Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/install/cainstance.py | 13 | ||||
-rw-r--r-- | ipaserver/install/certs.py | 4 | ||||
-rw-r--r-- | ipaserver/install/httpinstance.py | 5 | ||||
-rw-r--r-- | ipaserver/plugins/dogtag.py | 2 |
4 files changed, 19 insertions, 5 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 5c6c49e4b..d86b3928c 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -56,6 +56,7 @@ from ipaserver.install import certs
 from ipaserver.install.installutils import ReplicaConfig
 from ipalib import util
+HTTPD_CONFD = "/etc/httpd/conf.d/"
 DEFAULT_DSPORT=7389
 PKI_USER = "pkiuser"
@@ -70,6 +71,7 @@ EE_CLIENT_AUTH_PORT=9446
 UNSECURE_PORT=9180
 TOMCAT_SERVER_PORT=9701
+
 # We need to reset the template because the CA uses the regular boot
 # information
 INF_TEMPLATE = """
@@ -537,6 +539,7 @@ class CAInstance(service.Service):
 self.step("requesting RA certificate from CA", self.__request_ra_certificate)
 self.step("issuing RA agent certificate", self.__issue_ra_cert)
 self.step("adding RA agent as a trusted user", self.__configure_ra)
+ self.step("Configure HTTP to proxy connections", self.__http_proxy)
 self.start_creation("Configuring certificate server", 210)
@@ -557,6 +560,7 @@ class CAInstance(service.Service):
 '-tomcat_server_port', str(TOMCAT_SERVER_PORT),
 '-redirect', 'conf=/etc/pki-ca',
 '-redirect', 'logs=/var/log/pki-ca',
+ '-enable_proxy'
 ]
 ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn})
@@ -658,7 +662,7 @@ class CAInstance(service.Service):
 args.append("-sd_hostname")
 args.append(self.master_host)
 args.append("-sd_admin_port")
- args.append(str(ADMIN_SECURE_PORT))
+ args.append("443")
 args.append("-sd_admin_name")
 args.append("admin")
 args.append("-sd_admin_password")
@@ -666,7 +670,7 @@ class CAInstance(service.Service):
 args.append("-clone_start_tls")
 args.append("true")
 args.append("-clone_uri")
- args.append("https://%s:%d" % (self.master_host, EE_SECURE_PORT))
+ args.append("https://%s:%d" % (self.master_host, 443))
 else:
 args.append("-clone")
 args.append("false")
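Review bot: `args.append("443")` in the -sd_admin_port hunk and `(self.master_host, 443)` in the -clone_uri hunk replace the named ADMIN_SECURE_PORT and EE_SECURE_PORT constants with a bare literal, so the only hint that the security domain and clone URI are now reached through the httpd proxy is the number itself. A module-level constant next to the new HTTPD_CONFD, e.g. `PROXY_PORT = 443` with the comment `# CA admin/EE traffic is reached through the httpd reverse proxy on 443, not the Tomcat ports`, would keep both call sites in sync and record the reason. The clone URI also formats the port with `%d` against an int while the admin port is passed as the string `"443"`; one constant used in both places stops the two representations drifting. Both args-building blocks start and end outside their hunks.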
@@ -1077,6 +1081,11 @@ class CAInstance(service.Service):
 fd.close()
 os.chmod(location, 0444)
+ def __http_proxy(self):
+ shutil.copy(ipautil.SHARE_DIR + "ipa-pki-proxy.conf",
+ HTTPD_CONFD + "ipa-pki-proxy.conf")
+
+
 def install_replica_ca(config, postinstall=False):
 """
 Install a CA on a replica.
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index f14efe33f..d3df1681b 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -633,7 +633,7 @@ class CertDB(object):
 password = f.readline()
 f.close()
 http_status, http_reason_phrase, http_headers, http_body = \
- dogtag.https_request(self.host_name, api.env.ca_ee_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
+ dogtag.https_request(self.host_name, api.env.ca_ee_install_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
 if http_status != 200:
 raise CertificateOperationError(error='Unable to communicate with CMS (%s)' % \
@@ -715,7 +715,7 @@ class CertDB(object):
 password = f.readline()
 f.close()
 http_status, http_reason_phrase, http_headers, http_body = \
- dogtag.https_request(self.host_name, api.env.ca_ee_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
+ dogtag.https_request(self.host_name, api.env.ca_ee_install_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
 if http_status != 200:
 raise RuntimeError("Unable to submit cert request")
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index fe5f7aa95..04d1ed402 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
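Review bot: `__http_proxy` installs the proxy configuration with `shutil.copy`, which carries over the mode bits of the source file under ipautil.SHARE_DIR, so whether the resulting /etc/httpd/conf.d/ipa-pki-proxy.conf is root-owned and not group- or world-writable depends entirely on how the packaged file is shipped; the code just above in this hunk does an explicit `os.chmod(location, 0444)`, and an explicit chmod after the copy would make the same guarantee local to this step. A short docstring is also warranted, because what this step actually exposes — which Dogtag ports and paths become reachable on 443 — is decided by the contents of ipa-pki-proxy.conf, which is not part of this diff; something like `"""Install the httpd config that proxies the CA's Tomcat ports behind 443."""` with a pointer to the data file. The two trailing `+` blank lines leave three empty lines before install_replica_ca, one more than PEP 8 uses between top-level definitions. `shutil` must be imported in this module; the import block is outside the hunk, so I cannot confirm it is.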
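Review bot: Both certs.py hunks (@@ -633 and @@ -715) switch the request to `api.env.ca_ee_install_port`, an env key that is not defined anywhere in this diff; if it is not added to the ipalib environment defaults the install step will fail with an AttributeError instead of a clear error, so the definition belongs with this change, together with a comment on why installation has to use a direct port (presumably the proxy is not yet in place when these requests are made). The two hunks are otherwise identical apart from the exception raised, which suggests the `https_request` call — host, port, path and nickname — should live in one private helper so the next port or path change is made once. The enclosing methods start and end outside the hunks.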
@@ -75,6 +75,7 @@ class HTTPInstance(service.Service):
 self.step("disabling mod_ssl in httpd", self.__disable_mod_ssl)
 self.step("setting mod_nss port to 443", self.__set_mod_nss_port)
 self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
+ self.step("enabling mod_nss renegotiate", self.__enable_mod_nss_renegotiate)
 self.step("adding URL rewriting rules", self.__add_include)
 self.step("configuring httpd", self.__configure_http)
 self.step("setting up ssl", self.__setup_ssl)
@@ -160,6 +161,10 @@ class HTTPInstance(service.Service):
 def __set_mod_nss_nickname(self, nickname):
 installutils.set_directive(NSS_CONF, 'NSSNickname', nickname)
+ def __enable_mod_nss_renegotiate(self):
+ installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on',False)
+ installutils.set_directive(NSS_CONF, 'NSSRequireSafeNegotiation', 'on',False)
+
 def __set_mod_nss_passwordfile(self):
 installutils.set_directive(NSS_CONF, 'NSSPassPhraseDialog', 'file:/etc/httpd/conf/password.conf')
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index d1234a0d2..23d06abc1 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1514,7 +1514,7 @@ class ra(rabase.rabase):
 # Call CMS
 http_status, http_reason_phrase, http_headers, http_body = \
- self._sslget('/ca/ee/ca/profileSubmitSSLClient',
+ self._sslget('/ca/eeca/ca/profileSubmitSSLClient',
 self.env.ca_ee_port,
 profileId='caIPAserviceCert',
 cert_request_type=request_type, |
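Review bot: `__enable_mod_nss_renegotiate` turns on `NSSRenegotiation` with no comment on why, and enabling TLS renegotiation is exactly the kind of mod_nss change a later reviewer will want justified; presumably it is needed because the proxied CA paths request a client certificate after the initial handshake, and that reasoning belongs in the code. The commit does pair it with `NSSRequireSafeNegotiation on`, which limits renegotiation to peers that support the RFC 5746 secure-renegotiation extension, so I would put `# Renegotiation is needed so the proxied CA endpoints can request a client cert; NSSRequireSafeNegotiation restricts it to RFC 5746-capable peers` above the two calls. The fourth positional argument `'on',False` is unexplained here (set_directive's signature is not in the hunk) and lacks a space after the comma; passing it by keyword, whatever its name is, would make the intent readable. The step text in the @@ -75 hunk says "renegotiate" while two directives are set; `"enabling mod_nss safe renegotiation"` describes both.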
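Review bot: The path changes to `/ca/eeca/ca/profileSubmitSSLClient` while the two certs.py hunks in this same commit keep `/ca/ee/ca/profileSubmitSSLClient` on a different port setting, and nothing in the code explains the split; presumably `/ca/eeca/` is a prefix the new httpd proxy maps to the EE client-auth port, but a reader of this call cannot tell whether the differing prefix is deliberate or a typo. A comment on the `_sslget` line stating which component serves `/ca/eeca/` and why certs.py uses the other prefix, or better a shared module-level constant for the profile-submit path, would pin that down. `self.env.ca_ee_port` is still used here, so this request only reaches the proxy if that setting now resolves to 443, which is not changed in this diff. The enclosing method starts and ends outside the hunk.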