Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/install/cainstance.py | 14 | ||||
-rw-r--r-- | ipaserver/install/certs.py | 4 | ||||
-rw-r--r-- | ipaserver/plugins/dogtag.py | 6 | ||||
-rw-r--r-- | ipaserver/plugins/rabase.py | 2 |
4 files changed, 8 insertions, 18 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index f31bdc6d2..69921a33a 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -56,6 +56,7 @@ PKI_INSTANCE_NAME="pki-ca"
 AGENT_SECURE_PORT=9443
 EE_SECURE_PORT=9444
 ADMIN_SECURE_PORT=9445
+EE_CLIENT_AUTH_PORT=9446
 UNSECURE_PORT=9180
 TOMCAT_SERVER_PORT=9701
@@ -482,6 +483,7 @@ class CAInstance(service.Service):
 '-agent_secure_port', str(AGENT_SECURE_PORT),
 '-ee_secure_port', str(EE_SECURE_PORT),
 '-admin_secure_port', str(ADMIN_SECURE_PORT),
+ '-ee_secure_client_auth_port', str(EE_CLIENT_AUTH_PORT),
 '-unsecure_port', str(UNSECURE_PORT),
 '-tomcat_server_port', str(TOMCAT_SERVER_PORT),
 '-redirect', 'conf=/etc/pki-ca',
@@ -518,18 +520,6 @@ class CAInstance(service.Service):
 pent = pwd.getpwnam(self.pki_user)
 os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
- # Update the servlet mapping to so we use the agent interface rather
- # than the end-user interface. The agent interface always requires
- # client auth which lets us work work around the NSS change which
- # disallows renegotation (CVE-2009-3555)
- #
- # The spaces here, while ugly, are required because update_file()
- # escapes the incoming string.
- installutils.update_file('/var/lib/%s/webapps/ca/WEB-INF/web.xml' % PKI_INSTANCE_NAME,
- ' <url-pattern> /ee/ca/profileSubmitSSLClient </url-pattern>',
- ' <url-pattern> /agent/ca/profileSubmitSSLClient </url-pattern>'
-)
-
 logging.debug("restarting ca instance")
 try:
 self.restart()
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 4b8a57e92..05c9213bb 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
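Review bot: The reason certificate requests must go through a listener that always requires client authentication survives only in the comment that the cainstance.py hunk at @@ -518 deletes, so the new `EE_CLIENT_AUTH_PORT=9446` constant from the first hunk is left unexplained. I would add a comment above that constant, for example `# EE listener that always requires client auth; needed since NSS disallows renegotiation (CVE-2009-3555)`, worded to match what pkicreate actually configures for `-ee_secure_client_auth_port`. The method containing the second and third hunks starts and ends outside the visible lines.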
@@ -570,7 +570,7 @@ class CertDB(object):
 password = f.readline()
 f.close()
 http_status, http_reason_phrase, http_headers, http_body = \
- dogtag.https_request(self.host_name, api.env.ca_agent_port, "/ca/agent/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
+ dogtag.https_request(self.host_name, api.env.ca_ee_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
 if http_status != 200:
 raise CertificateOperationError(error=_('Unable to communicate with CMS (%s)') % \
@@ -657,7 +657,7 @@ class CertDB(object):
 password = f.readline()
 f.close()
 http_status, http_reason_phrase, http_headers, http_body = \
- dogtag.https_request(self.host_name, api.env.ca_agent_port, "/ca/agent/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
+ dogtag.https_request(self.host_name, api.env.ca_ee_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
 if http_status != 200:
 raise RuntimeError("Unable to submit cert request")
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 4c572da47..2b0529e0e 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1208,7 +1208,7 @@ class ra(rabase.rabase):
 Request Authority backend plugin.
 """
 def __init__(self):
- if api.env.home:
+ if api.env.in_tree:
 self.sec_dir = api.env.dot_ipa + os.sep + 'alias'
 self.pwd_file = self.sec_dir + os.sep + '.pwd'
 else:
@@ -1452,8 +1452,8 @@ class ra(rabase.rabase):
 # Call CMS
 http_status, http_reason_phrase, http_headers, http_body = \
- self._sslget('/ca/agent/ca/profileSubmitSSLClient',
- self.env.ca_agent_port,
+ self._sslget('/ca/ee/ca/profileSubmitSSLClient',
+ self.env.ca_ee_port,
 profileId='caIPAserviceCert',
 cert_request_type=request_type,
 cert_request=csr,
diff --git a/ipaserver/plugins/rabase.py b/ipaserver/plugins/rabase.py
index c6aabf71c..7a3e4e397 100644
--- a/ipaserver/plugins/rabase.py
+++ b/ipaserver/plugins/rabase.py
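Review bot: Both certs.py hunks (@@ -570 and @@ -657) and the dogtag.py hunk at @@ -1452 now send the client-certificate request to `ca_ee_port`, whose value is not visible in this diff, while cainstance.py defines two EE listeners, `EE_SECURE_PORT=9444` and `EE_CLIENT_AUTH_PORT=9446`. If `ca_ee_port` resolves to the listener without mandatory client auth, submission with the `ipaCert` certificate may depend on TLS renegotiation, which the comment removed from cainstance.py says NSS no longer allows; please confirm which port it maps to. The path `/ca/ee/ca/profileSubmitSSLClient` is also repeated at all three call sites and would be safer as one shared constant. The enclosing methods begin and end outside these hunks.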
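Review bot: The condition `if api.env.in_tree:` in `ra.__init__` (dogtag.py @@ -1208, and identically in rabase.py @@ -41) decides which directory supplies the NSS database and the `.pwd` password file, yet nothing documents why being in-tree is the right test. A one-line comment such as `# in-tree runs use the per-user database under dot_ipa; otherwise use the installed location` would make that choice explicit. This assumes the else branch points at the installed location, which cannot be confirmed here because it lies outside the hunk. It is also worth confirming that no caller still relied on the old `api.env.home` behaviour to find its credentials.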
@@ -41,7 +41,7 @@ class rabase(Backend):
 Request Authority backend plugin.
 """
 def __init__(self):
- if api.env.home:
+ if api.env.in_tree:
 self.sec_dir = api.env.dot_ipa + os.sep + 'alias'
 self.pwd_file = self.sec_dir + os.sep + '.pwd'
 self.serial_file = self.sec_dir + os.sep + 'ca_serialno' |