Require SSL for the XML-RPC interface

2025-02-25 18:55:28 -06:00 · 2007-10-19 10:14:30 -04:00
parent 086193af0a
commit ba0adcffb1
4 changed files with 53 additions and 2 deletions
--- a/ipa-python/krbtransport.py
+++ b/ipa-python/krbtransport.py
@@ -24,7 +24,7 @@ import xmlrpclib
 import kerberos
 from kerberos import GSSError

-class KerbTransport(xmlrpclib.Transport):
+class KerbTransport(xmlrpclib.SafeTransport):
    """Handles Kerberos Negotiation authentication to an XML-RPC server."""

    def get_host_info(self, host):
--- a/ipa-python/rpcclient.py
+++ b/ipa-python/rpcclient.py
@@ -40,7 +40,7 @@ class RPCClient:
    
    def server_url(self):
        """Build the XML-RPC server URL from our configuration"""
-        return "http://" + config.config.get_server() + "/ipa"
+        return "https://" + config.config.get_server() + "/ipa"
    
    def setup_server(self):
        """Create our XML-RPC server connection using kerberos
--- a/ipa-server/ipa-install/ipa-server-setupssl
+++ b/ipa-server/ipa-install/ipa-server-setupssl
@@ -133,6 +133,50 @@ if [ -n "$prefix" ] ; then
    mv $secdir/${prefix}key3.db $secdir/key3.db
 fi

+modnssdir=/etc/httpd/alias
+
+# Setup SSL in Apache
+if [ -e $modnssdir ]; then
+    mkdir ${modnssdir}.ipa
+    mv $modnssdir/cert8.db ${modnssdir}.ipa
+    mv $modnssdir/key3.db ${modnssdir}.ipa
+fi
+
+# Create a new database for mod_nss
+echo -e "\n" > $modnssdir/pw.txt
+certutil -N -d $modnssdir -f $modnssdir/pw.txt
+
+# Add the CA we created
+certutil -A -d $modnssdir -n "CA certificate" -t "CT,CT," -a -i $secdir/cacert.asc
+
+# Request a new server cert
+certutil -R -d $modnssdir \
+            -s "cn=$myhost,ou=Apache Web Server" \
+            -o $modnssdir/tmpcertreq \
+            -g 1024 \
+            -z $secdir/noise.txt \
+            -f $modnssdir/pw.txt
+
+# Have the FDS CA issue the cert
+echo -e "2\n9\nn\n1\n9\nn\n" | \
+certutil -C -d $secdir \
+            -c "CA certificate" \
+            -i $modnssdir/tmpcertreq \
+            -o $modnssdir/tmpcert.der \
+            -m 1002 \
+            -v 120 \
+            -f $secdir/pwdfile.txt \
+            -1 \
+            -5
+
+# Now add this cert to the Apache database
+certutil -A -d $modnssdir -n "Server-Cert"\
+         -t u,u,u \
+         -i $modnssdir/tmpcert.der \
+         -f $modnsdir/tmpcert.der
+
+rm -f $modnssdir/pw.txt $modnssdir/tmpcertreq $modnssder/tmpcert.der
+
 # enable SSL in the directory server

 ldapmodify -x -h localhost -p $ldapport -D "cn=Directory Manager" -w $password <<EOF
--- a/ipa-server/xmlrpc-server/ipa.conf
+++ b/ipa-server/xmlrpc-server/ipa.conf
@@ -2,6 +2,13 @@

 ProxyRequests Off

+# Make all requests use SSL except for Kerberos authentication errors
+RewriteEngine on
+
+RewriteCond %{SERVER_PORT}  !^443$$
+RewriteCond %{REQUEST_URI}  !^/(errors)/
+RewriteRule ^/(.*)          https://%{SERVER_NAME}/$$1 [L,R,NC]
+
 <Proxy *>
  AuthType Kerberos
  AuthName "Kerberos Login"