolve this issue, ship the older version
|
|
|
b38368 |
of the profile alongside the newer version, and make sure we use the
|
|
|
b38368 |
older version when importing the profile in an upgrade context.
|
|
|
b38368 |
|
|
|
b38368 |
https://pagure.io/freeipa/issue/7097
|
|
|
b38368 |
|
|
|
b38368 |
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
|
b38368 |
---
|
|
|
b38368 |
install/share/profiles/Makefile.am | 1 +
|
|
|
b38368 |
.../share/profiles/caIPAserviceCert.UPGRADE.cfg | 109 +++++++++++++++++++++
|
|
|
b38368 |
ipaserver/install/cainstance.py | 18 +++-
|
|
|
b38368 |
3 files changed, 126 insertions(+), 2 deletions(-)
|
|
|
b38368 |
create mode 100644 install/share/profiles/caIPAserviceCert.UPGRADE.cfg
|
|
|
b38368 |
|
|
|
b38368 |
diff --git a/install/share/profiles/Makefile.am b/install/share/profiles/Makefile.am
|
|
|
b38368 |
index 640ca0a4a54c574da57b62b2b3c23f6db78df2fb..7f188e3fcac2ad80558399015d49216caa32c14b 100644
|
|
|
b38368 |
--- a/install/share/profiles/Makefile.am
|
|
|
b38368 |
+++ b/install/share/profiles/Makefile.am
|
|
|
b38368 |
@@ -3,6 +3,7 @@ NULL =
|
|
|
b38368 |
appdir = $(IPA_DATA_DIR)/profiles
|
|
|
b38368 |
app_DATA = \
|
|
|
b38368 |
caIPAserviceCert.cfg \
|
|
|
b38368 |
+ caIPAserviceCert.UPGRADE.cfg \
|
|
|
b38368 |
IECUserRoles.cfg \
|
|
|
b38368 |
KDCs_PKINIT_Certs.cfg \
|
|
|
b38368 |
$(NULL)
|
|
|
b38368 |
diff --git a/install/share/profiles/caIPAserviceCert.UPGRADE.cfg b/install/share/profiles/caIPAserviceCert.UPGRADE.cfg
|
|
|
b38368 |
new file mode 100644
|
|
|
b38368 |
index 0000000000000000000000000000000000000000..1efd2066b9f75b4e26c390932353f20141d800b9
|
|
|
b38368 |
--- /dev/null
|
|
|
b38368 |
+++ b/install/share/profiles/caIPAserviceCert.UPGRADE.cfg
|
|
|
b38368 |
@@ -0,0 +1,109 @@
|
|
|
b38368 |
+profileId=caIPAserviceCert
|
|
|
b38368 |
+classId=caEnrollImpl
|
|
|
b38368 |
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
|
|
|
b38368 |
+visible=false
|
|
|
b38368 |
+enable=true
|
|
|
b38368 |
+enableBy=admin
|
|
|
b38368 |
+auth.instance_id=raCertAuth
|
|
|
b38368 |
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
|
|
|
b38368 |
+input.list=i1,i2
|
|
|
b38368 |
+input.i1.class_id=certReqInputImpl
|
|
|
b38368 |
+input.i2.class_id=submitterInfoInputImpl
|
|
|
b38368 |
+output.list=o1
|
|
|
b38368 |
+output.o1.class_id=certOutputImpl
|
|
|
b38368 |
+policyset.list=serverCertSet
|
|
|
b38368 |
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
|
|
|
b38368 |
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
|
|
|
b38368 |
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
|
|
|
b38368 |
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
|
|
|
b38368 |
+policyset.serverCertSet.1.constraint.params.accept=true
|
|
|
b38368 |
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
|
|
|
b38368 |
+policyset.serverCertSet.1.default.name=Subject Name Default
|
|
|
b38368 |
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
|
|
|
b38368 |
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
|
|
|
b38368 |
+policyset.serverCertSet.2.constraint.name=Validity Constraint
|
|
|
b38368 |
+policyset.serverCertSet.2.constraint.params.range=740
|
|
|
b38368 |
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
|
|
|
b38368 |
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
|
|
|
b38368 |
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
|
|
|
b38368 |
+policyset.serverCertSet.2.default.name=Validity Default
|
|
|
b38368 |
+policyset.serverCertSet.2.default.params.range=731
|
|
|
b38368 |
+policyset.serverCertSet.2.default.params.startTime=0
|
|
|
b38368 |
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
|
|
|
b38368 |
+policyset.serverCertSet.3.constraint.name=Key Constraint
|
|
|
b38368 |
+policyset.serverCertSet.3.constraint.params.keyType=RSA
|
|
|
b38368 |
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,8192
|
|
|
b38368 |
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
|
|
|
b38368 |
+policyset.serverCertSet.3.default.name=Key Default
|
|
|
b38368 |
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
|
|
|
b38368 |
+policyset.serverCertSet.4.constraint.name=No Constraint
|
|
|
b38368 |
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
|
|
|
b38368 |
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
|
|
|
b38368 |
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
|
|
|
b38368 |
+policyset.serverCertSet.5.constraint.name=No Constraint
|
|
|
b38368 |
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
|
|
|
b38368 |
+policyset.serverCertSet.5.default.name=AIA Extension Default
|
|
|
b38368 |
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
|
|
|
b38368 |
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
|
|
|
b38368 |
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp
|
|
|
b38368 |
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
|
|
|
b38368 |
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
|
|
|
b38368 |
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
|
|
|
b38368 |
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
|
|
|
b38368 |
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
|
|
|
b38368 |
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
|
|
|
b38368 |
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
|
|
|
b38368 |
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
|
|
|
b38368 |
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
|
|
|
b38368 |
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
|
|
|
b38368 |
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
|
|
|
b38368 |
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
|
|
|
b38368 |
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
|
|
|
b38368 |
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
|
|
|
b38368 |
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
|
|
|
b38368 |
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
|
|
|
b38368 |
+policyset.serverCertSet.6.default.name=Key Usage Default
|
|
|
b38368 |
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
|
|
|
b38368 |
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
|
|
|
b38368 |
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
|
|
|
b38368 |
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
|
|
|
b38368 |
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
|
|
|
b38368 |
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
|
|
|
b38368 |
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
|
|
|
b38368 |
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
|
|
|
b38368 |
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
|
|
|
b38368 |
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
|
|
|
b38368 |
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
|
|
|
b38368 |
+policyset.serverCertSet.7.constraint.name=No Constraint
|
|
|
b38368 |
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
|
|
|
b38368 |
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
|
|
|
b38368 |
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
|
|
|
b38368 |
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
|
|
|
b38368 |
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
|
|
|
b38368 |
+policyset.serverCertSet.8.constraint.name=No Constraint
|
|
|
b38368 |
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
|
|
|
b38368 |
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
|
|
|
b38368 |
+policyset.serverCertSet.8.default.name=Signing Alg
|
|
|
b38368 |
+policyset.serverCertSet.8.default.params.signingAlg=-
|
|
|
b38368 |
+policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
|
|
|
b38368 |
+policyset.serverCertSet.9.constraint.name=No Constraint
|
|
|
b38368 |
+policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
|
|
|
b38368 |
+policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
|
|
|
b38368 |
+policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
|
|
|
b38368 |
+policyset.serverCertSet.9.default.params.crlDistPointsNum=1
|
|
|
b38368 |
+policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
|
|
|
b38368 |
+policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER
|
|
|
b38368 |
+policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
|
|
|
b38368 |
+policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin
|
|
|
b38368 |
+policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
|
|
|
b38368 |
+policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
|
|
|
b38368 |
+policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
|
|
|
b38368 |
+policyset.serverCertSet.10.constraint.name=No Constraint
|
|
|
b38368 |
+policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
|
|
|
b38368 |
+policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
|
|
|
b38368 |
+policyset.serverCertSet.10.default.params.critical=false
|
|
|
b38368 |
+policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
|
|
|
b38368 |
+policyset.serverCertSet.11.constraint.name=No Constraint
|
|
|
b38368 |
+policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
|
|
|
b38368 |
+policyset.serverCertSet.11.default.name=User Supplied Extension Default
|
|
|
b38368 |
+policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
|
|
|
b38368 |
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
|
|
|
b38368 |
index b0e9e8757ec3e3c0d03ed930743ef5a1253b864a..62f79b28000b015edb66f4c39a270097ab3ed666 100644
|
|
|
b38368 |
--- a/ipaserver/install/cainstance.py
|
|
|
b38368 |
+++ b/ipaserver/install/cainstance.py
|
|
|
b38368 |
@@ -1568,8 +1568,22 @@ def __get_profile_config(profile_id):
|
|
|
b38368 |
CRL_ISSUER='CN=Certificate Authority,o=ipaca',
|
|
|
b38368 |
SUBJECT_DN_O=dsinstance.DsInstance().find_subject_base(),
|
|
|
b38368 |
)
|
|
|
b38368 |
- return ipautil.template_file(
|
|
|
b38368 |
- '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict)
|
|
|
b38368 |
+
|
|
|
b38368 |
+ # To work around lack of proper profile upgrade system, we ship
|
|
|
b38368 |
+ # two versions of some profiles - one for new installs only, and
|
|
|
b38368 |
+ # the other for upgrading to LDAP-based profiles in an existing
|
|
|
b38368 |
+ # deployment.
|
|
|
b38368 |
+ #
|
|
|
b38368 |
+ # Select UPGRADE version if we are in the 'updates' API context
|
|
|
b38368 |
+ # and an upgrade-specific version of the profile exists.
|
|
|
b38368 |
+ #
|
|
|
b38368 |
+ profile_filename = '/usr/share/ipa/profiles/{}.cfg'.format(profile_id)
|
|
|
b38368 |
+ profile_upg_filename = \
|
|
|
b38368 |
+ '/usr/share/ipa/profiles/{}.UPGRADE.cfg'.format(profile_id)
|
|
|
b38368 |
+ if api.env.context == 'updates' and os.path.isfile(profile_upg_filename):
|
|
|
b38368 |
+ profile_filename = profile_upg_filename
|
|
|
b38368 |
+
|
|
|
b38368 |
+ return ipautil.template_file(profile_filename, sub_dict)
|
|
|
b38368 |
|
|
|
b38368 |
def import_included_profiles():
|
|
|
b38368 |
server_id = installutils.realm_to_serverid(api.env.realm)
|
|
|
b38368 |
--
|
|
|
b38368 |
2.9.4
|
|
|
b38368 |
|