Re: [Freeipa-devel] [PATCH] 352 Fixed KRA backend.

2014-10-30 Thread Petr Viktorin

On 10/29/2014 08:10 PM, Endi Sukma Dewata wrote:

New patch attached.

On 10/29/2014 7:58 AM, Petr Viktorin wrote:

Dependency is bumped to 10.2.1-0.1 which is available from my
COPR repo:

   dnf copr enable edewata/pki


OK. We should get that to an IPA COPR before merging this.


How do we do that? Here is the SRPM:
https://edewata.fedorapeople.org/pki/copr/pki-core-10.2.1-0.1.fc20.src.rpm


Martin and I will handle this today.


How can I do some basic smoke check on this? Is there something I still
need to do besides ipa-kra-install? Any other patches?

[...]


The simplest test is probably this:

from ipalib import api

api.bootstrap(context='server')
api.finalize()

kra_client = api.Backend.kra.get_client()
transport_cert = kra_client.system_certs.get_transport_cert()

print "Serial number: %s" % transport_cert.serial_number
print "Issuer DN: %s" % transport_cert.issuer_dn
print "Subject DN: %s" % transport_cert.subject_dn

print transport_cert.encoded


Thanks! Works here; the rest is for other patches.

ACK, to be pushed when the COPR is ready.


--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 352 Fixed KRA backend.

2014-10-29 Thread Petr Viktorin

On 10/28/2014 10:51 PM, Endi Sukma Dewata wrote:

Thanks for the review. New patch attached.

On 10/23/2014 3:59 AM, Petr Viktorin wrote:

In IPA we usually include the full ticket URL, not just the number.


Fixed.


The build fails with a lint message:
* Module ipaserver.plugins.dogtag
ipaserver/plugins/dogtag.py:1903: [E1123(unexpected-keyword-arg),
kra.get_client] Unexpected keyword argument 'password_file' in
constructor call)
ipaserver/plugins/dogtag.py:1903: [E1120(no-value-for-parameter),
kra.get_client] No value for argument 'certdb_password' in constructor
call)

I have pki-base-10.2.0-3.fc21.noarch, where NSSCryptoProvider indeed
takes password and not password_file. If a newer version is required you
should put it in the spec.


Fixed. Dependency is bumped to 10.2.1-0.1 which is available from my
COPR repo:

   dnf copr enable edewata/pki


OK. We should get that to an IPA COPR before merging this.


ipaserver.install.certs.CertDB.install_pem_from_p12:
If p12_passwd is missing and pwd_fname is None, this will crash.
Please document how the method should be called. And assert that exactly
one of p12_passwd and pwd_fname is given.


I reverted this change because the KRA backend actually no longer uses
install_pem_from_p12(). The KRA backend is now using the CLI from the
new Dogtag which generates the proper PEM format for client
authentication, so I'll leave install_pem_from_p12() unmodified because
it's still used by KrbInstance.


ipaserver.plugins.dogtag.kra.get_client:
Should every caller check if this returns None?
If not, raise an exception instead.
If yes, at least mention it in a docstring.


Fixed. It's now raising a generic exception.

Is there an existing exception that is more appropriate for backend
issues like this?


I'd go for RuntimeError.
Don't use translatable strings (the _ function) if you're not using 
ipalib.PublicError subclasses.





Typo in commit message: modified to use Dogtag's CLI *go* create


Fixed.




How can I do some basic smoke check on this? Is there something I still
need to do besides ipa-kra-install? Any other patches?

I tried:

from ipalib import api
from pki.key import KeyClient
api.bootstrap(context='server')
api.finalize()
keyclient = api.Backend.kra.get_client()
keyclient.keys.archive_key('test3', KeyClient.PASS_PHRASE_TYPE, 'tkey')

which gives me:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/pki/__init__.py", line 295, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/pki/key.py", line 687, in archive_key
    nonce_iv = self.crypto.generate_nonce_iv()
  File "/usr/lib/python2.7/site-packages/pki/crypto.py", line 176, in generate_nonce_iv
    iv_data = nss.generate_random(iv_length)
nss.error.NSPRError: (SEC_ERROR_NO_TOKEN) The security card or token
does not exist, needs to be initialized, or has been removed.



--
Petr³



Re: [Freeipa-devel] [PATCH] 352 Fixed KRA backend.

2014-10-29 Thread Endi Sukma Dewata

New patch attached.

On 10/29/2014 7:58 AM, Petr Viktorin wrote:

Dependency is bumped to 10.2.1-0.1 which is available from my
COPR repo:

   dnf copr enable edewata/pki


OK. We should get that to an IPA COPR before merging this.


How do we do that? Here is the SRPM:
https://edewata.fedorapeople.org/pki/copr/pki-core-10.2.1-0.1.fc20.src.rpm


ipaserver.plugins.dogtag.kra.get_client:
Should every caller check if this returns None?
If not, raise an exception instead.
If yes, at least mention it in a docstring.


Fixed. It's now raising a generic exception.

Is there an existing exception that is more appropriate for backend
issues like this?


I'd go for RuntimeError.


Fixed.


Don't use translatable strings (the _ function) if you're not using
ipalib.PublicError subclasses.


Fixed.


How can I do some basic smoke check on this? Is there something I still
need to do besides ipa-kra-install? Any other patches?
I tried:

from ipalib import api
from pki.key import KeyClient
api.bootstrap(context='server')
api.finalize()
keyclient = api.Backend.kra.get_client()
keyclient.keys.archive_key('test3', KeyClient.PASS_PHRASE_TYPE, 'tkey')

which gives me:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/pki/__init__.py", line 295, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/pki/key.py", line 687, in archive_key
    nonce_iv = self.crypto.generate_nonce_iv()
  File "/usr/lib/python2.7/site-packages/pki/crypto.py", line 176, in generate_nonce_iv
    iv_data = nss.generate_random(iv_length)
nss.error.NSPRError: (SEC_ERROR_NO_TOKEN) The security card or token
does not exist, needs to be initialized, or has been removed.


The simplest test is probably this:

from ipalib import api

api.bootstrap(context='server')
api.finalize()

kra_client = api.Backend.kra.get_client()
transport_cert = kra_client.system_certs.get_transport_cert()

print "Serial number: %s" % transport_cert.serial_number
print "Issuer DN: %s" % transport_cert.issuer_dn
print "Subject DN: %s" % transport_cert.subject_dn

print transport_cert.encoded

If you want to test the key archival it would require installing a 
transport certificate and adding some authentication operations. A better 
way to do that is to install patch #354-1, #353-3, #355-1, and #356-1 
and test the vault-archive command. It will install the transport cert 
automatically and perform the required authentication.


--
Endi S. Dewata
From 7b68ff1c93554975abd75e6d672ee18a7a0bcf04 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Wed, 1 Oct 2014 14:59:46 -0400
Subject: [PATCH] Fixed KRA backend.

The KRA backend has been simplified since most of the tasks have
been moved somewhere else. The transport certificate will be
installed on the client, and it is not needed by the KRA backend. The
KRA agent's PEM certificate is now generated during installation
due to a permission issue. The kra_host() for now is removed since
the current ldap_enable() cannot register the KRA service, so it
is using the kra_host environment variable.

The KRA installer has been modified to use Dogtag's CLI to create
the KRA agent and set up the client authentication.

The proxy settings have been updated to include KRA's URLs.

Some constants have been renamed for clarity. The DOGTAG_AGENT_P12
has been renamed to DOGTAG_ADMIN_P12 since the file actually contains
the Dogtag admin's certificate and private key and it can be used
to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed
to KRA_AGENT_PEM since it can only be used for KRA.

The Dogtag dependency has been updated to 10.2.1-0.1.

https://fedorahosted.org/freeipa/ticket/4503
---
 freeipa.spec.in  |   4 +-
 install/conf/ipa-pki-proxy.conf  |   2 +-
 ipaplatform/base/paths.py|   4 +-
 ipaserver/install/cainstance.py  |   4 +-
 ipaserver/install/ipa_backup.py  |   3 +-
 ipaserver/install/krainstance.py |  83 +++---
 ipaserver/plugins/dogtag.py  | 122 ++-
 7 files changed, 101 insertions(+), 121 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 
8fcb535e229db4f7a8eaaee3c99b18446eef7f1e..dc04be48b2bb52ff05f9fab371c4b333a15d24ca
 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -130,8 +130,8 @@ Requires(post): systemd-units
 Requires: selinux-policy = %{selinux_policy_version}
 Requires(post): selinux-policy-base
 Requires: slapi-nis = 0.54-1
-Requires: pki-ca = 10.2.0-3
-Requires: pki-kra = 10.2.0
+Requires: pki-ca = 10.2.1-0.1
+Requires: pki-kra = 10.2.1-0.1
 %if 0%{?rhel}
 Requires: subscription-manager
 %endif
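Review bot: the bumped requirements (`+Requires: pki-ca = 10.2.1-0.1` and `+Requires: pki-kra = 10.2.1-0.1`) point at a build that, according to this thread, exists only in the edewata/pki COPR so far; confirm the package is published in a repository IPA builds and installs from before this lands, otherwise dependency resolution fails for anyone installing from the IPA repos. The old lines also show pki-kra without a release qualifier (`10.2.0`) while pki-ca had `10.2.0-3`; pinning both to the same release is the right fix and is worth a sentence in the commit message.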
diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
index 
2370b4d7a7467a7e47c0d223915e018c9a009e83..5d21156848f3b5ddf14c42d92a26a30a9f94af36
 100644
--- a/install/conf/ipa-pki-proxy.conf
+++ b/install/conf/ipa-pki-proxy.conf
@@ -19,7 +19,7 @@ ProxyRequests Off
 /LocationMatch
 
 # matches for agent 

Re: [Freeipa-devel] [PATCH] 352 Fixed KRA backend.

2014-10-28 Thread Endi Sukma Dewata

Thanks for the review. New patch attached.

On 10/23/2014 3:59 AM, Petr Viktorin wrote:

In IPA we usually include the full ticket URL, not just the number.


Fixed.


The build fails with a lint message:
* Module ipaserver.plugins.dogtag
ipaserver/plugins/dogtag.py:1903: [E1123(unexpected-keyword-arg),
kra.get_client] Unexpected keyword argument 'password_file' in
constructor call)
ipaserver/plugins/dogtag.py:1903: [E1120(no-value-for-parameter),
kra.get_client] No value for argument 'certdb_password' in constructor
call)

I have pki-base-10.2.0-3.fc21.noarch, where NSSCryptoProvider indeed
takes password and not password_file. If a newer version is required you
should put it in the spec.


Fixed. Dependency is bumped to 10.2.1-0.1 which is available from my 
COPR repo:


  dnf copr enable edewata/pki


ipaserver.install.certs.CertDB.install_pem_from_p12:
If p12_passwd is missing and pwd_fname is None, this will crash.
Please document how the method should be called. And assert that exactly
one of p12_passwd and pwd_fname is given.


I reverted this change because the KRA backend actually no longer uses 
install_pem_from_p12(). The KRA backend is now using the CLI from the 
new Dogtag which generates the proper PEM format for client 
authentication, so I'll leave install_pem_from_p12() unmodified because 
it's still used by KrbInstance.



ipaserver.plugins.dogtag.kra.get_client:
Should every caller check if this returns None?
If not, raise an exception instead.
If yes, at least mention it in a docstring.


Fixed. It's now raising a generic exception.

Is there an existing exception that is more appropriate for backend 
issues like this?



Typo in commit message: modified to use Dogtag's CLI *go* create


Fixed.

--
Endi S. Dewata
From 6f1f289f32dd68c85c09a41422e5b2e0c204ee4c Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Wed, 1 Oct 2014 14:59:46 -0400
Subject: [PATCH] Fixed KRA backend.

The KRA backend has been simplified since most of the tasks have
been moved somewhere else. The transport certificate will be
installed on the client, and it is not needed by the KRA backend. The
KRA agent's PEM certificate is now generated during installation
due to a permission issue. The kra_host() for now is removed since
the current ldap_enable() cannot register the KRA service, so it
is using the kra_host environment variable.

The KRA installer has been modified to use Dogtag's CLI to create
the KRA agent and set up the client authentication.

The proxy settings have been updated to include KRA's URLs.

Some constants have been renamed for clarity. The DOGTAG_AGENT_P12
has been renamed to DOGTAG_ADMIN_P12 since the file actually contains
the Dogtag admin's certificate and private key and it can be used
to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed
to KRA_AGENT_PEM since it can only be used for KRA.

The Dogtag dependency has been updated to 10.2.1-0.1.

https://fedorahosted.org/freeipa/ticket/4503
---
 freeipa.spec.in  |   4 +-
 install/conf/ipa-pki-proxy.conf  |   2 +-
 ipaplatform/base/paths.py|   4 +-
 ipaserver/install/cainstance.py  |   4 +-
 ipaserver/install/ipa_backup.py  |   3 +-
 ipaserver/install/krainstance.py |  83 +++---
 ipaserver/plugins/dogtag.py  | 122 ++-
 7 files changed, 101 insertions(+), 121 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 
8fcb535e229db4f7a8eaaee3c99b18446eef7f1e..dc04be48b2bb52ff05f9fab371c4b333a15d24ca
 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -130,8 +130,8 @@ Requires(post): systemd-units
 Requires: selinux-policy = %{selinux_policy_version}
 Requires(post): selinux-policy-base
 Requires: slapi-nis = 0.54-1
-Requires: pki-ca = 10.2.0-3
-Requires: pki-kra = 10.2.0
+Requires: pki-ca = 10.2.1-0.1
+Requires: pki-kra = 10.2.1-0.1
 %if 0%{?rhel}
 Requires: subscription-manager
 %endif
diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
index 
2370b4d7a7467a7e47c0d223915e018c9a009e83..5d21156848f3b5ddf14c42d92a26a30a9f94af36
 100644
--- a/install/conf/ipa-pki-proxy.conf
+++ b/install/conf/ipa-pki-proxy.conf
@@ -19,7 +19,7 @@ ProxyRequests Off
 /LocationMatch
 
 # matches for agent port and eeca port
-LocationMatch 
^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/kra/agent/kra/connector|^/kra/rest/agent/keyrequests|^/kra/rest/agent/keys|^/ca/rest/admin/kraconnector/remove
+LocationMatch 
^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/kra/agent/kra/connector|^/kra/rest/account|^/kra/rest/agent/keyrequests|^/kra/rest/agent/keys|^/ca/rest/admin/kraconnector/remove
 NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
 NSSVerifyClient require
 ProxyPassMatch 

Re: [Freeipa-devel] [PATCH] 352 Fixed KRA backend.

2014-10-23 Thread Petr Viktorin

On 10/22/2014 04:34 PM, Endi Sukma Dewata wrote:

On 10/15/2014 10:59 PM, Endi Sukma Dewata wrote:

The KRA backend has been simplified since most of the tasks have
been moved somewhere else. The transport certificate will be
installed on the client, and it is not needed by the KRA backend. The
KRA agent's PEM certificate is now generated during installation
due to a permission issue. The kra_host() for now is removed since
the current ldap_enable() cannot register the KRA service, so it
is using the kra_host environment variable.

The KRA installer has been modified to use Dogtag's CLI go create
the KRA agent and set up the client authentication.

The proxy settings have been updated to include KRA's URLs.

The certs.install_pem_from_p12() has been updated to generate the
proper client certificate using the -clcerts option and also take
a password file.

Some constants have been renamed for clarity. The DOGTAG_AGENT_P12
has been renamed to DOGTAG_ADMIN_P12 since the file actually contains
the Dogtag admin's certificate and private key and it can be used
to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed
to KRA_AGENT_PEM since it can only be used for KRA.

Ticket #3872


New patch attached. It's identical to the previous one except I changed
the ticket number to #4503.


In IPA we usually include the full ticket URL, not just the number.

The build fails with a lint message:
* Module ipaserver.plugins.dogtag
ipaserver/plugins/dogtag.py:1903: [E1123(unexpected-keyword-arg), 
kra.get_client] Unexpected keyword argument 'password_file' in 
constructor call)
ipaserver/plugins/dogtag.py:1903: [E1120(no-value-for-parameter), 
kra.get_client] No value for argument 'certdb_password' in constructor call)


I have pki-base-10.2.0-3.fc21.noarch, where NSSCryptoProvider indeed 
takes password and not password_file. If a newer version is required you 
should put it in the spec.



ipaserver.install.certs.CertDB.install_pem_from_p12:
If p12_passwd is missing and pwd_fname is None, this will crash.
Please document how the method should be called. And assert that exactly 
one of p12_passwd and pwd_fname is given.



ipaserver.plugins.dogtag.kra.get_client:
Should every caller check if this returns None?
If not, raise an exception instead.
If yes, at least mention it in a docstring.

Typo in commit message: modified to use Dogtag's CLI *go* create

--
Petr³

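The argument check Petr asks for in the install_pem_from_p12 review above, written out as an added example (not FreeIPA's code): exactly one of the password or the password file is accepted, the -clcerts option from the commit message is used, and the resulting key-bearing PEM is locked down. Function names, argument order and the openssl invocation are assumptions for this illustration.

```python
import os
import subprocess


def pkcs12_to_pem_argv(p12_fname, pem_fname, p12_passwd=None, pwd_fname=None):
    """Return the openssl argv that extracts a client cert and key as PEM.

    Exactly one of ``p12_passwd`` (the password itself) or ``pwd_fname``
    (path of a file holding the password) must be given; both or neither
    is a caller bug and is rejected up front instead of failing later
    inside openssl. ``-clcerts`` drops CA certificates from the output and
    ``-nodes`` leaves the private key unencrypted so httpd can load it.
    (Hypothetical helper written for this example, not FreeIPA's API.)
    """
    if (p12_passwd is None) == (pwd_fname is None):
        raise ValueError("exactly one of p12_passwd or pwd_fname must be given")
    if pwd_fname is not None:
        # Preferred form: the password is read from a file and never appears
        # on the command line, so it is not visible in process listings.
        passin = "file:" + pwd_fname
    else:
        passin = "pass:" + p12_passwd
    return ["openssl", "pkcs12", "-in", p12_fname, "-out", pem_fname,
            "-clcerts", "-nodes", "-passin", passin]


def install_pem_from_p12(p12_fname, pem_fname, p12_passwd=None, pwd_fname=None):
    """Convert the .p12 and tighten permissions on the key-bearing PEM."""
    argv = pkcs12_to_pem_argv(p12_fname, pem_fname, p12_passwd, pwd_fname)
    subprocess.check_call(argv)
    # The PEM holds an unencrypted private key: owner read/write only.
    os.chmod(pem_fname, 0o600)
    return pem_fname
```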


Re: [Freeipa-devel] [PATCH] 352 Fixed KRA backend.

2014-10-22 Thread Endi Sukma Dewata

On 10/15/2014 10:59 PM, Endi Sukma Dewata wrote:

The KRA backend has been simplified since most of the tasks have
been moved somewhere else. The transport certificate will be
installed on the client, and it is not needed by the KRA backend. The
KRA agent's PEM certificate is now generated during installation
due to a permission issue. The kra_host() for now is removed since
the current ldap_enable() cannot register the KRA service, so it
is using the kra_host environment variable.

The KRA installer has been modified to use Dogtag's CLI go create
the KRA agent and set up the client authentication.

The proxy settings have been updated to include KRA's URLs.

The certs.install_pem_from_p12() has been updated to generate the
proper client certificate using the -clcerts option and also take
a password file.

Some constants have been renamed for clarity. The DOGTAG_AGENT_P12
has been renamed to DOGTAG_ADMIN_P12 since the file actually contains
the Dogtag admin's certificate and private key and it can be used
to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed
to KRA_AGENT_PEM since it can only be used for KRA.

Ticket #3872


New patch attached. It's identical to the previous one except I changed 
the ticket number to #4503.


--
Endi S. Dewata
From a3e5c4f872fade7e88f954452a64c310ba4ae380 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Wed, 1 Oct 2014 14:59:46 -0400
Subject: [PATCH] Fixed KRA backend.

The KRA backend has been simplified since most of the tasks have
been moved somewhere else. The transport certificate will be
installed on the client, and it is not needed by the KRA backend. The
KRA agent's PEM certificate is now generated during installation
due to a permission issue. The kra_host() for now is removed since
the current ldap_enable() cannot register the KRA service, so it
is using the kra_host environment variable.

The KRA installer has been modified to use Dogtag's CLI go create
the KRA agent and set up the client authentication.

The proxy settings have been updated to include KRA's URLs.

The certs.install_pem_from_p12() has been updated to generate the
proper client certificate using the -clcerts option and also take
a password file.

Some constants have been renamed for clarity. The DOGTAG_AGENT_P12
has been renamed to DOGTAG_ADMIN_P12 since the file actually contains
the Dogtag admin's certificate and private key and it can be used
to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed
to KRA_AGENT_PEM since it can only be used for KRA.

Ticket #4503
---
 install/conf/ipa-pki-proxy.conf  |   2 +-
 ipaplatform/base/paths.py|   4 +-
 ipaserver/install/cainstance.py  |   4 +-
 ipaserver/install/certs.py   |  10 ++--
 ipaserver/install/ipa_backup.py  |   3 +-
 ipaserver/install/krainstance.py |  83 ---
 ipaserver/plugins/dogtag.py  | 120 +--
 7 files changed, 100 insertions(+), 126 deletions(-)

diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
index 
2370b4d7a7467a7e47c0d223915e018c9a009e83..5d21156848f3b5ddf14c42d92a26a30a9f94af36
 100644
--- a/install/conf/ipa-pki-proxy.conf
+++ b/install/conf/ipa-pki-proxy.conf
@@ -19,7 +19,7 @@ ProxyRequests Off
 /LocationMatch
 
 # matches for agent port and eeca port
-LocationMatch 
^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/kra/agent/kra/connector|^/kra/rest/agent/keyrequests|^/kra/rest/agent/keys|^/ca/rest/admin/kraconnector/remove
+LocationMatch 
^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/kra/agent/kra/connector|^/kra/rest/account|^/kra/rest/agent/keyrequests|^/kra/rest/agent/keys|^/ca/rest/admin/kraconnector/remove
 NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
 NSSVerifyClient require
 ProxyPassMatch ajp://localhost:$DOGTAG_PORT
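Review bot: the added alternative `^/kra/rest/account` is anchored only at the start, like its neighbours, so it also covers any longer path beginning with that string; that is the safe direction here because this block enforces `NSSVerifyClient require`, so anything swept in needs a client certificate rather than being exposed. The comment above the block (`# matches for agent port and eeca port`) no longer describes what is listed and should mention the KRA REST endpoints too.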
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 
bbe6eed76ccb3c5f325fd368694ac6a2afbb72f0..01505594a7af926c860f867b817bd397c54efff5
 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -138,8 +138,8 @@ class BasePathNamespace(object):
 HOME_DIR = /home
 ROOT_IPA_CACHE = /root/.ipa_cache
 ROOT_PKI = /root/.pki
-DOGTAG_AGENT_P12 = /root/ca-agent.p12
-DOGTAG_AGENT_PEM = /etc/httpd/alias/agent.pem
+DOGTAG_ADMIN_P12 = /root/ca-agent.p12
+KRA_AGENT_PEM = /etc/httpd/alias/kra-agent.pem
 CACERT_P12 = /root/cacert.p12
 ROOT_IPA_CSR = /root/ipa.csr
 ROOT_TMP_CA_P12 = /root/tmp-ca.p12
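Review bot: DOGTAG_ADMIN_P12 is renamed because, per the commit message, the file holds the Dogtag admin's certificate and key, yet its value stays `/root/ca-agent.p12`, so the on-disk name still says "agent"; either keep the path for compatibility with existing installs and say so in a comment, or rename the file in a coordinated change. KRA_AGENT_PEM (`/etc/httpd/alias/kra-agent.pem`) will hold a private key used for client authentication; this hunk only defines the path, so the krainstance.py code that writes it should create the file with owner-only permissions, and the review should confirm that it does.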
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 
1ae39639ac9702651851e6c3964faa69788db31e..fe95201517a577b9f6dba7642afe09b4eef2328d
 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -514,7 +514,7 @@ class CAInstance(DogtagInstance):
  

[Freeipa-devel] [PATCH] 352 Fixed KRA backend.

2014-10-15 Thread Endi Sukma Dewata

The KRA backend has been simplified since most of the tasks have
been moved somewhere else. The transport certificate will be
installed on the client, and it is not needed by the KRA backend. The
KRA agent's PEM certificate is now generated during installation
due to a permission issue. The kra_host() for now is removed since
the current ldap_enable() cannot register the KRA service, so it
is using the kra_host environment variable.

The KRA installer has been modified to use Dogtag's CLI go create
the KRA agent and set up the client authentication.

The proxy settings have been updated to include KRA's URLs.

The certs.install_pem_from_p12() has been updated to generate the
proper client certificate using the -clcerts option and also take
a password file.

Some constants have been renamed for clarity. The DOGTAG_AGENT_P12
has been renamed to DOGTAG_ADMIN_P12 since the file actually contains
the Dogtag admin's certificate and private key and it can be used
to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed
to KRA_AGENT_PEM since it can only be used for KRA.

Ticket #3872

--
Endi S. Dewata
From 018d849db0f08285aeeb26e3fc886c8c161b3f33 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Wed, 1 Oct 2014 14:59:46 -0400
Subject: [PATCH] Fixed KRA backend.

The KRA backend has been simplified since most of the tasks have
been moved somewhere else. The transport certificate will be
installed on the client, and it is not needed by the KRA backend. The
KRA agent's PEM certificate is now generated during installation
due to a permission issue. The kra_host() for now is removed since
the current ldap_enable() cannot register the KRA service, so it
is using the kra_host environment variable.

The KRA installer has been modified to use Dogtag's CLI go create
the KRA agent and set up the client authentication.

The proxy settings have been updated to include KRA's URLs.

The certs.install_pem_from_p12() has been updated to generate the
proper client certificate using the -clcerts option and also take
a password file.

Some constants have been renamed for clarity. The DOGTAG_AGENT_P12
has been renamed to DOGTAG_ADMIN_P12 since the file actually contains
the Dogtag admin's certificate and private key and it can be used
to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed
to KRA_AGENT_PEM since it can only be used for KRA.

Ticket #3872
---
 install/conf/ipa-pki-proxy.conf  |   2 +-
 ipaplatform/base/paths.py|   4 +-
 ipaserver/install/cainstance.py  |   4 +-
 ipaserver/install/certs.py   |  10 ++--
 ipaserver/install/ipa_backup.py  |   3 +-
 ipaserver/install/krainstance.py |  83 ---
 ipaserver/plugins/dogtag.py  | 120 +--
 7 files changed, 100 insertions(+), 126 deletions(-)

diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
index 
2370b4d7a7467a7e47c0d223915e018c9a009e83..5d21156848f3b5ddf14c42d92a26a30a9f94af36
 100644
--- a/install/conf/ipa-pki-proxy.conf
+++ b/install/conf/ipa-pki-proxy.conf
@@ -19,7 +19,7 @@ ProxyRequests Off
 /LocationMatch
 
 # matches for agent port and eeca port
-LocationMatch 
^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/kra/agent/kra/connector|^/kra/rest/agent/keyrequests|^/kra/rest/agent/keys|^/ca/rest/admin/kraconnector/remove
+LocationMatch 
^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/kra/agent/kra/connector|^/kra/rest/account|^/kra/rest/agent/keyrequests|^/kra/rest/agent/keys|^/ca/rest/admin/kraconnector/remove
 NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
 NSSVerifyClient require
 ProxyPassMatch ajp://localhost:$DOGTAG_PORT
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 
0ba6b46c562a3d3f97e3631fd9dc0f27536bc6bc..3652a3213d2d116b34d7c4239964c511f572ed6b
 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -127,8 +127,8 @@ class BasePathNamespace(object):
 HOME_DIR = /home
 ROOT_IPA_CACHE = /root/.ipa_cache
 ROOT_PKI = /root/.pki
-DOGTAG_AGENT_P12 = /root/ca-agent.p12
-DOGTAG_AGENT_PEM = /etc/httpd/alias/agent.pem
+DOGTAG_ADMIN_P12 = /root/ca-agent.p12
+KRA_AGENT_PEM = /etc/httpd/alias/kra-agent.pem
 CACERT_P12 = /root/cacert.p12
 ROOT_IPA_CSR = /root/ipa.csr
 ROOT_TMP_CA_P12 = /root/tmp-ca.p12
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 
2c912206a37accfdf217c955755b82ed0d2056af..aa6de498726e779e62cd96ec13d9e52cd1262714
 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -514,7 +514,7 @@ class CAInstance(DogtagInstance):
 config.set(CA, pki_admin_nickname, ipa-ca-agent)
 config.set(CA, pki_admin_subject_dn,
 str(DN(('cn', 'ipa-ca-agent'),