authorEndi Sukma Dewata <edewata@redhat.com>2012-07-26 20:40:08 -0500
committerEndi Sukma Dewata <edewata@redhat.com>2012-08-03 17:07:20 -0500
commit9ca367e9c16273af11909f4c72f9c5cf5ddb0b4d (patch)
treed6ea91b97102cb948b7c767c08e96f50951aa720
parenteca4d635e67eaf3c6878d35acfaaf11df53151e2 (diff)
downloadpki-9ca367e9c16273af11909f4c72f9c5cf5ddb0b4d.tar.gz
pki-9ca367e9c16273af11909f4c72f9c5cf5ddb0b4d.tar.xz
pki-9ca367e9c16273af11909f4c72f9c5cf5ddb0b4d.zip
Enabled SSL authenticator and PKI realm.
The SSL connection has been configured with clientAuth="want" so users can choose whether to present a client certificate or a username and password. Authentication and authorization are handled by the SSL authenticator with fallback and the PKI realm. New access control rules have been added for the users, groups, and certs REST services. Ticket #107
-rw-r--r--base/ca/shared/conf/acl.ldif3
-rw-r--r--base/ca/shared/conf/server.xml2
-rw-r--r--base/ca/shared/webapps/ca/WEB-INF/auth.properties9
-rw-r--r--base/ca/shared/webapps/ca/WEB-INF/web.xml35
-rw-r--r--base/common/shared/conf/context.xml4
-rw-r--r--base/common/shared/conf/server.xml3
-rw-r--r--base/deploy/src/scriptlets/pkiparser.py14
-rw-r--r--base/deploy/src/scriptlets/slot_substitution.py12
-rwxr-xr-xbase/setup/pki1
-rwxr-xr-xbase/setup/pkicreate2
10 files changed, 80 insertions, 5 deletions
diff --git a/base/ca/shared/conf/acl.ldif b/base/ca/shared/conf/acl.ldif
index ceea1f27a..aec1447e5 100644
--- a/base/ca/shared/conf/acl.ldif
+++ b/base/ca/shared/conf/acl.ldif
@@ -51,3 +51,6 @@ resourceACLS: certServer.ca.connectorInfo:read,modify:allow (modify,read) group=
resourceACLS: certServer.ca.registerUser:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to register a new agent
resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators":Only Enterprise Administrators are allowed to clone the configuration.
resourceACLS: certServer.admin.ocsp:read,modify:allow (modify,read) group="Enterprise OCSP Administrators":Only Enterprise Administrators are allowed to read or update the OCSP configuration.
+resourceACLS: certServer.ca.certs:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert operations
+resourceACLS: certServer.ca.groups:execute:allow (execute) group="Administrators":Admins may execute group operations
+resourceACLS: certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations
diff --git a/base/ca/shared/conf/server.xml b/base/ca/shared/conf/server.xml
index 4056fbbb7..60317d2fa 100644
--- a/base/ca/shared/conf/server.xml
+++ b/base/ca/shared/conf/server.xml
@@ -84,7 +84,7 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
-->
[PKI_UNSECURE_PORT_SERVER_COMMENT]
- <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="8443"
+ <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="[PKI_SECURE_PORT]"
maxHttpHeaderSize="8192"
acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"
diff --git a/base/ca/shared/webapps/ca/WEB-INF/auth.properties b/base/ca/shared/webapps/ca/WEB-INF/auth.properties
new file mode 100644
index 000000000..ebb1c6c3f
--- /dev/null
+++ b/base/ca/shared/webapps/ca/WEB-INF/auth.properties
@@ -0,0 +1,9 @@
+# Restful API auth/authz mapping info
+#
+# Format:
+# <Rest API URL> = <ACL Resource ID>,<ACL resource operation>
+# ex: /ca/pki/users = certServer.ca.users,read
+
+/ca/rest/admin/users = certServer.ca.users,execute
+/ca/rest/admin/groups = certServer.ca.groups,execute
+/ca/rest/agent/certs = certServer.ca.certs,execute
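Review bot: The header example `# ex: /ca/pki/users = certServer.ca.users,read` uses a path prefix (`/ca/pki/`) that none of the three entries below follows; every real key starts with `/ca/rest/`, so the example should read `# ex: /ca/rest/admin/users = certServer.ca.users,read` to avoid misleading whoever adds the next mapping. The keys here are whole request paths, while web.xml protects `/rest/admin/*` and `/rest/agent/certs/*` with wildcards; whether a key is matched by prefix or exactly, and what the realm does for a protected path that has no entry here, is not visible in this commit. That contract belongs in the header comment, since the safe reading (unmapped protected path is denied) is what a reader will assume.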
diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml
index 7ec3932c9..af474872e 100644
--- a/base/ca/shared/webapps/ca/WEB-INF/web.xml
+++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml
@@ -2382,5 +2382,40 @@
<session-config>
<session-timeout>30</session-timeout>
</session-config>
+
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Admin Services</web-resource-name>
+ <url-pattern>/rest/admin/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Agent Services</web-resource-name>
+ <url-pattern>/rest/agent/certs/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
+ <login-config>
+ <realm-name>Certificate Authority</realm-name>
+ </login-config>
+
+ <security-role>
+ <role-name>*</role-name>
+ </security-role>
+
</web-app>
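Review bot: Both `<auth-constraint>` blocks use `<role-name>*</role-name>`, so the container check admits any authenticated principal regardless of group; the admin/agent distinction therefore has to come from the realm's ACL mapping, and nothing in web.xml says so. A comment above the first constraint, `<!-- Any authenticated user passes the container check; per-URL authorization is enforced by PKIRealm via WEB-INF/auth.properties -->`, would keep a later editor from assuming these constraints alone restrict the paths to administrators or agents. The `<security-role>*</security-role>` declaration presumably exists so the all-roles check resolves against a declared role; it is worth confirming that the principal returned by PKIRealm satisfies it rather than relying on container-specific handling of `*`.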
diff --git a/base/common/shared/conf/context.xml b/base/common/shared/conf/context.xml
index 4b00dbe3c..b28f1bd20 100644
--- a/base/common/shared/conf/context.xml
+++ b/base/common/shared/conf/context.xml
@@ -39,4 +39,8 @@
<Valve className="org.apache.catalina.valves.CometConnectionManagerValve" />
-->
+ <Valve className="com.netscape.cmscore.realm.SSLAuthenticatorWithFallback" />
+
+ <Realm className="com.netscape.cmscore.realm.PKIRealm" />
+
</Context>
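Review bot: The `SSLAuthenticatorWithFallback` valve and `PKIRealm` are added to the shared context.xml under base/common, while the matching ACL entries and auth.properties in this commit are added only for the CA webapp. If other subsystems are deployed from this same context.xml, they will run the authenticator and realm without an auth.properties mapping, and the outcome depends on how the realm treats a missing mapping file, which is not visible here. A comment on the Realm line, `<!-- authorization mapping is read from the webapp's WEB-INF/auth.properties -->`, would make that dependency explicit for each subsystem that picks up this file.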
diff --git a/base/common/shared/conf/server.xml b/base/common/shared/conf/server.xml
index d3c781a6b..596b7e356 100644
--- a/base/common/shared/conf/server.xml
+++ b/base/common/shared/conf/server.xml
@@ -117,7 +117,7 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
-->
[PKI_UNSECURE_PORT_SERVER_COMMENT]
- <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="8443"
+ <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="[PKI_SECURE_PORT]"
maxHttpHeaderSize="8192"
acceptCount="100" maxThreads="150" minSpareThreads="25"
enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"
@@ -186,7 +186,6 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
ocspTimeout="10"
strictCiphers="false"
clientAuth="[PKI_AGENT_CLIENTAUTH]"
- clientauth="[PKI_AGENT_CLIENTAUTH]"
sslOptions="[TOMCAT_SSL_OPTIONS]"
ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py
index 5674cf87a..66c1e4085 100644
--- a/base/deploy/src/scriptlets/pkiparser.py
+++ b/base/deploy/src/scriptlets/pkiparser.py
@@ -400,6 +400,9 @@ def compose_pki_master_dictionary():
config.pki_master_dict['pki_source_server_xml'] =\
os.path.join(config.pki_master_dict['pki_source_shared_path'],
"server.xml")
+ config.pki_master_dict['pki_source_context_xml'] =\
+ os.path.join(config.pki_master_dict['pki_source_shared_path'],
+ "context.xml")
config.pki_master_dict['pki_source_tomcat_conf'] =\
os.path.join(config.pki_master_dict['pki_source_shared_path'],
"tomcat.conf")
@@ -984,6 +987,10 @@ def compose_pki_master_dictionary():
os.path.join(
config.pki_master_dict['pki_instance_configuration_path'],
"server.xml")
+ config.pki_master_dict['pki_target_context_xml'] =\
+ os.path.join(
+ config.pki_master_dict['pki_instance_configuration_path'],
+ "context.xml")
config.pki_master_dict['pki_target_tomcat_conf_instance_id'] =\
config.pki_master_dict['pki_root_prefix'] +\
"/etc/sysconfig/" +\
@@ -997,6 +1004,11 @@ def compose_pki_master_dictionary():
config.pki_master_dict['pki_tomcat_webapps_root_path'],
"index.jsp")
# in-place slot substitution name/value pairs
+ config.pki_master_dict['pki_target_auth_properties'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
+ "WEB-INF",
+ "auth.properties")
config.pki_master_dict['pki_target_velocity_properties'] =\
os.path.join(
config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
@@ -1131,7 +1143,7 @@ def compose_pki_master_dictionary():
['PKI_ADMIN_SECURE_PORT_SERVER_COMMENT_SLOT'] =\
""
config.pki_master_dict['PKI_AGENT_CLIENTAUTH_SLOT'] =\
- "agent"
+ "want"
config.pki_master_dict['PKI_AGENT_SECURE_PORT_SLOT'] =\
config.pki_master_dict['pki_https_port']
config.pki_master_dict['PKI_AJP_PORT_SLOT'] =\
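Review bot: The switch from `"agent"` to `"want"` on the PKI_AGENT_CLIENTAUTH_SLOT assignment carries no explanation in the code, and the same literal change is repeated in pkicreate (`$slot_hash{$PKI_AGENT_CLIENTAUTH_SLOT} = "want";`). A one-line comment above the assignment, `# "want": client certificate is requested but optional; the SSL authenticator falls back to username/password when none is presented`, ties the value to the valve configured in context.xml and records that the connector no longer requires a certificate. compose_pki_master_dictionary begins and ends outside this hunk.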
diff --git a/base/deploy/src/scriptlets/slot_substitution.py b/base/deploy/src/scriptlets/slot_substitution.py
index 3467596e8..482d1d9cb 100644
--- a/base/deploy/src/scriptlets/slot_substitution.py
+++ b/base/deploy/src/scriptlets/slot_substitution.py
@@ -54,6 +54,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_target_server_xml'],
overwrite_flag=True)
util.file.copy_with_slot_substitution(
+ master['pki_source_context_xml'],
+ master['pki_target_context_xml'],
+ overwrite_flag=True)
+ util.file.copy_with_slot_substitution(
master['pki_source_tomcat_conf'],
master['pki_target_tomcat_conf_instance_id'],
uid=0, gid=0, overwrite_flag=True)
@@ -66,6 +70,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_target_index_jsp'],
overwrite_flag=True)
util.file.apply_slot_substitution(
+ master['pki_target_auth_properties'])
+ util.file.apply_slot_substitution(
master['pki_target_velocity_properties'])
util.file.apply_slot_substitution(
master['pki_target_subsystem_web_xml'])
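Review bot: `util.file.apply_slot_substitution(master['pki_target_auth_properties'])` is called unconditionally, but the diffstat shows auth.properties being added only under base/ca/shared/webapps/ca; if this scriptlet also deploys other subsystems from the same master dictionary, the target file will not exist for them. Unless apply_slot_substitution is known to tolerate a missing file, guard the call with an existence check, e.g. `if os.path.exists(master['pki_target_auth_properties']):` before it. The same call, and the context.xml copy added at `@@ -54`, are duplicated in the hunks at `@@ -109` and `@@ -121`; the enclosing PkiScriptlet methods start and end outside these hunks, so the duplication follows the file's existing spawn/respawn layout rather than being introduced here.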
@@ -109,6 +115,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_target_server_xml'],
overwrite_flag=True)
util.file.copy_with_slot_substitution(
+ master['pki_source_context_xml'],
+ master['pki_target_context_xml'],
+ overwrite_flag=True)
+ util.file.copy_with_slot_substitution(
master['pki_source_tomcat_conf'],
master['pki_target_tomcat_conf_instance_id'],
uid=0, gid=0, overwrite_flag=True)
@@ -121,6 +131,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_target_index_jsp'],
overwrite_flag=True)
util.file.apply_slot_substitution(
+ master['pki_target_auth_properties'])
+ util.file.apply_slot_substitution(
master['pki_target_velocity_properties'])
util.file.apply_slot_substitution(
master['pki_target_subsystem_web_xml'])
diff --git a/base/setup/pki b/base/setup/pki
index a2d5a69d6..90c863f35 100755
--- a/base/setup/pki
+++ b/base/setup/pki
@@ -75,6 +75,7 @@ $ENV{CLASSPATH} = "/usr/share/java/${PRODUCT}/pki-certsrv.jar:"
. "/usr/share/java/${PRODUCT}/pki-cms.jar:"
. "/usr/share/java/${PRODUCT}/pki-nsutil.jar:"
. "/usr/share/java/apache-commons-cli.jar:"
+ . "/usr/share/java/apache-commons-codec.jar:"
. "/usr/share/java/apache-commons-lang.jar:"
. "/usr/share/java/apache-commons-logging.jar:"
. "/usr/share/java/commons-httpclient.jar:"
diff --git a/base/setup/pkicreate b/base/setup/pkicreate
index 6abb73755..cc4ee703f 100755
--- a/base/setup/pkicreate
+++ b/base/setup/pkicreate
@@ -2560,7 +2560,7 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so
$slot_hash{$PKI_EE_SECURE_CLIENT_AUTH_PORT_COMMENT_SERVER_SLOT} = "";
# Set appropriate "clientAuth" parameter for "Shared Ports"
- $slot_hash{$PKI_AGENT_CLIENTAUTH_SLOT} = "agent";
+ $slot_hash{$PKI_AGENT_CLIENTAUTH_SLOT} = "want";
# Comment out the "Admin/EE" Ports
$slot_hash{$PKI_OPEN_SEPARATE_PORTS_COMMENT_SERVER_SLOT} = $PKI_OPEN_COMMENT;