Configure PKI AJP Secret with 256-bit secret

By default, PKI's AJP secret is generated as a 75-bit password. By
generating it in IPA, we can guarantee the strength of the AJP secret.
It makes sense to use a stronger AJP secret because it typically
isn't rotated; access to AJP allows an attacker to impersonate an admin
while talking to PKI.

Fixes: https://pagure.io/freeipa/issue/8372
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849146
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1845447
Related: https://github.com/dogtagpki/pki/pull/437

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Alexander Scheel
2020-06-17 16:00:25 -04:00
committed by Christian Heimes
parent c5e9bd61d6
commit 3ecea7800a
3 changed files with 6 additions and 1 deletions

@@ -840,7 +840,9 @@ class PKIIniLoader:
pki_subsystem_type=subsystem.lower(),
home_dir=os.path.expanduser("~"),
# for softhsm2 testing
softhsm2_so=paths.LIBSOFTHSM2_SO
softhsm2_so=paths.LIBSOFTHSM2_SO,
# Configure a more secure AJP password by default
ipa_ajp_secret=ipautil.ipa_generate_password(special=None)
)
@classmethod
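Review bot: The new ipa_ajp_secret line does not show the 256-bit strength promised in the commit title, because the call passes only special=None and leaves the length and entropy to whatever ipautil.ipa_generate_password() defaults to. If that default is ever lowered, this secret weakens silently. Consider stating the required strength at the call site, or at least extending the comment to say that the default is relied on for 256 bits and why special characters are disabled here. The comment also says "password" where the key and the commit message say "secret"; using one term would make it easier to grep for.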