Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/cainstance.py13
-rw-r--r--ipaserver/install/certs.py4
-rw-r--r--ipaserver/install/httpinstance.py5
-rw-r--r--ipaserver/plugins/dogtag.py2
4 files changed, 19 insertions, 5 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 5c6c49e4b..d86b3928c 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -56,6 +56,7 @@ from ipaserver.install import certs
from ipaserver.install.installutils import ReplicaConfig
from ipalib import util
+HTTPD_CONFD = "/etc/httpd/conf.d/"
DEFAULT_DSPORT=7389
PKI_USER = "pkiuser"
@@ -70,6 +71,7 @@ EE_CLIENT_AUTH_PORT=9446
UNSECURE_PORT=9180
TOMCAT_SERVER_PORT=9701
+
# We need to reset the template because the CA uses the regular boot
# information
INF_TEMPLATE = """
@@ -537,6 +539,7 @@ class CAInstance(service.Service):
self.step("requesting RA certificate from CA", self.__request_ra_certificate)
self.step("issuing RA agent certificate", self.__issue_ra_cert)
self.step("adding RA agent as a trusted user", self.__configure_ra)
+ self.step("Configure HTTP to proxy connections", self.__http_proxy)
self.start_creation("Configuring certificate server", 210)
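Review bot: The new step label on the added line, `Configure HTTP to proxy connections`, is capitalized and phrased as an imperative while every neighbouring label is a lowercase progressive (`requesting RA certificate from CA`, `adding RA agent as a trusted user`), so the installer's progress output will look inconsistent. Use `self.step("configuring httpd to proxy CA connections", self.__http_proxy)` to match. Appending it after `__configure_ra` looks fine since the step only installs a config file, but the enclosing method starts outside the hunk, so I cannot see whether a later step depends on httpd already having picked up the new file.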
@@ -557,6 +560,7 @@ class CAInstance(service.Service):
'-tomcat_server_port', str(TOMCAT_SERVER_PORT),
'-redirect', 'conf=/etc/pki-ca',
'-redirect', 'logs=/var/log/pki-ca',
+ '-enable_proxy'
]
ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn})
@@ -658,7 +662,7 @@ class CAInstance(service.Service):
args.append("-sd_hostname")
args.append(self.master_host)
args.append("-sd_admin_port")
- args.append(str(ADMIN_SECURE_PORT))
+ args.append("443")
args.append("-sd_admin_name")
args.append("admin")
args.append("-sd_admin_password")
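Review bot: The replaced line swaps a named constant (`ADMIN_SECURE_PORT`) for the bare literal `"443"`, and the same literal reappears in the `-clone_uri` hunk below; define something like `PROXY_SECURE_PORT = 443` next to the other port constants and write `args.append(str(PROXY_SECURE_PORT))` here. The constant also documents the security-relevant decision this change makes: the security-domain admin port is now reached through the master's httpd rather than Dogtag's own admin listener, so the proxy configuration on the master has to expose that admin path to the network — presumably intentional, but a one-line comment saying so would help the next reader decide what the proxy may safely restrict. The enclosing `if` branch starts outside the hunk.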
@@ -666,7 +670,7 @@ class CAInstance(service.Service):
args.append("-clone_start_tls")
args.append("true")
args.append("-clone_uri")
- args.append("https://%s:%d" % (self.master_host, EE_SECURE_PORT))
+ args.append("https://%s:%d" % (self.master_host, 443))
else:
args.append("-clone")
args.append("false")
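Review bot: The clone URI now targets port `443` on the master instead of `EE_SECURE_PORT`, which means a replica installed against a master that has not yet received the `ipa-pki-proxy.conf` file from this commit will fail at the clone step with a generic connection or 404 error rather than anything pointing at the missing proxy; if mixed-version masters are possible this deserves either a pre-flight check or at least an installer message naming the proxy requirement. Independently of that, embedding `443` in the format tuple duplicates the literal from the `-sd_admin_port` hunk above; `args.append("https://%s:%d" % (self.master_host, PROXY_SECURE_PORT))` with a shared constant keeps the two in step. The `else` branch continues past the hunk.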
@@ -1077,6 +1081,11 @@ class CAInstance(service.Service):
fd.close()
os.chmod(location, 0444)
+ def __http_proxy(self):
+ shutil.copy(ipautil.SHARE_DIR + "ipa-pki-proxy.conf",
+ HTTPD_CONFD + "ipa-pki-proxy.conf")
+
+
def install_replica_ca(config, postinstall=False):
"""
Install a CA on a replica.
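Review bot: `__http_proxy` drops a file into `/etc/httpd/conf.d/` with `shutil.copy`, which carries over whatever mode bits the source file in `SHARE_DIR` happens to have and silently accepts them; since this file decides which Dogtag endpoints the host exposes through httpd, set the mode explicitly, e.g. add `os.chmod(HTTPD_CONFD + "ipa-pki-proxy.conf", 0644)` after the copy (`os` is already used at the `os.chmod(location, 0444)` line above). It also looks like the file is not registered with any backup/restore or uninstall bookkeeping, so `ipa-server-install --uninstall` would presumably leave the proxy rules in place — worth confirming against the uninstall path, which is outside this hunk. I am assuming `shutil` is imported at the top of the file; that import is not visible here. A short docstring such as `"""Install the httpd proxy rules that forward CA requests on 443 to Dogtag."""` would make the step's purpose clear.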
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index f14efe33f..d3df1681b 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -633,7 +633,7 @@ class CertDB(object):
password = f.readline()
f.close()
http_status, http_reason_phrase, http_headers, http_body = \
- dogtag.https_request(self.host_name, api.env.ca_ee_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
+ dogtag.https_request(self.host_name, api.env.ca_ee_install_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
if http_status != 200:
raise CertificateOperationError(error='Unable to communicate with CMS (%s)' % \
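Review bot: The new line reads `api.env.ca_ee_install_port`, an environment key that does not exist anywhere in this diff; unless it is added to ipalib's env defaults in the same commit, this call raises `AttributeError` during installation before any request is made, so please confirm the key is defined. The request path here stays `/ca/ee/ca/profileSubmitSSLClient` while the dogtag.py hunk in this commit changes its own path to `/ca/eeca/ca/profileSubmitSSLClient`; that is presumably because the install port talks to Dogtag directly rather than through the new httpd proxy, but a comment on this line saying so (`# direct Dogtag EE port: httpd proxy is not configured yet at install time`) would stop someone "fixing" the inconsistency later. The enclosing method starts outside the hunk.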
@@ -715,7 +715,7 @@ class CertDB(object):
password = f.readline()
f.close()
http_status, http_reason_phrase, http_headers, http_body = \
- dogtag.https_request(self.host_name, api.env.ca_ee_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
+ dogtag.https_request(self.host_name, api.env.ca_ee_install_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
if http_status != 200:
raise RuntimeError("Unable to submit cert request")
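Review bot: This is the second method in `CertDB` that builds the identical `dogtag.https_request(self.host_name, api.env.ca_ee_install_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)` line, so the port change had to be made twice and any future change to the proxy/port logic will have to be made twice again. Consider extracting a private helper such as `def _submit_profile_request(self, password, **params)` that returns the `(http_status, http_reason_phrase, http_headers, http_body)` tuple and calling it from both methods. The enclosing method starts outside the hunk.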
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index fe5f7aa95..04d1ed402 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -75,6 +75,7 @@ class HTTPInstance(service.Service):
self.step("disabling mod_ssl in httpd", self.__disable_mod_ssl)
self.step("setting mod_nss port to 443", self.__set_mod_nss_port)
self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
+ self.step("enabling mod_nss renegotiate", self.__enable_mod_nss_renegotiate)
self.step("adding URL rewriting rules", self.__add_include)
self.step("configuring httpd", self.__configure_http)
self.step("setting up ssl", self.__setup_ssl)
@@ -160,6 +161,10 @@ class HTTPInstance(service.Service):
def __set_mod_nss_nickname(self, nickname):
installutils.set_directive(NSS_CONF, 'NSSNickname', nickname)
+ def __enable_mod_nss_renegotiate(self):
+ installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on',False)
+ installutils.set_directive(NSS_CONF, 'NSSRequireSafeNegotiation', 'on',False)
+
def __set_mod_nss_passwordfile(self):
installutils.set_directive(NSS_CONF, 'NSSPassPhraseDialog', 'file:/etc/httpd/conf/password.conf')
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index d1234a0d2..23d06abc1 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1514,7 +1514,7 @@ class ra(rabase.rabase):
# Call CMS
http_status, http_reason_phrase, http_headers, http_body = \
- self._sslget('/ca/ee/ca/profileSubmitSSLClient',
+ self._sslget('/ca/eeca/ca/profileSubmitSSLClient',
self.env.ca_ee_port,
profileId='caIPAserviceCert',
cert_request_type=request_type,