[Pki-devel] [Freeipa-devel] [PATCH] - Add DRM to IPA

Rob Crittenden rcritten at redhat.com
Fri Jul 18 20:32:05 UTC 2014


Ade Lee wrote:
> Hi all, 
> 
> I have rebased all the previous patches against master, and have squashed them all into a single patch.
> It's a large patch, but as many folks have already reviewed the constituent precursor patches, most of it
> should be familiar and easier to review.
> 
> The main difference with what was specified before is that the DRM database is installed as a subtree
> to o=ipaca.  This means that no new replication agreements will be needed to replicate DRM data.  
> Replication agreements set up for the Dogtag CA will automatically replicate DRM data.
> 
> In order for this patch to work, a new build of Dogtag 10.2 is needed - with specific changes to
> allow the ability to install a database as a subtree of an existing tree.  At this time, these
> changes have not yet been checked into the dogtag source.   You can obtain such a build from:
> 
> http://copr.fedoraproject.org/coprs/vakwetu/dogtag/build/21936/
> 
> Please review,

The BuildRequires needs to be updated to avoid a bunch of lint errors:

./make-lint
************* Module ipaserver.plugins.dogtag
ipaserver/plugins/dogtag.py:249: [E0611(no-name-in-module), ] No name
'crypto' in module 'pki')
ipaserver/plugins/dogtag.py:250: [E0611(no-name-in-module), ] No name
'key' in module 'pki')
ipaserver/plugins/dogtag.py:251: [E0611(no-name-in-module), ] No name
'kra' in module 'pki')
ipaserver/plugins/dogtag.py:1952: [E1101(no-member), drm._setup]
Instance of 'PKIConnection' has no 'set_authentication_cert' member)
ipaserver/plugins/dogtag.py:1963: [E1101(no-member), drm._setup] Module
'pki' has no 'CERT_HEADER' member)
ipaserver/plugins/dogtag.py:1964: [E1101(no-member), drm._setup] Module
'pki' has no 'CERT_FOOTER' member)
************* Module ipaserver.install.dogtaginstance
ipaserver/install/dogtaginstance.py:71: [E1101(no-member),
get_security_domain] Instance of 'SecurityDomainClient' has no
'get_security_domain_info' member)

I forget what back and forth we had on DRM vs no DRM by default, but is
it right to have no option at all to add one at install time, à la DNS?

My first install failed:

Jul 18 15:38:36 ipa.example.com pkidaemon[16516]: ln: failed to create
symbolic link ‘/var/lib/pki/pki-tomcat/conf/ca/CS.cfg.bak’: Permission
denied
Jul 18 15:38:36 ipa.example.com pkidaemon[16516]: SUCCESS:  Successfully
archived
'/var/lib/pki/pki-tomcat/conf/ca/archives/CS.cfg.bak.20140718153836'
Jul 18 15:38:36 ipa.example.com pkidaemon[16516]: WARNING:  Failed to
backup '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg' to
'/var/lib/pki/pki-tomcat/conf/ca/CS.cfg.bak'!
Jul 18 15:38:36 ipa.example.com pkidaemon[16516]:
/usr/share/pki/scripts/operations: line 1579: 0: command not found
Jul 18 15:38:36 ipa.example.com systemd[1]:
pki-tomcatd@pki-tomcat.service: control process exited, code=exited status=1
Jul 18 15:38:36 ipa.example.com systemd[1]: Failed to start PKI Tomcat
Server pki-tomcat.

This is due to SELinux issues:

type=AVC msg=audit(1405712316.049:1656): avc:  denied  { setfscreate }
for  pid=16702 comm="cp" scontext=system_u:system_r:pki_tomcat_t:s0
tcontext=system_u:system_r:pki_tomcat_t:s0 tclass=process
type=AVC msg=audit(1405712316.049:1657): avc:  denied  { relabelfrom }
for  pid=16702 comm="cp" name="CS.cfg.bak.20140718153836" dev="dm-0"
ino=431097 scontext=system_u:system_r:pki_tomcat_t:s0
tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=AVC msg=audit(1405712316.050:1658): avc:  denied  { create } for
pid=16703 comm="ln" name="CS.cfg.bak"
scontext=system_u:system_r:pki_tomcat_t:s0
tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=lnk_file

I put it into permissive and continued.

The installer still references backing up /root/drmcert.p12 but it isn't
created by default.

The estimate for configuring the DRM seems off. On my VM it took 126
seconds, not 210. Mileage may vary but since my box was the source for
all the other timings :-)

On the plus side the DRM seems to work. I used the ca-agent cert and was
able to follow the steps at
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Testing_the_Key_Archival_and_Recovery_Setup.html
to issue and recover a key.

rob
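The three AVC denials Rob pasted are exactly the input one would feed to audit2allow to see what the pki_tomcat_t domain is missing. The script below is an added example (not part of this message, and not IPA or Dogtag code) that does the same aggregation in plain Python: it parses each `avc: denied` record, keys on (source type, target type, object class) and renders allow rules, using `self` when source and target domains are the same. The sample input is constructed from the denials quoted above, re-joined onto one line per record as they appear in audit.log; the function and variable names are this example's own.

```python
"""Turn SELinux AVC denial records into the allow rules a local policy
module would need (the aggregation step audit2allow performs).

Added example, not from the original message or the IPA/Dogtag code.
"""
import re
from collections import defaultdict

# Constructed sample: the three denials quoted in the message, one record
# per line as audit.log writes them (the mail archive wrapped them).
SAMPLE_AVCS = """\
type=AVC msg=audit(1405712316.049:1656): avc:  denied  { setfscreate } for  pid=16702 comm="cp" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:system_r:pki_tomcat_t:s0 tclass=process
type=AVC msg=audit(1405712316.049:1657): avc:  denied  { relabelfrom } for  pid=16702 comm="cp" name="CS.cfg.bak.20140718153836" dev="dm-0" ino=431097 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=AVC msg=audit(1405712316.050:1658): avc:  denied  { create } for  pid=16703 comm="ln" name="CS.cfg.bak" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=lnk_file
"""

# "avc:  denied  { perm1 perm2 } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denied permissions and contexts of one AVC record,
    or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'tclass': fields['tclass'],
    }


def type_of(context):
    """system_u:system_r:pki_tomcat_t:s0 -> pki_tomcat_t (the type field)."""
    return context.split(':')[2]


def allow_rules(log_text):
    """Aggregate every denial in log_text into allow rules, one per
    (source type, target type, class), merging permissions."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        needed[key].update(rec['perms'])

    rules = []
    for (src, tgt, cls), perms in sorted(needed.items()):
        # A domain acting on its own process object is written as "self".
        target = 'self' if src == tgt else tgt
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == '__main__':
    print('\n'.join(allow_rules(SAMPLE_AVCS)))
```

Running it on the sample yields three rules: `setfscreate` on `self:process` (the `cp` that tries to set a file-creation context), `relabelfrom` on `pki_tomcat_etc_rw_t:file`, and `create` on `pki_tomcat_etc_rw_t:lnk_file` (the `ln` that fails to make `CS.cfg.bak`). As with audit2allow output, each rule should be judged against what the operation is actually supposed to do before it goes into a local module; for a packaged service like Dogtag the right fix is a change in the distribution's selinux-policy, not a permissive domain left on the host.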
