diff --git a/roles/ipareplica/library/ipareplica_enable_ipa.py b/roles/ipareplica/library/ipareplica_enable_ipa.py
index a974165e25b46e994cbd6da35b70d428ddc1e904..87582b81399b8c074acad32e3a1c895da0342e71 100644
--- a/roles/ipareplica/library/ipareplica_enable_ipa.py
+++ b/roles/ipareplica/library/ipareplica_enable_ipa.py
@@ -90,7 +90,7 @@ from ansible.module_utils.ansible_ipa_replica import (
     check_imports, AnsibleModuleLog, setup_logging, installer, DN, paths,
     gen_env_boostrap_finalize_core, constants, api_bootstrap_finalize,
     gen_ReplicaConfig, gen_remote_api, api, redirect_stdout, service,
-    find_providing_servers, services
+    find_providing_servers, services, clean_up_hsm_nicknames
 )
 
 
@@ -168,6 +168,9 @@ def main():
         # Everything installed properly, activate ipa service.
         services.knownservices.ipa.enable()
 
+        if options.setup_ca and clean_up_hsm_nicknames is not None:
+            clean_up_hsm_nicknames(api)
+
         # Print a warning if CA role is only installed on one server
         if len(ca_servers) == 1:
             msg = u'''
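Review bot: The `clean_up_hsm_nicknames is not None` guard at L18 gives no hint of why the name can be None; the ImportError fallback lives in module_utils and is invisible from this module. Suggest a comment above it such as `# clean_up_hsm_nicknames is None when the installed FreeIPA replicainstall does not provide it (no HSM support)`. The call is also placed after `services.knownservices.ipa.enable()`, so an exception from it would fail the module with the ipa service already enabled; if that ordering is deliberate, a one-line comment saying so would help. main() starts and ends outside this hunk.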
diff --git a/roles/ipareplica/library/ipareplica_install_ca_certs.py b/roles/ipareplica/library/ipareplica_install_ca_certs.py
index b6d42d6a4363540ce25cfadbd67403f70a8004a0..db0fb54ad7f76688436e0956c08181ab735e03c1 100644
--- a/roles/ipareplica/library/ipareplica_install_ca_certs.py
+++ b/roles/ipareplica/library/ipareplica_install_ca_certs.py
@@ -333,9 +333,7 @@ def main():
 
     # done #
 
-    ansible_module.exit_json(changed=True,
-                             config_master_host_name=config.master_host_name,
-                             config_ca_host_name=config.ca_host_name)
+    ansible_module.exit_json(changed=True)
 
 
 if __name__ == '__main__':
diff --git a/roles/ipareplica/library/ipareplica_prepare.py b/roles/ipareplica/library/ipareplica_prepare.py
index 63f1dcbdc97a74f1319d73dcfac045e351d82cff..d4464a9389c3a5ce24cea700e42fdf6c9f9ae7cb 100644
--- a/roles/ipareplica/library/ipareplica_prepare.py
+++ b/roles/ipareplica/library/ipareplica_prepare.py
@@ -250,6 +250,10 @@ options:
     type: bool
     default: no
     required: no
+  client_configured:
+    description: Was client configured already
+    type: bool
+    required: yes
 author:
     - Thomas Woerner (@t-woerner)
 '''
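Review bot: The new DOCUMENTATION entry is named `client_configured` (L47), but the argument_spec added at L68 and the task in install.yml at L175 both use `ipa_client_installed`, so the documented option does not exist and the real one is undocumented. Rename the doc key to `ipa_client_installed` and tighten the description, e.g. `description: Whether the host was already configured as an IPA client`. Keeping `type: bool` and `required: yes` matches the argument_spec.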
@@ -275,7 +279,8 @@ from ansible.module_utils.ansible_ipa_replica import (
     check_domain_level_is_supported, errors, ScriptError, setup_logging,
     logger, check_dns_resolution, service, find_providing_server, ca, kra,
     dns, no_matching_interface_for_ip_address_warning, adtrust,
-    constants, api, redirect_stdout, replica_conn_check, tasks
+    constants, api, redirect_stdout, replica_conn_check, tasks,
+    install_ca_cert
 )
 from ansible.module_utils import six
 
@@ -353,6 +358,7 @@ def main():
             skip_conncheck=dict(required=False, type='bool'),
             sid_generation_always=dict(required=False, type='bool',
                                        default=False),
+            ipa_client_installed=dict(required=True, type='bool'),
         ),
         supports_check_mode=False,
     )
@@ -436,6 +442,7 @@ def main():
     # options._random_serial_numbers is generated by ca.install_check and
     # later used by ca.install in the _setup_ca module.
     options._random_serial_numbers = False
+    ipa_client_installed = ansible_module.params.get('ipa_client_installed')
 
     # init #
 
@@ -601,10 +608,20 @@ def main():
     ansible_log.debug("-- CA_CRT --")
 
     cafile = paths.IPA_CA_CRT
-    if not os.path.isfile(cafile):
-        ansible_module.fail_json(
-            msg="CA cert file is not available! Please reinstall"
-            "the client and try again.")
+    if install_ca_cert is not None:
+        if not os.path.isfile(cafile):
+            ansible_module.fail_json(
+                msg="CA cert file is not available! Please reinstall"
+                "the client and try again.")
+    else:
+        if ipa_client_installed:
+            # host was already an IPA client, refresh client cert stores to
+            # ensure we have up to date CA certs.
+            try:
+                ipautil.run([paths.IPA_CERTUPDATE])
+            except ipautil.CalledProcessError:
+                ansible_module.fail_json(
+                    msg="ipa-certupdate failed to refresh certs.")
 
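Review bot: The fail message at L91-L92 is built from two adjacent literals with no separating space, so it renders as "reinstallthe client"; the new code carries this over, and the fix is `msg="CA cert file is not available! Please reinstall "` on L91. The `else` branch at L93 also drops the `os.path.isfile(cafile)` check entirely when `ipa_client_installed` is false, so a missing `paths.IPA_CA_CRT` is no longer reported here; if a later step still reads `cafile`, consider keeping the existence check in both branches, and add a comment on L88 explaining that `install_ca_cert` is None when the installed FreeIPA's replicainstall no longer provides it. Whether `ipautil` is imported in this module cannot be seen from the hunk at L54-L61; confirm it is in scope before relying on `ipautil.run` and `ipautil.CalledProcessError`. main() starts and ends outside this hunk.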
     ansible_log.debug("-- REMOTE_API --")
 
diff --git a/roles/ipareplica/library/ipareplica_test.py b/roles/ipareplica/library/ipareplica_test.py
index 95bd7e32c975ac5b22e23e8ff053044e4af6d0b7..fabb52aa376b7923d2c964f8cdac801277db6a05 100644
--- a/roles/ipareplica/library/ipareplica_test.py
+++ b/roles/ipareplica/library/ipareplica_test.py
@@ -191,7 +191,7 @@ from ansible.module_utils.ansible_ipa_replica import (
     paths, sysrestore, ansible_module_get_parsed_ip_addresses, service,
     redirect_stdout, create_ipa_conf, ipautil,
     x509, validate_domain_name, common_check,
-    IPA_PYTHON_VERSION, getargspec, adtrustinstance
+    IPA_PYTHON_VERSION, getargspec, adtrustinstance, install_ca_cert
 )
 
 
@@ -542,7 +542,8 @@ def main():
         # additional
         client_enrolled=client_enrolled,
         change_master_for_certmonger=change_master_for_certmonger,
-        sid_generation_always=sid_generation_always
+        sid_generation_always=sid_generation_always,
+        install_ca_certs=install_ca_cert is not None
     )
 
 
diff --git a/roles/ipareplica/module_utils/ansible_ipa_replica.py b/roles/ipareplica/module_utils/ansible_ipa_replica.py
index f798833a8a3c54cfcc07c64ba2f2ca12601759d7..c5efa8da3c0c554acb22bddbb8f64c4bbc03a627 100644
--- a/roles/ipareplica/module_utils/ansible_ipa_replica.py
+++ b/roles/ipareplica/module_utils/ansible_ipa_replica.py
@@ -49,7 +49,7 @@ __all__ = ["contextlib", "dnsexception", "dnsresolver", "dnsreversename",
            "dnsname", "kernel_keyring", "krbinstance", "getargspec",
            "adtrustinstance", "paths", "api", "dsinstance", "ipaldap", "Env",
            "ipautil", "installutils", "IPA_PYTHON_VERSION", "NUM_VERSION",
-           "ReplicaConfig", "create_api"]
+           "ReplicaConfig", "create_api", "clean_up_hsm_nicknames"]
 
 import sys
 import logging
@@ -144,7 +144,7 @@ try:
         from ipaserver.install.replication import (
             ReplicationManager, replica_conn_check)
         from ipaserver.install.server.replicainstall import (
-            make_pkcs12_info, install_replica_ds, install_krb, install_ca_cert,
+            make_pkcs12_info, install_replica_ds, install_krb,
             install_http, install_dns_records, create_ipa_conf, check_dirsrv,
             check_dns_resolution, configure_certmonger,
             remove_replica_info_dir,
@@ -157,6 +157,16 @@ try:
             # ensure_enrolled,
             promotion_check_ipa_domain
         )
+        try:
+            from ipaserver.install.server.replicainstall import \
+                install_ca_cert
+        except ImportError:
+            install_ca_cert = None
+        try:
+            from ipaserver.install.server.replicainstall import \
+                clean_up_hsm_nicknames
+        except ImportError:
+            clean_up_hsm_nicknames = None
         import SSSDConfig
         from subprocess import CalledProcessError
 
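Review bot: The two ImportError fallbacks at L154-L163 are undocumented, and they now define the only way callers can tell which FreeIPA variant is installed (`install_ca_cert is not None` at L124, `clean_up_hsm_nicknames is not None` at L18). Suggest one comment above each, e.g. `# install_ca_cert was removed from newer replicainstall; None means the caller must refresh CA certs itself` and `# clean_up_hsm_nicknames only exists in FreeIPA builds with HSM support`. `__all__` at L137 gains `clean_up_hsm_nicknames` but it is not visible whether `install_ca_cert` is still listed there; if it is not, the star-import in ipareplica_prepare.py and ipareplica_test.py would not receive it. These fallbacks sit inside an outer `try:` whose start and `except` are outside this hunk.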
diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml
index 0340737372af42a81cea8858c809c447a5e3be55..076842a38448add1873846d2c06e9e2e0f3ebf16 100644
--- a/roles/ipareplica/tasks/install.yml
+++ b/roles/ipareplica/tasks/install.yml
@@ -209,6 +209,7 @@
       server: "{{ result_ipareplica_test.server }}"
       skip_conncheck: "{{ ipareplica_skip_conncheck }}"
       sid_generation_always: "{{ result_ipareplica_test.sid_generation_always }}"
+      ipa_client_installed: "{{ result_ipareplica_test.client_enrolled }}"
     register: result_ipareplica_prepare
 
   - name: Install - Add to ipaservers
@@ -276,6 +277,7 @@
       config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
       config_ips: "{{ result_ipareplica_prepare.config_ips }}"
     register: result_ipareplica_install_ca_certs
+    when: result_ipareplica_test.install_ca_certs
 
   - name: Install - Setup DS
     ipareplica_setup_ds:
@@ -312,7 +314,7 @@
       dirman_password: "{{ __derived_dirman_password }}"
       config_setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
       config_master_host_name:
-        "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
+        "{{ result_ipareplica_prepare.config_master_host_name }}"
       config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
       config_ips: "{{ result_ipareplica_prepare.config_ips }}"
     register: result_ipareplica_setup_ds
@@ -339,7 +341,7 @@
       ### additional ###
       server: "{{ result_ipareplica_test.server }}"
       config_master_host_name:
-        "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
+        "{{ result_ipareplica_prepare.config_master_host_name }}"
       config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
       ccache: "{{ result_ipareplica_prepare.ccache }}"
       installer_ccache: "{{ result_ipareplica_prepare.installer_ccache }}"
@@ -362,7 +364,7 @@
       subject_base: "{{ result_ipareplica_prepare.subject_base }}"
       ### additional ###
       config_master_host_name:
-        "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
+        "{{ result_ipareplica_prepare.config_master_host_name }}"
       ccache: "{{ result_ipareplica_prepare.ccache }}"
       _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info if result_ipareplica_prepare._pkinit_pkcs12_info != None else omit }}"
       _top_dir: "{{ result_ipareplica_prepare._top_dir }}"
@@ -393,7 +395,7 @@
       ### additional ###
       server: "{{ result_ipareplica_test.server }}"
       config_master_host_name:
-        "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
+        "{{ result_ipareplica_prepare.config_master_host_name }}"
       config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
       ccache: "{{ result_ipareplica_prepare.ccache }}"
       installer_ccache: "{{ result_ipareplica_prepare.installer_ccache }}"
@@ -406,7 +408,7 @@
       dirman_password: "{{ __derived_dirman_password }}"
       setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
       master:
-        "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
+        "{{ result_ipareplica_prepare.config_master_host_name }}"
     when: result_ipareplica_test.change_master_for_certmonger
 
   - name: Install - DS enable SSL
@@ -420,7 +422,7 @@
       subject_base: "{{ result_ipareplica_prepare.subject_base }}"
       ### additional ###
       config_master_host_name:
-        "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
+        "{{ result_ipareplica_prepare.config_master_host_name }}"
       ccache: "{{ result_ipareplica_prepare.ccache }}"
       _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
       _ca_file: "{{ result_ipareplica_prepare._ca_file }}"
@@ -441,7 +443,7 @@
       subject_base: "{{ result_ipareplica_prepare.subject_base }}"
       ### additional ###
       config_master_host_name:
-        "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
+        "{{ result_ipareplica_prepare.config_master_host_name }}"
       config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
       ccache: "{{ result_ipareplica_prepare.ccache }}"
       _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
@@ -473,7 +475,7 @@
       ### additional ###
       server: "{{ result_ipareplica_test.server }}"
       config_master_host_name:
-        "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
+        "{{ result_ipareplica_prepare.config_master_host_name }}"
       config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
       ccache: "{{ result_ipareplica_prepare.ccache }}"
       installer_ccache: "{{ result_ipareplica_prepare.installer_ccache }}"
@@ -498,7 +500,7 @@
       subject_base: "{{ result_ipareplica_prepare.subject_base }}"
       ### additional ###
       config_master_host_name:
-        "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
+        "{{ result_ipareplica_prepare.config_master_host_name }}"
       ccache: "{{ result_ipareplica_prepare.ccache }}"
       _ca_file: "{{ result_ipareplica_prepare._ca_file }}"
       _top_dir: "{{ result_ipareplica_prepare._top_dir }}"
@@ -549,9 +551,9 @@
       dirman_password: "{{ __derived_dirman_password }}"
       config_setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
       config_master_host_name:
-        "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
+        "{{ result_ipareplica_prepare.config_master_host_name }}"
       config_ca_host_name:
-        "{{ result_ipareplica_install_ca_certs.config_ca_host_name }}"
+        "{{ result_ipareplica_prepare.config_ca_host_name }}"
       config_ips: "{{ result_ipareplica_prepare.config_ips }}"
     when: result_ipareplica_prepare._ca_enabled
 
@@ -565,7 +567,7 @@
       subject_base: "{{ result_ipareplica_prepare.subject_base }}"
       ### additional ###
       config_master_host_name:
-        "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
+        "{{ result_ipareplica_prepare.config_master_host_name }}"
       ccache: "{{ result_ipareplica_prepare.ccache }}"
       _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
       _ca_file: "{{ result_ipareplica_prepare._ca_file }}"
@@ -585,7 +587,7 @@
       subject_base: "{{ result_ipareplica_prepare.subject_base }}"
       ### additional ###
       config_master_host_name:
-        "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
+        "{{ result_ipareplica_prepare.config_master_host_name }}"
       ccache: "{{ result_ipareplica_prepare.ccache }}"
       _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
       _ca_file: "{{ result_ipareplica_prepare._ca_file }}"
@@ -645,7 +647,7 @@
       subject_base: "{{ result_ipareplica_prepare.subject_base }}"
       ### additional ###
       config_master_host_name:
-        "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
+        "{{ result_ipareplica_prepare.config_master_host_name }}"
       ccache: "{{ result_ipareplica_prepare.ccache }}"
       _ca_file: "{{ result_ipareplica_prepare._ca_file }}"
       _top_dir: "{{ result_ipareplica_prepare._top_dir }}"
diff --git a/roles/ipaserver/library/ipaserver_prepare.py b/roles/ipaserver/library/ipaserver_prepare.py
index 1c7917565ecee56bf5cc50d8519315eebec226d1..24eccf2389a6c95ea245cb12aefa23fc5ced0109 100644
--- a/roles/ipaserver/library/ipaserver_prepare.py
+++ b/roles/ipaserver/library/ipaserver_prepare.py
@@ -326,6 +326,12 @@ def main():
     # ssl certificate
     # options.dirsrv_cert_files = ansible_module.params.get(
     #     'dirsrv_cert_files')
+    # hsm
+    if hasattr(ca, "hsm_version"):
+        options.token_name = None
+        options.token_library_path = None
+        options.token_password = None
+        options.token_password_file = None
     # client
     # options.no_ntp = ansible_module.params.get('no_ntp')
     # certificate system
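Review bot: The same six-line block hard-wiring `options.token_*` to None is repeated here, in ipaserver_setup_ca.py (L332-L337) and in ipaserver_setup_kra.py (L358-L363) with no explanation of what it does; a reader cannot tell whether HSM support is intentionally disabled or merely not yet wired through the role. Suggest a shared helper in ansible_ipa_server module_utils (e.g. `set_hsm_options_disabled(options)` guarded by the same `hasattr(ca, "hsm_version")` check) called from all three modules, with a docstring stating that the role does not expose HSM token options and so installs with the software NSS database. At minimum, replace `# hsm` with `# HSM token options are not exposed by this role; newer FreeIPA (ca.hsm_version) requires them to be set, so default to "no HSM"`. Only ipaserver_setup_kra.py shows `ca` being imported (L350); confirm it is already in scope in this module and in ipaserver_setup_ca.py.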
diff --git a/roles/ipaserver/library/ipaserver_setup_ca.py b/roles/ipaserver/library/ipaserver_setup_ca.py
index 4003e14d41557645c788aeda6673c530a9f28f0f..1a453e49ad792110c89f56d1d32e32b649b1d449 100644
--- a/roles/ipaserver/library/ipaserver_setup_ca.py
+++ b/roles/ipaserver/library/ipaserver_setup_ca.py
@@ -305,6 +305,12 @@ def main():
     options.dirsrv_cert_files = ansible_module.params.get('dirsrv_cert_files')
     options._dirsrv_pkcs12_info = ansible_module.params.get(
         '_dirsrv_pkcs12_info')
+    # hsm
+    if hasattr(ca, "hsm_version"):
+        options.token_name = None
+        options.token_library_path = None
+        options.token_password = None
+        options.token_password_file = None
     # certificate system
     options.external_ca = ansible_module.params.get('external_ca')
     options.external_ca_type = ansible_module.params.get('external_ca_type')
diff --git a/roles/ipaserver/library/ipaserver_setup_kra.py b/roles/ipaserver/library/ipaserver_setup_kra.py
index 9f05ef5a1da40f3a99c154cc60c8e36e09bdcf3a..4ea9aa6e242a29f8e7b7dc91e967832fdd95359f 100644
--- a/roles/ipaserver/library/ipaserver_setup_kra.py
+++ b/roles/ipaserver/library/ipaserver_setup_kra.py
@@ -74,7 +74,7 @@ RETURN = '''
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.ansible_ipa_server import (
     check_imports, AnsibleModuleLog, setup_logging, options,
-    api_Backend_ldap2, redirect_stdout, api, custodiainstance, kra
+    api_Backend_ldap2, redirect_stdout, api, custodiainstance, kra, ca
 )
 
 
@@ -106,6 +106,12 @@ def main():
     options.pki_config_override = ansible_module.params.get(
         'pki_config_override')
     options.promote = False  # first master, no promotion
+    # hsm
+    if hasattr(ca, "hsm_version"):
+        options.token_name = None
+        options.token_library_path = None
+        options.token_password = None
+        options.token_password_file = None
 
     # init ##########################################################