Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag

2011-09-05 Thread Adam Young

On 08/29/2011 05:58 PM, Simo Sorce wrote:

On Fri, 2011-08-26 at 22:28 -0400, Adam Young wrote:

On 08/26/2011 08:57 PM, Adam Young wrote:

On 08/26/2011 06:30 PM, Simo Sorce wrote:

On Fri, 2011-08-26 at 17:41 -0400, Adam Young wrote:

On 08/26/2011 02:34 PM, Simo Sorce wrote:

On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote:

On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote:

On 08/25/2011 05:24 PM, Adam Young wrote:

Uses the updated version of pkicreate which makes an ipa specific
proxy config file.


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

The test for the proxy file in /etc/httpd/conf.d was isfile, but
since the file is actually a symlink, it needs to be islink. This
one checks for either.

Nack, install fails after configuring the http service.
Restart bails out

Using export SYSTEMCTL_SKIP_REDIRECT=1 to get systemd out of the
way (it was suppressing the error output), I get a permission denied
error trying to open /etc/httpd/conf.d/proxy-ipa.conf.
That's a symlink into /etc/pki-ca/proxy-ipa.conf, which is a file
owned by pkiuser:pkiuser with permission 660 (therefore not readable
by the apache user).

Ok, it turns out permissions are not the real issue, as the file is read
while apache is still root; it's a selinux issue.
Apache starts if I setenforce 0.

Still a NACK of course, it needs to work with selinux in enforcing
mode.

Simo.


This version owns the proxy config file.  It works with setenforce 0,
but does not work with SELinux, so, preemptive-nack. But I will be gone
for a week, so if someone wants to pick this up and run with it, start
from here.

The previous patch with the corrected isfile vs islink issue works fine
as long as the SELinux policy is fixed to allow access
to /etc/pki-ca/proxy-ipa.conf

I have tested a master and then replica install with no issues after I
loaded a custom SELinux policy that allows that.

So tentative ACK to the former patch.
I will discuss with Ade how to resolve the SELinux issue and will push to
master once that is solved.

Simo.


Previous patch is based on a change for PKI-CA that we are not going
to push, so we can't go with that.  The file
/etc/pki-ca/proxy-ipa.conf will not be available for IPA to use.
Whatever the issue is with this patch it has to be fairly minor.  The
difference in approach is that this one includes the conf file and
places it in /etc/httpd/conf.d.  The problem is possibly the fact that
this one uses localhost instead of the FQDN, although I did test it
both ways prior to adding it to the RPM, and it worked with localhost
and SELinux in enforcing mode.


Failure seems to be from this step in the install log:



After configuration, the server can be operated by the command:

  /sbin/service pki-cad restart pki-ca


2011-08-26 21:51:47,114 DEBUG stderr=[error] FAILED
run_command(/sbin/service p
ki-cad restart pki-ca), exit status=126 output=Stopping pki-ca: [  OK  ]
/usr/bin/runcon: /var/lib/pki-ca/pki-ca: Permission denied


And in the Audit log:


type=AVC msg=audit(1314409907.089:2397): avc:  denied  { transition }
for  pid=21040 comm=runcon path=/etc/rc.d/init.d/tomcat6 dev=dm-0
ino=35449 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process
type=AVC msg=audit(1314410048.272:2398): avc:  denied  { transition }
for  pid=21124 comm=runcon path=/etc/rc.d/init.d/tomcat6 dev=dm-0
ino=35449 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process


I guess these AVCs were due to mislabeling of your development system.
I tried multiple times w/o any issues.

I added a few minor corrections.

a) actually copying the file to /etc/httpd/conf.d was missing, I do that
as an additional final configuration step in cainstance.py
b) renamed the file to ipa-pki-proxy.conf, the original name was fine as
a dogtag file, but as an ipa file it lacked context
c) I added an httpd server restart in ipa-ca-install as that script does
not otherwise restart apache and we need it to read the new conf file
that was just dropped down.

This was tested and pushed to master.

Simo.

Thanks Simo.  Considering that this happened a few days back, I'm
guessing that it hasn't blown up on anyone yet.




Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag

2011-08-30 Thread Rob Crittenden

Simo Sorce wrote:

On Fri, 2011-08-26 at 22:28 -0400, Adam Young wrote:

On 08/26/2011 08:57 PM, Adam Young wrote:

On 08/26/2011 06:30 PM, Simo Sorce wrote:

On Fri, 2011-08-26 at 17:41 -0400, Adam Young wrote:

On 08/26/2011 02:34 PM, Simo Sorce wrote:

On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote:

On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote:

On 08/25/2011 05:24 PM, Adam Young wrote:

Uses the updated version of pkicreate which makes an ipa specific
proxy config file.



The test for the proxy file in /etc/httpd/conf.d was isfile, but
since the file is actually a symlink, it needs to be islink. This
one checks for either.

Nack, install fails after configuring the http service.
Restart bails out

Using export SYSTEMCTL_SKIP_REDIRECT=1 to get systemd out of the
way (it was suppressing the error output), I get a permission denied
error trying to open /etc/httpd/conf.d/proxy-ipa.conf.
That's a symlink into /etc/pki-ca/proxy-ipa.conf, which is a file
owned by pkiuser:pkiuser with permission 660 (therefore not readable
by the apache user).

Ok, it turns out permissions are not the real issue, as the file is read
while apache is still root; it's a selinux issue.
Apache starts if I setenforce 0.

Still a NACK of course, it needs to work with selinux in enforcing
mode.

Simo.


This version owns the proxy config file.  It works with setenforce 0,
but does not work with SELinux, so, preemptive-nack. But I will be gone
for a week, so if someone wants to pick this up and run with it, start
from here.

The previous patch with the corrected isfile vs islink issue works fine
as long as the SELinux policy is fixed to allow access
to /etc/pki-ca/proxy-ipa.conf

I have tested a master and then replica install with no issues after I
loaded a custom SELinux policy that allows that.

So tentative ACK to the former patch.
I will discuss with Ade how to resolve the SELinux issue and will push to
master once that is solved.

Simo.


Previous patch is based on a change for PKI-CA that we are not going
to push, so we can't go with that.  The file
/etc/pki-ca/proxy-ipa.conf will not be available for IPA to use.
Whatever the issue is with this patch it has to be fairly minor.  The
difference in approach is that this one includes the conf file and
places it in /etc/httpd/conf.d.  The problem is possibly the fact that
this one uses localhost instead of the FQDN, although I did test it
both ways prior to adding it to the RPM, and it worked with localhost
and SELinux in enforcing mode.


Failure seems to be from this step in the install log:



After configuration, the server can be operated by the command:

  /sbin/service pki-cad restart pki-ca


2011-08-26 21:51:47,114 DEBUG stderr=[error] FAILED
run_command(/sbin/service p
ki-cad restart pki-ca), exit status=126 output=Stopping pki-ca: [  OK  ]
/usr/bin/runcon: /var/lib/pki-ca/pki-ca: Permission denied


And in the Audit log:


type=AVC msg=audit(1314409907.089:2397): avc:  denied  { transition }
for  pid=21040 comm=runcon path=/etc/rc.d/init.d/tomcat6 dev=dm-0
ino=35449 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process
type=AVC msg=audit(1314410048.272:2398): avc:  denied  { transition }
for  pid=21124 comm=runcon path=/etc/rc.d/init.d/tomcat6 dev=dm-0
ino=35449 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process



I guess these AVCs were due to mislabeling of your development system.
I tried multiple times w/o any issues.

I added a few minor corrections.

a) actually copying the file to /etc/httpd/conf.d was missing, I do that
as an additional final configuration step in cainstance.py
b) renamed the file to ipa-pki-proxy.conf, the original name was fine as
a dogtag file, but as an ipa file it lacked context
c) I added an httpd server restart in ipa-ca-install as that script does
not otherwise restart apache and we need it to read the new conf file
that was just dropped down.

This was tested and pushed to master.

Simo.



I pushed it to ipa-2-1.



Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag

2011-08-29 Thread Simo Sorce
On Fri, 2011-08-26 at 22:28 -0400, Adam Young wrote:
 On 08/26/2011 08:57 PM, Adam Young wrote:
  On 08/26/2011 06:30 PM, Simo Sorce wrote:
  On Fri, 2011-08-26 at 17:41 -0400, Adam Young wrote:
  On 08/26/2011 02:34 PM, Simo Sorce wrote:
  On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote:
  On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote:
  On 08/25/2011 05:24 PM, Adam Young wrote:
  Uses the updated version of pkicreate which makes an ipa specific
  proxy config file.
 
 
  The test for the proxy file in /etc/httpd/conf.d was isfile, but
  since the file is actually a symlink, it needs to be islink. This
  one checks for either.
  Nack, install fails after configuring the http service.
  Restart bails out
 
  Using export SYSTEMCTL_SKIP_REDIRECT=1 to get systemd out of the
  way (it was suppressing the error output), I get a permission denied
  error trying to open /etc/httpd/conf.d/proxy-ipa.conf.
  That's a symlink into /etc/pki-ca/proxy-ipa.conf, which is a file
  owned by pkiuser:pkiuser with permission 660 (therefore not readable
  by the apache user).
  Ok, it turns out permissions are not the real issue, as the file is read
  while apache is still root; it's a selinux issue.
  Apache starts if I setenforce 0.
 
  Still a NACK of course, it needs to work with selinux in enforcing
  mode.
 
  Simo.
 
  This version owns the proxy config file.  It works with setenforce 0,
  but does not work with SELinux, so, preemptive-nack. But I will be gone
  for a week, so if someone wants to pick this up and run with it, start
  from here.
  The previous patch with the corrected isfile vs islink issue works fine
  as long as the SELinux policy is fixed to allow access
  to /etc/pki-ca/proxy-ipa.conf
 
  I have tested a master and then replica install with no issues after I
  loaded a custom SELinux policy that allows that.
 
  So tentative ACK to the former patch.
  I will discuss with Ade how to resolve the SELinux issue and will push to
  master once that is solved.
 
  Simo.
 
  Previous patch is based on a change for PKI-CA that we are not going 
  to push, so we can't go with that.  The file 
  /etc/pki-ca/proxy-ipa.conf will not be available for IPA to use.  
  Whatever the issue is with this patch it has to be fairly minor.  The 
  difference in approach is that this one includes the conf file and 
  places it in /etc/httpd/conf.d.  The problem is possibly the fact that 
  this one uses localhost instead of the FQDN, although I did test it 
  both ways prior to adding it to the RPM, and it worked with localhost 
  and SELinux in enforcing mode.
 
 Failure seems to be from this step in the install log:
 
 
 
 After configuration, the server can be operated by the command:
 
  /sbin/service pki-cad restart pki-ca
 
 
 2011-08-26 21:51:47,114 DEBUG stderr=[error] FAILED 
 run_command(/sbin/service p
 ki-cad restart pki-ca), exit status=126 output=Stopping pki-ca: [  OK  ]
 /usr/bin/runcon: /var/lib/pki-ca/pki-ca: Permission denied
 
 
 And in the Audit log:
 
 
 type=AVC msg=audit(1314409907.089:2397): avc:  denied  { transition } 
 for  pid=21040 comm=runcon path=/etc/rc.d/init.d/tomcat6 dev=dm-0 
 ino=35449 scontext=system_u:system_r:kernel_t:s0 
 tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process
 type=AVC msg=audit(1314410048.272:2398): avc:  denied  { transition } 
 for  pid=21124 comm=runcon path=/etc/rc.d/init.d/tomcat6 dev=dm-0 
 ino=35449 scontext=system_u:system_r:kernel_t:s0 
 tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process


I guess these AVCs were due to mislabeling of your development system.
I tried multiple times w/o any issues.

I added a few minor corrections.

a) actually copying the file to /etc/httpd/conf.d was missing, I do that
as an additional final configuration step in cainstance.py
b) renamed the file to ipa-pki-proxy.conf, the original name was fine as
a dogtag file, but as an ipa file it lacked context
c) I added an httpd server restart in ipa-ca-install as that script does
not otherwise restart apache and we need it to read the new conf file
that was just dropped down.

This was tested and pushed to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag

2011-08-26 Thread Simo Sorce
On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote:
 On 08/25/2011 05:24 PM, Adam Young wrote: 
  Uses the updated version of pkicreate which makes an ipa specific
  proxy config file. 
  
  
 The test for the proxy file in /etc/httpd/conf.d was isfile, but
 since the file is actually a symlink, it needs to be islink. This
 one checks for either.

Nack, install fails after configuring the http service.
Restart bails out

Using export SYSTEMCTL_SKIP_REDIRECT=1 to get systemd out of the way (it
was suppressing the error output), I get a permission denied error
trying to open /etc/httpd/conf.d/proxy-ipa.conf.
That's a symlink into /etc/pki-ca/proxy-ipa.conf, which is a file owned
by pkiuser:pkiuser with permission 660 (therefore not readable by the
apache user).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag

2011-08-26 Thread Simo Sorce
On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote:
 On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote:
  On 08/25/2011 05:24 PM, Adam Young wrote: 
   Uses the updated version of pkicreate which makes an ipa specific
   proxy config file. 
   
   
  The test for the proxy file in /etc/httpd/conf.d was isfile, but
  since the file is actually a symlink, it needs to be islink. This
  one checks for either.
 
 Nack, install fails after configuring the http service.
 Restart bails out
 
 Using export SYSTEMCTL_SKIP_REDIRECT=1 to get systemd out of the way (it
 was suppressing the error output), I get a permission denied error
 trying to open /etc/httpd/conf.d/proxy-ipa.conf.
 That's a symlink into /etc/pki-ca/proxy-ipa.conf, which is a file owned
 by pkiuser:pkiuser with permission 660 (therefore not readable by the
 apache user).

Ok, it turns out permissions are not the real issue, as the file is read
while apache is still root; it's a selinux issue.
Apache starts if I setenforce 0.

Still a NACK of course, it needs to work with selinux in enforcing mode.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag

2011-08-26 Thread Adam Young

On 08/26/2011 02:34 PM, Simo Sorce wrote:

On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote:

On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote:

On 08/25/2011 05:24 PM, Adam Young wrote:

Uses the updated version of pkicreate which makes an ipa specific
proxy config file.



The test for the proxy file in /etc/httpd/conf.d was isfile, but
since the file is actually a symlink, it needs to be islink. This
one checks for either.

Nack, install fails after configuring the http service.
Restart bails out

Using export SYSTEMCTL_SKIP_REDIRECT=1 to get systemd out of the way (it
was suppressing the error output), I get a permission denied error
trying to open /etc/httpd/conf.d/proxy-ipa.conf.
That's a symlink into /etc/pki-ca/proxy-ipa.conf, which is a file owned
by pkiuser:pkiuser with permission 660 (therefore not readable by the
apache user).

Ok, it turns out permissions are not the real issue, as the file is read
while apache is still root; it's a selinux issue.
Apache starts if I setenforce 0.

Still a NACK of course, it needs to work with selinux in enforcing mode.

Simo.

This version owns the proxy config file.  It works with setenforce 0, 
but does not work with SELinux, so, preemptive-nack. But I will be gone 
for a week, so if someone wants to pick this up and run with it, start 
from here.
From 00b43e83864f9a27b20b1d2e90010c7cee007d19 Mon Sep 17 00:00:00 2001
From: Adam Young ayo...@redhat.com
Date: Wed, 17 Aug 2011 15:36:18 -0400
Subject: [PATCH] enable proxy for dogtag

Dogtag is going to be proxied through httpd.  To make this work, it has to support renegotiation of the SSL
connection.  This patch enables renegotiate in the nss configuration file during apache configuration,
as well as modifies libnss to set the appropriate options on the ssl connection in order to renegotiate.

The IPA install uses the internal ports instead of proxying through
httpd since httpd is not set up yet.

IPA needs to request the certificate through a port that uses authentication.  On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed to /ca/ee/ca just for this purpose.

https://fedorahosted.org/freeipa/ticket/1334

add flag to pkicreate in order to enable using proxy.

add the proxy file in /etc/httpd/conf.d/
---
 freeipa.spec.in   |3 +++
 install/conf/Makefile.am  |1 +
 install/conf/proxy-ipa.conf   |   25 +
 ipalib/constants.py   |   10 +++---
 ipapython/dogtag.py   |2 +-
 ipapython/nsslib.py   |   15 ++-
 ipaserver/install/cainstance.py   |6 --
 ipaserver/install/certs.py|4 ++--
 ipaserver/install/httpinstance.py |5 +
 ipaserver/plugins/dogtag.py   |2 +-
 10 files changed, 63 insertions(+), 10 deletions(-)
 create mode 100644 install/conf/proxy-ipa.conf

diff --git a/freeipa.spec.in b/freeipa.spec.in
index d25aee693591243da2adf01319869c60919d2dd0..c8a125a834a159401c295a0080f371a968435c21 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -304,6 +304,7 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/ipa_error.css \
 # So we can own our Apache configuration
 mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
 /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf
+/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/proxy-ipa.conf
 /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
 mkdir -p %{buildroot}%{_initrddir}
 install -m755 ipa.init %{buildroot}%{_initrddir}/ipa
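Review bot: the new drop-in is called proxy-ipa.conf while the existing IPA files in httpd/conf.d are ipa.conf and ipa-rewrite.conf; an ipa-prefixed name such as ipa-pki-proxy.conf keeps IPA's conf.d files grouped together and says what the proxy is for when it sits next to other packages' snippets. Whichever name is chosen has to match in the touch here, in the %files entries and in the install code that writes the file.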
@@ -449,8 +450,10 @@ fi
 %config(noreplace) %{_sysconfdir}/ipa/html/hbac-deny-remove.html
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
+%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/proxy-ipa.conf
 %{_usr}/share/ipa/ipa.conf
 %{_usr}/share/ipa/ipa-rewrite.conf
+%{_usr}/share/ipa/proxy-ipa.conf
 %dir %{_usr}/share/ipa/updates/
 %{_usr}/share/ipa/updates/*
 %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
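Review bot: the %ghost entry claims /etc/httpd/conf.d/proxy-ipa.conf for the package and the template is installed under /usr/share/ipa, but no visible hunk in this patch copies the template into conf.d during installation, and the diffstat shows only a handful of changed lines in cainstance.py and httpinstance.py. Please confirm there is an explicit copy step; without it the ghost entry is never backed by a real file and httpd will not load the proxy configuration at all (the follow-up later in this thread reports exactly that step as missing).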
diff --git a/install/conf/Makefile.am b/install/conf/Makefile.am
index e00ad618f47b704d3fb6451545fe3fbfaa1b31a9..2055f4e93bf7b884f318315eced8da1208d13a65 100644
--- a/install/conf/Makefile.am
+++ b/install/conf/Makefile.am
@@ -3,6 +3,7 @@ NULL =
 appdir = $(IPA_DATA_DIR)
 app_DATA =  \
 	ipa.conf			\
+	proxy-ipa.conf			\
 	ipa-rewrite.conf		\
 	$(NULL)
 
diff --git a/install/conf/proxy-ipa.conf b/install/conf/proxy-ipa.conf
new file mode 100644
index ..af949209f897c274fce6137e8a4ac6a19da263db
--- /dev/null
+++ b/install/conf/proxy-ipa.conf
@@ -0,0 +1,25 @@
+ProxyRequests Off
+
+# matches for ee port
+LocationMatch 
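Review bot: ProxyRequests Off is the right opening line for a reverse-proxy snippet, since it stops httpd from acting as an open forward proxy for arbitrary hosts. This copy of the hunk is cut off right after the LocationMatch line, so the rules that decide which Dogtag paths are exposed on port 443, and whether the authenticated /ca/eeca/ca mapping mentioned in the commit message is restricted to the clients that need it, cannot be reviewed from this message; please resend the full file.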

Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag

2011-08-26 Thread Simo Sorce
On Fri, 2011-08-26 at 17:41 -0400, Adam Young wrote:
 On 08/26/2011 02:34 PM, Simo Sorce wrote:
  On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote:
  On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote:
  On 08/25/2011 05:24 PM, Adam Young wrote:
  Uses the updated version of pkicreate which makes an ipa specific
  proxy config file.
 
 
  The test for the proxy file in /etc/httpd/conf.d was isfile, but
  since the file is actually a symlink, it needs to be islink. This
  one checks for either.
  Nack, install fails after configuring the http service.
  Restart bails out
 
  Using export SYSTEMCTL_SKIP_REDIRECT=1 to get systemd out of the way (it
  was suppressing the error output), I get a permission denied error
  trying to open /etc/httpd/conf.d/proxy-ipa.conf.
  That's a symlink into /etc/pki-ca/proxy-ipa.conf, which is a file owned
  by pkiuser:pkiuser with permission 660 (therefore not readable by the
  apache user).
  Ok, it turns out permissions are not the real issue, as the file is read
  while apache is still root; it's a selinux issue.
  Apache starts if I setenforce 0.
 
  Still a NACK of course, it needs to work with selinux in enforcing mode.
 
  Simo.
 
 This version owns the proxy config file.  It works with setenforce 0, 
 but does not work with SELinux, so, preemptive-nack. But I will be gone 
 for a week, so if someone wants to pick this up and run with it, start 
 from here.

The previous patch with the corrected isfile vs islink issue works fine
as long as the SELinux policy is fixed to allow access
to /etc/pki-ca/proxy-ipa.conf

I have tested a master and then replica install with no issues after I
loaded a custom SELinux policy that allows that.

So tentative ACK to the former patch.
I will discuss with Ade how to resolve the SELinux issue and will push to
master once that is solved.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag

2011-08-26 Thread Adam Young

On 08/26/2011 06:30 PM, Simo Sorce wrote:

On Fri, 2011-08-26 at 17:41 -0400, Adam Young wrote:

On 08/26/2011 02:34 PM, Simo Sorce wrote:

On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote:

On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote:

On 08/25/2011 05:24 PM, Adam Young wrote:

Uses the updated version of pkicreate which makes an ipa specific
proxy config file.



The test for the proxy file in /etc/httpd/conf.d was isfile, but
since the file is actually a symlink, it needs to be islink. This
one checks for either.

Nack, install fails after configuring the http service.
Restart bails out

Using export SYSTEMCTL_SKIP_REDIRECT=1 to get systemd out of the way (it
was suppressing the error output), I get a permission denied error
trying to open /etc/httpd/conf.d/proxy-ipa.conf.
That's a symlink into /etc/pki-ca/proxy-ipa.conf, which is a file owned
by pkiuser:pkiuser with permission 660 (therefore not readable by the
apache user).

Ok, it turns out permissions are not the real issue, as the file is read
while apache is still root; it's a selinux issue.
Apache starts if I setenforce 0.

Still a NACK of course, it needs to work with selinux in enforcing mode.

Simo.


This version owns the proxy config file.  It works with setenforce 0,
but does not work with SELinux, so, preemptive-nack. But I will be gone
for a week, so if someone wants to pick this up and run with it, start
from here.

The previous patch with the corrected isfile vs islink issue works fine
as long as the SELinux policy is fixed to allow access
to /etc/pki-ca/proxy-ipa.conf

I have tested a master and then replica install with no issues after I
loaded a custom SELinux policy that allows that.

So tentative ACK to the former patch.
I will discuss with Ade how to resolve the SELinux issue and will push to
master once that is solved.

Simo.

Previous patch is based on a change for PKI-CA that we are not going to 
push, so we can't go with that.  The file /etc/pki-ca/proxy-ipa.conf 
will not be available for IPA to use.  Whatever the issue is with this 
patch it has to be fairly minor.  The difference in approach is that 
this one includes the conf file and places it in /etc/httpd/conf.d.  The 
problem is possibly the fact that this one uses localhost instead of the 
FQDN, although I did test it both ways prior to adding it to the RPM, 
and it worked with localhost and SELinux in enforcing mode.




Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag

2011-08-26 Thread Adam Young

On 08/26/2011 08:57 PM, Adam Young wrote:

On 08/26/2011 06:30 PM, Simo Sorce wrote:

On Fri, 2011-08-26 at 17:41 -0400, Adam Young wrote:

On 08/26/2011 02:34 PM, Simo Sorce wrote:

On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote:

On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote:

On 08/25/2011 05:24 PM, Adam Young wrote:

Uses the updated version of pkicreate which makes an ipa specific
proxy config file.



The test for the proxy file in /etc/httpd/conf.d was isfile, but
since the file is actually a symlink, it needs to be islink. This
one checks for either.

Nack, install fails after configuring the http service.
Restart bails out

Using export SYSTEMCTL_SKIP_REDIRECT=1 to get systemd out of the
way (it was suppressing the error output), I get a permission denied
error trying to open /etc/httpd/conf.d/proxy-ipa.conf.
That's a symlink into /etc/pki-ca/proxy-ipa.conf, which is a file
owned by pkiuser:pkiuser with permission 660 (therefore not readable
by the apache user).

Ok, it turns out permissions are not the real issue, as the file is read
while apache is still root; it's a selinux issue.
Apache starts if I setenforce 0.

Still a NACK of course, it needs to work with selinux in enforcing
mode.


Simo.


This version owns the proxy config file.  It works with setenforce 0,
but does not work with SELinux, so, preemptive-nack. But I will be gone
for a week, so if someone wants to pick this up and run with it, start
from here.

The previous patch with the corrected isfile vs islink issue works fine
as long as the SELinux policy is fixed to allow access
to /etc/pki-ca/proxy-ipa.conf

I have tested a master and then replica install with no issues after I
loaded a custom SELinux policy that allows that.

So tentative ACK to the former patch.
I will discuss with Ade how to resolve the SELinux issue and will push to
master once that is solved.

Simo.

Previous patch is based on a change for PKI-CA that we are not going 
to push, so we can't go with that.  The file 
/etc/pki-ca/proxy-ipa.conf will not be available for IPA to use.  
Whatever the issue is with this patch it has to be fairly minor.  The 
difference in approach is that this one includes the conf file and 
places it in /etc/httpd/conf.d.  The problem is possibly the fact that 
this one uses localhost instead of the FQDN, although I did test it 
both ways prior to adding it to the RPM, and it worked with localhost 
and SELinux in enforcing mode.



Failure seems to be from this step in the install log:



After configuration, the server can be operated by the command:

/sbin/service pki-cad restart pki-ca


2011-08-26 21:51:47,114 DEBUG stderr=[error] FAILED 
run_command(/sbin/service p

ki-cad restart pki-ca), exit status=126 output=Stopping pki-ca: [  OK  ]
/usr/bin/runcon: /var/lib/pki-ca/pki-ca: Permission denied


And in the Audit log:


type=AVC msg=audit(1314409907.089:2397): avc:  denied  { transition } 
for  pid=21040 comm=runcon path=/etc/rc.d/init.d/tomcat6 dev=dm-0 
ino=35449 scontext=system_u:system_r:kernel_t:s0 
tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process
type=AVC msg=audit(1314410048.272:2398): avc:  denied  { transition } 
for  pid=21124 comm=runcon path=/etc/rc.d/init.d/tomcat6 dev=dm-0 
ino=35449 scontext=system_u:system_r:kernel_t:s0 
tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process





Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag

2011-08-25 Thread Adam Young
Uses the updated version of pkicreate which makes an ipa specific proxy 
config file.
From 585eec7bf70f9785742f488334fc7aaa7a1cbdf6 Mon Sep 17 00:00:00 2001
From: Adam Young ayo...@redhat.com
Date: Wed, 17 Aug 2011 15:36:18 -0400
Subject: [PATCH] enable proxy for dogtag

Dogtag is going to be proxied through httpd.  To make this work, it has to support renegotiation of the SSL
connection.  This patch enables renegotiate in the nss configuration file during apache configuration,
as well as modifies libnss to set the appropriate options on the ssl connection in order to renegotiate.

The IPA install uses the internal ports instead of proxying through
httpd since httpd is not set up yet.

IPA needs to request the certificate through a port that uses authentication.  On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed to /ca/ee/ca just for this purpose.

https://fedorahosted.org/freeipa/ticket/1334

add flag to pkicreate in order to enable using proxy.

adding /etc/httpd/conf.d/ symlink to /etc/pki-ca/proxy.conf, and cleans it up on uninstall
---
 ipalib/constants.py   |   10 +++---
 ipapython/dogtag.py   |2 +-
 ipapython/nsslib.py   |   15 ++-
 ipaserver/install/cainstance.py   |   20 ++--
 ipaserver/install/certs.py|4 ++--
 ipaserver/install/httpinstance.py |5 +
 ipaserver/plugins/dogtag.py   |2 +-
 7 files changed, 48 insertions(+), 10 deletions(-)

diff --git a/ipalib/constants.py b/ipalib/constants.py
index 026e0735441eabf8dbe63fffa85da69aa151c5d7..244360fe17dee4ff91b561fb6e3f7b5f4e443726 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -136,9 +136,13 @@ DEFAULT_CONFIG = (
 
 # CA plugin:
 ('ca_host', FQDN),  # Set in Env._finalize_core()
-('ca_port', 9180),
-('ca_agent_port', 9443),
-('ca_ee_port', 9444),
+('ca_port', 80),
+('ca_agent_port', 443),
+('ca_ee_port', 443),
+('ca_install_port', 9180),
+('ca_agent_install_port',9443 ),
+('ca_ee_install_port',9444 ),
+
 
 # Special CLI:
 ('prompt_all', False),
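Review bot: the spacing in ('ca_agent_install_port',9443 ) and ('ca_ee_install_port',9444 ) does not follow the tuple style used elsewhere in DEFAULT_CONFIG; write ('ca_agent_install_port', 9443), and ('ca_ee_install_port', 9444), and drop the extra blank line added after the block. Since ca_agent_port and ca_ee_port are both 443 now, agent and end-entity traffic are no longer separated by port but only by the proxied path, and the 80/443 values silently assume that the httpd proxy is already in place; a one-line comment saying that installer code must use the *_install_port entries would make that contract explicit.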
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 969535e4b95d3fc7f7f5202000bb29deef558e32..02f981974e1047a880ed05e428a86b4a4d4a6c21 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -34,7 +34,7 @@ def get_ca_certchain(ca_host=None):
 if ca_host is None:
 ca_host = api.env.ca_host
 chain = None
-conn = httplib.HTTPConnection(ca_host, api.env.ca_port)
+conn = httplib.HTTPConnection(ca_host, api.env.ca_install_port)
 conn.request(GET, /ca/ee/ca/getCertChain)
 res = conn.getresponse()
 doc = None
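Review bot: `get_ca_certchain()` now always connects to `api.env.ca_install_port`, but `ca_host` is a parameter that defaults to `api.env.ca_host` and can name a remote master; on a replica that port is the remote Dogtag's internal Tomcat port rather than the httpd proxy, so the fetch goes to the wrong place (the NACK later in this thread about replica installs grabbing the local constants is this problem). Either take the port as a parameter alongside `ca_host`, or pick the install port only when `ca_host` is the local machine and the proxied `ca_port` otherwise. Also worth a comment: this is a plain `httplib.HTTPConnection`, so the CA chain is retrieved over cleartext HTTP and is only trustworthy when fetched from the installing host itself; any caller that uses the result to establish trust should fetch it through the TLS proxy or verify it out of band.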
diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py
index e347d217992a4a549413f3e33d9248a403ee68cd..a0c5a8d36921c6eef3bf4320aab0a0c544ce82fd 100644
--- a/ipapython/nsslib.py
+++ b/ipapython/nsslib.py
@@ -208,12 +208,25 @@ class NSSConnection(httplib.HTTPConnection, NSSAddressFamilyFallback):
 self._create_socket()
 
 def _create_socket(self):
+
+#TODO remove the try block once python-nss is guaranteed to
+	#contain these values
+	try :
+	ssl_enable_renegotiation  = SSL_ENABLE_RENEGOTIATION   #pylint: disable=E0602
+		ssl_require_safe_negotiation = SSL_REQUIRE_SAFE_NEGOTIATION  #pylint: disable=E0602
+		ssl_renegotiate_requires_xtn = SSL_RENEGOTIATE_REQUIRES_XTN #pylint: disable=E0602
+	except :
+	ssl_enable_renegotiation  = 20
+		ssl_require_safe_negotiation = 21
+		ssl_renegotiate_requires_xtn = 2
+
 # Create the socket here so we can do things like let the caller
 # override the NSS callbacks
 self.sock = ssl.SSLSocket(family=self.family)
 self.sock.set_ssl_option(ssl.SSL_SECURITY, True)
 self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True)
-
+	self.sock.set_ssl_option(ssl_require_safe_negotiation, False)
+	self.sock.set_ssl_option(ssl_enable_renegotiation, ssl_renegotiate_requires_xtn)
 # Provide a callback which notifies us when the SSL handshake is complete
 self.sock.set_handshake_callback(self.handshake_callback)
 
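Review bot: the `try:` block can never succeed as written: it reads the bare names `SSL_ENABLE_RENEGOTIATION`, `SSL_REQUIRE_SAFE_NEGOTIATION` and `SSL_RENEGOTIATE_REQUIRES_XTN`, while the surrounding code reaches the NSS option constants as module attributes (`ssl.SSL_SECURITY`, `ssl.SSL_HANDSHAKE_AS_CLIENT`), so the lookup raises `NameError` every time and the hard-coded fallbacks 20/21/2 are always used; use `ssl.SSL_ENABLE_RENEGOTIATION` and friends, catch `AttributeError` instead of a bare `except:`, and drop the pylint suppressions. The new lines also mix tabs and spaces (`+	try :`, `+	ssl_enable_renegotiation  = 20`, `+	self.sock.set_ssl_option(...)`) in a space-indented file, which Python will either reject or silently mis-nest. Finally, `set_ssl_option(ssl_require_safe_negotiation, False)` explicitly switches off the requirement for RFC 5746 safe renegotiation, while the commit message only says renegotiation is needed for the proxy; `SSL_RENEGOTIATE_REQUIRES_XTN` already insists on the renegotiation_info extension for the renegotiation itself, so if the mod_nss side supports it, leaving safe negotiation required costs nothing. Either justify the `False` in a comment or remove that line.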
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 5c6c49e4b1780e5b64815cad2c39c7994d981cd4..b9fdd3ea63f7ba129a106442e3ab500e7afc25bd 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -69,6 +69,8 @@ ADMIN_SECURE_PORT=9445
 EE_CLIENT_AUTH_PORT=9446
 UNSECURE_PORT=9180
 TOMCAT_SERVER_PORT=9701
+PKI_PROXY_FILE=/etc/pki-ca/proxy-ipa.conf
+PKI_PROXY_LINK=/etc/httpd/conf.d/proxy-ipa.conf
 
 # We need to reset the template because the CA uses the regular boot
 # information
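Review bot: `PKI_PROXY_LINK` points httpd at a file that lives in Dogtag's own configuration directory (`/etc/pki-ca/proxy-ipa.conf`) via a symlink. That makes the Apache configuration only as trustworthy as the write permissions on `/etc/pki-ca`: whoever can write there can change what httpd proxies and with which client-certificate policy, and the symlink crosses two directories that may carry different SELinux file contexts, so httpd needs policy allowing the read. Prefer installing a root-owned copy directly into `/etc/httpd/conf.d`, or at least document the ownership, mode and label the file is expected to have. Minor: if the extraction has not just dropped them, the two constants should be quoted strings like the other path constants in this block.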
@@ -257,6 +259,7 @@ class CADSInstance(service.Service):
 
 self.step(creating directory server user, self.__create_ds_user)
 self.step(creating directory server instance, self.__create_instance)
+
 self.step(restarting directory server, self.restart_instance)
 
 
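Review bot: this hunk is a whitespace-only change (one blank line added between the `creating directory server instance` and `restarting directory server` steps) with no functional effect; drop it so the diff shows only the proxy changes.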

Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag

2011-08-24 Thread Adam Young

This version tells pkisilent to use the remote ports for cloning.
From fb492c384c7979e93055f9a2e9b27a7856e8b45a Mon Sep 17 00:00:00 2001
From: Adam Young ayo...@redhat.com
Date: Wed, 17 Aug 2011 15:36:18 -0400
Subject: [PATCH] enable proxy for dogtag

Dogtag is going to be proxied through httpd.  To make this work, it has to support renegotiation of the SSL
connection.  This patch enables renegotiate in the nss configuration file during apache configuration,
as well as modifies libnss to set the appropriate options on the ssl connection in order to renegotiate.

The IPA install uses the internal ports instead of proxying through
httpd since  httpd is not set up yet.

IPA needs to request the certificate through a port that uses authentication.  On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed to /ca/ee/ca, just for this purpose.

https://fedorahosted.org/freeipa/ticket/1334

Add a flag to pkicreate in order to enable using the proxy.

Add a /etc/http/conf.d/ symlink to /etc/pki-ca/proxy.conf, and clean it up on uninstall.
---
 ipalib/constants.py   |   10 +++---
 ipapython/dogtag.py   |2 +-
 ipapython/nsslib.py   |   15 ++-
 ipaserver/install/cainstance.py   |   17 +++--
 ipaserver/install/certs.py|4 ++--
 ipaserver/install/httpinstance.py |5 +
 ipaserver/plugins/dogtag.py   |2 +-
 7 files changed, 45 insertions(+), 10 deletions(-)

diff --git a/ipalib/constants.py b/ipalib/constants.py
index 026e0735441eabf8dbe63fffa85da69aa151c5d7..244360fe17dee4ff91b561fb6e3f7b5f4e443726 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -136,9 +136,13 @@ DEFAULT_CONFIG = (
 
 # CA plugin:
 ('ca_host', FQDN),  # Set in Env._finalize_core()
-('ca_port', 9180),
-('ca_agent_port', 9443),
-('ca_ee_port', 9444),
+('ca_port', 80),
+('ca_agent_port', 443),
+('ca_ee_port', 443),
+('ca_install_port', 9180),
+('ca_agent_install_port',9443 ),
+('ca_ee_install_port',9444 ),
+
 
 # Special CLI:
 ('prompt_all', False),
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 969535e4b95d3fc7f7f5202000bb29deef558e32..02f981974e1047a880ed05e428a86b4a4d4a6c21 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -34,7 +34,7 @@ def get_ca_certchain(ca_host=None):
 if ca_host is None:
 ca_host = api.env.ca_host
 chain = None
-conn = httplib.HTTPConnection(ca_host, api.env.ca_port)
+conn = httplib.HTTPConnection(ca_host, api.env.ca_install_port)
 conn.request(GET, /ca/ee/ca/getCertChain)
 res = conn.getresponse()
 doc = None
diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py
index e347d217992a4a549413f3e33d9248a403ee68cd..a0c5a8d36921c6eef3bf4320aab0a0c544ce82fd 100644
--- a/ipapython/nsslib.py
+++ b/ipapython/nsslib.py
@@ -208,12 +208,25 @@ class NSSConnection(httplib.HTTPConnection, NSSAddressFamilyFallback):
 self._create_socket()
 
 def _create_socket(self):
+
+#TODO remove the try block once python-nss is guaranteed to
+	#contain these values
+	try :
+	ssl_enable_renegotiation  = SSL_ENABLE_RENEGOTIATION   #pylint: disable=E0602
+		ssl_require_safe_negotiation = SSL_REQUIRE_SAFE_NEGOTIATION  #pylint: disable=E0602
+		ssl_renegotiate_requires_xtn = SSL_RENEGOTIATE_REQUIRES_XTN #pylint: disable=E0602
+	except :
+	ssl_enable_renegotiation  = 20
+		ssl_require_safe_negotiation = 21
+		ssl_renegotiate_requires_xtn = 2
+
 # Create the socket here so we can do things like let the caller
 # override the NSS callbacks
 self.sock = ssl.SSLSocket(family=self.family)
 self.sock.set_ssl_option(ssl.SSL_SECURITY, True)
 self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True)
-
+	self.sock.set_ssl_option(ssl_require_safe_negotiation, False)
+	self.sock.set_ssl_option(ssl_enable_renegotiation, ssl_renegotiate_requires_xtn)
 # Provide a callback which notifies us when the SSL handshake is complete
 self.sock.set_handshake_callback(self.handshake_callback)
 
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 5c6c49e4b1780e5b64815cad2c39c7994d981cd4..cb542b874c5a103f823f08618d2ecd8e98267255 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -257,6 +257,7 @@ class CADSInstance(service.Service):
 
 self.step(creating directory server user, self.__create_ds_user)
 self.step(creating directory server instance, self.__create_instance)
+
 self.step(restarting directory server, self.restart_instance)
 
 self.start_creation(Configuring directory server for the CA, 30)
@@ -476,6 +477,7 @@ class CAInstance(service.Service):
 
 return os.path.exists(self.server_root + '/' + PKI_INSTANCE_NAME)
 
+
 def configure_instance(self, host_name, dm_password,
admin_password, 
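Review bot: both cainstance.py hunks visible in this version of the patch are whitespace-only (a blank line added before `self.step(restarting directory server, ...)` and another before `def configure_instance`); neither has a functional effect, so drop them and let the diff carry only the proxy-related changes.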

Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag

2011-08-23 Thread Adam Young
NACK.  Replicate uses the install code, which grabs the local 
constants.  Need to extend it to use the local constants for a base 
install, but the remote constants for the replica installs.



On 08/19/2011 01:57 PM, Dmitri Pal wrote:

On 08/19/2011 01:19 PM, Adam Young wrote:
The complete solution for this patch requires changes in Dogtag that 
Ade Lee is working on right now.  In order to test, I have provided a 
couple of files that I have been using:



1.  Apply patch, build and install IPA rpms, run ipaserver-install as 
per usual.

2.  Move the dogtag.conf file into the /etc/httpd/conf.d directory
3.  Run the proxy_dogtag.py script   to modify the Dogtag instance to 
accept AJP connections from httpd so httpd can act as a proxy

4. Restart IPA


To test:

1. add a host.
2.  Generate a csr: 
http://freeipa.org/page/Certificate_Authority#Request_a_certificate

3.  request a certificate for the newly added host.
4.  Optionally, Revoke the certificate for the host




Please do not forget to test the proxy when the replica does not have 
the CA installed and has to forward the request to the one that does.





___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel



--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag

2011-08-22 Thread Adam Young
With this version, and Ade's patch posted to the PKI list, we have a 
functioning proxy.


I still need to do some cleanup in the /etc/httpd/conf.d directory: the 
modifications to nss.conf are not removed in uninstall, nor is the 
symlink to /etc/pki-ca/proxy.conf.


We also need to limit the number of suburls of the PKI CA that the proxy 
exposes.  This version exposes all of them.  I think we need a very 
limited subset.


I've created a replica with --no-pki and successfully requested a 
certificate on it.



On 08/19/2011 01:57 PM, Dmitri Pal wrote:

On 08/19/2011 01:19 PM, Adam Young wrote:
The complete solution for this patch requires changes in Dogtag that 
Ade Lee is working on right now.  In order to test, I have provided a 
couple of files that I have been using:



1.  Apply patch, build and install IPA rpms, run ipaserver-install as 
per usual.

2.  Move the dogtag.conf file into the /etc/httpd/conf.d directory
3.  Run the proxy_dogtag.py script   to modify the Dogtag instance to 
accept AJP connections from httpd so httpd can act as a proxy

4. Restart IPA


To test:

1. add a host.
2.  Generate a csr: 
http://freeipa.org/page/Certificate_Authority#Request_a_certificate

3.  request a certificate for the newly added host.
4.  Optionally, Revoke the certificate for the host




Please do not forget to test the proxy when the replica does not have 
the CA installed and has to forward the request to the one that does.














From 3f0997d97a5815244ea7038b0f207e31d2b857cb Mon Sep 17 00:00:00 2001
From: Adam Young ayo...@redhat.com
Date: Wed, 17 Aug 2011 15:36:18 -0400
Subject: [PATCH] enable proxy for dogtag

Dogtag is going to be proxied through httpd.  To make this work, it has to support renegotiation of the SSL
connection.  This patch enables renegotiate in the nss configuration file during apache configuration,
as well as modifies libnss to set the appropriate options on the ssl connection in order to renegotiate.

The IPA install uses the internal ports instead of proxying through
httpd since  httpd is not set up yet.

IPA needs to request the certificate through a port that uses authentication.  On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed to /ca/ee/ca, just for this purpose.

https://fedorahosted.org/freeipa/ticket/1334

Add a flag to pkicreate in order to enable using the proxy.

Add a /etc/http/conf.d/ symlink to /etc/pki-ca/proxy.conf.
---
 ipalib/constants.py   |   10 +++---
 ipapython/dogtag.py   |2 +-
 ipapython/nsslib.py   |   15 ++-
 ipaserver/install/cainstance.py   |7 +++
 ipaserver/install/certs.py|4 ++--
 ipaserver/install/httpinstance.py |5 +
 ipaserver/plugins/dogtag.py   |2 +-
 7 files changed, 37 insertions(+), 8 deletions(-)

diff --git a/ipalib/constants.py b/ipalib/constants.py
index 026e0735441eabf8dbe63fffa85da69aa151c5d7..244360fe17dee4ff91b561fb6e3f7b5f4e443726 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -136,9 +136,13 @@ DEFAULT_CONFIG = (
 
 # CA plugin:
 ('ca_host', FQDN),  # Set in Env._finalize_core()
-('ca_port', 9180),
-('ca_agent_port', 9443),
-('ca_ee_port', 9444),
+('ca_port', 80),
+('ca_agent_port', 443),
+('ca_ee_port', 443),
+('ca_install_port', 9180),
+('ca_agent_install_port',9443 ),
+('ca_ee_install_port',9444 ),
+
 
 # Special CLI:
 ('prompt_all', False),
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 969535e4b95d3fc7f7f5202000bb29deef558e32..02f981974e1047a880ed05e428a86b4a4d4a6c21 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -34,7 +34,7 @@ def get_ca_certchain(ca_host=None):
 if ca_host is None:
 ca_host = api.env.ca_host
 chain = None
-conn = httplib.HTTPConnection(ca_host, api.env.ca_port)
+conn = httplib.HTTPConnection(ca_host, api.env.ca_install_port)
 conn.request(GET, /ca/ee/ca/getCertChain)
 res = conn.getresponse()
 doc = None
diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py
index e347d217992a4a549413f3e33d9248a403ee68cd..a0c5a8d36921c6eef3bf4320aab0a0c544ce82fd 100644
--- a/ipapython/nsslib.py
+++ b/ipapython/nsslib.py
@@ -208,12 +208,25 @@ class NSSConnection(httplib.HTTPConnection, NSSAddressFamilyFallback):
 self._create_socket()
 
 def _create_socket(self):
+
+#TODO remove the try block once python-nss is guaranteed to
+	#contain these values
+	try :
+	

[Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag

2011-08-19 Thread Adam Young
The complete solution for this patch requires changes in Dogtag that Ade 
Lee is working on right now.  In order to test, I have provided a couple 
of files that I have been using:



1.  Apply patch, build and install IPA rpms, run ipaserver-install as 
per usual.

2.  Move the dogtag.conf file into the /etc/httpd/conf.d directory
3.  Run the proxy_dogtag.py script   to modify the Dogtag instance to 
accept AJP connections from httpd so httpd can act as a proxy

4. Restart IPA


To test:

1. add a host.
2.  Generate a csr:   
http://freeipa.org/page/Certificate_Authority#Request_a_certificate

3.  request a certificate for the newly added host.
4.  Optionally, Revoke the certificate for the host


#NSS_SSL_ENABLE_RENEGOTIATION 1

ProxyRequests Off

# matches for ee port
<LocationMatch "^/ca/ee/*|^/ca/renewal|^/ca/certbasedenrollment|^/ca/ocsp|^/ca/enrollment|^/ca/profileSubmit|^/ca/cgi-bin/pkiclient.exe">
    NSSVerifyClient none
    ProxyPassMatch ajp://127.0.0.1:8009/
    ProxyPassReverse ajp://127.0.0.1:8009/
</LocationMatch>

# matches for admin port
<LocationMatch "^/ca/admin/*|^/ca/auths|^/ca/acl|^/ca/server|^/ca/caadmin|^/ca/caprofile|^/ca/jobsScheduler|^/ca/capublisher|^/ca/log|^/ca/ug">
    NSSVerifyClient none
    ProxyPassMatch ajp://127.0.0.1:8009/
    ProxyPassReverse ajp://127.0.0.1:8009/
</LocationMatch>

# matches for agent port and eeca port
<LocationMatch "^/ca/agent/*|^/ca/ca/getCertFromRequest|^/ca/ca/GetBySerial|^/ca/ca/connector|/ca/ca/displayCertFromRequest|^/ca/doRevoke|^/ca/eeca/*">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient require
    ProxyPassMatch ajp://127.0.0.1:8009/
    ProxyPassReverse ajp://127.0.0.1:8009/
</LocationMatch>

# static content
<LocationMatch "^/graphics/*">
    NSSVerifyClient none
    ProxyPassMatch ajp://127.0.0.1:8009/
    ProxyPassReverse ajp://127.0.0.1:8009/
</LocationMatch>

#!/usr/bin/python
from lxml import etree

# Step 1: disable the servlet filters in Dogtag's web.xml.  Every
# <filter> whose "active" init-param is set gets that value switched to
# false; this is part of making the instance accept the proxied AJP
# connections from httpd.

web_xml_path = '/var/lib/pki-ca/webapps/ca/WEB-INF/web.xml'

print("opening " + web_xml_path)
infile = open(web_xml_path, 'rb')
doc = etree.parse(infile)
infile.close()

init_param_names = doc.xpath('//web-app/filter/init-param/param-name')

print('init-param names')

for name in init_param_names:
    if name.text is not None and name.text.strip() == 'active':
        # the sibling <param-value> of the "active" parameter
        for value in name.xpath('../param-value'):
            value.text = 'false'

ofile = open(web_xml_path, 'wb')
doc.write(ofile)
print("saving " + web_xml_path)
ofile.close()


# Step 2: add <Connector port="8009" protocol="AJP/1.3" redirectPort="9444" />
# to server.xml, unless a connector on port 8009 is already defined.

server_xml_path = '/etc/pki-ca/server.xml'

infile = open(server_xml_path, 'rb')
doc = etree.parse(infile)
infile.close()

catalina = doc.xpath('//Service[@name="Catalina"]')

port8009 = catalina[0].xpath('Connector[@port="8009"]')
if len(port8009) > 0:
    print("Port 8009 found")
else:
    print("No Port 8009 defined")
    port8009 = etree.XML('<Connector port="8009" protocol="AJP/1.3" '
                         'redirectPort="9444" />')
    catalina[0].append(port8009)

ofile = open(server_xml_path, 'wb')
doc.write(ofile)
ofile.close()


From 706d0415c714a2f14ced774ace1b6a61eef482a1 Mon Sep 17 00:00:00 2001
From: Adam Young ayo...@redhat.com
Date: Wed, 17 Aug 2011 15:36:18 -0400
Subject: [PATCH] enable proxy for dogtag

Dogtag is going to be proxied through httpd.  To make this work, it has to support renegotiation of the SSL
connection.  This patch enables renegotiate in the nss configuration file during apache configuration,
as well as modifies libnss to set the appropriate options on the ssl connection in order to renegotiate.

The IPA install uses the internal ports instead of proxying through
httpd since  httpd is not set up yet.

IPA needs to request the certificate through a port that uses authentication.  On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed to /ca/ee/ca, just for this purpose.

https://fedorahosted.org/freeipa/ticket/1334
---
 ipalib/constants.py   |   10 +++---
 ipapython/dogtag.py   |2 +-
 ipapython/nsslib.py   |   15 ++-
 ipaserver/install/certs.py|4 ++--
 ipaserver/install/httpinstance.py |5 +
 ipaserver/plugins/dogtag.py   |2 +-
 6 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/ipalib/constants.py b/ipalib/constants.py
index 026e0735441eabf8dbe63fffa85da69aa151c5d7..244360fe17dee4ff91b561fb6e3f7b5f4e443726 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -136,9 +136,13 @@ DEFAULT_CONFIG = (
 
 # CA plugin:
 ('ca_host', FQDN),  # Set in Env._finalize_core()
-('ca_port', 9180),
-('ca_agent_port', 9443),
-('ca_ee_port', 9444),
+('ca_port', 80),
+('ca_agent_port', 443),
+('ca_ee_port', 443),
+('ca_install_port', 9180),
+('ca_agent_install_port',9443 ),
+('ca_ee_install_port',9444 ),
+
 
 # Special CLI:
 ('prompt_all', 
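To see what the dogtag.conf attached to the post above actually does for a given request, here is an added example (my own code, not Adam's and not part of the FreeIPA tree) that re-implements Apache's LocationMatch merge rule over the regexes from that file: every section whose pattern matches the request path contributes its NSSVerifyClient setting, and a later section overrides an earlier one. The sample request paths are constructed for the demonstration. It shows that a /ca/eeca/ path is matched both by the `^/ca/ee/*` pattern (NSSVerifyClient none) and by the `^/ca/eeca/*` pattern (require), and gets client-certificate authentication only because the agent section comes later in the file; it also shows that the admin section is proxied without a client certificate, which bears on the later remark about limiting which sub-URLs the proxy exposes.

```python
import re

# LocationMatch sections copied from the attached dogtag.conf, in file order.
# Each entry: (section name, regex, NSSVerifyClient value).
SECTIONS = [
    ("ee",
     r"^/ca/ee/*|^/ca/renewal|^/ca/certbasedenrollment|^/ca/ocsp"
     r"|^/ca/enrollment|^/ca/profileSubmit|^/ca/cgi-bin/pkiclient.exe",
     "none"),
    ("admin",
     r"^/ca/admin/*|^/ca/auths|^/ca/acl|^/ca/server|^/ca/caadmin"
     r"|^/ca/caprofile|^/ca/jobsScheduler|^/ca/capublisher|^/ca/log|^/ca/ug",
     "none"),
    ("agent",
     r"^/ca/agent/*|^/ca/ca/getCertFromRequest|^/ca/ca/GetBySerial"
     r"|^/ca/ca/connector|/ca/ca/displayCertFromRequest|^/ca/doRevoke|^/ca/eeca/*",
     "require"),
    ("static", r"^/graphics/*", "none"),
]

# Constructed request paths (not from the page) covering each section.
SAMPLE_PATHS = [
    "/ca/ee/ca/profileSubmit",          # end-entity enrolment, no client cert
    "/ca/eeca/ca/profileSubmit",        # the authenticated mapping IPA uses
    "/ca/agent/ca/displayBySerial",     # agent interface
    "/ca/admin/console/config/wizard",  # admin interface
    "/kra/agent/kra/list",              # not a CA path at all
]


def effective_policy(path):
    """Return (NSSVerifyClient value, names of matching sections).

    Apache applies every <LocationMatch> whose regex matches the path, in
    configuration order; a later section's directive overrides an earlier
    one.  A path that matches no section is not proxied at all and is
    reported with policy None.
    """
    policy = None
    matched = []
    for name, regex, verify in SECTIONS:
        if re.search(regex, path):
            matched.append(name)
            policy = verify
    return policy, matched


def order_dependent(paths):
    """Paths whose result is decided only by section order: they match more
    than one section and those sections disagree on NSSVerifyClient, so
    reordering the config file would change whether a client cert is needed."""
    out = []
    for path in paths:
        _, matched = effective_policy(path)
        values = {verify for name, _, verify in SECTIONS if name in matched}
        if len(values) > 1:
            out.append(path)
    return out


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        policy, matched = effective_policy(path)
        print("%-36s verify=%-8s sections=%s" % (path, policy, ",".join(matched)))
    print("order-dependent:", order_dependent(SAMPLE_PATHS))
```

Two things stand out when this is run: the /ca/eeca/ path is listed as order-dependent, so anyone reordering or trimming the sections later can silently drop the client-certificate requirement on the very path IPA relies on for authenticated requests, and `/ca/admin/...` is reachable through the proxy with `NSSVerifyClient none`, which is a strong argument for the tighter allow-list discussed further down in the thread.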

Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag

2011-08-19 Thread Dmitri Pal
On 08/19/2011 01:19 PM, Adam Young wrote:
 The complete solution for this patch requires changes in Dogtag that
 Ade Lee is working on right now.  In order to test, I have provided a
 couple of files that I have been using:


 1.  Apply patch, build and install IPA rpms, run ipaserver-install as
 per usual.
 2.  Move the dogtag.conf file into the /etc/httpd/conf.d directory
 3.  Run the proxy_dogtag.py script   to modify the Dogtag instance to
 accept AJP connections from httpd so httpd can act as a proxy
 4. Restart IPA


 To test:

 1. add a host.
 2.  Generate a csr:  
 http://freeipa.org/page/Certificate_Authority#Request_a_certificate
 3.  request a certificate for the newly added host.
 4.  Optionally, Revoke the certificate for the host



Please do not forget to test the proxy when the replica does not have
the CA installed and has to forward the request to the one that does.





-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


