Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
On 08/29/2011 05:58 PM, Simo Sorce wrote:
> On Fri, 2011-08-26 at 22:28 -0400, Adam Young wrote:
>> On 08/26/2011 08:57 PM, Adam Young wrote:
>>> On 08/26/2011 06:30 PM, Simo Sorce wrote:
>>>> On Fri, 2011-08-26 at 17:41 -0400, Adam Young wrote:
>>>>> On 08/26/2011 02:34 PM, Simo Sorce wrote:
>>>>>> On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote:
>>>>>>> On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote:
>>>>>>>> On 08/25/2011 05:24 PM, Adam Young wrote:
>>>>>>>>> Uses the updated version of pkicreate which makes an IPA-specific proxy config file.
>>>>>>>>
>>>>>>>> The test for the proxy file in /etc/httpd/conf.d was 'isfile', but since the file is actually a symlink, it needs to be 'islink'. This one checks for either.
>>>>>>>
>>>>>>> Nack, install fails after configuring the http service. Restart bails out.
>>>>>>> Using export SYSTEMCL_SKIP_REDIRECT=1 to get systemd out of the way (it was suppressing the error output) I get a permission denied error trying to open /etc/httpd/conf.d/proxy-ipa.conf
>>>>>>> That's a symlink into /etc/pki-ca/proxy-ipa.conf which is a file owned by pkiuser:pkiuser with permission 660 (therefore not readable by the apache user).
>>>>>>> Simo.
>>>>>>
>>>>>> Ok, it turns out permissions are not the real issue, as the file is read while apache is still root; it's a SELinux issue.
>>>>>> Apache starts if I setenforce 0.
>>>>>> Still a Nack of course, it needs to work with SELinux in enforcing mode.
>>>>>> Simo.
>>>>>
>>>>> This version owns the proxy config file. It works with setenforce 0, but does not work with SELinux, so, preemptive nack. But I will be gone for a week, so if someone wants to pick this up and run with it, start from here.
>>>>
>>>> The previous patch with the corrected isfile vs islink issue works fine as long as the SELinux policy is fixed to allow access to /etc/pki-ca/proxy-ipa.conf
>>>> I have tested a master and then replica install with no issues after I loaded a custom SELinux policy that allows that.
>>>> So tentative ACK to the former patch.
>>>> I will discuss with Ade how to resolve the SELinux issue and will push to master once that is solved.
>>>> Simo.
>>>
>>> Previous patch is based on a change for PKI-CA that we are not going to push, so we can't go with that. The file /etc/pki-ca/proxy-ipa.conf will not be available for IPA to use.
>>> Whatever the issue is with this patch, it has to be fairly minor. The difference in approach is that this one includes the conf file and places it in /etc/httpd/conf.d. The problem is possibly the fact that this one uses localhost instead of the FQDN, although I did test it both ways prior to adding it to the RPM, and it worked with localhost and SELinux in enforcing mode.
>>
>> Failure seems to be from this step in the install log:
>>
>> After configuration, the server can be operated by the command:
>> /sbin/service pki-cad restart pki-ca
>> 2011-08-26 21:51:47,114 DEBUG stderr=[error] FAILED run_command(/sbin/service pki-cad restart pki-ca), exit status=126
>> output=Stopping pki-ca: [ OK ]
>> /usr/bin/runcon: /var/lib/pki-ca/pki-ca: Permission denied
>>
>> And in the Audit log:
>>
>> type=AVC msg=audit(1314409907.089:2397): avc: denied { transition } for pid=21040 comm=runcon path=/etc/rc.d/init.d/tomcat6 dev=dm-0 ino=35449 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process
>> type=AVC msg=audit(1314410048.272:2398): avc: denied { transition } for pid=21124 comm=runcon path=/etc/rc.d/init.d/tomcat6 dev=dm-0 ino=35449 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process
>
> I guess these AVCs were due to mislabeling of your development system.
> I tried multiple times w/o any issues.
> I added a few minor corrections.
> a) actually copying the file to /etc/httpd/conf.d was missing, I do that as an additional final configuration step in cainstance.py
> b) renamed the file to ipa-pki-proxy.conf, the original name was fine as a dogtag file, but as an ipa file it lacked context
> c) I added an httpd server restart in ipa-ca-install as that script does not otherwise restart apache and we need it to read the new conf file that was just dropped down.
> This was tested and pushed to master.
> Simo.

Thanks Simo. Considering that this happened a few days back, I'm guessing that it hasn't blown up on anyone yet.

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
Simo Sorce wrote:
> On Fri, 2011-08-26 at 22:28 -0400, Adam Young wrote:
>> [...]
>
> [...]
> This was tested and pushed to master.
> Simo.

I pushed it to ipa-2-1.
Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
On Fri, 2011-08-26 at 22:28 -0400, Adam Young wrote:
> On 08/26/2011 08:57 PM, Adam Young wrote:
>> [...]
>
> Failure seems to be from this step in the install log:
> [...]
> /usr/bin/runcon: /var/lib/pki-ca/pki-ca: Permission denied
>
> And in the Audit log:
> [...]

I guess these AVCs were due to mislabeling of your development system.
I tried multiple times w/o any issues.

I added a few minor corrections.
a) actually copying the file to /etc/httpd/conf.d was missing, I do that as an additional final configuration step in cainstance.py
b) renamed the file to ipa-pki-proxy.conf, the original name was fine as a dogtag file, but as an ipa file it lacked context
c) I added an httpd server restart in ipa-ca-install as that script does not otherwise restart apache and we need it to read the new conf file that was just dropped down.

This was tested and pushed to master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote:
> On 08/25/2011 05:24 PM, Adam Young wrote:
>> Uses the updated version of pkicreate which makes an IPA-specific proxy config file.
>
> The test for the proxy file in /etc/httpd/conf.d was 'isfile', but since the file is actually a symlink, it needs to be 'islink'. This one checks for either.

Nack, install fails after configuring the http service. Restart bails out.

Using export SYSTEMCL_SKIP_REDIRECT=1 to get systemd out of the way (it was suppressing the error output) I get a permission denied error trying to open /etc/httpd/conf.d/proxy-ipa.conf

That's a symlink into /etc/pki-ca/proxy-ipa.conf which is a file owned by pkiuser:pkiuser with permission 660 (therefore not readable by the apache user).

Simo.

--
Simo Sorce * Red Hat, Inc * New York
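The isfile-versus-islink test and the ownership problem raised in this exchange are easy to get wrong, so the script below (an added example, not FreeIPA code and not something either poster sent) shows what os.path.isfile(), os.path.islink() and os.path.lexists() report for a regular file, a symlink to it, a dangling symlink and a missing path, and adds a pure DAC read check for an owner/group/mode triple such as pkiuser:pkiuser 0660. All paths are created in a temporary directory, the uid/gid numbers in the usage are made up for the example, and the DAC check says nothing about SELinux, which can still deny a read that passes it.

```python
"""Added example (not FreeIPA code): the predicates behind the 'isfile vs
islink' test and a DAC-only read check like the pkiuser:pkiuser 0660 case.
All files are created in a temporary directory; no /etc path is touched."""
import os
import stat
import tempfile


def classify(path):
    """Return (isfile, islink, lexists) for path.

    isfile() follows symlinks, so it is True only when the *target* is a
    regular file and False for a dangling link; islink() looks at the link
    itself; lexists() is True whenever a directory entry exists at all."""
    return (os.path.isfile(path), os.path.islink(path), os.path.lexists(path))


def proxy_conf_present(path):
    """The 'checks for either' test from the thread, made explicit: a regular
    file or a symlink both count, but a link whose target is gone is reported
    separately so an installer can tell the two apart."""
    if os.path.islink(path):
        return "link" if os.path.isfile(path) else "dangling-link"
    if os.path.isfile(path):
        return "file"
    return "missing"


def readable_by(mode, owner_uid, owner_gid, uid, gids):
    """DAC-only answer to 'can a process running as uid/gids open this file
    for reading?'. root bypasses DAC, which is why httpd can still read the
    file while it starts as root; SELinux is a separate (MAC) check that can
    deny a read this function says is allowed."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def demo():
    """Build the four path cases in a temp dir (constructed sample data) and
    return what each predicate reports for them."""
    with tempfile.TemporaryDirectory() as d:
        real = os.path.join(d, "proxy-ipa.conf")   # stands in for the real file
        link = os.path.join(d, "link-to-conf")     # symlink to it
        dangling = os.path.join(d, "dangling")     # symlink to a missing target
        missing = os.path.join(d, "not-there")     # no entry at all
        with open(real, "w") as fh:
            fh.write("ProxyRequests Off\n")
        os.symlink(real, link)
        os.symlink(os.path.join(d, "does-not-exist"), dangling)
        return {name: (classify(p), proxy_conf_present(p))
                for name, p in (("real", real), ("link", link),
                                ("dangling", dangling), ("missing", missing))}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
    # Hypothetical ids: pkiuser 1001, apache 48 (not taken from the thread).
    print("pkiuser:pkiuser 0660 readable by apache?",
          readable_by(0o660, 1001, 1001, 48, {48}))
    print("root:apache 0644 readable by apache?",
          readable_by(0o644, 0, 48, 48, {48}))
```

The point of the dangling case is that isfile() alone would report the link as absent while islink() reports it as present; an installer that wants to re-create the file on a failed link needs both answers.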
Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote:
> On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote:
>> [...]
>
> Nack, install fails after configuring the http service. Restart bails out.
> [...]
> That's a symlink into /etc/pki-ca/proxy-ipa.conf which is a file owned by pkiuser:pkiuser with permission 660 (therefore not readable by the apache user).

Ok, it turns out permissions are not the real issue, as the file is read while apache is still root; it's a SELinux issue.

Apache starts if I setenforce 0.

Still a Nack of course, it needs to work with SELinux in enforcing mode.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
On 08/26/2011 02:34 PM, Simo Sorce wrote:
> On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote:
>> [...]
>
> Ok, it turns out permissions are not the real issue, as the file is read while apache is still root; it's a SELinux issue.
> Apache starts if I setenforce 0.
> Still a Nack of course, it needs to work with SELinux in enforcing mode.
> Simo.

This version owns the proxy config file. It works with setenforce 0, but does not work with SELinux, so, preemptive nack. But I will be gone for a week, so if someone wants to pick this up and run with it, start from here.

From 00b43e83864f9a27b20b1d2e90010c7cee007d19 Mon Sep 17 00:00:00 2001
From: Adam Young ayo...@redhat.com Date: Wed, 17 Aug 2011 15:36:18 -0400 Subject: [PATCH] enable proxy for dogtag Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL connection. This patch enables renegotiate in the nss configuration file during during apache configuration, as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate. The IPA install uses the internal ports instead of proxying through httpd since httpd is not set up yet. IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose. https://fedorahosted.org/freeipa/ticket/1334 add flag to pkicreate in order to enable using proxy. add the proxy file in /etc/http/conf.d/ --- freeipa.spec.in |3 +++ install/conf/Makefile.am |1 + install/conf/proxy-ipa.conf | 25 + ipalib/constants.py | 10 +++--- ipapython/dogtag.py |2 +- ipapython/nsslib.py | 15 ++- ipaserver/install/cainstance.py |6 -- ipaserver/install/certs.py|4 ++-- ipaserver/install/httpinstance.py |5 + ipaserver/plugins/dogtag.py |2 +- 10 files changed, 63 insertions(+), 10 deletions(-) create mode 100644 install/conf/proxy-ipa.conf diff --git a/freeipa.spec.in b/freeipa.spec.in index d25aee693591243da2adf01319869c60919d2dd0..c8a125a834a159401c295a0080f371a968435c21 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -304,6 +304,7 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/ipa_error.css \ # So we can own our Apache configuration mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/ /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf +/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/proxy-ipa.conf /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf mkdir -p %{buildroot}%{_initrddir} install -m755 ipa.init %{buildroot}%{_initrddir}/ipa 
@@ -449,8 +450,10 @@ fi %config(noreplace) %{_sysconfdir}/ipa/html/hbac-deny-remove.html %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf +%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/proxy-ipa.conf %{_usr}/share/ipa/ipa.conf %{_usr}/share/ipa/ipa-rewrite.conf +%{_usr}/share/ipa/proxy-ipa.conf %dir %{_usr}/share/ipa/updates/ %{_usr}/share/ipa/updates/* %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so diff --git a/install/conf/Makefile.am b/install/conf/Makefile.am index e00ad618f47b704d3fb6451545fe3fbfaa1b31a9..2055f4e93bf7b884f318315eced8da1208d13a65 100644 --- a/install/conf/Makefile.am +++ b/install/conf/Makefile.am @@ -3,6 +3,7 @@ NULL = appdir = $(IPA_DATA_DIR) app_DATA = \ ipa.conf \ + proxy-ipa.conf \ ipa-rewrite.conf \ $(NULL) diff --git a/install/conf/proxy-ipa.conf b/install/conf/proxy-ipa.conf new file mode 100644 index ..af949209f897c274fce6137e8a4ac6a19da263db --- /dev/null +++ b/install/conf/proxy-ipa.conf @@ -0,0 +1,25 @@ +ProxyRequests Off + +# matches for ee port +LocationMatch
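Review bot: the freeipa.spec.in hunk ghosts %{_sysconfdir}/httpd/conf.d/proxy-ipa.conf and packages %{_usr}/share/ipa/proxy-ipa.conf, but no hunk visible here copies the shipped file into /etc/httpd/conf.d at configure time, so the ghosted path stays empty after install; add that copy as a CA configuration step (the correction (a) Simo describes later in this thread does exactly that in cainstance.py). A root-owned %attr(0644,root,apache) file in conf.d is also what avoids the pkiuser:pkiuser 0660 and SELinux problem reported earlier for the symlink into /etc/pki-ca.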
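Review bot: in install/conf/proxy-ipa.conf, `ProxyRequests Off` is the right first line for a reverse proxy (it stops mod_proxy from acting as an open forward proxy), but the `LocationMatch` block that follows is cut off in this archive, so the forwarded paths and any access controls on the CA agent and ee endpoints cannot be reviewed from what is shown; when reposting, include the whole file and keep the matched locations limited to the CA URIs IPA actually needs.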
Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
On Fri, 2011-08-26 at 17:41 -0400, Adam Young wrote:
> On 08/26/2011 02:34 PM, Simo Sorce wrote:
>> [...]
>
> This version owns the proxy config file. It works with setenforce 0, but does not work with SELinux, so, preemptive nack. But I will be gone for a week, so if someone wants to pick this up and run with it, start from here.

The previous patch with the corrected isfile vs islink issue works fine as long as the SELinux policy is fixed to allow access to /etc/pki-ca/proxy-ipa.conf

I have tested a master and then replica install with no issues after I loaded a custom SELinux policy that allows that.

So tentative ACK to the former patch.

I will discuss with Ade how to resolve the SELinux issue and will push to master once that is solved.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
On 08/26/2011 06:30 PM, Simo Sorce wrote:
> On Fri, 2011-08-26 at 17:41 -0400, Adam Young wrote:
>> [...]
>
> The previous patch with the corrected isfile vs islink issue works fine as long as the SELinux policy is fixed to allow access to /etc/pki-ca/proxy-ipa.conf
> [...]
> So tentative ACK to the former patch.
> I will discuss with Ade how to resolve the SELinux issue and will push to master once that is solved.
> Simo.

Previous patch is based on a change for PKI-CA that we are not going to push, so we can't go with that. The file /etc/pki-ca/proxy-ipa.conf will not be available for IPA to use.

Whatever the issue is with this patch, it has to be fairly minor. The difference in approach is that this one includes the conf file and places it in /etc/httpd/conf.d. The problem is possibly the fact that this one uses localhost instead of the FQDN, although I did test it both ways prior to adding it to the RPM, and it worked with localhost and SELinux in enforcing mode.
Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
On 08/26/2011 08:57 PM, Adam Young wrote:
> On 08/26/2011 06:30 PM, Simo Sorce wrote:
>> [...]
>
> Previous patch is based on a change for PKI-CA that we are not going to push, so we can't go with that. The file /etc/pki-ca/proxy-ipa.conf will not be available for IPA to use.
> [...]

Failure seems to be from this step in the install log:

After configuration, the server can be operated by the command:
/sbin/service pki-cad restart pki-ca
2011-08-26 21:51:47,114 DEBUG stderr=[error] FAILED run_command(/sbin/service pki-cad restart pki-ca), exit status=126
output=Stopping pki-ca: [ OK ]
/usr/bin/runcon: /var/lib/pki-ca/pki-ca: Permission denied

And in the Audit log:

type=AVC msg=audit(1314409907.089:2397): avc: denied { transition } for pid=21040 comm=runcon path=/etc/rc.d/init.d/tomcat6 dev=dm-0 ino=35449 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process
type=AVC msg=audit(1314410048.272:2398): avc: denied { transition } for pid=21124 comm=runcon path=/etc/rc.d/init.d/tomcat6 dev=dm-0 ino=35449 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process
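AVC records like the two in this message are worth parsing rather than reading by eye when an install fails with SELinux enforcing. The script below (an added example, not FreeIPA code and not part of this thread) pulls the denied permission, object class and the source and target types out of audit lines of this shape, collapses repeated denials into counts and produces a one-line explanation of a refused domain transition. The sample input is the two records quoted above; the field layout follows the standard kernel AVC audit format, and the regular expressions are the example's own.

```python
"""Added example (not FreeIPA code): parse SELinux AVC audit records and
summarise denials by (source type, target type, class, permission)."""
import re
from collections import Counter

# Sample input: the two AVC records quoted in the message above.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1314409907.089:2397): avc: denied { transition } for pid=21040 comm=runcon path=/etc/rc.d/init.d/tomcat6 dev=dm-0 ino=35449 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process
type=AVC msg=audit(1314410048.272:2398): avc: denied { transition } for pid=21124 comm=runcon path=/etc/rc.d/init.d/tomcat6 dev=dm-0 ino=35449 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process
"""

# Header: type=AVC msg=audit(<seconds>.<ms>:<serial>): avc: denied { perms } for <key=value ...>
_AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc: +(?P<result>denied|granted) +\{ (?P<perms>[^}]+) \} for (?P<rest>.*)$"
)
_KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = _AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    rec.update(_KV_RE.findall(m.group("rest")))
    # Reduce the full contexts (user:role:type:level) to their type component,
    # which is what a policy rule would be written against.
    for key in ("scontext", "tcontext"):
        if key in rec:
            rec[key + "_type"] = rec[key].split(":")[2]
    return rec


def summarize(log_text):
    """Count denials by (source type, target type, class, permission) so that
    repeats of the same denial collapse into one entry."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["scontext_type"], rec["tcontext_type"],
                    rec["tclass"], perm)] += 1
    return counts


def explain(rec):
    """One-line reading of a record; the process/transition case is the shape
    seen above: the caller's domain was refused entry into the target type."""
    if rec["tclass"] == "process" and "transition" in rec["perms"]:
        return ("process %r running in %s was refused a transition to %s "
                "while executing %s" % (rec.get("comm"), rec["scontext_type"],
                                        rec["tcontext_type"], rec.get("path")))
    return "%s denied %s on %s (class %s)" % (
        rec["scontext_type"], " ".join(rec["perms"]),
        rec["tcontext_type"], rec["tclass"])


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_AUDIT_LOG).items():
        print(n, key)
    print(explain(parse_avc(SAMPLE_AUDIT_LOG.splitlines()[0])))
```

Grouping by type rather than by full context is deliberate: the source here is kernel_t (the init script was started without a proper domain), and that is the attribute a mislabelled system or a policy gap would be diagnosed from, not the pid or timestamp.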
Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
Uses the updated version of pkicreate which makes an ipa specific proxy config file. From 585eec7bf70f9785742f488334fc7aaa7a1cbdf6 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Wed, 17 Aug 2011 15:36:18 -0400 Subject: [PATCH] enable proxy for dogtag Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL connection. This patch enables renegotiate in the nss configuration file during during apache configuration, as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate. The IPA install uses the internal ports instead of proxying through httpd since httpd is not set up yet. IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose. https://fedorahosted.org/freeipa/ticket/1334 add flag to pkicreate in order to enable using proxy. adding /etc/http/conf.d/ symlink to /etc/pki-ca/proxy.conf, and cleans it up on uninstall --- ipalib/constants.py | 10 +++--- ipapython/dogtag.py |2 +- ipapython/nsslib.py | 15 ++- ipaserver/install/cainstance.py | 20 ++-- ipaserver/install/certs.py|4 ++-- ipaserver/install/httpinstance.py |5 + ipaserver/plugins/dogtag.py |2 +- 7 files changed, 48 insertions(+), 10 deletions(-) diff --git a/ipalib/constants.py b/ipalib/constants.py index 026e0735441eabf8dbe63fffa85da69aa151c5d7..244360fe17dee4ff91b561fb6e3f7b5f4e443726 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -136,9 +136,13 @@ DEFAULT_CONFIG = ( # CA plugin: ('ca_host', FQDN), # Set in Env._finalize_core() -('ca_port', 9180), -('ca_agent_port', 9443), -('ca_ee_port', 9444), +('ca_port', 80), +('ca_agent_port', 443), +('ca_ee_port', 443), +('ca_install_port', 9180), +('ca_agent_install_port',9443 ), +('ca_ee_install_port',9444 ), + # Special CLI: ('prompt_all', False), 
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 969535e4b95d3fc7f7f5202000bb29deef558e32..02f981974e1047a880ed05e428a86b4a4d4a6c21 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py @@ -34,7 +34,7 @@ def get_ca_certchain(ca_host=None): if ca_host is None: ca_host = api.env.ca_host chain = None -conn = httplib.HTTPConnection(ca_host, api.env.ca_port) +conn = httplib.HTTPConnection(ca_host, api.env.ca_install_port) conn.request(GET, /ca/ee/ca/getCertChain) res = conn.getresponse() doc = None diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py index e347d217992a4a549413f3e33d9248a403ee68cd..a0c5a8d36921c6eef3bf4320aab0a0c544ce82fd 100644 --- a/ipapython/nsslib.py +++ b/ipapython/nsslib.py @@ -208,12 +208,25 @@ class NSSConnection(httplib.HTTPConnection, NSSAddressFamilyFallback): self._create_socket() def _create_socket(self): + +#TODO remove the try block once python-nss is guaranteed to + #contain these values + try : + ssl_enable_renegotiation = SSL_ENABLE_RENEGOTIATION #pylint: disable=E0602 + ssl_require_safe_negotiation = SSL_REQUIRE_SAFE_NEGOTIATION #pylint: disable=E0602 + ssl_renegotiate_requires_xtn = SSL_RENEGOTIATE_REQUIRES_XTN #pylint: disable=E0602 + except : + ssl_enable_renegotiation = 20 + ssl_require_safe_negotiation = 21 + ssl_renegotiate_requires_xtn = 2 + # Create the socket here so we can do things like let the caller # override the NSS callbacks self.sock = ssl.SSLSocket(family=self.family) self.sock.set_ssl_option(ssl.SSL_SECURITY, True) self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True) - + self.sock.set_ssl_option(ssl_require_safe_negotiation, False) + self.sock.set_ssl_option(ssl_enable_renegotiation, ssl_renegotiate_requires_xtn) # Provide a callback which notifies us when the SSL handshake is complete self.sock.set_handshake_callback(self.handshake_callback) 
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 5c6c49e4b1780e5b64815cad2c39c7994d981cd4..b9fdd3ea63f7ba129a106442e3ab500e7afc25bd 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -69,6 +69,8 @@ ADMIN_SECURE_PORT=9445 EE_CLIENT_AUTH_PORT=9446 UNSECURE_PORT=9180 TOMCAT_SERVER_PORT=9701 +PKI_PROXY_FILE=/etc/pki-ca/proxy-ipa.conf +PKI_PROXY_LINK=/etc/httpd/conf.d/proxy-ipa.conf # We need to reset the template because the CA uses the regular boot # information @@ -257,6 +259,7 @@ class CADSInstance(service.Service): self.step(creating directory server user, self.__create_ds_user) self.step(creating directory server instance, self.__create_instance) + self.step(restarting directory server, self.restart_instance)
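Review bot: `PKI_PROXY_LINK` makes httpd read its proxy configuration through a symlink into `/etc/pki-ca/`, a directory pkicreate sets up for `pkiuser`, so the readability, mode and SELinux label of the target are whatever pkicreate chose rather than what httpd expects for `/etc/httpd/conf.d`; the hunk is cut off before the code that creates and removes the link, but that code should either copy the file into `/etc/httpd/conf.d` or make sure the target is readable by httpd under the enforced policy, and the uninstall check should use `os.path.islink` (or `os.path.lexists`) rather than `os.path.isfile`, which follows the link and returns False once `/etc/pki-ca` has already been removed, leaving a dangling link behind. The added "restarting directory server" step in `CADSInstance` is unrelated to the proxy and should be mentioned in the commit message.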
Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
This version tells pkisilent to use the remote ports for cloning. From fb492c384c7979e93055f9a2e9b27a7856e8b45a Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Wed, 17 Aug 2011 15:36:18 -0400 Subject: [PATCH] enable proxy for dogtag Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL connection. This patch enables renegotiate in the nss configuration file during during apache configuration, as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate. The IPA install uses the internal ports instead of proxying through httpd since httpd is not set up yet. IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose. https://fedorahosted.org/freeipa/ticket/1334 add flag to pkicreate in order to enable using proxy. adding /etc/http/conf.d/ symlink to /etc/pki-ca/proxy.conf. and cleanit up on uninstall --- ipalib/constants.py | 10 +++--- ipapython/dogtag.py |2 +- ipapython/nsslib.py | 15 ++- ipaserver/install/cainstance.py | 17 +++-- ipaserver/install/certs.py|4 ++-- ipaserver/install/httpinstance.py |5 + ipaserver/plugins/dogtag.py |2 +- 7 files changed, 45 insertions(+), 10 deletions(-) diff --git a/ipalib/constants.py b/ipalib/constants.py index 026e0735441eabf8dbe63fffa85da69aa151c5d7..244360fe17dee4ff91b561fb6e3f7b5f4e443726 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -136,9 +136,13 @@ DEFAULT_CONFIG = ( # CA plugin: ('ca_host', FQDN), # Set in Env._finalize_core() -('ca_port', 9180), -('ca_agent_port', 9443), -('ca_ee_port', 9444), +('ca_port', 80), +('ca_agent_port', 443), +('ca_ee_port', 443), +('ca_install_port', 9180), +('ca_agent_install_port',9443 ), +('ca_ee_install_port',9444 ), + # Special CLI: ('prompt_all', False), 
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 969535e4b95d3fc7f7f5202000bb29deef558e32..02f981974e1047a880ed05e428a86b4a4d4a6c21 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py @@ -34,7 +34,7 @@ def get_ca_certchain(ca_host=None): if ca_host is None: ca_host = api.env.ca_host chain = None -conn = httplib.HTTPConnection(ca_host, api.env.ca_port) +conn = httplib.HTTPConnection(ca_host, api.env.ca_install_port) conn.request(GET, /ca/ee/ca/getCertChain) res = conn.getresponse() doc = None diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py index e347d217992a4a549413f3e33d9248a403ee68cd..a0c5a8d36921c6eef3bf4320aab0a0c544ce82fd 100644 --- a/ipapython/nsslib.py +++ b/ipapython/nsslib.py @@ -208,12 +208,25 @@ class NSSConnection(httplib.HTTPConnection, NSSAddressFamilyFallback): self._create_socket() def _create_socket(self): + +#TODO remove the try block once python-nss is guaranteed to + #contain these values + try : + ssl_enable_renegotiation = SSL_ENABLE_RENEGOTIATION #pylint: disable=E0602 + ssl_require_safe_negotiation = SSL_REQUIRE_SAFE_NEGOTIATION #pylint: disable=E0602 + ssl_renegotiate_requires_xtn = SSL_RENEGOTIATE_REQUIRES_XTN #pylint: disable=E0602 + except : + ssl_enable_renegotiation = 20 + ssl_require_safe_negotiation = 21 + ssl_renegotiate_requires_xtn = 2 + # Create the socket here so we can do things like let the caller # override the NSS callbacks self.sock = ssl.SSLSocket(family=self.family) self.sock.set_ssl_option(ssl.SSL_SECURITY, True) self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True) - + self.sock.set_ssl_option(ssl_require_safe_negotiation, False) + self.sock.set_ssl_option(ssl_enable_renegotiation, ssl_renegotiate_requires_xtn) # Provide a callback which notifies us when the SSL handshake is complete self.sock.set_handshake_callback(self.handshake_callback) 
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 5c6c49e4b1780e5b64815cad2c39c7994d981cd4..cb542b874c5a103f823f08618d2ecd8e98267255 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -257,6 +257,7 @@ class CADSInstance(service.Service): self.step(creating directory server user, self.__create_ds_user) self.step(creating directory server instance, self.__create_instance) + self.step(restarting directory server, self.restart_instance) self.start_creation(Configuring directory server for the CA, 30) @@ -476,6 +477,7 @@ class CAInstance(service.Service): return os.path.exists(self.server_root + '/' + PKI_INSTANCE_NAME) + def configure_instance(self, host_name, dm_password, admin_password,
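Review bot: the second cainstance.py hunk in this version only adds a stray blank line (`+` with nothing after it) between `return os.path.exists(...)` and `def configure_instance`; PEP 8 wants exactly one blank line between methods, so this should be dropped from the patch. The commit message says this version "tells pkisilent to use the remote ports for cloning", but the change that does that is not in the hunks shown here, so the description and the diff should be brought back into line.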
Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
NACK. Replicate uses the install code, which grabs the local constants. Need to extend it to use the local constants for a base install, but the remote constants for the replica installs.

On 08/19/2011 01:57 PM, Dmitri Pal wrote:
> On 08/19/2011 01:19 PM, Adam Young wrote:
>> The complete solution for this patch requires changes in Dogtag that Ade Lee is working on right now. In order to test, I have provided a couple of files that I have been using:
>> 1. Apply patch, build and install IPA rpms, run ipaserver-install as per usual.
>> 2. Move the dogtag.conf file into the /etc/httpd/conf.d directory
>> 3. Run the proxy_dogtag.py script to modify the Dogtag instance to accept AJP connections from httpd so httpd can act as a proxy
>> 4. Restart IPA
>> To test:
>> 1. add a host.
>> 2. Generate a csr: http://freeipa.org/page/Certificate_Authority#Request_a_certificate
>> 3. request a certificate for the newly added host.
>> 4. Optionally, Revoke the certificate for the host
> Please do not forget to test the proxy test when replica does not have the CA installed and has to forward the request to the one that has.
Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
With this version, and Ade's patch posted to the PKI list, we have a functioning proxy. I still need to do some cleanup in the /etc/httpd/conf.d directory: the modifications to nss.conf are not removed in uninstall, nor is the symlink to /etc/pki-ca/proxy.conf. We also need to limit the number of suburls of the PKI CA that the proxy exposes. This version exposes all of them. I think we need a very limited subset.

I've created a replica --no-pki and successfully requested a certificate on it.

On 08/19/2011 01:57 PM, Dmitri Pal wrote:
> On 08/19/2011 01:19 PM, Adam Young wrote:
>> The complete solution for this patch requires changes in Dogtag that Ade Lee is working on right now. In order to test, I have provided a couple of files that I have been using:
>> 1. Apply patch, build and install IPA rpms, run ipaserver-install as per usual.
>> 2. Move the dogtag.conf file into the /etc/httpd/conf.d directory
>> 3. Run the proxy_dogtag.py script to modify the Dogtag instance to accept AJP connections from httpd so httpd can act as a proxy
>> 4. Restart IPA
>> To test:
>> 1. add a host.
>> 2. Generate a csr: http://freeipa.org/page/Certificate_Authority#Request_a_certificate
>> 3. request a certificate for the newly added host.
>> 4. Optionally, Revoke the certificate for the host
> Please do not forget to test the proxy test when replica does not have the CA installed and has to forward the request to the one that has.

From 3f0997d97a5815244ea7038b0f207e31d2b857cb Mon Sep 17 00:00:00 2001 
From: Adam Young ayo...@redhat.com Date: Wed, 17 Aug 2011 15:36:18 -0400 Subject: [PATCH] enable proxy for dogtag Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL connection. This patch enables renegotiate in the nss configuration file during during apache configuration, as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate. The IPA install uses the internal ports instead of proxying through httpd since httpd is not set up yet. IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose. https://fedorahosted.org/freeipa/ticket/1334 add flag to pkicreate in order to enable using proxy. adding /etc/http/conf.d/ symlink to /etc/pki-ca/proxy.conf. --- ipalib/constants.py | 10 +++--- ipapython/dogtag.py |2 +- ipapython/nsslib.py | 15 ++- ipaserver/install/cainstance.py |7 +++ ipaserver/install/certs.py|4 ++-- ipaserver/install/httpinstance.py |5 + ipaserver/plugins/dogtag.py |2 +- 7 files changed, 37 insertions(+), 8 deletions(-) diff --git a/ipalib/constants.py b/ipalib/constants.py index 026e0735441eabf8dbe63fffa85da69aa151c5d7..244360fe17dee4ff91b561fb6e3f7b5f4e443726 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -136,9 +136,13 @@ DEFAULT_CONFIG = ( # CA plugin: ('ca_host', FQDN), # Set in Env._finalize_core() -('ca_port', 9180), -('ca_agent_port', 9443), -('ca_ee_port', 9444), +('ca_port', 80), +('ca_agent_port', 443), +('ca_ee_port', 443), +('ca_install_port', 9180), +('ca_agent_install_port',9443 ), +('ca_ee_install_port',9444 ), + # Special CLI: ('prompt_all', False), diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 969535e4b95d3fc7f7f5202000bb29deef558e32..02f981974e1047a880ed05e428a86b4a4d4a6c21 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py 
@@ -34,7 +34,7 @@ def get_ca_certchain(ca_host=None): if ca_host is None: ca_host = api.env.ca_host chain = None -conn = httplib.HTTPConnection(ca_host, api.env.ca_port) +conn = httplib.HTTPConnection(ca_host, api.env.ca_install_port) conn.request(GET, /ca/ee/ca/getCertChain) res = conn.getresponse() doc = None diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py index e347d217992a4a549413f3e33d9248a403ee68cd..a0c5a8d36921c6eef3bf4320aab0a0c544ce82fd 100644 --- a/ipapython/nsslib.py +++ b/ipapython/nsslib.py @@ -208,12 +208,25 @@ class NSSConnection(httplib.HTTPConnection, NSSAddressFamilyFallback): self._create_socket() def _create_socket(self): + +#TODO remove the try block once python-nss is guaranteed to + #contain these values + try : +
[Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
The complete solution for this patch requires changes in Dogtag that Ade Lee is working on right now. In order to test, I have provided a couple of files that I have been using:

1. Apply patch, build and install IPA rpms, run ipaserver-install as per usual.
2. Move the dogtag.conf file into the /etc/httpd/conf.d directory
3. Run the proxy_dogtag.py script to modify the Dogtag instance to accept AJP connections from httpd so httpd can act as a proxy
4. Restart IPA

To test:

1. add a host.
2. Generate a csr: http://freeipa.org/page/Certificate_Authority#Request_a_certificate
3. request a certificate for the newly added host.
4. Optionally, Revoke the certificate for the host

dogtag.conf:

#NSS_SSL_ENABLE_RENEGOTIATION 1
ProxyRequests Off

# matches for ee port
<LocationMatch "^/ca/ee/*|^/ca/renewal|^/ca/certbasedenrollment|^/ca/ocsp|^/ca/enrollment|^/ca/profileSubmit|^/ca/cgi-bin/pkiclient.exe">
    NSSVerifyClient none
    ProxyPassMatch ajp://127.0.0.1:8009/
    ProxyPassReverse ajp://127.0.0.1:8009/
</LocationMatch>

# matches for admin port
<LocationMatch "^/ca/admin/*|^/ca/auths|^/ca/acl|^/ca/server|^/ca/caadmin|^/ca/caprofile|^/ca/jobsScheduler|^/ca/capublisher|^/ca/log|^/ca/ug">
    NSSVerifyClient none
    ProxyPassMatch ajp://127.0.0.1:8009/
    ProxyPassReverse ajp://127.0.0.1:8009/
</LocationMatch>

# matches for agent port and eeca port
<LocationMatch "^/ca/agent/*|^/ca/ca/getCertFromRequest|^/ca/ca/GetBySerial|^/ca/ca/connector|/ca/ca/displayCertFromRequest|^/ca/doRevoke|^/ca/eeca/*">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient require
    ProxyPassMatch ajp://127.0.0.1:8009/
    ProxyPassReverse ajp://127.0.0.1:8009/
</LocationMatch>

# static content
<LocationMatch "^/graphics/*">
    NSSVerifyClient none
    ProxyPassMatch ajp://127.0.0.1:8009/
    ProxyPassReverse ajp://127.0.0.1:8009/
</LocationMatch>

proxy_dogtag.py:

#!/usr/bin/python
from lxml import etree

# Disabling filters in web.xml: every <filter> in the CA webapp carries an
# "active" init-param; set each one to "false" so requests arriving via the
# AJP connector are not rejected by the per-port request filters.
web_xml_path = '/var/lib/pki-ca/webapps/ca/WEB-INF/web.xml'
print("opening " + web_xml_path)
infile = open(web_xml_path, 'r')
doc = etree.parse(infile)
infile.close()
init_param_names = doc.xpath('//web-app/filter/init-param/param-name')
print('init-param_names ')
for name in init_param_names:
    if name.text is not None and name.text.strip() == 'active':
        values = name.xpath('../param-value')
        for value in values:
            value.text = "false"
ofile = open(web_xml_path, 'w')
doc.write(ofile)
print("saving " + web_xml_path)
ofile.close()

# adding <Connector port="8009" protocol="AJP/1.3" redirectPort="9444" />
# to server.xml, unless the Catalina service already has one on port 8009
server_xml_path = "/etc/pki-ca/server.xml"
infile = open(server_xml_path, 'r')
doc = etree.parse(infile)
infile.close()
catalina = doc.xpath('Service[@name="Catalina"]')
port8009 = catalina[0].xpath('Connector[@port="8009"]')
if len(port8009) > 0:
    print("Port 8009 found ")
else:
    print("No Port 8009 defined ")
    port8009 = etree.XML('<Connector port="8009" protocol="AJP/1.3" redirectPort="9444" />')
    catalina[0].append(port8009)
ofile = open(server_xml_path, 'w')
doc.write(ofile)
ofile.close()

From 706d0415c714a2f14ced774ace1b6a61eef482a1 Mon Sep 17 00:00:00 2001 
From: Adam Young ayo...@redhat.com Date: Wed, 17 Aug 2011 15:36:18 -0400 Subject: [PATCH] enable proxy for dogtag Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL connection. This patch enables renegotiate in the nss configuration file during during apache configuration, as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate. The IPA install uses the internal ports instead of proxying through httpd since httpd is not set up yet. IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose. https://fedorahosted.org/freeipa/ticket/1334 --- ipalib/constants.py | 10 +++--- ipapython/dogtag.py |2 +- ipapython/nsslib.py | 15 ++- ipaserver/install/certs.py|4 ++-- ipaserver/install/httpinstance.py |5 + ipaserver/plugins/dogtag.py |2 +- 6 files changed, 30 insertions(+), 8 deletions(-) diff --git a/ipalib/constants.py b/ipalib/constants.py index 026e0735441eabf8dbe63fffa85da69aa151c5d7..244360fe17dee4ff91b561fb6e3f7b5f4e443726 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -136,9 +136,13 @@ DEFAULT_CONFIG = ( # CA plugin: ('ca_host', FQDN), # Set in Env._finalize_core() -('ca_port', 9180), -('ca_agent_port', 9443), -('ca_ee_port', 9444), +('ca_port', 80), +('ca_agent_port', 443), +('ca_ee_port', 443), +('ca_install_port', 9180), +('ca_agent_install_port',9443 ), +('ca_ee_install_port',9444 ), + # Special CLI: ('prompt_all',
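The <LocationMatch> sections in the dogtag.conf attached to the original post, and the remark later in the thread that the proxy currently exposes all of the CA's sub-URLs and should expose a very limited subset, can be checked mechanically. The following is an added example, not code from the thread or from FreeIPA: it copies the four sections as (regex, NSSVerifyClient) pairs in configuration order, applies Apache's rule that later <LocationMatch> sections override earlier ones for the same directive, and reports which request paths the proxy forwards without a client certificate, which require one, and which regex alternatives match more than their prefix suggests (an alternative ending in `/*` matches zero or more slashes, so `^/ca/ee/*` also matches `/ca/eeca/...`; one without `^` matches anywhere in the path). The sample paths in the test are constructed.

```python
import re

# Constructed copy of the four <LocationMatch> regexes from the posted
# dogtag.conf, in configuration order, with their NSSVerifyClient value.
PROXY_SECTIONS = [
    (r"^/ca/ee/*|^/ca/renewal|^/ca/certbasedenrollment|^/ca/ocsp|"
     r"^/ca/enrollment|^/ca/profileSubmit|^/ca/cgi-bin/pkiclient.exe", "none"),
    (r"^/ca/admin/*|^/ca/auths|^/ca/acl|^/ca/server|^/ca/caadmin|"
     r"^/ca/caprofile|^/ca/jobsScheduler|^/ca/capublisher|^/ca/log|^/ca/ug", "none"),
    (r"^/ca/agent/*|^/ca/ca/getCertFromRequest|^/ca/ca/GetBySerial|"
     r"^/ca/ca/connector|/ca/ca/displayCertFromRequest|^/ca/doRevoke|^/ca/eeca/*", "require"),
    (r"^/graphics/*", "none"),
]


def effective_policy(path, sections=PROXY_SECTIONS):
    """Return (proxied, verify_client) for one request path.

    Apache applies <LocationMatch> sections in configuration order and a later
    matching section overrides an earlier one for the same directive, so the
    last match decides NSSVerifyClient. ProxyPassMatch only exists inside the
    sections, so a path matched by none of them is not proxied at all.
    """
    proxied = False
    verify = None
    for regex, verify_client in sections:
        if re.search(regex, path):
            proxied = True
            verify = verify_client
    return proxied, verify


def exposure_report(paths, sections=PROXY_SECTIONS):
    """Bucket paths by what the proxy does with them."""
    report = {"not_proxied": [], "require": [], "none": []}
    for path in paths:
        proxied, verify = effective_policy(path, sections)
        if not proxied:
            report["not_proxied"].append(path)
        else:
            report[verify].append(path)
    return report


def overreaching_alternatives(sections=PROXY_SECTIONS):
    """List regex alternatives that match more than their literal prefix.

    Returns (alternative, reason) pairs: an alternative without a leading '^'
    matches anywhere in the path, and one ending in '/*' matches zero slashes
    too, so '^/ca/ee/*' also matches '/ca/eeca/...' and '^/ca/admin/*' matches
    '/ca/adminXYZ'.
    """
    findings = []
    for regex, _ in sections:
        for alt in regex.split("|"):
            if not alt.startswith("^"):
                findings.append((alt, "not anchored at start of path"))
            elif alt.endswith("/*"):
                findings.append((alt, "'/*' matches zero slashes; also matches longer names with the same prefix"))
    return findings


if __name__ == "__main__":
    # Constructed sample paths; /ca/services is a CA URL no section lists.
    sample = ["/ca/ee/ca/getCertChain", "/ca/eeca/ca/profileSubmit",
              "/ca/admin/console/config/login", "/ca/agent/ca/displayBySerial",
              "/ca/services"]
    for bucket, paths in exposure_report(sample).items():
        print(bucket, paths)
    for alt, reason in overreaching_alternatives():
        print(alt, "->", reason)
```

Running it shows that the admin interface (`/ca/admin/...`, `/ca/acl`, `/ca/auths`, ...) is forwarded with `NSSVerifyClient none`, which is the exposure the thread wants narrowed, and that `/ca/eeca/...` ends up with `require` only because the agent/eeca section comes after the ee section; reordering the sections would silently change that.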
Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
On 08/19/2011 01:19 PM, Adam Young wrote:
> The complete solution for this patch requires changes in Dogtag that Ade Lee is working on right now. In order to test, I have provided a couple of files that I have been using:
> 1. Apply patch, build and install IPA rpms, run ipaserver-install as per usual.
> 2. Move the dogtag.conf file into the /etc/httpd/conf.d directory
> 3. Run the proxy_dogtag.py script to modify the Dogtag instance to accept AJP connections from httpd so httpd can act as a proxy
> 4. Restart IPA
> To test:
> 1. add a host.
> 2. Generate a csr: http://freeipa.org/page/Certificate_Authority#Request_a_certificate
> 3. request a certificate for the newly added host.
> 4. Optionally, Revoke the certificate for the host

Please do not forget to test the proxy test when replica does not have the CA installed and has to forward the request to the one that has.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/