authorRob Crittenden <rcritten@redhat.com>2010-03-30 15:27:28 -0400
committerRob Crittenden <rcritten@redhat.com>2010-04-19 10:04:25 -0400
commit70049496e3cfe0db01a58bcc51c7ea13e6caac24 (patch)
treefafd80fe2e5401573346b75271236e268eacc81f /ipaserver/install/cainstance.py
parent34ee09e2438d942ce43b3b687ee26836a9165a7e (diff)
Remove older MITM fixes to make compatible with dogtag 1.3.3
We set a new port to be used with dogtag but IPA doesn't utilize it. This also changes the way we determine which security database to use: rather than checking whether api.env.home is set, use api.env.in_tree.
Diffstat (limited to 'ipaserver/install/cainstance.py')
-rw-r--r--ipaserver/install/cainstance.py14
1 files changed, 2 insertions, 12 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index f31bdc6d2..69921a33a 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -56,6 +56,7 @@ PKI_INSTANCE_NAME="pki-ca"
AGENT_SECURE_PORT=9443
EE_SECURE_PORT=9444
ADMIN_SECURE_PORT=9445
+EE_CLIENT_AUTH_PORT=9446
UNSECURE_PORT=9180
TOMCAT_SERVER_PORT=9701
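Review bot: EE_CLIENT_AUTH_PORT=9446 is added without any comment saying what it is for, and the commit message itself states that IPA does not use it, so the constant should say so: `EE_CLIENT_AUTH_PORT=9446  # dogtag 1.3.3 EE client-auth listener; handed to pkicreate (-ee_secure_client_auth_port) but not contacted by IPA itself`. If pkicreate honours the option this presumably opens one more TLS listener on the CA host, so the installer's port documentation and any firewall guidance that lists the other 94xx ports should mention 9446 as well. The same applies to the hunk at -482,6 where the value is passed to pkicreate.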
@@ -482,6 +483,7 @@ class CAInstance(service.Service):
'-agent_secure_port', str(AGENT_SECURE_PORT),
'-ee_secure_port', str(EE_SECURE_PORT),
'-admin_secure_port', str(ADMIN_SECURE_PORT),
+ '-ee_secure_client_auth_port', str(EE_CLIENT_AUTH_PORT),
'-unsecure_port', str(UNSECURE_PORT),
'-tomcat_server_port', str(TOMCAT_SERVER_PORT),
'-redirect', 'conf=/etc/pki-ca',
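Review bot: Passing `-ee_secure_client_auth_port` assumes the installed pkicreate understands that option, which per the commit title exists only from dogtag 1.3.3 on; nothing in the hunk gates it, and nothing explains that this flag is what stands in for the web.xml remapping of profileSubmitSSLClient to the agent interface (the CVE-2009-3555 workaround) deleted in the -518,18 hunk, so the reasoning the removed comment block carried is lost. A comment on the added line, `# dogtag >= 1.3.3: dedicated client-auth EE port replaces the old web.xml remapping of profileSubmitSSLClient`, would preserve it. If installs against an older dogtag must keep working, the argument should be appended conditionally rather than unconditionally; whether pkicreate rejects or silently ignores an unknown option I cannot tell from here. The argument list belongs to a CAInstance method whose start and end lie outside the hunk.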
@@ -518,18 +520,6 @@ class CAInstance(service.Service):
pent = pwd.getpwnam(self.pki_user)
os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
- # Update the servlet mapping to so we use the agent interface rather
- # than the end-user interface. The agent interface always requires
- # client auth which lets us work work around the NSS change which
- # disallows renegotation (CVE-2009-3555)
- #
- # The spaces here, while ugly, are required because update_file()
- # escapes the incoming string.
- installutils.update_file('/var/lib/%s/webapps/ca/WEB-INF/web.xml' % PKI_INSTANCE_NAME,
- ' <url-pattern> /ee/ca/profileSubmitSSLClient </url-pattern>',
- ' <url-pattern> /agent/ca/profileSubmitSSLClient </url-pattern>'
-)
-
logging.debug("restarting ca instance")
try:
self.restart()