diff --git a/roles/ipareplica/library/ipareplica_enable_ipa.py b/roles/ipareplica/library/ipareplica_enable_ipa.py index a974165e25b46e994cbd6da35b70d428ddc1e904..87582b81399b8c074acad32e3a1c895da0342e71 100644 --- a/roles/ipareplica/library/ipareplica_enable_ipa.py +++ b/roles/ipareplica/library/ipareplica_enable_ipa.py @@ -90,7 +90,7 @@ from ansible.module_utils.ansible_ipa_replica import ( check_imports, AnsibleModuleLog, setup_logging, installer, DN, paths, gen_env_boostrap_finalize_core, constants, api_bootstrap_finalize, gen_ReplicaConfig, gen_remote_api, api, redirect_stdout, service, - find_providing_servers, services + find_providing_servers, services, clean_up_hsm_nicknames ) @@ -168,6 +168,9 @@ def main(): # Everything installed properly, activate ipa service. services.knownservices.ipa.enable() + if options.setup_ca and clean_up_hsm_nicknames is not None: + clean_up_hsm_nicknames(api) + # Print a warning if CA role is only installed on one server if len(ca_servers) == 1: msg = u''' diff --git a/roles/ipareplica/module_utils/ansible_ipa_replica.py b/roles/ipareplica/module_utils/ansible_ipa_replica.py index c244e288589246e22125eaa557016ca287b4e163..c5efa8da3c0c554acb22bddbb8f64c4bbc03a627 100644 --- a/roles/ipareplica/module_utils/ansible_ipa_replica.py +++ b/roles/ipareplica/module_utils/ansible_ipa_replica.py @@ -49,7 +49,7 @@ __all__ = ["contextlib", "dnsexception", "dnsresolver", "dnsreversename", "dnsname", "kernel_keyring", "krbinstance", "getargspec", "adtrustinstance", "paths", "api", "dsinstance", "ipaldap", "Env", "ipautil", "installutils", "IPA_PYTHON_VERSION", "NUM_VERSION", - "ReplicaConfig", "create_api"] + "ReplicaConfig", "create_api", "clean_up_hsm_nicknames"] import sys import logging 
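Review bot: In main(), the new `clean_up_hsm_nicknames(api)` call is skipped without any trace when the helper is `None`, so a CA replica installed against an ipaserver that lacks it finishes as if the HSM nickname cleanup had run. The `None` fallback comes from the `except ImportError` branch added in ansible_ipa_replica.py, and nothing in either hunk records which path was taken. I would add a comment above the guard, `# clean_up_hsm_nicknames is None when the installed ipaserver does not provide it`, and emit a debug line through the module's existing logger in the skipped case. The call also sits after `services.knownservices.ipa.enable()`, so an exception from it would fail the task with the IPA service already enabled; whether that is handled is not visible, since main() begins and ends outside the hunk.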
@@ -162,6 +162,11 @@ try: install_ca_cert except ImportError: install_ca_cert = None + try: + from ipaserver.install.server.replicainstall import \ + clean_up_hsm_nicknames + except ImportError: + clean_up_hsm_nicknames = None import SSSDConfig from subprocess import CalledProcessError
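Review bot: The added `except ImportError` cannot tell an ipaserver release that has no `clean_up_hsm_nicknames` from a `replicainstall` module that fails to import for some other reason; both end in `clean_up_hsm_nicknames = None`, and the caller then skips the cleanup. If `ipaserver.install.server.replicainstall` is already imported earlier in this block (not visible here), the second case cannot occur, and a one-line comment above the new `try:` would settle it, e.g. `# only the name can be missing here; replicainstall itself is imported above`. The enclosing `try:` block starts outside the hunk.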