summaryrefslogtreecommitdiffstats
path: root/install
diff options
context:
space:
mode:
Diffstat (limited to 'install')
-rw-r--r--install/conf/Makefile.am1
-rw-r--r--install/conf/ipa-pki-proxy.conf25
-rwxr-xr-xinstall/tools/ipa-ca-install4
3 files changed, 30 insertions, 0 deletions
diff --git a/install/conf/Makefile.am b/install/conf/Makefile.am
index e00ad61..5ee3edd 100644
--- a/install/conf/Makefile.am
+++ b/install/conf/Makefile.am
@@ -3,6 +3,7 @@ NULL =
appdir = $(IPA_DATA_DIR)
app_DATA = \
ipa.conf \
+ ipa-pki-proxy.conf \
ipa-rewrite.conf \
$(NULL)
diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
new file mode 100644
index 0000000..275f326
--- /dev/null
+++ b/install/conf/ipa-pki-proxy.conf
@@ -0,0 +1,25 @@
+ProxyRequests Off
+
+# matches for ee port
+<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange">
+ NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+ NSSVerifyClient none
+ ProxyPassMatch ajp://localhost:9447/
+ ProxyPassReverse ajp://localhost:9447/
+</LocationMatch>
+
+# matches for admin port
+<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML">
+ NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+ NSSVerifyClient none
+ ProxyPassMatch ajp://localhost:9447/
+ ProxyPassReverse ajp://localhost:9447/
+</LocationMatch>
+
+# matches for agent port and eeca port
+<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
+ NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+ NSSVerifyClient require
+ ProxyPassMatch ajp://localhost:9447/
+ ProxyPassReverse ajp://localhost:9447/
+</LocationMatch>
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 7bbba4b..05a05dc 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -36,6 +36,7 @@ from ipapython import version
from ipalib import api, util
from ipapython.config import IPAOptionParser
from ipapython import sysrestore
+from ipapython import ipautil
CACERT="/etc/ipa/ca.crt"
REPLICA_INFO_TOP_DIR=None
@@ -144,6 +145,9 @@ def main():
cs.add_simple_service('dogtagldap/%s@%s' % (config.host_name, config.realm_name))
cs.add_cert_to_service()
+ # We need to restart apache as we drop a new config file in there
+ ipautil.service_restart('httpd', '', True)
+
try:
if not os.geteuid()==0:
sys.exit("\nYou must be root to run this script.\n")