On 08/26/2011 02:34 PM, Simo Sorce wrote:
On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote:
On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote:
On 08/25/2011 05:24 PM, Adam Young wrote:
Uses the updated version of pkicreate which makes an ipa specific
proxy config file.


_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
The test for the proxy file in /etc/httpd/conf.d was "isfile" but
since the file is actually a symlink, it needs to be "islink". This
one checks for either.
Nack, install fails after configuring the http service.
Restart bails out

using export SYSTEMCTL_SKIP_REDIRECT=1 to get systemd out of the way (it
was suppressing the error output) I get a permission denied error
trying to open /etc/httpd/conf.d/proxy-ipa.conf
That's a symlink into /etc/pki-ca/proxy-ipa.conf which is a file owned
by pkiuser:pkiuser with permission 660 (therefore not readable by the
apache user).
Ok it turns out permissions are not the real issue as the file is read
while apache is still root, it's a selinux issue.
Apache starts if I setenforce 0

Still a Nack of course, it needs to work with selinux in enforcing mode

Simo.
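The `isfile`/`islink` distinction from Adam's message and the unreadable-target finding from Simo's, as an added Python example (not part of the thread or of FreeIPA's code): it builds a throwaway `conf.d/proxy-ipa.conf -> pki-ca/proxy-ipa.conf` layout with mode 660, reports what each predicate says for a live and for a dangling link, and checks whether a given uid/gid (a hypothetical apache user) could read the resolved target.

```python
import os
import stat
import tempfile


def classify(path):
    """What the two predicates from the thread report about `path`."""
    return {
        "isfile": os.path.isfile(path),    # follows the link; False if it dangles
        "islink": os.path.islink(path),    # true for the link itself, target or not
        "present": os.path.lexists(path),  # "either": entry exists, file or link
    }


def readable_by(path, uid, gid):
    """Could a process running as uid/gid read the resolved target?

    Covers the 660 pkiuser:pkiuser case from the thread using owner/group
    bits only; ACLs and SELinux labels need a separate check.
    """
    st = os.stat(path)  # os.stat follows the symlink to the real file
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def demo():
    """Constructed layout mirroring the thread; all paths are temporary."""
    root = tempfile.mkdtemp()
    target = os.path.join(root, "pki-ca", "proxy-ipa.conf")
    link = os.path.join(root, "conf.d", "proxy-ipa.conf")
    dangling = os.path.join(root, "conf.d", "missing.conf")
    os.makedirs(os.path.dirname(target))
    os.makedirs(os.path.dirname(link))
    with open(target, "w") as f:
        f.write("ProxyRequests Off\n")
    os.chmod(target, 0o660)                 # the mode Simo observed
    os.symlink(target, link)                # live link, like conf.d -> pki-ca
    os.symlink(os.path.join(root, "pki-ca", "nope.conf"), dangling)
    me, my_gid = os.getuid(), os.getgid()
    apache_uid, apache_gid = me + 1, my_gid + 1   # hypothetical apache ids
    return {
        "live": classify(link),
        "dangling": classify(dangling),
        "owner_can_read": readable_by(link, me, my_gid),
        "apache_can_read": readable_by(link, apache_uid, apache_gid),
    }
```

Mode bits alone cannot reproduce the SELinux denial Simo hit; in enforcing mode the file context of the link target has to be checked separately (for example with `ls -Z`).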

This version owns the proxy config file. It works with setenforce 0, but does not work with SELinux, so, preemptive-nack. But I will be gone for a week, so if someone wants to pick this up and run with it, start from here.
From 00b43e83864f9a27b20b1d2e90010c7cee007d19 Mon Sep 17 00:00:00 2001
From: Adam Young <ayo...@redhat.com>
Date: Wed, 17 Aug 2011 15:36:18 -0400
Subject: [PATCH] enable proxy for dogtag

Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL
connection. This patch enables renegotiate in the nss configuration file during apache configuration,
as well as modifies libnss to set the appropriate options on the ssl connection in order to renegotiate.

The IPA install uses the internal ports instead of proxying through
httpd since  httpd is not set up yet.

IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed to /ca/ee/ca just for this purpose.

https://fedorahosted.org/freeipa/ticket/1334

add flag to pkicreate in order to enable using proxy.

add the proxy file in  /etc/http/conf.d/
---
 freeipa.spec.in                   |    3 +++
 install/conf/Makefile.am          |    1 +
 install/conf/proxy-ipa.conf       |   25 +++++++++++++++++++++++++
 ipalib/constants.py               |   10 +++++++---
 ipapython/dogtag.py               |    2 +-
 ipapython/nsslib.py               |   15 ++++++++++++++-
 ipaserver/install/cainstance.py   |    6 ++++--
 ipaserver/install/certs.py        |    4 ++--
 ipaserver/install/httpinstance.py |    5 +++++
 ipaserver/plugins/dogtag.py       |    2 +-
 10 files changed, 63 insertions(+), 10 deletions(-)
 create mode 100644 install/conf/proxy-ipa.conf

diff --git a/freeipa.spec.in b/freeipa.spec.in
index d25aee693591243da2adf01319869c60919d2dd0..c8a125a834a159401c295a0080f371a968435c21 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -304,6 +304,7 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/ipa_error.css \
 # So we can own our Apache configuration
 mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
 /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf
+/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/proxy-ipa.conf
 /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
 mkdir -p %{buildroot}%{_initrddir}
 install -m755 ipa.init %{buildroot}%{_initrddir}/ipa
@@ -449,8 +450,10 @@ fi
 %config(noreplace) %{_sysconfdir}/ipa/html/hbac-deny-remove.html
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
+%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/proxy-ipa.conf
 %{_usr}/share/ipa/ipa.conf
 %{_usr}/share/ipa/ipa-rewrite.conf
+%{_usr}/share/ipa/proxy-ipa.conf
 %dir %{_usr}/share/ipa/updates/
 %{_usr}/share/ipa/updates/*
 %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
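Review bot: `%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/proxy-ipa.conf` declares ownership and mode for a file that nothing in this patch installs: the copy shipped as `%{_usr}/share/ipa/proxy-ipa.conf` is never copied into `conf.d` by `httpinstance.py`, so what ends up there is whatever `pkicreate -enable_proxy` creates, which Simo found to be a symlink to `/etc/pki-ca/proxy-ipa.conf` owned `pkiuser:pkiuser` mode 660. `%ghost`/`%attr` do not change the mode, ownership or SELinux label of that link target, so Apache still cannot read it in enforcing mode. Suggest an install step that copies the shared file into `/etc/httpd/conf.d/proxy-ipa.conf` the way `ipa.conf` and `ipa-rewrite.conf` are handled, so the file carries httpd's ownership and file context.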
diff --git a/install/conf/Makefile.am b/install/conf/Makefile.am
index e00ad618f47b704d3fb6451545fe3fbfaa1b31a9..2055f4e93bf7b884f318315eced8da1208d13a65 100644
--- a/install/conf/Makefile.am
+++ b/install/conf/Makefile.am
@@ -3,6 +3,7 @@ NULL =
 appdir = $(IPA_DATA_DIR)
 app_DATA =                              \
 	ipa.conf			\
+	proxy-ipa.conf			\
 	ipa-rewrite.conf		\
 	$(NULL)
 
diff --git a/install/conf/proxy-ipa.conf b/install/conf/proxy-ipa.conf
new file mode 100644
index 0000000000000000000000000000000000000000..af949209f897c274fce6137e8a4ac6a19da263db
--- /dev/null
+++ b/install/conf/proxy-ipa.conf
@@ -0,0 +1,25 @@
+ProxyRequests Off
+
+# matches for ee port
+<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange">
+    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+    NSSVerifyClient none
+    ProxyPassMatch ajp://localhost:9447/
+    ProxyPassReverse ajp://localhost:9447/
+</LocationMatch>
+
+# matches for admin port 
+<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML">
+    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+    NSSVerifyClient none
+    ProxyPassMatch ajp://localhost:9447/
+    ProxyPassReverse ajp://localhost:9447/
+</LocationMatch>
+
+# matches for agent port and eeca port
+<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
+    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+    NSSVerifyClient require
+    ProxyPassMatch ajp://localhost:9447/
+    ProxyPassReverse ajp://localhost:9447/
+</LocationMatch>
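Review bot: the `LocationMatch` patterns are anchored only at the start (`^/ca/ee/ca/getCertChain|...`), so any servlet path that merely extends one of the listed names is forwarded as well, and because all three blocks proxy to the same `ajp://localhost:9447/`, the two `NSSVerifyClient none` blocks are exactly the unauthenticated surface exposed on 443. Anchor each alternative with `$` (or `(/|$)` where path info is needed) so the allowlist is exact, and consider merging the two `none` blocks, which are otherwise identical. Nit: trailing whitespace after `# matches for admin port`.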
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 026e0735441eabf8dbe63fffa85da69aa151c5d7..51cf566e1cb5631593f005af5a940cbd5b66f444 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -136,9 +136,13 @@ DEFAULT_CONFIG = (
 
     # CA plugin:
     ('ca_host', FQDN),  # Set in Env._finalize_core()
-    ('ca_port', 9180),
-    ('ca_agent_port', 9443),
-    ('ca_ee_port', 9444),
+    ('ca_port', 80),
+    ('ca_agent_port', 443),
+    ('ca_ee_port', 443),
+    ('ca_install_port', 9180),
+    ('ca_agent_install_port', 9443),
+    ('ca_ee_install_port', 9444),
+
 
     # Special CLI:
     ('prompt_all', False),
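Review bot: the extra blank line added after `('ca_ee_install_port', 9444),` leaves two consecutive blank lines before `# Special CLI:`; drop it. More importantly, the names alone no longer say what the values mean: `ca_port` is now httpd's plain port 80 and `ca_agent_port`/`ca_ee_port` are httpd's 443, while the `*_install_port` entries are Dogtag's own listeners used only before httpd is configured. A one-line comment on each group would stop a later reader from pointing an install-time call at the proxy or a runtime call at the internal port.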
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 969535e4b95d3fc7f7f5202000bb29deef558e32..02f981974e1047a880ed05e428a86b4a4d4a6c21 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -34,7 +34,7 @@ def get_ca_certchain(ca_host=None):
     if ca_host is None:
         ca_host = api.env.ca_host
     chain = None
-    conn = httplib.HTTPConnection(ca_host, api.env.ca_port)
+    conn = httplib.HTTPConnection(ca_host, api.env.ca_install_port)
     conn.request("GET", "/ca/ee/ca/getCertChain")
     res = conn.getresponse()
     doc = None
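Review bot: `get_ca_certchain` now always talks to Dogtag's internal port (`api.env.ca_install_port`) even though `/ca/ee/ca/getCertChain` is one of the paths the new proxy config exposes without client authentication on 443; if this helper is also called after installation (its name does not say it is install-only), that call bypasses the proxy and depends on the internal port being reachable. Either take the port as a parameter and pass `api.env.ca_install_port` from the install code, or add a comment stating that this helper is used during install only.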
diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py
index e347d217992a4a549413f3e33d9248a403ee68cd..c4d8cdcf60704c0002663f1abb6aff84022c2c55 100644
--- a/ipapython/nsslib.py
+++ b/ipapython/nsslib.py
@@ -208,12 +208,25 @@ class NSSConnection(httplib.HTTPConnection, NSSAddressFamilyFallback):
         self._create_socket()
 
     def _create_socket(self):
+
+        #TODO remove the try block once python-nss is guaranteed to
+	#contain these values
+        try :
+                ssl_enable_renegotiation  = SSL_ENABLE_RENEGOTIATION   #pylint: disable=E0602
+                ssl_require_safe_negotiation = SSL_REQUIRE_SAFE_NEGOTIATION  #pylint: disable=E0602
+                ssl_renegotiate_requires_xtn = SSL_RENEGOTIATE_REQUIRES_XTN #pylint: disable=E0602
+        except :
+                ssl_enable_renegotiation  = 20
+                ssl_require_safe_negotiation = 21
+                ssl_renegotiate_requires_xtn = 2
+
         # Create the socket here so we can do things like let the caller
         # override the NSS callbacks
         self.sock = ssl.SSLSocket(family=self.family)
         self.sock.set_ssl_option(ssl.SSL_SECURITY, True)
         self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True)
-
+        self.sock.set_ssl_option(ssl_require_safe_negotiation, False)
+        self.sock.set_ssl_option(ssl_enable_renegotiation, ssl_renegotiate_requires_xtn)
         # Provide a callback which notifies us when the SSL handshake is complete
         self.sock.set_handshake_callback(self.handshake_callback)
 
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 5c6c49e4b1780e5b64815cad2c39c7994d981cd4..01667e960d904f65b989c4ed4bb59001ece4d372 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -70,6 +70,7 @@ EE_CLIENT_AUTH_PORT=9446
 UNSECURE_PORT=9180
 TOMCAT_SERVER_PORT=9701
 
+
 # We need to reset the template because the CA uses the regular boot
 # information
 INF_TEMPLATE = """
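Review bot: this hunk only adds a blank line after `TOMCAT_SERVER_PORT=9701`; drop it from the patch.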
@@ -557,6 +558,7 @@ class CAInstance(service.Service):
                 '-tomcat_server_port', str(TOMCAT_SERVER_PORT),
                 '-redirect', 'conf=/etc/pki-ca',
                 '-redirect', 'logs=/var/log/pki-ca',
+                '-enable_proxy'
         ]
         ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn})
 
@@ -658,7 +660,7 @@ class CAInstance(service.Service):
                 args.append("-sd_hostname")
                 args.append(self.master_host)
                 args.append("-sd_admin_port")
-                args.append(str(ADMIN_SECURE_PORT))
+                args.append("443")
                 args.append("-sd_admin_name")
                 args.append("admin")
                 args.append("-sd_admin_password")
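Review bot: replacing `str(ADMIN_SECURE_PORT)` with the literal `"443"` hardcodes the httpd port at the call site; reference a named constant (the proxied port already added to `ipalib/constants.py`) so the value lives in one place. Note also that a replica now reaches the master's `securityDomainLogin`/`getDomainXML` servlets through httpd, which only works once the master already has `proxy-ipa.conf` in place; worth stating in the commit message for mixed-version deployments.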
@@ -666,7 +668,7 @@ class CAInstance(service.Service):
                 args.append("-clone_start_tls")
                 args.append("true")
                 args.append("-clone_uri")
-                args.append("https://%s:%d"; % (self.master_host, EE_SECURE_PORT))
+                args.append("https://%s:%d"; % (self.master_host, 443))
             else:
                 args.append("-clone")
                 args.append("false")
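Review bot: same hardcoded `443` as in the `-sd_admin_port` hunk; both should use the one named constant rather than a literal so a change to the httpd port is made in a single place. (The `;` after the format string in both the old and new `-clone_uri` line looks like a mail-archive artifact rather than source.)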
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index f14efe33fc50b789e63c1e45c40a6c3cfd964e24..d3df1681bbbea67d95d456dd29412444a6f5ab26 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -633,7 +633,7 @@ class CertDB(object):
             password = f.readline()
             f.close()
             http_status, http_reason_phrase, http_headers, http_body = \
-                dogtag.https_request(self.host_name, api.env.ca_ee_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
+                dogtag.https_request(self.host_name, api.env.ca_ee_install_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
 
             if http_status != 200:
                 raise CertificateOperationError(error='Unable to communicate with CMS (%s)' % \
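Review bot: the port changes to `api.env.ca_ee_install_port` but the path stays `/ca/ee/ca/profileSubmitSSLClient`, while `ipaserver/plugins/dogtag.py` moves the equivalent runtime call to `/ca/eeca/ca/profileSubmitSSLClient`; a one-line comment that `certs.py` talks to Dogtag directly during install (hence the internal port and the `ee` path) would keep a later reader from "fixing" one to match the other.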
@@ -715,7 +715,7 @@ class CertDB(object):
             password = f.readline()
             f.close()
             http_status, http_reason_phrase, http_headers, http_body = \
-                dogtag.https_request(self.host_name, api.env.ca_ee_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
+                dogtag.https_request(self.host_name, api.env.ca_ee_install_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
             if http_status != 200:
                 raise RuntimeError("Unable to submit cert request")
 
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index fe5f7aa958fe1210c07c3cbe4d7145808e7bdc78..04d1ed402fa9dc96c743772bf40af05fcf55d008 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -75,6 +75,7 @@ class HTTPInstance(service.Service):
         self.step("disabling mod_ssl in httpd", self.__disable_mod_ssl)
         self.step("setting mod_nss port to 443", self.__set_mod_nss_port)
         self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
+        self.step("enabling mod_nss renegotiate", self.__enable_mod_nss_renegotiate)
         self.step("adding URL rewriting rules", self.__add_include)
         self.step("configuring httpd", self.__configure_http)
         self.step("setting up ssl", self.__setup_ssl)
@@ -160,6 +161,10 @@ class HTTPInstance(service.Service):
     def __set_mod_nss_nickname(self, nickname):
         installutils.set_directive(NSS_CONF, 'NSSNickname', nickname)
 
+    def __enable_mod_nss_renegotiate(self):
+        installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on',False)
+        installutils.set_directive(NSS_CONF, 'NSSRequireSafeNegotiation', 'on',False)
+
     def __set_mod_nss_passwordfile(self):
         installutils.set_directive(NSS_CONF, 'NSSPassPhraseDialog', 'file:/etc/httpd/conf/password.conf')
 
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index d1234a0d242339cbd77d2190d3c181fd8e8c94db..23d06abc112c41bbd9bfba5d7173ed2ae84d5752 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1514,7 +1514,7 @@ class ra(rabase.rabase):
 
         # Call CMS
         http_status, http_reason_phrase, http_headers, http_body = \
-            self._sslget('/ca/ee/ca/profileSubmitSSLClient',
+            self._sslget('/ca/eeca/ca/profileSubmitSSLClient',
                          self.env.ca_ee_port,
                          profileId='caIPAserviceCert',
                          cert_request_type=request_type,
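Review bot: the switch to `/ca/eeca/ca/profileSubmitSSLClient` is correct only because that path sits in the `NSSVerifyClient require` block of `proxy-ipa.conf` and `self.env.ca_ee_port` is now httpd's 443; a comment at the call site saying that `eeca` is the client-certificate-authenticated mapping reached through the proxy would explain why this call and the install-time one in `certs.py` use different paths and ports.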
-- 
1.7.6
