summaryrefslogtreecommitdiffstats
path: root/ipaserver
diff options
context:
space:
mode:
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/cainstance.py14
-rw-r--r--ipaserver/install/certs.py4
-rw-r--r--ipaserver/plugins/dogtag.py6
-rw-r--r--ipaserver/plugins/rabase.py2
4 files changed, 8 insertions, 18 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index f31bdc6d2..69921a33a 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -56,6 +56,7 @@ PKI_INSTANCE_NAME="pki-ca"
AGENT_SECURE_PORT=9443
EE_SECURE_PORT=9444
ADMIN_SECURE_PORT=9445
+EE_CLIENT_AUTH_PORT=9446
UNSECURE_PORT=9180
TOMCAT_SERVER_PORT=9701
@@ -482,6 +483,7 @@ class CAInstance(service.Service):
'-agent_secure_port', str(AGENT_SECURE_PORT),
'-ee_secure_port', str(EE_SECURE_PORT),
'-admin_secure_port', str(ADMIN_SECURE_PORT),
+ '-ee_secure_client_auth_port', str(EE_CLIENT_AUTH_PORT),
'-unsecure_port', str(UNSECURE_PORT),
'-tomcat_server_port', str(TOMCAT_SERVER_PORT),
'-redirect', 'conf=/etc/pki-ca',
@@ -518,18 +520,6 @@ class CAInstance(service.Service):
pent = pwd.getpwnam(self.pki_user)
os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
- # Update the servlet mapping to so we use the agent interface rather
- # than the end-user interface. The agent interface always requires
- # client auth which lets us work work around the NSS change which
- # disallows renegotation (CVE-2009-3555)
- #
- # The spaces here, while ugly, are required because update_file()
- # escapes the incoming string.
- installutils.update_file('/var/lib/%s/webapps/ca/WEB-INF/web.xml' % PKI_INSTANCE_NAME,
- ' <url-pattern> /ee/ca/profileSubmitSSLClient </url-pattern>',
- ' <url-pattern> /agent/ca/profileSubmitSSLClient </url-pattern>'
-)
-
logging.debug("restarting ca instance")
try:
self.restart()
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 4b8a57e92..05c9213bb 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -570,7 +570,7 @@ class CertDB(object):
password = f.readline()
f.close()
http_status, http_reason_phrase, http_headers, http_body = \
- dogtag.https_request(self.host_name, api.env.ca_agent_port, "/ca/agent/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
+ dogtag.https_request(self.host_name, api.env.ca_ee_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
if http_status != 200:
raise CertificateOperationError(error=_('Unable to communicate with CMS (%s)') % \
@@ -657,7 +657,7 @@ class CertDB(object):
password = f.readline()
f.close()
http_status, http_reason_phrase, http_headers, http_body = \
- dogtag.https_request(self.host_name, api.env.ca_agent_port, "/ca/agent/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
+ dogtag.https_request(self.host_name, api.env.ca_ee_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
if http_status != 200:
raise RuntimeError("Unable to submit cert request")
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 4c572da47..2b0529e0e 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1208,7 +1208,7 @@ class ra(rabase.rabase):
Request Authority backend plugin.
"""
def __init__(self):
- if api.env.home:
+ if api.env.in_tree:
self.sec_dir = api.env.dot_ipa + os.sep + 'alias'
self.pwd_file = self.sec_dir + os.sep + '.pwd'
else:
@@ -1452,8 +1452,8 @@ class ra(rabase.rabase):
# Call CMS
http_status, http_reason_phrase, http_headers, http_body = \
- self._sslget('/ca/agent/ca/profileSubmitSSLClient',
- self.env.ca_agent_port,
+ self._sslget('/ca/ee/ca/profileSubmitSSLClient',
+ self.env.ca_ee_port,
profileId='caIPAserviceCert',
cert_request_type=request_type,
cert_request=csr,
diff --git a/ipaserver/plugins/rabase.py b/ipaserver/plugins/rabase.py
index c6aabf71c..7a3e4e397 100644
--- a/ipaserver/plugins/rabase.py
+++ b/ipaserver/plugins/rabase.py
@@ -41,7 +41,7 @@ class rabase(Backend):
Request Authority backend plugin.
"""
def __init__(self):
- if api.env.home:
+ if api.env.in_tree:
self.sec_dir = api.env.dot_ipa + os.sep + 'alias'
self.pwd_file = self.sec_dir + os.sep + '.pwd'
self.serial_file = self.sec_dir + os.sep + 'ca_serialno'