enable proxy for dogtag

Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL connection. This patch enables renegotiate in the nss configuration file during during apache configuration, as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate. The IPA install uses the internal ports instead of proxying through httpd since httpd is not set up yet. IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose. https://fedorahosted.org/freeipa/ticket/1334 add flag to pkicreate in order to enable using proxy. add the proxy file in /etc/http/conf.d/ Signed-off-by: Simo Sorce <ssorce@redhat.com>
author: Adam Young <ayoung@redhat.com> 2011-08-17 15:36:18 -0400
committer: Simo Sorce <ssorce@redhat.com> 2011-08-29 17:54:49 -0400
commit: 5ee93349f6700d024fa4db68c960951d9964504b (patch)
tree: 6a1d480036fbc0a820563ff9166caeb9d53a4585 /ipaserver
parent: 3ef732d7381a8d59400a669009904e14c8265792 (diff)
download: freeipa-5ee93349f6700d024fa4db68c960951d9964504b.tar.gz
freeipa-5ee93349f6700d024fa4db68c960951d9964504b.tar.xz
freeipa-5ee93349f6700d024fa4db68c960951d9964504b.zip
4 files changed, 19 insertions, 5 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 5c6c49e4b..d86b3928c 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -56,6 +56,7 @@ from ipaserver.install import certs
 from ipaserver.install.installutils import ReplicaConfig
 from ipalib import util
 
+HTTPD_CONFD = "/etc/httpd/conf.d/"
 DEFAULT_DSPORT=7389
 
 PKI_USER = "pkiuser"
@@ -70,6 +71,7 @@ EE_CLIENT_AUTH_PORT=9446
 UNSECURE_PORT=9180
 TOMCAT_SERVER_PORT=9701
 
+
 # We need to reset the template because the CA uses the regular boot
 # information
 INF_TEMPLATE = """
@@ -537,6 +539,7 @@ class CAInstance(service.Service):
                 self.step("requesting RA certificate from CA", self.__request_ra_certificate)
                 self.step("issuing RA agent certificate", self.__issue_ra_cert)
                 self.step("adding RA agent as a trusted user", self.__configure_ra)
+            self.step("Configure HTTP to proxy connections", self.__http_proxy)
 
         self.start_creation("Configuring certificate server", 210)
 
@@ -557,6 +560,7 @@ class CAInstance(service.Service):
                 '-tomcat_server_port', str(TOMCAT_SERVER_PORT),
                 '-redirect', 'conf=/etc/pki-ca',
                 '-redirect', 'logs=/var/log/pki-ca',
+                '-enable_proxy'
         ]
         ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn})
 
@@ -658,7 +662,7 @@ class CAInstance(service.Service):
                 args.append("-sd_hostname")
                 args.append(self.master_host)
                 args.append("-sd_admin_port")
-                args.append(str(ADMIN_SECURE_PORT))
+                args.append("443")
                 args.append("-sd_admin_name")
                 args.append("admin")
                 args.append("-sd_admin_password")
@@ -666,7 +670,7 @@ class CAInstance(service.Service):
                 args.append("-clone_start_tls")
                 args.append("true")
                 args.append("-clone_uri")
-                args.append("https://%s:%d" % (self.master_host, EE_SECURE_PORT))
+                args.append("https://%s:%d" % (self.master_host, 443))
             else:
                 args.append("-clone")
                 args.append("false")
@@ -1077,6 +1081,11 @@ class CAInstance(service.Service):
         fd.close()
         os.chmod(location, 0444)
 
+    def __http_proxy(self):
+        shutil.copy(ipautil.SHARE_DIR + "ipa-pki-proxy.conf",
+                    HTTPD_CONFD + "ipa-pki-proxy.conf")
+
+
 def install_replica_ca(config, postinstall=False):
     """
     Install a CA on a replica.
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index f14efe33f..d3df1681b 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -633,7 +633,7 @@ class CertDB(object):
             password = f.readline()
             f.close()
             http_status, http_reason_phrase, http_headers, http_body = \
-                dogtag.https_request(self.host_name, api.env.ca_ee_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
+                dogtag.https_request(self.host_name, api.env.ca_ee_install_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
 
             if http_status != 200:
                 raise CertificateOperationError(error='Unable to communicate with CMS (%s)' % \
@@ -715,7 +715,7 @@ class CertDB(object):
             password = f.readline()
             f.close()
             http_status, http_reason_phrase, http_headers, http_body = \
-                dogtag.https_request(self.host_name, api.env.ca_ee_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
+                dogtag.https_request(self.host_name, api.env.ca_ee_install_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
             if http_status != 200:
                 raise RuntimeError("Unable to submit cert request")
 
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index fe5f7aa95..04d1ed402 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -75,6 +75,7 @@ class HTTPInstance(service.Service):
         self.step("disabling mod_ssl in httpd", self.__disable_mod_ssl)
         self.step("setting mod_nss port to 443", self.__set_mod_nss_port)
         self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
+        self.step("enabling mod_nss renegotiate", self.__enable_mod_nss_renegotiate)
         self.step("adding URL rewriting rules", self.__add_include)
         self.step("configuring httpd", self.__configure_http)
         self.step("setting up ssl", self.__setup_ssl)
@@ -160,6 +161,10 @@ class HTTPInstance(service.Service):
     def __set_mod_nss_nickname(self, nickname):
         installutils.set_directive(NSS_CONF, 'NSSNickname', nickname)
 
+    def __enable_mod_nss_renegotiate(self):
+        installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on',False)
+        installutils.set_directive(NSS_CONF, 'NSSRequireSafeNegotiation', 'on',False)
+
     def __set_mod_nss_passwordfile(self):
         installutils.set_directive(NSS_CONF, 'NSSPassPhraseDialog', 'file:/etc/httpd/conf/password.conf')
 
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index d1234a0d2..23d06abc1 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1514,7 +1514,7 @@ class ra(rabase.rabase):
 
         # Call CMS
         http_status, http_reason_phrase, http_headers, http_body = \
-            self._sslget('/ca/ee/ca/profileSubmitSSLClient',
+            self._sslget('/ca/eeca/ca/profileSubmitSSLClient',
                          self.env.ca_ee_port,
                          profileId='caIPAserviceCert',
                          cert_request_type=request_type,
author	Adam Young <ayoung@redhat.com>	2011-08-17 15:36:18 -0400
committer	Simo Sorce <ssorce@redhat.com>	2011-08-29 17:54:49 -0400
commit	5ee93349f6700d024fa4db68c960951d9964504b (patch)
tree	6a1d480036fbc0a820563ff9166caeb9d53a4585 /ipaserver
parent	3ef732d7381a8d59400a669009904e14c8265792 (diff)
download	freeipa-5ee93349f6700d024fa4db68c960951d9964504b.tar.gz freeipa-5ee93349f6700d024fa4db68c960951d9964504b.tar.xz freeipa-5ee93349f6700d024fa4db68c960951d9964504b.zip