Configure PKI AJP Secret with 256-bit secret

By default, PKI's AJP secret is generated as a 75-bit password. By
generating it in IPA, we can guarantee the strength of the AJP secret.
It makes sense to use a stronger AJP secret because it typically
isn't rotated; access to AJP allows an attacker to impersonate an admin
while talking to PKI.

Fixes: https://pagure.io/freeipa/issue/8372
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849146
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1845447
Related: https://github.com/dogtagpki/pki/pull/437

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
Alexander Scheel 2020-06-17 16:00:25 -04:00 committed by Christian Heimes
parent c5e9bd61d6
commit 3ecea7800a
3 changed files with 6 additions and 1 deletions

View File

@ -12,6 +12,7 @@
#
# Predefined variables
# - ipa_ca_subject
# - ipa_ajp_secret
# - ipa_fqdn
# - ipa_subject_base
# - pki_admin_password

View File

@ -12,6 +12,7 @@ ipa_ca_pem_file=/etc/ipa/ca.crt
## dynamic values
# ipa_ca_subject=
# ipa_ajp_secret=
# ipa_subject_base=
# ipa_fqdn=
# ipa_ocsp_uri=
@ -66,6 +67,7 @@ pki_issuing_ca=%(pki_issuing_ca_uri)s
pki_replication_password=
pki_enable_proxy=True
pki_ajp_secret=%(ipa_ajp_secret)s
pki_restart_configured_instance=False
pki_security_domain_hostname=%(ipa_fqdn)s
pki_security_domain_https_port=443

View File

@ -840,7 +840,9 @@ class PKIIniLoader:
pki_subsystem_type=subsystem.lower(),
home_dir=os.path.expanduser("~"),
# for softhsm2 testing
softhsm2_so=paths.LIBSOFTHSM2_SO
softhsm2_so=paths.LIBSOFTHSM2_SO,
# Configure a more secure AJP password by default
ipa_ajp_secret=ipautil.ipa_generate_password(special=None)
)
@classmethod