summaryrefslogtreecommitdiffstats
path: root/ipaserver/install/httpinstance.py
diff options
context:
space:
mode:
authorAdam Young <ayoung@redhat.com>2011-08-17 15:36:18 -0400
committerRob Crittenden <rcritten@redhat.com>2011-08-29 17:05:44 -0400
commitd32b44be6a1dd73e514a6063cad2c8c84aaed360 (patch)
tree7df1dedf3366806d700d33c808a3be0c68883a1e /ipaserver/install/httpinstance.py
parent91c9e8320932124ff77178383a0531fb2b218f2f (diff)
downloadfreeipa-d32b44be6a1dd73e514a6063cad2c8c84aaed360.tar.gz
freeipa-d32b44be6a1dd73e514a6063cad2c8c84aaed360.tar.xz
freeipa-d32b44be6a1dd73e514a6063cad2c8c84aaed360.zip
enable proxy for dogtag
Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL connection. This patch enables renegotiate in the nss configuration file during during apache configuration, as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate. The IPA install uses the internal ports instead of proxying through httpd since httpd is not set up yet. IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose. https://fedorahosted.org/freeipa/ticket/1334 add flag to pkicreate in order to enable using proxy. add the proxy file in /etc/http/conf.d/ Signed-off-by: Simo Sorce <ssorce@redhat.com>
Diffstat (limited to 'ipaserver/install/httpinstance.py')
-rw-r--r--ipaserver/install/httpinstance.py5
1 files changed, 5 insertions, 0 deletions
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index fe5f7aa95..04d1ed402 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -75,6 +75,7 @@ class HTTPInstance(service.Service):
self.step("disabling mod_ssl in httpd", self.__disable_mod_ssl)
self.step("setting mod_nss port to 443", self.__set_mod_nss_port)
self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
+ self.step("enabling mod_nss renegotiate", self.__enable_mod_nss_renegotiate)
self.step("adding URL rewriting rules", self.__add_include)
self.step("configuring httpd", self.__configure_http)
self.step("setting up ssl", self.__setup_ssl)
@@ -160,6 +161,10 @@ class HTTPInstance(service.Service):
def __set_mod_nss_nickname(self, nickname):
installutils.set_directive(NSS_CONF, 'NSSNickname', nickname)
+ def __enable_mod_nss_renegotiate(self):
+ installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on',False)
+ installutils.set_directive(NSS_CONF, 'NSSRequireSafeNegotiation', 'on',False)
+
def __set_mod_nss_passwordfile(self):
installutils.set_directive(NSS_CONF, 'NSSPassPhraseDialog', 'file:/etc/httpd/conf/password.conf')