From d32b44be6a1dd73e514a6063cad2c8c84aaed360 Mon Sep 17 00:00:00 2001 From: Adam Young Date: Wed, 17 Aug 2011 15:36:18 -0400 Subject: enable proxy for dogtag Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL connection. This patch enables renegotiate in the nss configuration file during during apache configuration, as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate. The IPA install uses the internal ports instead of proxying through httpd since httpd is not set up yet. IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose. https://fedorahosted.org/freeipa/ticket/1334 add flag to pkicreate in order to enable using proxy. add the proxy file in /etc/http/conf.d/ Signed-off-by: Simo Sorce --- freeipa.spec.in | 3 +++ install/conf/Makefile.am | 1 + install/conf/ipa-pki-proxy.conf | 25 +++++++++++++++++++++++++ install/tools/ipa-ca-install | 4 ++++ ipalib/constants.py | 10 +++++++--- ipapython/dogtag.py | 2 +- ipapython/nsslib.py | 15 ++++++++++++++- ipaserver/install/cainstance.py | 13 +++++++++++-- ipaserver/install/certs.py | 4 ++-- ipaserver/install/httpinstance.py | 5 +++++ ipaserver/plugins/dogtag.py | 2 +- 11 files changed, 74 insertions(+), 10 deletions(-) create mode 100644 install/conf/ipa-pki-proxy.conf diff --git a/freeipa.spec.in b/freeipa.spec.in index 760100cf4..a691a408e 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -303,6 +303,7 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/ipa_error.css \ # So we can own our Apache configuration mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/ /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf +/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf install -m755 ipa.init %{buildroot}%{_initrddir}/ipa %endif @@ -451,8 +452,10 @@ fi %config(noreplace) %{_sysconfdir}/ipa/html/hbac-deny-remove.html %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf +%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf %{_usr}/share/ipa/ipa.conf %{_usr}/share/ipa/ipa-rewrite.conf +%{_usr}/share/ipa/ipa-pki-proxy.conf %dir %{_usr}/share/ipa/updates/ %{_usr}/share/ipa/updates/* %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so diff --git a/install/conf/Makefile.am b/install/conf/Makefile.am index e00ad618f..5ee3eddb5 100644 --- a/install/conf/Makefile.am +++ b/install/conf/Makefile.am @@ -3,6 +3,7 @@ NULL = appdir = $(IPA_DATA_DIR) app_DATA = \ ipa.conf \ + ipa-pki-proxy.conf \ ipa-rewrite.conf \ $(NULL) diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf new file mode 100644 index 000000000..275f32645 --- /dev/null +++ b/install/conf/ipa-pki-proxy.conf @@ -0,0 +1,25 @@ +ProxyRequests Off + +# matches for ee port + + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate + NSSVerifyClient none + ProxyPassMatch ajp://localhost:9447/ + ProxyPassReverse ajp://localhost:9447/ + + +# matches for admin port + + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate + NSSVerifyClient none + ProxyPassMatch ajp://localhost:9447/ + ProxyPassReverse ajp://localhost:9447/ + + +# matches for agent port and eeca port + + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate + NSSVerifyClient require + ProxyPassMatch ajp://localhost:9447/ + ProxyPassReverse ajp://localhost:9447/ + diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 7bbba4b14..05a05dce9 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -36,6 +36,7 @@ from ipapython import version from ipalib import api, util from ipapython.config import IPAOptionParser from ipapython import sysrestore +from ipapython import ipautil CACERT="/etc/ipa/ca.crt" REPLICA_INFO_TOP_DIR=None @@ -144,6 +145,9 @@ def main(): cs.add_simple_service('dogtagldap/%s@%s' % (config.host_name, config.realm_name)) cs.add_cert_to_service() + # We need to restart apache as we drop a new config file in there + ipautil.service_restart('httpd', '', True) + try: if not os.geteuid()==0: sys.exit("\nYou must be root to run this script.\n") diff --git a/ipalib/constants.py b/ipalib/constants.py index 026e07354..51cf566e1 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -136,9 +136,13 @@ DEFAULT_CONFIG = ( # CA plugin: ('ca_host', FQDN), # Set in Env._finalize_core() - ('ca_port', 9180), - ('ca_agent_port', 9443), - ('ca_ee_port', 9444), + ('ca_port', 80), + ('ca_agent_port', 443), + ('ca_ee_port', 443), + ('ca_install_port', 9180), + ('ca_agent_install_port', 9443), + ('ca_ee_install_port', 9444), + # Special CLI: ('prompt_all', False), diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 969535e4b..02f981974 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py @@ -34,7 +34,7 @@ def get_ca_certchain(ca_host=None): if ca_host is None: ca_host = api.env.ca_host chain = None - conn = httplib.HTTPConnection(ca_host, api.env.ca_port) + conn = httplib.HTTPConnection(ca_host, api.env.ca_install_port) conn.request("GET", "/ca/ee/ca/getCertChain") res = conn.getresponse() doc = None diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py index e347d2179..c4d8cdcf6 100644 --- a/ipapython/nsslib.py +++ b/ipapython/nsslib.py @@ -208,12 +208,25 @@ class NSSConnection(httplib.HTTPConnection, NSSAddressFamilyFallback): self._create_socket() def _create_socket(self): + + #TODO remove the try block once python-nss is guaranteed to + #contain these values + try : + ssl_enable_renegotiation = SSL_ENABLE_RENEGOTIATION #pylint: disable=E0602 + ssl_require_safe_negotiation = SSL_REQUIRE_SAFE_NEGOTIATION #pylint: disable=E0602 + ssl_renegotiate_requires_xtn = SSL_RENEGOTIATE_REQUIRES_XTN #pylint: disable=E0602 + except : + ssl_enable_renegotiation = 20 + ssl_require_safe_negotiation = 21 + ssl_renegotiate_requires_xtn = 2 + # Create the socket here so we can do things like let the caller # override the NSS callbacks self.sock = ssl.SSLSocket(family=self.family) self.sock.set_ssl_option(ssl.SSL_SECURITY, True) self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True) - + self.sock.set_ssl_option(ssl_require_safe_negotiation, False) + self.sock.set_ssl_option(ssl_enable_renegotiation, ssl_renegotiate_requires_xtn) # Provide a callback which notifies us when the SSL handshake is complete self.sock.set_handshake_callback(self.handshake_callback) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 5c6c49e4b..d86b3928c 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -56,6 +56,7 @@ from ipaserver.install import certs from ipaserver.install.installutils import ReplicaConfig from ipalib import util +HTTPD_CONFD = "/etc/httpd/conf.d/" DEFAULT_DSPORT=7389 PKI_USER = "pkiuser" @@ -70,6 +71,7 @@ EE_CLIENT_AUTH_PORT=9446 UNSECURE_PORT=9180 TOMCAT_SERVER_PORT=9701 + # We need to reset the template because the CA uses the regular boot # information INF_TEMPLATE = """ @@ -537,6 +539,7 @@ class CAInstance(service.Service): self.step("requesting RA certificate from CA", self.__request_ra_certificate) self.step("issuing RA agent certificate", self.__issue_ra_cert) self.step("adding RA agent as a trusted user", self.__configure_ra) + self.step("Configure HTTP to proxy connections", self.__http_proxy) self.start_creation("Configuring certificate server", 210) @@ -557,6 +560,7 @@ class CAInstance(service.Service): '-tomcat_server_port', str(TOMCAT_SERVER_PORT), '-redirect', 'conf=/etc/pki-ca', '-redirect', 'logs=/var/log/pki-ca', + '-enable_proxy' ] ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn}) @@ -658,7 +662,7 @@ class CAInstance(service.Service): args.append("-sd_hostname") args.append(self.master_host) args.append("-sd_admin_port") - args.append(str(ADMIN_SECURE_PORT)) + args.append("443") args.append("-sd_admin_name") args.append("admin") args.append("-sd_admin_password") @@ -666,7 +670,7 @@ class CAInstance(service.Service): args.append("-clone_start_tls") args.append("true") args.append("-clone_uri") - args.append("https://%s:%d" % (self.master_host, EE_SECURE_PORT)) + args.append("https://%s:%d" % (self.master_host, 443)) else: args.append("-clone") args.append("false") @@ -1077,6 +1081,11 @@ class CAInstance(service.Service): fd.close() os.chmod(location, 0444) + def __http_proxy(self): + shutil.copy(ipautil.SHARE_DIR + "ipa-pki-proxy.conf", + HTTPD_CONFD + "ipa-pki-proxy.conf") + + def install_replica_ca(config, postinstall=False): """ Install a CA on a replica. diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index f14efe33f..d3df1681b 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -633,7 +633,7 @@ class CertDB(object): password = f.readline() f.close() http_status, http_reason_phrase, http_headers, http_body = \ - dogtag.https_request(self.host_name, api.env.ca_ee_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params) + dogtag.https_request(self.host_name, api.env.ca_ee_install_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params) if http_status != 200: raise CertificateOperationError(error='Unable to communicate with CMS (%s)' % \ @@ -715,7 +715,7 @@ class CertDB(object): password = f.readline() f.close() http_status, http_reason_phrase, http_headers, http_body = \ - dogtag.https_request(self.host_name, api.env.ca_ee_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params) + dogtag.https_request(self.host_name, api.env.ca_ee_install_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params) if http_status != 200: raise RuntimeError("Unable to submit cert request") diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index fe5f7aa95..04d1ed402 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -75,6 +75,7 @@ class HTTPInstance(service.Service): self.step("disabling mod_ssl in httpd", self.__disable_mod_ssl) self.step("setting mod_nss port to 443", self.__set_mod_nss_port) self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile) + self.step("enabling mod_nss renegotiate", self.__enable_mod_nss_renegotiate) self.step("adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("setting up ssl", self.__setup_ssl) @@ -160,6 +161,10 @@ class HTTPInstance(service.Service): def __set_mod_nss_nickname(self, nickname): installutils.set_directive(NSS_CONF, 'NSSNickname', nickname) + def __enable_mod_nss_renegotiate(self): + installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on',False) + installutils.set_directive(NSS_CONF, 'NSSRequireSafeNegotiation', 'on',False) + def __set_mod_nss_passwordfile(self): installutils.set_directive(NSS_CONF, 'NSSPassPhraseDialog', 'file:/etc/httpd/conf/password.conf') diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index d1234a0d2..23d06abc1 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1514,7 +1514,7 @@ class ra(rabase.rabase): # Call CMS http_status, http_reason_phrase, http_headers, http_body = \ - self._sslget('/ca/ee/ca/profileSubmitSSLClient', + self._sslget('/ca/eeca/ca/profileSubmitSSLClient', self.env.ca_ee_port, profileId='caIPAserviceCert', cert_request_type=request_type, -- cgit