enable proxy for dogtag

Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL connection. This patch enables renegotiate in the nss configuration file during during apache configuration, as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate. The IPA install uses the internal ports instead of proxying through httpd since httpd is not set up yet. IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose. https://fedorahosted.org/freeipa/ticket/1334 add flag to pkicreate in order to enable using proxy. add the proxy file in /etc/http/conf.d/ Signed-off-by: Simo Sorce <ssorce@redhat.com>
2024-12-23 07:33:27 -06:00 · 2011-08-17 15:36:18 -04:00 · 2011-08-17 15:36:18 -04:00 · 5ee93349f6
commit 5ee93349f6
parent 3ef732d738
11 changed files with 74 additions and 10 deletions
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@ -304,6 +304,7 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/ipa_error.css \
 # So we can own our Apache configuration
 mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
 /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf
+/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
 /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
 mkdir -p %{buildroot}%{_initrddir}
 install -m755 ipa.init %{buildroot}%{_initrddir}/ipa
@ -449,8 +450,10 @@ fi
 %config(noreplace) %{_sysconfdir}/ipa/html/hbac-deny-remove.html
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
+%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
 %{_usr}/share/ipa/ipa.conf
 %{_usr}/share/ipa/ipa-rewrite.conf
+%{_usr}/share/ipa/ipa-pki-proxy.conf
 %dir %{_usr}/share/ipa/updates/
 %{_usr}/share/ipa/updates/*
 %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
--- a/install/conf/Makefile.am
+++ b/install/conf/Makefile.am
@ -3,6 +3,7 @@ NULL =
 appdir = $(IPA_DATA_DIR)
 app_DATA =                              \
 	ipa.conf			\
+	ipa-pki-proxy.conf			\
 	ipa-rewrite.conf		\
 	$(NULL)

--- a/install/conf/ipa-pki-proxy.conf
+++ b/install/conf/ipa-pki-proxy.conf
@ -0,0 +1,25 @@
+ProxyRequests Off
+
+# matches for ee port
+<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange">
+    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+    NSSVerifyClient none
+    ProxyPassMatch ajp://localhost:9447/
+    ProxyPassReverse ajp://localhost:9447/
+</LocationMatch>
+
+# matches for admin port
+<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML">
+    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+    NSSVerifyClient none
+    ProxyPassMatch ajp://localhost:9447/
+    ProxyPassReverse ajp://localhost:9447/
+</LocationMatch>
+
+# matches for agent port and eeca port
+<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
+    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+    NSSVerifyClient require
+    ProxyPassMatch ajp://localhost:9447/
+    ProxyPassReverse ajp://localhost:9447/
+</LocationMatch>
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@ -36,6 +36,7 @@ from ipapython import version
 from ipalib import api, util
 from ipapython.config import IPAOptionParser
 from ipapython import sysrestore
+from ipapython import ipautil

 CACERT="/etc/ipa/ca.crt"
 REPLICA_INFO_TOP_DIR=None
@ -144,6 +145,9 @@ def main():
    cs.add_simple_service('dogtagldap/%s@%s' % (config.host_name, config.realm_name))
    cs.add_cert_to_service()

+    # We need to restart apache as we drop a new config file in there
+    ipautil.service_restart('httpd', '', True)
+
 try:
    if not os.geteuid()==0:
        sys.exit("\nYou must be root to run this script.\n")
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@ -136,9 +136,13 @@ DEFAULT_CONFIG = (

    # CA plugin:
    ('ca_host', FQDN),  # Set in Env._finalize_core()
-    ('ca_port', 9180),
-    ('ca_agent_port', 9443),
-    ('ca_ee_port', 9444),
+    ('ca_port', 80),
+    ('ca_agent_port', 443),
+    ('ca_ee_port', 443),
+    ('ca_install_port', 9180),
+    ('ca_agent_install_port', 9443),
+    ('ca_ee_install_port', 9444),
+

    # Special CLI:
    ('prompt_all', False),
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@ -34,7 +34,7 @@ def get_ca_certchain(ca_host=None):
    if ca_host is None:
        ca_host = api.env.ca_host
    chain = None
-    conn = httplib.HTTPConnection(ca_host, api.env.ca_port)
+    conn = httplib.HTTPConnection(ca_host, api.env.ca_install_port)
    conn.request("GET", "/ca/ee/ca/getCertChain")
    res = conn.getresponse()
    doc = None
--- a/ipapython/nsslib.py
+++ b/ipapython/nsslib.py
@ -208,12 +208,25 @@ class NSSConnection(httplib.HTTPConnection, NSSAddressFamilyFallback):
        self._create_socket()

    def _create_socket(self):
+
+        #TODO remove the try block once python-nss is guaranteed to
+	#contain these values
+        try :
+                ssl_enable_renegotiation  = SSL_ENABLE_RENEGOTIATION   #pylint: disable=E0602
+                ssl_require_safe_negotiation = SSL_REQUIRE_SAFE_NEGOTIATION  #pylint: disable=E0602
+                ssl_renegotiate_requires_xtn = SSL_RENEGOTIATE_REQUIRES_XTN #pylint: disable=E0602
+        except :
+                ssl_enable_renegotiation  = 20
+                ssl_require_safe_negotiation = 21
+                ssl_renegotiate_requires_xtn = 2
+
        # Create the socket here so we can do things like let the caller
        # override the NSS callbacks
        self.sock = ssl.SSLSocket(family=self.family)
        self.sock.set_ssl_option(ssl.SSL_SECURITY, True)
        self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True)
-
+        self.sock.set_ssl_option(ssl_require_safe_negotiation, False)
+        self.sock.set_ssl_option(ssl_enable_renegotiation, ssl_renegotiate_requires_xtn)
        # Provide a callback which notifies us when the SSL handshake is complete
        self.sock.set_handshake_callback(self.handshake_callback)

--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@ -56,6 +56,7 @@ from ipaserver.install import certs
 from ipaserver.install.installutils import ReplicaConfig
 from ipalib import util

+HTTPD_CONFD = "/etc/httpd/conf.d/"
 DEFAULT_DSPORT=7389

 PKI_USER = "pkiuser"
@ -70,6 +71,7 @@ EE_CLIENT_AUTH_PORT=9446
 UNSECURE_PORT=9180
 TOMCAT_SERVER_PORT=9701

+
 # We need to reset the template because the CA uses the regular boot
 # information
 INF_TEMPLATE = """
@ -537,6 +539,7 @@ class CAInstance(service.Service):
                self.step("requesting RA certificate from CA", self.__request_ra_certificate)
                self.step("issuing RA agent certificate", self.__issue_ra_cert)
                self.step("adding RA agent as a trusted user", self.__configure_ra)
+            self.step("Configure HTTP to proxy connections", self.__http_proxy)

        self.start_creation("Configuring certificate server", 210)

@ -557,6 +560,7 @@ class CAInstance(service.Service):
                '-tomcat_server_port', str(TOMCAT_SERVER_PORT),
                '-redirect', 'conf=/etc/pki-ca',
                '-redirect', 'logs=/var/log/pki-ca',
+                '-enable_proxy'
        ]
        ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn})

@ -658,7 +662,7 @@ class CAInstance(service.Service):
                args.append("-sd_hostname")
                args.append(self.master_host)
                args.append("-sd_admin_port")
-                args.append(str(ADMIN_SECURE_PORT))
+                args.append("443")
                args.append("-sd_admin_name")
                args.append("admin")
                args.append("-sd_admin_password")
@ -666,7 +670,7 @@ class CAInstance(service.Service):
                args.append("-clone_start_tls")
                args.append("true")
                args.append("-clone_uri")
-                args.append("https://%s:%d" % (self.master_host, EE_SECURE_PORT))
+                args.append("https://%s:%d" % (self.master_host, 443))
            else:
                args.append("-clone")
                args.append("false")
@ -1077,6 +1081,11 @@ class CAInstance(service.Service):
        fd.close()
        os.chmod(location, 0444)

+    def __http_proxy(self):
+        shutil.copy(ipautil.SHARE_DIR + "ipa-pki-proxy.conf",
+                    HTTPD_CONFD + "ipa-pki-proxy.conf")
+
+
 def install_replica_ca(config, postinstall=False):
    """
    Install a CA on a replica.
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@ -633,7 +633,7 @@ class CertDB(object):
            password = f.readline()
            f.close()
            http_status, http_reason_phrase, http_headers, http_body = \
-                dogtag.https_request(self.host_name, api.env.ca_ee_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
+                dogtag.https_request(self.host_name, api.env.ca_ee_install_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)

            if http_status != 200:
                raise CertificateOperationError(error='Unable to communicate with CMS (%s)' % \
@ -715,7 +715,7 @@ class CertDB(object):
            password = f.readline()
            f.close()
            http_status, http_reason_phrase, http_headers, http_body = \
-                dogtag.https_request(self.host_name, api.env.ca_ee_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
+                dogtag.https_request(self.host_name, api.env.ca_ee_install_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
            if http_status != 200:
                raise RuntimeError("Unable to submit cert request")

--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@ -75,6 +75,7 @@ class HTTPInstance(service.Service):
        self.step("disabling mod_ssl in httpd", self.__disable_mod_ssl)
        self.step("setting mod_nss port to 443", self.__set_mod_nss_port)
        self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
+        self.step("enabling mod_nss renegotiate", self.__enable_mod_nss_renegotiate)
        self.step("adding URL rewriting rules", self.__add_include)
        self.step("configuring httpd", self.__configure_http)
        self.step("setting up ssl", self.__setup_ssl)
@ -160,6 +161,10 @@ class HTTPInstance(service.Service):
    def __set_mod_nss_nickname(self, nickname):
        installutils.set_directive(NSS_CONF, 'NSSNickname', nickname)

+    def __enable_mod_nss_renegotiate(self):
+        installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on',False)
+        installutils.set_directive(NSS_CONF, 'NSSRequireSafeNegotiation', 'on',False)
+
    def __set_mod_nss_passwordfile(self):
        installutils.set_directive(NSS_CONF, 'NSSPassPhraseDialog', 'file:/etc/httpd/conf/password.conf')

--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@ -1514,7 +1514,7 @@ class ra(rabase.rabase):

        # Call CMS
        http_status, http_reason_phrase, http_headers, http_body = \
-            self._sslget('/ca/ee/ca/profileSubmitSSLClient',
+            self._sslget('/ca/eeca/ca/profileSubmitSSLClient',
                         self.env.ca_ee_port,
                         profileId='caIPAserviceCert',
                         cert_request_type=request_type,