The complete solution for this patch requires changes in Dogtag that Ade Lee is working on right now. In order to test, I have provided a couple of files that I have been using:


1. Apply the patch, build and install the IPA rpms, and run ipa-server-install as usual.
2. Move the dogtag.conf file into the /etc/httpd/conf.d directory.
3. Run the proxy_dogtag.py script to modify the Dogtag instance so that it accepts AJP connections from httpd, allowing httpd to act as a proxy.
4. Restart IPA.


To test:

1. Add a host.
2. Generate a CSR: http://freeipa.org/page/Certificate_Authority#Request_a_certificate
3. Request a certificate for the newly added host.
4. Optionally, revoke the certificate for the host.


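# mod_nss renegotiation is not configured here: the installer writes
# NSSRenegotiation / NSSRequireSafeNegotiation into nss.conf (see the
# httpinstance.py change in the accompanying patch).

# httpd is a reverse proxy for the local Dogtag instance (AJP on
# 127.0.0.1:8009). Forward proxying stays off so the server cannot be
# used as an open proxy.
ProxyRequests Off

# Every alternative is anchored at the start of the path, and prefixes that
# name a directory end with "/". The original "^/ca/ee/*" meant "/ca/ee
# followed by zero or more slashes", so the unauthenticated ee section also
# matched "/ca/eeca/..." and only the later, stricter section (merged after
# it in file order) kept the client-certificate requirement. Access control
# should not depend on that ordering.

# end-entity (ee) interfaces: no client certificate at the httpd layer
<LocationMatch "^/ca/ee/|^/ca/renewal|^/ca/certbasedenrollment|^/ca/ocsp|^/ca/enrollment|^/ca/profileSubmit|^/ca/cgi-bin/pkiclient.exe">
    NSSVerifyClient none
    ProxyPassMatch ajp://127.0.0.1:8009/
    ProxyPassReverse ajp://127.0.0.1:8009/
</LocationMatch>

# admin interfaces: no client certificate at the httpd layer
<LocationMatch "^/ca/admin/|^/ca/auths|^/ca/acl|^/ca/server|^/ca/caadmin|^/ca/caprofile|^/ca/jobsScheduler|^/ca/capublisher|^/ca/log|^/ca/ug">
    NSSVerifyClient none
    ProxyPassMatch ajp://127.0.0.1:8009/
    ProxyPassReverse ajp://127.0.0.1:8009/
</LocationMatch>

# agent interfaces and the client-cert-authenticated ee alias (/ca/eeca/):
# a client certificate is mandatory here. +OptRenegotiate lets mod_nss
# renegotiate to request the certificate on these locations only,
# +StrictRequire makes the requirement unconditional, and +ExportCertData
# exports the certificate (SSL_CLIENT_CERT) so the backend can see who
# authenticated. The "/ca/ca/displayCertFromRequest" alternative was the
# only one missing its "^" anchor.
<LocationMatch "^/ca/agent/|^/ca/ca/getCertFromRequest|^/ca/ca/GetBySerial|^/ca/ca/connector|^/ca/ca/displayCertFromRequest|^/ca/doRevoke|^/ca/eeca/">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient require
    ProxyPassMatch ajp://127.0.0.1:8009/
    ProxyPassReverse ajp://127.0.0.1:8009/
</LocationMatch>

# static content
<LocationMatch "^/graphics/">
    NSSVerifyClient none
    ProxyPassMatch ajp://127.0.0.1:8009/
    ProxyPassReverse ajp://127.0.0.1:8009/
</LocationMatch>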

#!/usr/bin/python
from lxml import etree
import tempfile

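# Disable the servlet filters declared in the Dogtag CA's web.xml and add an
# AJP connector to server.xml so that httpd can act as a reverse proxy for
# the instance.
#
# Both files are rewritten in place rather than via a temporary file and
# rename, so they keep their existing owner and mode (a rename would leave
# files owned by whoever runs this script) -- TODO confirm this matters for
# the pki instance's ownership.

web_xml_path = '/var/lib/pki-ca/webapps/ca/WEB-INF/web.xml'
server_xml_path = "/etc/pki-ca/server.xml"

# Bound to loopback: httpd connects to ajp://127.0.0.1:8009/ (dogtag.conf),
# and the AJP protocol performs no authentication of its own, so the port
# must not be reachable from the network.
AJP_CONNECTOR_XML = ('<Connector port="8009" protocol="AJP/1.3" '
                     'address="127.0.0.1" redirectPort="9444" />')


def disable_web_xml_filters(path):
    """Set every filter ``init-param`` named ``active`` to ``false``.

    NOTE(review): these filters presumably implement Dogtag's own
    per-interface (ee/agent/admin) port separation -- confirm. Once they are
    inactive, the httpd LocationMatch sections in dogtag.conf are the only
    place a client certificate is required for the agent and admin URIs, so
    those patterns must cover every privileged path.

    Args:
        path: the web.xml to modify in place.

    Returns:
        The number of ``param-value`` elements changed.
    """
    print("opening " + path)
    with open(path, 'rb') as infile:
        doc = etree.parse(infile)

    print('init-param_names ')
    changed = 0
    for name in doc.xpath('//web-app/filter/init-param/param-name'):
        # The original meant to strip the text (it called .strip without
        # parentheses); surrounding whitespace is not significant.
        if (name.text or '').strip() != 'active':
            continue
        for value in name.xpath('../param-value'):
            value.text = "false"
            changed += 1

    with open(path, 'wb') as ofile:
        doc.write(ofile)
    print("saving " + path)
    return changed


def add_ajp_connector(path):
    """Add the AJP connector to the ``Catalina`` service in server.xml.

    Nothing is written when a Connector for port 8009 already exists, so the
    script can be re-run safely.

    Args:
        path: the server.xml to modify in place.

    Returns:
        True if the file was modified, False if the connector was present.

    Raises:
        RuntimeError: if no ``<Service name="Catalina">`` element is found.
    """
    with open(path, 'rb') as infile:
        doc = etree.parse(infile)

    # A relative XPath on an lxml ElementTree is evaluated against the root
    # element (<Server>), so this finds its direct <Service> child.
    catalina = doc.xpath('Service[@name="Catalina"]')
    if not catalina:
        raise RuntimeError('no <Service name="Catalina"> found in ' + path)

    if catalina[0].xpath('Connector[@port="8009"]'):
        print("Port 8009 found ")
        return False

    print("No Port 8009 defined ")
    catalina[0].append(etree.XML(AJP_CONNECTOR_XML))
    with open(path, 'wb') as ofile:
        doc.write(ofile)
    return True


def main():
    """Apply both modifications to the default pki-ca instance."""
    disable_web_xml_filters(web_xml_path)
    add_ajp_connector(server_xml_path)


if __name__ == '__main__':
    main()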


From 706d0415c714a2f14ced774ace1b6a61eef482a1 Mon Sep 17 00:00:00 2001
From: Adam Young <ayo...@redhat.com>
Date: Wed, 17 Aug 2011 15:36:18 -0400
Subject: [PATCH] enable proxy for dogtag

Dogtag is going to be proxied through httpd.  To make this work, it has to support renegotiation of the SSL
connection.  This patch enables renegotiation in the nss configuration file during apache configuration,
and also modifies libnss to set the appropriate options on the ssl connection in order to renegotiate.

The IPA install uses the internal ports instead of proxying through
httpd since httpd is not set up yet.

IPA needs to request the certificate through a port that uses authentication.  On the Dogtag side, they provide an additional mapping for this:   /ca/eeca/ca as opposed to /ca/ee/ca, just for this purpose.

https://fedorahosted.org/freeipa/ticket/1334
---
 ipalib/constants.py               |   10 +++++++---
 ipapython/dogtag.py               |    2 +-
 ipapython/nsslib.py               |   15 ++++++++++++++-
 ipaserver/install/certs.py        |    4 ++--
 ipaserver/install/httpinstance.py |    5 +++++
 ipaserver/plugins/dogtag.py       |    2 +-
 6 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/ipalib/constants.py b/ipalib/constants.py
index 026e0735441eabf8dbe63fffa85da69aa151c5d7..244360fe17dee4ff91b561fb6e3f7b5f4e443726 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -136,9 +136,13 @@ DEFAULT_CONFIG = (
 
     # CA plugin:
     ('ca_host', FQDN),  # Set in Env._finalize_core()
-    ('ca_port', 9180),
-    ('ca_agent_port', 9443),
-    ('ca_ee_port', 9444),
+    ('ca_port', 80),
+    ('ca_agent_port', 443),
+    ('ca_ee_port', 443),
+    ('ca_install_port', 9180),
+    ('ca_agent_install_port',9443 ),
+    ('ca_ee_install_port',9444 ),
+
 
     # Special CLI:
     ('prompt_all', False),
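Review bot: The three new `*_install_port` entries say nothing about when they apply as opposed to `ca_port`/`ca_agent_port`/`ca_ee_port`, which this same hunk repoints at httpd's 80/443; a one-line comment above them would spare the next reader a trip to the commit message, e.g. `# Direct Dogtag ports, used by the installer before httpd is configured to proxy the CA`. The spacing in `('ca_agent_install_port',9443 )` and `('ca_ee_install_port',9444 )` does not match the surrounding tuples, and the added empty `+` line leaves two blank lines in a row. DEFAULT_CONFIG begins and ends outside the hunk.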
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 969535e4b95d3fc7f7f5202000bb29deef558e32..02f981974e1047a880ed05e428a86b4a4d4a6c21 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -34,7 +34,7 @@ def get_ca_certchain(ca_host=None):
     if ca_host is None:
         ca_host = api.env.ca_host
     chain = None
-    conn = httplib.HTTPConnection(ca_host, api.env.ca_port)
+    conn = httplib.HTTPConnection(ca_host, api.env.ca_install_port)
     conn.request("GET", "/ca/ee/ca/getCertChain")
     res = conn.getresponse()
     doc = None
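Review bot: get_ca_certchain now always opens a plain `httplib.HTTPConnection` to `ca_install_port`, and nothing on the line says why this call deliberately bypasses the httpd proxy that the rest of the patch moves traffic to; a comment such as `# Direct Dogtag port: called during install, before httpd proxies the CA` would make that explicit. Since the chain arrives over unauthenticated HTTP, the function's docstring should also state that callers are expected to verify it by other means -- that is pre-existing, but the port split makes it easier to miss. The function starts and ends outside the hunk.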
diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py
index e347d217992a4a549413f3e33d9248a403ee68cd..a0c5a8d36921c6eef3bf4320aab0a0c544ce82fd 100644
--- a/ipapython/nsslib.py
+++ b/ipapython/nsslib.py
@@ -208,12 +208,25 @@ class NSSConnection(httplib.HTTPConnection, NSSAddressFamilyFallback):
         self._create_socket()
 
     def _create_socket(self):
+
+        #TODO remove the try block once python-nss is guaranteed to
+	#contain these values
+	try :
+        	ssl_enable_renegotiation  = SSL_ENABLE_RENEGOTIATION   #pylint: disable=E0602
+		ssl_require_safe_negotiation = SSL_REQUIRE_SAFE_NEGOTIATION  #pylint: disable=E0602
+		ssl_renegotiate_requires_xtn = SSL_RENEGOTIATE_REQUIRES_XTN #pylint: disable=E0602
+	except :
+        	ssl_enable_renegotiation  = 20
+		ssl_require_safe_negotiation = 21
+		ssl_renegotiate_requires_xtn = 2
+
         # Create the socket here so we can do things like let the caller
         # override the NSS callbacks
         self.sock = ssl.SSLSocket(family=self.family)
         self.sock.set_ssl_option(ssl.SSL_SECURITY, True)
         self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True)
-
+	self.sock.set_ssl_option(ssl_require_safe_negotiation, False)
+	self.sock.set_ssl_option(ssl_enable_renegotiation, ssl_renegotiate_requires_xtn)
         # Provide a callback which notifies us when the SSL handshake is complete
         self.sock.set_handshake_callback(self.handshake_callback)
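Review bot: The added lines in `_create_socket` are indented with tabs (the `try:`/`except :` block and the two `set_ssl_option` calls at the end of the hunk) while the surrounding method uses spaces; Python 3 rejects the mix outright and Python 2 only accepts it because a tab happens to expand to eight columns, so convert them to spaces before merging. The constants are also looked up as bare names (`SSL_ENABLE_RENEGOTIATION`, with pylint E0602 silenced) whereas every neighbouring option is `ssl.SSL_*`; unless the module star-imports `nss.ssl`, which the hunk does not show, the lookup raises NameError every time and the bare `except :` silently drops to the numeric fallbacks. Attribute lookup with an explicit default removes both the bare except and the ambiguity: `ssl_enable_renegotiation = getattr(ssl, 'SSL_ENABLE_RENEGOTIATION', 20)`, `ssl_require_safe_negotiation = getattr(ssl, 'SSL_REQUIRE_SAFE_NEGOTIATION', 21)`, `ssl_renegotiate_requires_xtn = getattr(ssl, 'SSL_RENEGOTIATE_REQUIRES_XTN', 2)`. A comment on the two `set_ssl_option` calls should say that renegotiation is permitted only with peers that support the RFC 5746 renegotiation_info extension (`SSL_RENEGOTIATE_REQUIRES_XTN`), which is what keeps re-enabling it safe, while `SSL_REQUIRE_SAFE_NEGOTIATION` stays False so the initial handshake still succeeds with servers lacking the extension. The method continues past the hunk.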
 
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 738b329a6edd22501dc21459f89b271d93dc2b2c..6d5231a7eaea29fa94121ad902e84708742c9d99 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -631,7 +631,7 @@ class CertDB(object):
             password = f.readline()
             f.close()
             http_status, http_reason_phrase, http_headers, http_body = \
-                dogtag.https_request(self.host_name, api.env.ca_ee_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
+                dogtag.https_request(self.host_name, api.env.ca_ee_install_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
 
             if http_status != 200:
                 raise CertificateOperationError(error='Unable to communicate with CMS (%s)' % \
@@ -713,7 +713,7 @@ class CertDB(object):
             password = f.readline()
             f.close()
             http_status, http_reason_phrase, http_headers, http_body = \
-                dogtag.https_request(self.host_name, api.env.ca_ee_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
+                dogtag.https_request(self.host_name, api.env.ca_ee_install_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
             if http_status != 200:
                 raise RuntimeError("Unable to submit cert request")
 
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index d2eb27c96eb2dbf6baf5f1b24edf579cd6d0881a..d2654ba671789111fc9185702dbb358a456e5746 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -75,6 +75,7 @@ class HTTPInstance(service.Service):
         self.step("disabling mod_ssl in httpd", self.__disable_mod_ssl)
         self.step("setting mod_nss port to 443", self.__set_mod_nss_port)
         self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
+        self.step("enabling mod_nss renegotiate", self.__enable_mod_nss_renegotiate)
         self.step("adding URL rewriting rules", self.__add_include)
         self.step("configuring httpd", self.__configure_http)
         self.step("setting up ssl", self.__setup_ssl)
@@ -160,6 +161,10 @@ class HTTPInstance(service.Service):
     def __set_mod_nss_nickname(self, nickname):
         installutils.set_directive(NSS_CONF, 'NSSNickname', nickname)
 
+    def __enable_mod_nss_renegotiate(self):
+        installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on',False)
+        installutils.set_directive(NSS_CONF, 'NSSRequireSafeNegotiation', 'on',False)
+
     def __set_mod_nss_passwordfile(self):
         installutils.set_directive(NSS_CONF, 'NSSPassPhraseDialog', 'file:/etc/httpd/conf/password.conf')
 
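Review bot: `__enable_mod_nss_renegotiate` has no docstring, and the trailing positional `False` on both `set_directive` calls is unexplained (presumably the quoting flag -- confirm against installutils.set_directive); nor does anything say why a server install turns renegotiation on at all. Suggest a docstring stating that httpd now proxies Dogtag and asks for a client certificate per location (the `NSSVerifyClient require` sections in dogtag.conf) after the initial handshake, which needs renegotiation, and that `NSSRequireSafeNegotiation on` limits it to peers supporting the RFC 5746 extension so the old renegotiation weakness is not reintroduced. Also add the missing space after the comma in `'on',False` on both lines. The enclosing class continues outside the hunk.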
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index d1234a0d242339cbd77d2190d3c181fd8e8c94db..23d06abc112c41bbd9bfba5d7173ed2ae84d5752 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1514,7 +1514,7 @@ class ra(rabase.rabase):
 
         # Call CMS
         http_status, http_reason_phrase, http_headers, http_body = \
-            self._sslget('/ca/ee/ca/profileSubmitSSLClient',
+            self._sslget('/ca/eeca/ca/profileSubmitSSLClient',
                          self.env.ca_ee_port,
                          profileId='caIPAserviceCert',
                          cert_request_type=request_type,
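Review bot: The new `/ca/eeca/ca/profileSubmitSSLClient` path reads like a typo for `/ca/ee/...` to anyone who has not seen the commit message, and a later "fix" would silently route the request to the unauthenticated section; a comment on the line prevents that, e.g. `# /ca/eeca/ is Dogtag's client-cert-authenticated alias of /ca/ee/; httpd requires a client certificate only under that prefix`. The request still goes to `self.env.ca_ee_port`, which this patch changes to 443, so correctness of this call now depends on the dogtag.conf LocationMatch with `NSSVerifyClient require` covering `^/ca/eeca/`; worth saying next to the port argument. The enclosing method starts and ends outside the hunk.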
-- 
1.7.6
