mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-27 09:21:59 -06:00
0b08043c37
The KRA backend has been simplified since most of the tasks have been moved somewhere else. The transport certificate will be installed on the client, and it is not needed by KRA backend. The KRA agent's PEM certificate is now generated during installation due to permission issue. The kra_host() for now is removed since the current ldap_enable() cannot register the KRA service, so it is using the kra_host environment variable. The KRA installer has been modified to use Dogtag's CLI to create KRA agent and setup the client authentication. The proxy settings have been updated to include KRA's URLs. Some constants have been renamed for clarity. The DOGTAG_AGENT_P12 has been renamed to DOGTAG_ADMIN_P12 since file actually contains the Dogtag admin's certificate and private key and it can be used to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed to KRA_AGENT_PEM since it can only be used for KRA. The Dogtag dependency has been updated to 10.2.1-0.1. https://fedorahosted.org/freeipa/ticket/4503 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
31 lines
2.1 KiB
Plaintext
31 lines
2.1 KiB
Plaintext
# VERSION 5 - DO NOT REMOVE THIS LINE
|
|
|
|
ProxyRequests Off
|
|
|
|
# matches for ee port
|
|
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">
|
|
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
|
|
NSSVerifyClient none
|
|
ProxyPassMatch ajp://localhost:$DOGTAG_PORT
|
|
ProxyPassReverse ajp://localhost:$DOGTAG_PORT
|
|
</LocationMatch>
|
|
|
|
# matches for admin port and installer
|
|
<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken|^/ca/admin/ca/updateNumberRange|^/ca/rest/securityDomain/domainInfo|^/ca/rest/account/login|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/rest/account/logout|^/ca/rest/securityDomain/installToken|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries|^/kra/rest/config/cert/transport">
|
|
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
|
|
NSSVerifyClient none
|
|
ProxyPassMatch ajp://localhost:$DOGTAG_PORT
|
|
ProxyPassReverse ajp://localhost:$DOGTAG_PORT
|
|
</LocationMatch>
|
|
|
|
# matches for agent port and eeca port
|
|
<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/kra/agent/kra/connector|^/kra/rest/account|^/kra/rest/agent/keyrequests|^/kra/rest/agent/keys|^/ca/rest/admin/kraconnector/remove">
|
|
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
|
|
NSSVerifyClient require
|
|
ProxyPassMatch ajp://localhost:$DOGTAG_PORT
|
|
ProxyPassReverse ajp://localhost:$DOGTAG_PORT
|
|
</LocationMatch>
|
|
|
|
# Only enable this on servers that are not generating a CRL
|
|
${CLONE}RewriteRule ^/ipa/crl/MasterCRL.bin https://$FQDN/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
|