authorRob Crittenden <rcritten@redhat.com>2010-03-30 15:27:28 -0400
committerRob Crittenden <rcritten@redhat.com>2010-04-19 10:04:25 -0400
commit70049496e3cfe0db01a58bcc51c7ea13e6caac24 (patch)
treefafd80fe2e5401573346b75271236e268eacc81f
parent34ee09e2438d942ce43b3b687ee26836a9165a7e (diff)
Remove older MITM fixes to make compatible with dogtag 1.3.3
We set a new port to be used with dogtag but IPA doesn't utilize it. This also changes the way we determine which security database to use. Rather than checking whether api.env.home is set, use api.env.in_tree.
-rw-r--r--ipaserver/install/cainstance.py14
-rw-r--r--ipaserver/install/certs.py4
-rw-r--r--ipaserver/plugins/dogtag.py6
-rw-r--r--ipaserver/plugins/rabase.py2
4 files changed, 8 insertions, 18 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index f31bdc6d2..69921a33a 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -56,6 +56,7 @@ PKI_INSTANCE_NAME="pki-ca"
AGENT_SECURE_PORT=9443
EE_SECURE_PORT=9444
ADMIN_SECURE_PORT=9445
+EE_CLIENT_AUTH_PORT=9446
UNSECURE_PORT=9180
TOMCAT_SERVER_PORT=9701
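Review bot: EE_CLIENT_AUTH_PORT is introduced without any comment, and the commit description says IPA does not use it, which a reader of cainstance.py cannot tell from the constant alone. The same applies to the `-ee_secure_client_auth_port` argument in the next hunk, where the value is only handed to the installer. A one-line comment would settle it: `EE_CLIENT_AUTH_PORT=9446  # client-auth EE port expected by dogtag 1.3.3 pkicreate; not used by IPA itself`.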
@@ -482,6 +483,7 @@ class CAInstance(service.Service):
'-agent_secure_port', str(AGENT_SECURE_PORT),
'-ee_secure_port', str(EE_SECURE_PORT),
'-admin_secure_port', str(ADMIN_SECURE_PORT),
+ '-ee_secure_client_auth_port', str(EE_CLIENT_AUTH_PORT),
'-unsecure_port', str(UNSECURE_PORT),
'-tomcat_server_port', str(TOMCAT_SERVER_PORT),
'-redirect', 'conf=/etc/pki-ca',
@@ -518,18 +520,6 @@ class CAInstance(service.Service):
pent = pwd.getpwnam(self.pki_user)
os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
- # Update the servlet mapping to so we use the agent interface rather
- # than the end-user interface. The agent interface always requires
- # client auth which lets us work work around the NSS change which
- # disallows renegotation (CVE-2009-3555)
- #
- # The spaces here, while ugly, are required because update_file()
- # escapes the incoming string.
- installutils.update_file('/var/lib/%s/webapps/ca/WEB-INF/web.xml' % PKI_INSTANCE_NAME,
- ' <url-pattern> /ee/ca/profileSubmitSSLClient </url-pattern>',
- ' <url-pattern> /agent/ca/profileSubmitSSLClient </url-pattern>'
-)
-
logging.debug("restarting ca instance")
try:
self.restart()
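Review bot: Removing the web.xml rewrite also removes the only place that recorded why submissions were routed through the agent interface (NSS disallowing TLS renegotiation, CVE-2009-3555), and nothing in the new code says what replaces that workaround. Since certs.py and dogtag.py now submit to /ca/ee/ca/profileSubmitSSLClient on ca_ee_port rather than on the newly configured EE_CLIENT_AUTH_PORT, the change appears to rely on dogtag 1.3.3 performing client authentication on the EE profile servlet without renegotiation; that assumption and the minimum dogtag version should be written down next to the pkicreate arguments or here before the restart, e.g. `# dogtag >= 1.3.3: the EE profileSubmitSSLClient servlet handles client auth without TLS renegotiation, so the agent-interface remapping (CVE-2009-3555 workaround) is no longer needed`. The enclosing method starts outside the hunk.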
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 4b8a57e92..05c9213bb 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -570,7 +570,7 @@ class CertDB(object):
password = f.readline()
f.close()
http_status, http_reason_phrase, http_headers, http_body = \
- dogtag.https_request(self.host_name, api.env.ca_agent_port, "/ca/agent/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
+ dogtag.https_request(self.host_name, api.env.ca_ee_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
if http_status != 200:
raise CertificateOperationError(error=_('Unable to communicate with CMS (%s)') % \
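Review bot: The new request line hard-codes the servlet path "/ca/ee/ca/profileSubmitSSLClient" together with api.env.ca_ee_port, and the identical pair now appears three times across the commit (again at the second certs.py hunk and in dogtag.py's _sslget call). Switching interfaces, as this commit does, then means editing every copy in step, so the path belongs in one module-level constant, e.g. `PROFILE_SUBMIT_URI = "/ca/ee/ca/profileSubmitSSLClient"`, with each call site reading it. The surrounding method starts and ends outside the hunk.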
@@ -657,7 +657,7 @@ class CertDB(object):
password = f.readline()
f.close()
http_status, http_reason_phrase, http_headers, http_body = \
- dogtag.https_request(self.host_name, api.env.ca_agent_port, "/ca/agent/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
+ dogtag.https_request(self.host_name, api.env.ca_ee_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
if http_status != 200:
raise RuntimeError("Unable to submit cert request")
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 4c572da47..2b0529e0e 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1208,7 +1208,7 @@ class ra(rabase.rabase):
Request Authority backend plugin.
"""
def __init__(self):
- if api.env.home:
+ if api.env.in_tree:
self.sec_dir = api.env.dot_ipa + os.sep + 'alias'
self.pwd_file = self.sec_dir + os.sep + '.pwd'
else:
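Review bot: The `if api.env.in_tree:` branch in ra.__init__ derives sec_dir and pwd_file exactly as the same branch in rabase.__init__ does (see the rabase.py hunk), and ra is declared as a subclass of rabase.rabase, so the condition and the path assembly now exist in two places that must be kept in sync. If ra.__init__ does not already delegate, consider calling the base initializer and only adding what ra needs; what happens after the else branch is outside the hunk, so I cannot see whether the two diverge there. At minimum a comment should state which security database the in-tree branch selects, e.g. `# in-tree (developer) runs use ~/.ipa/alias; installed servers use the system NSS database`.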
@@ -1452,8 +1452,8 @@ class ra(rabase.rabase):
# Call CMS
http_status, http_reason_phrase, http_headers, http_body = \
- self._sslget('/ca/agent/ca/profileSubmitSSLClient',
- self.env.ca_agent_port,
+ self._sslget('/ca/ee/ca/profileSubmitSSLClient',
+ self.env.ca_ee_port,
profileId='caIPAserviceCert',
cert_request_type=request_type,
cert_request=csr,
diff --git a/ipaserver/plugins/rabase.py b/ipaserver/plugins/rabase.py
index c6aabf71c..7a3e4e397 100644
--- a/ipaserver/plugins/rabase.py
+++ b/ipaserver/plugins/rabase.py
@@ -41,7 +41,7 @@ class rabase(Backend):
Request Authority backend plugin.
"""
def __init__(self):
- if api.env.home:
+ if api.env.in_tree:
self.sec_dir = api.env.dot_ipa + os.sep + 'alias'
self.pwd_file = self.sec_dir + os.sep + '.pwd'
self.serial_file = self.sec_dir + os.sep + 'ca_serialno'