Remove older MITM fixes to make compatible with dogtag 1.3.3

We set a new port to be used with dogtag but IPA doesn't utilize it.

This also changes the way we determine which security database to use.
Rather than checking whether api.env.home is set, use api.env.in_tree.
This commit is contained in:
Rob Crittenden 2010-03-30 15:27:28 -04:00
parent 34ee09e243
commit 70049496e3
4 changed files with 8 additions and 18 deletions


@ -56,6 +56,7 @@ PKI_INSTANCE_NAME="pki-ca"
AGENT_SECURE_PORT=9443
EE_SECURE_PORT=9444
ADMIN_SECURE_PORT=9445
EE_CLIENT_AUTH_PORT=9446
UNSECURE_PORT=9180
TOMCAT_SERVER_PORT=9701
@ -482,6 +483,7 @@ class CAInstance(service.Service):
'-agent_secure_port', str(AGENT_SECURE_PORT),
'-ee_secure_port', str(EE_SECURE_PORT),
'-admin_secure_port', str(ADMIN_SECURE_PORT),
'-ee_secure_client_auth_port', str(EE_CLIENT_AUTH_PORT),
'-unsecure_port', str(UNSECURE_PORT),
'-tomcat_server_port', str(TOMCAT_SERVER_PORT),
'-redirect', 'conf=/etc/pki-ca',
@ -518,18 +520,6 @@ class CAInstance(service.Service):
pent = pwd.getpwnam(self.pki_user)
os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
# Update the servlet mapping to so we use the agent interface rather
# than the end-user interface. The agent interface always requires
# client auth which lets us work work around the NSS change which
# disallows renegotation (CVE-2009-3555)
#
# The spaces here, while ugly, are required because update_file()
# escapes the incoming string.
installutils.update_file('/var/lib/%s/webapps/ca/WEB-INF/web.xml' % PKI_INSTANCE_NAME,
' <url-pattern> /ee/ca/profileSubmitSSLClient </url-pattern>',
' <url-pattern> /agent/ca/profileSubmitSSLClient </url-pattern>'
)
logging.debug("restarting ca instance")
try:
self.restart()
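Review bot: Nothing in the new code records that dropping the web.xml remap (IPA's own guard against the NSS renegotiation change, CVE-2009-3555, by forcing the always-client-auth agent interface) now depends on the installed dogtag being 1.3.3 or newer; the section adds the port but neither checks nor documents that requirement. A comment at the new constant would at least capture it, e.g. `EE_CLIENT_AUTH_PORT=9446  # client-auth EE port for dogtag >= 1.3.3; handed to instance creation but not used by IPA itself`, and the matching `'-ee_secure_client_auth_port'` argument can refer to it. Whether the dogtag package dependency elsewhere already pins 1.3.3 cannot be seen from this page. The `try:` around `self.restart()` continues outside the hunk.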


@ -570,7 +570,7 @@ class CertDB(object):
password = f.readline()
f.close()
http_status, http_reason_phrase, http_headers, http_body = \
dogtag.https_request(self.host_name, api.env.ca_agent_port, "/ca/agent/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
dogtag.https_request(self.host_name, api.env.ca_ee_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
if http_status != 200:
raise CertificateOperationError(error=_('Unable to communicate with CMS (%s)') % \
@ -657,7 +657,7 @@ class CertDB(object):
password = f.readline()
f.close()
http_status, http_reason_phrase, http_headers, http_body = \
dogtag.https_request(self.host_name, api.env.ca_agent_port, "/ca/agent/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
dogtag.https_request(self.host_name, api.env.ca_ee_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
if http_status != 200:
raise RuntimeError("Unable to submit cert request")
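Review bot: The new `dogtag.https_request` call hard-codes the EE path `/ca/ee/ca/profileSubmitSSLClient` together with `api.env.ca_ee_port` in both hunks of this file, and the ra plugin's `_sslget` call repeats the same pair, so the next interface change again has to be made in three places; a single module-level `CA_EE_SUBMIT_PATH = "/ca/ee/ca/profileSubmitSSLClient"` used by both CertDB methods would keep them in step. The two call sites also differ in how a non-200 answer is reported (`CertificateOperationError` in the first hunk, a bare `RuntimeError` in the second), which a shared submit helper would unify. Both enclosing methods start and end outside their hunks.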


@ -1208,7 +1208,7 @@ class ra(rabase.rabase):
Request Authority backend plugin.
"""
def __init__(self):
if api.env.home:
if api.env.in_tree:
self.sec_dir = api.env.dot_ipa + os.sep + 'alias'
self.pwd_file = self.sec_dir + os.sep + '.pwd'
else:
@ -1452,8 +1452,8 @@ class ra(rabase.rabase):
# Call CMS
http_status, http_reason_phrase, http_headers, http_body = \
self._sslget('/ca/agent/ca/profileSubmitSSLClient',
self.env.ca_agent_port,
self._sslget('/ca/ee/ca/profileSubmitSSLClient',
self.env.ca_ee_port,
profileId='caIPAserviceCert',
cert_request_type=request_type,
cert_request=csr,
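Review bot: The switch from `api.env.home` to `api.env.in_tree` in `ra.__init__` (first hunk) and in `rabase.__init__` (last file section) is left without any comment on why the in-tree flag selects the NSS database under `api.env.dot_ipa`; a one-liner such as `# in-tree (developer) runs keep the NSS DB and password file under api.env.dot_ipa` on the `if` line would help. Since `ra` subclasses `rabase` (`class ra(rabase.rabase)`) and both constructors compute the same `sec_dir`/`pwd_file` pair, the duplication suggests `ra.__init__` could delegate to `rabase.rabase.__init__(self)` — presumably it does not already, though the rest of both constructors lies outside the hunks. The `self._sslget(...)` call in the second hunk continues past the hunk end.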


@ -41,7 +41,7 @@ class rabase(Backend):
Request Authority backend plugin.
"""
def __init__(self):
if api.env.home:
if api.env.in_tree:
self.sec_dir = api.env.dot_ipa + os.sep + 'alias'
self.pwd_file = self.sec_dir + os.sep + '.pwd'
self.serial_file = self.sec_dir + os.sep + 'ca_serialno'