summaryrefslogtreecommitdiffstats
path: root/install
diff options
context:
space:
mode:
authorAdam Young <ayoung@redhat.com>2011-08-17 15:36:18 -0400
committerRob Crittenden <rcritten@redhat.com>2011-08-29 17:05:44 -0400
commitd32b44be6a1dd73e514a6063cad2c8c84aaed360 (patch)
tree7df1dedf3366806d700d33c808a3be0c68883a1e /install
parent91c9e8320932124ff77178383a0531fb2b218f2f (diff)
downloadfreeipa-d32b44be6a1dd73e514a6063cad2c8c84aaed360.zip
freeipa-d32b44be6a1dd73e514a6063cad2c8c84aaed360.tar.gz
freeipa-d32b44be6a1dd73e514a6063cad2c8c84aaed360.tar.xz
enable proxy for dogtag
Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL connection. This patch enables renegotiate in the nss configuration file during during apache configuration, as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate. The IPA install uses the internal ports instead of proxying through httpd since httpd is not set up yet. IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose. https://fedorahosted.org/freeipa/ticket/1334 add flag to pkicreate in order to enable using proxy. add the proxy file in /etc/http/conf.d/ Signed-off-by: Simo Sorce <ssorce@redhat.com>
Diffstat (limited to 'install')
-rw-r--r--install/conf/Makefile.am1
-rw-r--r--install/conf/ipa-pki-proxy.conf25
-rwxr-xr-xinstall/tools/ipa-ca-install4
3 files changed, 30 insertions, 0 deletions
diff --git a/install/conf/Makefile.am b/install/conf/Makefile.am
index e00ad61..5ee3edd 100644
--- a/install/conf/Makefile.am
+++ b/install/conf/Makefile.am
@@ -3,6 +3,7 @@ NULL =
appdir = $(IPA_DATA_DIR)
app_DATA = \
ipa.conf \
+ ipa-pki-proxy.conf \
ipa-rewrite.conf \
$(NULL)
diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
new file mode 100644
index 0000000..275f326
--- /dev/null
+++ b/install/conf/ipa-pki-proxy.conf
@@ -0,0 +1,25 @@
+ProxyRequests Off
+
+# matches for ee port
+<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange">
+ NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+ NSSVerifyClient none
+ ProxyPassMatch ajp://localhost:9447/
+ ProxyPassReverse ajp://localhost:9447/
+</LocationMatch>
+
+# matches for admin port
+<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML">
+ NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+ NSSVerifyClient none
+ ProxyPassMatch ajp://localhost:9447/
+ ProxyPassReverse ajp://localhost:9447/
+</LocationMatch>
+
+# matches for agent port and eeca port
+<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
+ NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+ NSSVerifyClient require
+ ProxyPassMatch ajp://localhost:9447/
+ ProxyPassReverse ajp://localhost:9447/
+</LocationMatch>
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 7bbba4b..05a05dc 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -36,6 +36,7 @@ from ipapython import version
from ipalib import api, util
from ipapython.config import IPAOptionParser
from ipapython import sysrestore
+from ipapython import ipautil
CACERT="/etc/ipa/ca.crt"
REPLICA_INFO_TOP_DIR=None
@@ -144,6 +145,9 @@ def main():
cs.add_simple_service('dogtagldap/%s@%s' % (config.host_name, config.realm_name))
cs.add_cert_to_service()
+ # We need to restart apache as we drop a new config file in there
+ ipautil.service_restart('httpd', '', True)
+
try:
if not os.geteuid()==0:
sys.exit("\nYou must be root to run this script.\n")