diff options
author | Adam Young <ayoung@redhat.com> | 2011-08-17 15:36:18 -0400 |
---|---|---|
committer | Simo Sorce <ssorce@redhat.com> | 2011-08-29 17:54:49 -0400 |
commit | 5ee93349f6700d024fa4db68c960951d9964504b (patch) | |
tree | 6a1d480036fbc0a820563ff9166caeb9d53a4585 /install/tools/ipa-ca-install | |
parent | 3ef732d7381a8d59400a669009904e14c8265792 (diff) | |
download | freeipa-5ee93349f6700d024fa4db68c960951d9964504b.tar.gz freeipa-5ee93349f6700d024fa4db68c960951d9964504b.tar.xz freeipa-5ee93349f6700d024fa4db68c960951d9964504b.zip |
enable proxy for dogtag
Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL
connection. This patch enables renegotiate in the nss configuration file during during apache configuration,
as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate.
The IPA install uses the internal ports instead of proxying through
httpd since httpd is not set up yet.
IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose.
https://fedorahosted.org/freeipa/ticket/1334
add flag to pkicreate in order to enable using proxy.
add the proxy file in /etc/http/conf.d/
Signed-off-by: Simo Sorce <ssorce@redhat.com>
Diffstat (limited to 'install/tools/ipa-ca-install')
-rwxr-xr-x | install/tools/ipa-ca-install | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 7bbba4b14..05a05dce9 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -36,6 +36,7 @@ from ipapython import version from ipalib import api, util from ipapython.config import IPAOptionParser from ipapython import sysrestore +from ipapython import ipautil CACERT="/etc/ipa/ca.crt" REPLICA_INFO_TOP_DIR=None @@ -144,6 +145,9 @@ def main(): cs.add_simple_service('dogtagldap/%s@%s' % (config.host_name, config.realm_name)) cs.add_cert_to_service() + # We need to restart apache as we drop a new config file in there + ipautil.service_restart('httpd', '', True) + try: if not os.geteuid()==0: sys.exit("\nYou must be root to run this script.\n") |