summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authormharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-02-25 00:51:41 +0000
committermharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-02-25 00:51:41 +0000
commit9c2b222571f70cce8b5c1c6c469e3266535b2fc1 (patch)
tree1554e8dbb02724a9f3b525276a7475f34c1f60c9
parentf1afa835f94b7d5a60396aba77ee11cca93aef88 (diff)
downloadpki-9c2b222571f70cce8b5c1c6c469e3266535b2fc1.tar.gz
pki-9c2b222571f70cce8b5c1c6c469e3266535b2fc1.tar.xz
pki-9c2b222571f70cce8b5c1c6c469e3266535b2fc1.zip
Bugzilla Bug #485859 - port separation for RA and TPS.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@243 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
-rw-r--r--pki/base/ra/apache/conf/nss.conf100
-rw-r--r--pki/base/ra/doc/CS.cfg1
-rwxr-xr-xpki/base/ra/lib/perl/PKI/RA/DonePanel.pm4
-rwxr-xr-xpki/base/ra/setup/postinstall3
-rwxr-xr-xpki/base/setup/pkicreate344
-rwxr-xr-xpki/base/setup/pkiremove10
-rw-r--r--pki/base/tps/apache/conf/nss.conf100
-rw-r--r--pki/base/tps/doc/CS.cfg1
-rwxr-xr-xpki/base/tps/lib/perl/PKI/TPS/DonePanel.pm4
-rwxr-xr-xpki/base/tps/setup/postinstall3
-rw-r--r--pki/dogtag/ra/pki-ra.spec4
-rw-r--r--pki/dogtag/setup/pki-setup.spec4
-rw-r--r--pki/dogtag/tps/pki-tps.spec4
13 files changed, 447 insertions, 135 deletions
diff --git a/pki/base/ra/apache/conf/nss.conf b/pki/base/ra/apache/conf/nss.conf
index 02c505091..42085a60b 100644
--- a/pki/base/ra/apache/conf/nss.conf
+++ b/pki/base/ra/apache/conf/nss.conf
@@ -17,6 +17,8 @@
#
Listen 0.0.0.0:[SECURE_PORT]
+Listen 0.0.0.0:[NON_CLIENTAUTH_SECURE_PORT]
+
##
## SSL Global Context
##
@@ -59,7 +61,7 @@ NSSSession3CacheTimeout 86400
# General setup for the virtual host
#DocumentRoot "/htdocs"
-#ServerName [SERVER_NAME]:[SECURE_PORT]
+#ServerName [Server_Name]:[Secure_Port]
#ServerAdmin you@example.com
# mod_ssl logs to separate log files, you can choose to do that if you'd like
@@ -90,7 +92,7 @@ NSSCertificateDatabase [SERVER_ROOT]/alias
# Client Authentication (Type):
# Client certificate verification type. Types are none, optional and
# require.
-NSSVerifyClient none
+NSSVerifyClient require
# Access Control:
# With SSLRequire you can do per-directory access control based
@@ -150,3 +152,97 @@ NSSVerifyClient none
</VirtualHost>
+<VirtualHost _default_:[NON_CLIENTAUTH_SECURE_PORT]>
+
+# General setup for the virtual host
+#DocumentRoot "/htdocs"
+#ServerName [Server_Name]:[Non_Clientauth_Secure_Port]
+#ServerAdmin you@example.com
+
+# mod_ssl logs to separate log files, you can choose to do that if you'd like
+ErrorLog [SERVER_ROOT]/logs/error_log
+TransferLog [SERVER_ROOT]/logs/access_log
+
+# SSL Engine Switch:
+# Enable/Disable SSL for this virtual host.
+NSSEngine on
+
+# SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_nss documentation for a complete list.
+NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_rc4_40_md5,-rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha
+
+NSSProtocol SSLv3,TLSv1
+
+# SSL Certificate Nickname:
+# The nickname of the server certificate you are going to use.
+NSSNickname "Server-Cert cert-[INSTANCE_ID]"
+
+# Server Certificate Database:
+# The NSS security database directory that holds the certificates and
+# keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
+# Provide the directory that these files exist.
+NSSCertificateDatabase [SERVER_ROOT]/alias
+
+# Client Authentication (Type):
+# Client certificate verification type. Types are none, optional and
+# require.
+NSSVerifyClient none
+
+# Access Control:
+# With SSLRequire you can do per-directory access control based
+# on arbitrary complex boolean expressions containing server
+# variable checks and other lookup directives. The syntax is a
+# mixture between C and Perl. See the mod_nss documentation
+# for more details.
+#<Location />
+#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
+# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#</Location>
+
+# SSL Engine Options:
+# Set various options for the SSL engine.
+# o FakeBasicAuth:
+# Translate the client X.509 into a Basic Authorisation. This means that
+# the standard Auth/DBMAuth methods can be used for access control. The
+# user name is the `one line' version of the client's X.509 certificate.
+# Note that no password is obtained from the user. Every entry in the user
+# file needs this password: `xxj31ZMTZzkVA'.
+# o ExportCertData:
+# This exports two additional environment variables: SSL_CLIENT_CERT and
+# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+# server (always existing) and the client (only existing when client
+# authentication is used). This can be used to import the certificates
+# into CGI scripts.
+# o StdEnvVars:
+# This exports the standard SSL/TLS related `SSL_*' environment variables.
+# Per default this exportation is switched off for performance reasons,
+# because the extraction step is an expensive operation and is usually
+# useless for serving static content. So one usually enables the
+# exportation for CGI and SSI requests only.
+# o StrictRequire:
+# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+# under a "Satisfy any" situation, i.e. when it applies access is denied
+# and no other module can change it.
+# o OptRenegotiate:
+# This enables optimized SSL connection renegotiation handling when SSL
+# directives are used in per-directory context.
+#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
+<Files ~ "\.(cgi|shtml|phtml|php3?)$">
+ NSSOptions +StdEnvVars +ExportCertData
+</Files>
+<Directory "/cgi-bin">
+ NSSOptions +StdEnvVars
+</Directory>
+
+# Per-Server Logging:
+# The home of a custom SSL log file. Use this when you want a
+# compact non-error SSL logfile on a virtual host basis.
+#CustomLog [SERVER_ROOT]/logs/ssl_request_log \
+# "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+</VirtualHost>
diff --git a/pki/base/ra/doc/CS.cfg b/pki/base/ra/doc/CS.cfg
index 3602addc5..831f91a07 100644
--- a/pki/base/ra/doc/CS.cfg
+++ b/pki/base/ra/doc/CS.cfg
@@ -104,6 +104,7 @@ cs.type=RA
service.machineName=[SERVER_NAME]
service.instanceDir=[SERVER_ROOT]
service.securePort=[SECURE_PORT]
+service.non_clientauth_securePort=[NON_CLIENTAUTH_SECURE_PORT]
service.unsecurePort=[PORT]
service.instanceID=[INSTANCE_ID]
logging._000=#########################################
diff --git a/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm b/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm
index b44f9db89..4bd04cf76 100755
--- a/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm
+++ b/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm
@@ -304,15 +304,11 @@ sub display
system( "chmod 00660 $instDir/conf/nss.conf.tmp" );
open(NSS_CONF, "<$instDir/conf/nss.conf");
while (<NSS_CONF>) {
- if (/NSSVerifyClient none/) {
- print TMP_NSS_CONF "NSSVerifyClient optional\n";
- } else {
if ((/^NSSNickname/) && ($tokenname ne "") && ($tokenname ne "NSS Certificate DB")) {
print TMP_NSS_CONF "NSSNickname \"$nickname\"\n";
} else {
print TMP_NSS_CONF $_;
}
- }
}
close(NSS_CONF);
close(TMP_NSS_CONF);
diff --git a/pki/base/ra/setup/postinstall b/pki/base/ra/setup/postinstall
index 0d1462f29..517c6e448 100755
--- a/pki/base/ra/setup/postinstall
+++ b/pki/base/ra/setup/postinstall
@@ -44,6 +44,7 @@ fi
PKI_INSTANCE_NAME="${PKI_PRODUCT_NAME}-${PKI_SUBSYSTEM_NAME}"
SECURE_PORT=12889
+NON_CLIENTAUTH_SECURE_PORT=12890
UNSECURE_PORT=12888
@@ -53,7 +54,7 @@ UNSECURE_PORT=12888
if [ ! -e "/var/lib/${PKI_INSTANCE_NAME}" ]
then
- /usr/bin/pkicreate -pki_instance_root=/var/lib -pki_instance_name=${PKI_INSTANCE_NAME} -subsystem_type=${PKI_SUBSYSTEM_NAME} -secure_port=${SECURE_PORT} -unsecure_port=${UNSECURE_PORT} -redirect conf=/etc/${PKI_INSTANCE_NAME} -redirect logs=/var/log/${PKI_INSTANCE_NAME}
+ /usr/bin/pkicreate -pki_instance_root=/var/lib -pki_instance_name=${PKI_INSTANCE_NAME} -subsystem_type=${PKI_SUBSYSTEM_NAME} -secure_port=${SECURE_PORT} -non_clientauth_secure_port=${NON_CLIENTAUTH_SECURE_PORT} -unsecure_port=${UNSECURE_PORT} -redirect conf=/etc/${PKI_INSTANCE_NAME} -redirect logs=/var/log/${PKI_INSTANCE_NAME}
fi
diff --git a/pki/base/setup/pkicreate b/pki/base/setup/pkicreate
index 3313d9f6f..f99fa5777 100755
--- a/pki/base/setup/pkicreate
+++ b/pki/base/setup/pkicreate
@@ -25,20 +25,19 @@
#
# Sample Invocation (for CA):
#
-# ./pkicreate
-# -pki_instance_root=/var/lib
-# -pki_instance_name=pki-ca1
-# -subsystem_type=ca
-# -secure_port=9543 || -agent_secure_port=9543
-# -ee_secure_port=9544
-# -admin_secure_port=9545
-# -unsecure_port=9580
-# -tomcat_server_port=9801
-# -user=pkiuser
-# -group=pkiuser
-# -redirect conf=/export/pki/pki-ca1/conf
-# -redirect logs=/export/pki/pki-ca1/logs
-# -verbose
+# ./pkicreate -pki_instance_root=/var/lib
+# -pki_instance_name=pki-ca1
+# -subsystem_type=ca
+# -agent_secure_port=9543
+# -ee_secure_port=9544
+# -admin_secure_port=9545
+# -unsecure_port=9580
+# -tomcat_server_port=9801
+# -user=pkiuser
+# -group=pkiuser
+# -redirect conf=/etc/pki-ca1
+# -redirect logs=/var/log/pki-ca1
+# -verbose
#
##############################################################
@@ -317,6 +316,7 @@ my $OBJ_EXT = "OBJ_EXT";
my $PORT = "PORT";
my $PROCESS_ID = "PROCESS_ID";
my $SECURE_PORT = "SECURE_PORT";
+my $NON_CLIENTAUTH_SECURE_PORT = "NON_CLIENTAUTH_SECURE_PORT";
my $SECURITY_LIBRARIES = "SECURITY_LIBRARIES";
my $SERVER_NAME = "SERVER_NAME";
my $SERVER_ROOT = "SERVER_ROOT";
@@ -395,6 +395,7 @@ my $pki_instance_root = "";
my $pki_instance_name = "";
my $subsystem_type = "";
my $secure_port = -1;
+my $non_clientauth_secure_port = -1;
my $unsecure_port = -1;
my $tomcat_server_port = -1;
@@ -702,107 +703,186 @@ if( -l $jaas_link ) {
# no return value
sub usage()
{
+ print( STDOUT "\n" );
print( STDOUT
- "Usage: pkicreate -pki_instance_root=<pki_instance_root> "
- . "# Instance root\n"
- . " "
- . "# directory\n"
- . " "
+ "###############################################################################\n"
+ . "### USAGE: CA, KRA, OCSP, or TKS subsystem instance creation (Tomcat) ###\n"
+ . "###############################################################################\n\n"
+ . "pkicreate -pki_instance_root=<pki_instance_root> "
+ . "# Instance root directory\n"
+ . " "
. "# destination\n\n"
- . " -pki_instance_name=<pki_instance_id> "
- . "# Unique PKI\n"
- . " "
- . "# subsystem\n"
- . " "
+ . " -pki_instance_name=<pki_instance_id> "
+ . "# Unique PKI subsystem\n"
+ . " "
. "# instance name\n\n"
- . " -subsystem_type=<subsystem_type> "
+ . " -subsystem_type=<subsystem_type> "
. "# Subsystem type\n"
- . " "
- . "# [ca | kra | ocsp |\n"
- . " "
- . "# tks | ra | tps]\n\n"
- . " -secure_port=<secure_port> "
- . "# Secure port\n\n"
- . " -unsecure_port=<unsecure_port> "
- . "#Unsecure port\n\n"
- . "###################### Optional separate ports ############\n\n"
- . " -agent_secure_port=<agent_secure_port> "
- . "#Agent secure port, Same as 'secure_port'\n\n"
- . " -ee_secure_port=<ee_secure_port> "
+ . " "
+ . "# [ca | kra | ocsp | tks]\n\n"
+ . " #####################################################################\n"
+ . " ### SELECT separate secure ports for AGENT, EE, and ADMIN: ###\n"
+ . " #####################################################################\n\n"
+ . " -agent_secure_port=<agent_secure_port> "
+ . "# Agent secure port\n\n"
+ . " -ee_secure_port=<ee_secure_port> "
. "# EE secure port\n\n"
- . " -admin_secure_port=<admin_secure_port> "
- . "# Admin secureport\n\n"
- . "###################### End Optional separate ports ########\n\n"
- . " -tomcat_server_port=<tomcat_server_port> "
- . "# Unique port\n"
- . " "
+ . " -admin_secure_port=<admin_secure_port> "
+ . "# Admin secure port\n\n"
+ . " #####################################################################\n"
+ . " ### OR a single secure port shared by AGENT, EE, and ADMIN: ###\n"
+ . " #####################################################################\n\n"
+ . " -secure_port=<secure_port> "
+ . "# Secure port\n"
+ . " "
+ . "# (shared by Agent,\n"
+ . " "
+ . "# EE, and Admin)\n\n"
+ . " #####################################################################\n"
+ . " ### END secure port SELECTION ###\n"
+ . " #####################################################################\n\n"
+ . " -unsecure_port=<unsecure_port> "
+ . "# Unsecure port\n\n"
+ . " -tomcat_server_port=<tomcat_server_port> "
+ . "# Unique port for each\n"
+ . " "
+ . "# Tomcat instance\n\n"
+ . " [-user=<username>] "
+ . "# User ownership\n"
+ . " "
+ . "# (must ALSO specify\n"
+ . " "
+ . "# group ownership)\n"
+ . " "
+ . "#\n"
+ . " "
+ . "# [Default=pkiuser]\n\n"
+ . " [-group=<groupname>] "
+ . "# Group ownership\n"
+ . " "
+ . "# (must ALSO specify\n"
+ . " "
+ . "# user ownership)\n"
+ . " "
+ . "#\n"
+ . " "
+ . "# [Default=pkiuser]\n\n"
+ . " [-redirect conf=<real conf dir path>] "
+ . "# Redirection of\n"
+ . " "
+ . "# 'conf' directory\n\n"
+ . " [-redirect logs=<real logs dir path>] "
+ . "# Redirection of\n"
+ . " "
+ . "# 'logs' directory\n\n"
+ . " [-verbose] "
+ . "# Print out liberal info\n"
+ . " "
+ . "# during 'pkicreate'\n\n"
+ . " [-help] "
+ . "# Print out this screen\n\n\n"
+ . "###############################################################################\n"
+ . "### USAGE: RA or TPS subsystem instance creation (Apache) ###\n"
+ . "###############################################################################\n\n"
+ . "pkicreate -pki_instance_root=<pki_instance_root> "
+ . "# Instance root directory\n"
+ . " "
+ . "# destination\n\n"
+ . " -pki_instance_name=<pki_instance_id> "
+ . "# Unique PKI subsystem\n"
+ . " "
+ . "# instance name\n\n"
+ . " -subsystem_type=<subsystem_type> "
+ . "# Subsystem type\n"
+ . " "
+ . "# [ra | tps]\n\n"
+ . " -secure_port=<secure_port> "
+ . "# Secure port\n"
+ . " "
+ . "# (clientauth)\n"
+ . " "
+ . "# for each\n"
+ . " "
+ . "# Apache instance\n\n"
+ . " -non_clientauth_secure_port=<non_clientauth_secure_port>\n\n"
+ . " "
+ . "# Secure port\n"
+ . " "
+ . "# (non-clientauth)\n"
+ . " "
. "# for each\n"
- . " "
- . "# tomcat instance\n"
- . " "
- . "# [ca | kra | ocsp |\n"
- . " "
- . "# tks] ONLY\n\n"
- . " [-user=<username>] "
- . "# user ownership\n"
- . " "
- . "# [must ALSO specify\n"
- . " "
- . "# group ownership]\n"
- . " "
+ . " "
+ . "# Apache instance\n\n"
+ . " -unsecure_port=<unsecure_port> "
+ . "# Unsecure port\n\n"
+ . " [-user=<username>] "
+ . "# User ownership\n"
+ . " "
+ . "# (must ALSO specify\n"
+ . " "
+ . "# group ownership)\n"
+ . " "
. "#\n"
- . " "
- . "# (Default=pkiuser)\n\n"
- . " [-group=<groupname>] "
- . "# group ownership\n"
- . " "
- . "# [must ALSO specify\n"
- . " "
- . "# user ownership]\n"
- . " "
+ . " "
+ . "# [Default=pkiuser]\n\n"
+ . " [-group=<groupname>] "
+ . "# Group ownership\n"
+ . " "
+ . "# (must ALSO specify\n"
+ . " "
+ . "# user ownership)\n"
+ . " "
. "#\n"
- . " "
- . "# (Default=pkiuser)\n\n"
- . " [-redirect conf=<real conf dir path>] "
- . "# redirection of\n"
- . " "
- . "# conf directory\n\n"
- . " [-redirect logs=<real logs dir path>] "
- . "# redirection of\n"
- . " "
- . "# logs directory\n\n"
- . " [-verbose] "
- . "# Print out\n"
- . " "
- . "# liberal info\n"
- . " "
- . "# during pkicreate\n\n"
- . " [-help] "
- . "# Print out\n"
- . " "
- . "# this screen\n\n" );
+ . " "
+ . "# [Default=pkiuser]\n\n"
+ . " [-redirect conf=<real conf dir path>] "
+ . "# Redirection of\n"
+ . " "
+ . "# 'conf' directory\n\n"
+ . " [-redirect logs=<real logs dir path>] "
+ . "# Redirection of\n"
+ . " "
+ . "# 'logs' directory\n\n"
+ . " [-verbose] "
+ . "# Print out liberal info\n"
+ . " "
+ . "# during 'pkicreate'\n\n"
+ . " [-help] "
+ . "# Print out this screen\n\n\n" );
+
+ print( STDOUT
+ "###############################################################################\n"
+ . "### EXAMPLE: PKI (Apache) subsystem instance creation of a TPS ###\n"
+ . "###############################################################################\n\n"
+ . "pkicreate -pki_instance_root=/var/lib \\\n"
+ . " -pki_instance_name=$pki_flavor-tps1 \\\n"
+ . " -subsystem_type=tps \\\n"
+ . " -secure_port=7989 \\\n"
+ . " -non_clientauth_secure_port=7990 \\\n"
+ . " -unsecure_port=7988 \\\n"
+ . " -user=pkiuser \\\n"
+ . " -group=pkiuser \\\n"
+ . " -redirect conf=/etc/$pki_flavor-tps1 \\\n"
+ . " -redirect logs=/var/log/$pki_flavor-tps1 \\\n"
+ . " -verbose\n\n" );
print( STDOUT
- "Example: pkicreate -pki_instance_root=/var/lib\n"
- . " -pki_instance_name=$pki_flavor-ca1\n"
- . " -subsystem_type=ca\n"
- . "[Either mandatory: \n"
- . " -secure_port=9543\n"
- . "] or\n"
- . "[ Optional separate ports:\n"
- . " -agent_secure_port=9543\n"
- . " -ee_secure_port=9544\n"
- . " -admin_secure_port=9545\n"
- . "]\n"
- . " -unsecure_port=9580\n"
- . " -tomcat_server_port=9801\n"
- . " -user=pkiuser\n"
- . " -group=pkiuser\n"
- . " -redirect conf=/export/pki/$pki_flavor-ca1/"
- . "conf\n"
- . " -redirect logs=/export/pki/$pki_flavor-ca1/"
- . "logs\n"
- . " -verbose\n\n" );
+ "###############################################################################\n"
+ . "### EXAMPLE: PKI (Tomcat) subsystem instance creation of a CA ###\n"
+ . "###############################################################################\n\n"
+ . "pkicreate -pki_instance_root=/var/lib \\\n"
+ . " -pki_instance_name=$pki_flavor-ca1 \\\n"
+ . " -subsystem_type=ca \\\n"
+ . " -agent_secure_port=9543 \\\n"
+ . " -ee_secure_port=9544 \\\n"
+ . " -admin_secure_port=9545 \\\n"
+ . " -unsecure_port=9580 \\\n"
+ . " -tomcat_server_port=9801 \\\n"
+ . " -user=pkiuser \\\n"
+ . " -group=pkiuser \\\n"
+ . " -redirect conf=/etc/$pki_flavor-ca1 \\\n"
+ . " -redirect logs=/var/log/$pki_flavor-ca1 \\\n"
+ . " -verbose\n\n" );
print( STDOUT
"IMPORTANT: Must be run as root!\n\n" );
@@ -835,6 +915,7 @@ sub pki_instance_already_exists
sub parse_arguments()
{
my $l_secure_port = -1;
+ my $l_non_clientauth_secure_port = -1;
my $l_unsecure_port = -1;
my $l_tomcat_server_port = -1;
my $l_agent_secure_port = -1;
@@ -847,6 +928,7 @@ sub parse_arguments()
"pki_instance_name=s" => \$pki_instance_name,
"subsystem_type=s" => \$subsystem_type,
"secure_port:i" => \$l_secure_port,
+ "non_clientauth_secure_port:i" => \$l_non_clientauth_secure_port,
"unsecure_port:i" => \$l_unsecure_port,
"agent_secure_port:i" => \$l_agent_secure_port,
"ee_secure_port:i" => \$l_ee_secure_port,
@@ -982,7 +1064,42 @@ sub parse_arguments()
}
}
+ ## Mandatory "-non_clientauth_secure_port=<non_clientauth_secure_port>"
+ ## option/exclusion
+ if( ( $subsystem_type eq $RA || $subsystem_type eq $TPS ) ) {
+ if( $l_non_clientauth_secure_port >= 0 ) {
+ $non_clientauth_secure_port = $l_non_clientauth_secure_port;
+ emit( " non_clientauth_secure_port "
+ . "$non_clientauth_secure_port\n" );
+ } else {
+ if( $l_non_clientauth_secure_port == -1)
+ {
+ emit( "Must include value for non_clientauth_secure_port!\n",
+ "error" );
+ usage();
+ return 0;
+ }
+ }
+
+ if( $l_agent_secure_port > 0 ||
+ $l_ee_secure_port > 0 ||
+ $l_admin_secure_port > 0) {
+ emit( "Must NOT include values for any agent|admin|ee ports!\n",
+ "error");
+ usage();
+ return 0;
+ }
+ } else {
+ ## Mandatory EXCLUSION for CA, KRA, OCSP, and TKS subsystems
+ if( $l_non_clientauth_secure_port != -1 ) {
+ emit( "Must NOT include value for non_clientauth_secure_port!\n",
+ "error" );
+ usage();
+ return 0;
+ }
+ }
+
## Mandatory "-unsecure_port=<unsecure_port>" option
if( $l_unsecure_port >= 0 ) {
$unsecure_port = $l_unsecure_port;
@@ -1016,19 +1133,6 @@ sub parse_arguments()
}
}
- if( ($subsystem_type eq $RA || $subsystem_type eq $TPS ) ) {
- ## Don't do port separation for RA or TPS
-
- if( $l_agent_secure_port > 0 || $l_ee_secure_port > 0
- || $l_admin_secure_port > 0) {
-
- emit( "Must NOT include separate ports for RA or TPS!\n",
- "error");
- usage();
- return 0;
- }
- }
-
if( $l_agent_secure_port >= 0 ) {
$agent_secure_port = $l_agent_secure_port;
@@ -2174,6 +2278,7 @@ sub process_pki_templates()
$slot_hash{$PORT} = $unsecure_port;
$slot_hash{$PROCESS_ID} = $$;
$slot_hash{$SECURE_PORT} = $secure_port;
+ $slot_hash{$NON_CLIENTAUTH_SECURE_PORT} = $non_clientauth_secure_port;
$slot_hash{$SECURITY_LIBRARIES} = $default_security_libraries;
$slot_hash{$SERVER_NAME} = $host;
$slot_hash{$SERVER_ROOT} = $pki_instance_path;
@@ -3382,6 +3487,9 @@ sub process_pki_selinux_setup()
if ($secure_port != -1) {
&add_selinux_port($setype_p, $secure_port);
}
+ if ($non_clientauth_secure_port != -1) {
+ &add_selinux_port($setype_p, $non_clientauth_secure_port);
+ }
if ($unsecure_port != -1) {
&add_selinux_port($setype_p, $unsecure_port);
}
diff --git a/pki/base/setup/pkiremove b/pki/base/setup/pkiremove
index a1e8c79bf..3ba93ff48 100755
--- a/pki/base/setup/pkiremove
+++ b/pki/base/setup/pkiremove
@@ -208,6 +208,7 @@ sub update_domain()
{
my $conf_file = $pki_instance_path . "/conf/CS.cfg";
my $sport;
+ my $ncsport;
my $secport;
my $secselect;
my $typeval;
@@ -220,6 +221,7 @@ sub update_domain()
chomp($line);
(my $varname, my $valname) = split(/=/, $line);
if ($varname eq "service.securePort") { $sport = $valname; }
+ if ($varname eq "service.non_clientauth_securePort") { $ncsport = $valname; }
if ($varname eq "securitydomain.host") { $sechost = $valname; }
if ($varname eq "securitydomain.httpsport") { $secport = $valname; }
if ($varname eq "securitydomain.select") { $secselect = $valname; }
@@ -283,6 +285,7 @@ sub update_domain()
'list' => $listval,
'host' => $machinename,
'sport' => $sport,
+ 'ncsport' => $ncsport,
'operation' => 'remove'
],
);
@@ -389,6 +392,7 @@ sub remove_selinux_ports()
my $conf_file = $pki_instance_path . "/conf/CS.cfg";
my $typeval;
my $secure_port;
+ my $non_clientauth_secure_port;
my $unsecure_port;
my @ports = ();
@@ -400,6 +404,7 @@ sub remove_selinux_ports()
(my $varname, my $valname) = split(/=/, $line);
if ($varname eq "cs.type") { $typeval = $valname; }
if ($varname eq "service.securePort") { $secure_port = $valname; }
+ if ($varname eq "service.non_clientauth_securePort") { $non_clientauth_secure_port = $valname; }
if ($varname eq "service.unsecurePort") { $unsecure_port = $valname; }
}
close(DAT);
@@ -424,8 +429,13 @@ sub remove_selinux_ports()
$ports[$i] = $secure_port;
$i++;
}
+ if (defined $non_clientauth_secure_port) {
+ $ports[$i] = $non_clientauth_secure_port;
+ $i++;
+ }
if (defined $unsecure_port) {
$ports[$i] = $unsecure_port;
+ $i++;
}
}
diff --git a/pki/base/tps/apache/conf/nss.conf b/pki/base/tps/apache/conf/nss.conf
index 43f7753da..0c7b7b6c3 100644
--- a/pki/base/tps/apache/conf/nss.conf
+++ b/pki/base/tps/apache/conf/nss.conf
@@ -17,6 +17,8 @@
#
Listen 0.0.0.0:[SECURE_PORT]
+Listen 0.0.0.0:[NON_CLIENTAUTH_SECURE_PORT]
+
##
## SSL Global Context
##
@@ -59,7 +61,7 @@ NSSSession3CacheTimeout 86400
# General setup for the virtual host
#DocumentRoot "/htdocs"
-#ServerName [SERVER_NAME]:[SECURE_PORT]
+#ServerName [Server_Name]:[Secure_Port]
#ServerAdmin you@example.com
# mod_ssl logs to separate log files, you can choose to do that if you'd like
@@ -90,7 +92,7 @@ NSSCertificateDatabase [SERVER_ROOT]/alias
# Client Authentication (Type):
# Client certificate verification type. Types are none, optional and
# require.
-NSSVerifyClient none
+NSSVerifyClient require
# Access Control:
# With SSLRequire you can do per-directory access control based
@@ -150,3 +152,97 @@ NSSVerifyClient none
</VirtualHost>
+<VirtualHost _default_:[NON_CLIENTAUTH_SECURE_PORT]>
+
+# General setup for the virtual host
+#DocumentRoot "/htdocs"
+#ServerName [Server_Name]:[Non_Clientauth_Secure_Port]
+#ServerAdmin you@example.com
+
+# mod_ssl logs to separate log files, you can choose to do that if you'd like
+ErrorLog [SERVER_ROOT]/logs/error_log
+TransferLog [SERVER_ROOT]/logs/access_log
+
+# SSL Engine Switch:
+# Enable/Disable SSL for this virtual host.
+NSSEngine on
+
+# SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_nss documentation for a complete list.
+NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_rc4_40_md5,-rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha
+
+NSSProtocol SSLv3,TLSv1
+
+# SSL Certificate Nickname:
+# The nickname of the server certificate you are going to use.
+NSSNickname "Server-Cert cert-[INSTANCE_ID]"
+
+# Server Certificate Database:
+# The NSS security database directory that holds the certificates and
+# keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
+# Provide the directory that these files exist.
+NSSCertificateDatabase [SERVER_ROOT]/alias
+
+# Client Authentication (Type):
+# Client certificate verification type. Types are none, optional and
+# require.
+NSSVerifyClient none
+
+# Access Control:
+# With SSLRequire you can do per-directory access control based
+# on arbitrary complex boolean expressions containing server
+# variable checks and other lookup directives. The syntax is a
+# mixture between C and Perl. See the mod_nss documentation
+# for more details.
+#<Location />
+#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
+# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#</Location>
+
+# SSL Engine Options:
+# Set various options for the SSL engine.
+# o FakeBasicAuth:
+# Translate the client X.509 into a Basic Authorisation. This means that
+# the standard Auth/DBMAuth methods can be used for access control. The
+# user name is the `one line' version of the client's X.509 certificate.
+# Note that no password is obtained from the user. Every entry in the user
+# file needs this password: `xxj31ZMTZzkVA'.
+# o ExportCertData:
+# This exports two additional environment variables: SSL_CLIENT_CERT and
+# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+# server (always existing) and the client (only existing when client
+# authentication is used). This can be used to import the certificates
+# into CGI scripts.
+# o StdEnvVars:
+# This exports the standard SSL/TLS related `SSL_*' environment variables.
+# Per default this exportation is switched off for performance reasons,
+# because the extraction step is an expensive operation and is usually
+# useless for serving static content. So one usually enables the
+# exportation for CGI and SSI requests only.
+# o StrictRequire:
+# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+# under a "Satisfy any" situation, i.e. when it applies access is denied
+# and no other module can change it.
+# o OptRenegotiate:
+# This enables optimized SSL connection renegotiation handling when SSL
+# directives are used in per-directory context.
+#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
+<Files ~ "\.(cgi|shtml|phtml|php3?)$">
+ NSSOptions +StdEnvVars
+</Files>
+<Directory "/cgi-bin">
+ NSSOptions +StdEnvVars
+</Directory>
+
+# Per-Server Logging:
+# The home of a custom SSL log file. Use this when you want a
+# compact non-error SSL logfile on a virtual host basis.
+#CustomLog [SERVER_ROOT]/logs/ssl_request_log \
+# "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+</VirtualHost>
diff --git a/pki/base/tps/doc/CS.cfg b/pki/base/tps/doc/CS.cfg
index 7385ad00b..b48667228 100644
--- a/pki/base/tps/doc/CS.cfg
+++ b/pki/base/tps/doc/CS.cfg
@@ -22,6 +22,7 @@ cs.type=TPS
service.machineName=[SERVER_NAME]
service.instanceDir=[SERVER_ROOT]
service.securePort=[SECURE_PORT]
+service.non_clientauth_securePort=[NON_CLIENTAUTH_SECURE_PORT]
service.unsecurePort=[PORT]
service.instanceID=[INSTANCE_ID]
logging._000=#########################################
diff --git a/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm b/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm
index 677ae3cd4..dd5058208 100755
--- a/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm
+++ b/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm
@@ -316,15 +316,11 @@ sub display
system( "chmod 00660 $instDir/conf/nss.conf.tmp" );
open(NSS_CONF, "<$instDir/conf/nss.conf");
while (<NSS_CONF>) {
- if (/NSSVerifyClient none/) {
- print TMP_NSS_CONF "NSSVerifyClient require\n";
- } else {
if ((/^NSSNickname/) && ($tokenname ne "") && ($tokenname ne "NSS Certificate DB")) {
print TMP_NSS_CONF "NSSNickname \"$nickname\"\n";
} else {
print TMP_NSS_CONF $_;
}
- }
}
close(NSS_CONF);
close(TMP_NSS_CONF);
diff --git a/pki/base/tps/setup/postinstall b/pki/base/tps/setup/postinstall
index 4ee7969a2..4bab87edd 100755
--- a/pki/base/tps/setup/postinstall
+++ b/pki/base/tps/setup/postinstall
@@ -46,6 +46,7 @@ fi
PKI_INSTANCE_NAME="${PKI_PRODUCT_NAME}-${PKI_SUBSYSTEM_NAME}"
SECURE_PORT=7889
+NON_CLIENTAUTH_SECURE_PORT=7890
UNSECURE_PORT=7888
@@ -55,7 +56,7 @@ UNSECURE_PORT=7888
if [ ! -e "/var/lib/${PKI_INSTANCE_NAME}" ]
then
- /usr/bin/pkicreate -pki_instance_root=/var/lib -pki_instance_name=${PKI_INSTANCE_NAME} -subsystem_type=${PKI_SUBSYSTEM_NAME} -secure_port=${SECURE_PORT} -unsecure_port=${UNSECURE_PORT} -redirect conf=/etc/${PKI_INSTANCE_NAME} -redirect logs=/var/log/${PKI_INSTANCE_NAME}
+ /usr/bin/pkicreate -pki_instance_root=/var/lib -pki_instance_name=${PKI_INSTANCE_NAME} -subsystem_type=${PKI_SUBSYSTEM_NAME} -secure_port=${SECURE_PORT} -non_clientauth_secure_port=${NON_CLIENTAUTH_SECURE_PORT} -unsecure_port=${UNSECURE_PORT} -redirect conf=/etc/${PKI_INSTANCE_NAME} -redirect logs=/var/log/${PKI_INSTANCE_NAME}
fi
diff --git a/pki/dogtag/ra/pki-ra.spec b/pki/dogtag/ra/pki-ra.spec
index bce43db35..18177bead 100644
--- a/pki/dogtag/ra/pki-ra.spec
+++ b/pki/dogtag/ra/pki-ra.spec
@@ -34,7 +34,7 @@
## Package Header Definitions
%define base_name %{base_prefix}-%{base_component}
%define base_version 1.0.0
-%define base_release 15
+%define base_release 16
%define base_group System Environment/Daemons
%define base_vendor Red Hat, Inc.
%define base_license GPLv2 with exceptions
@@ -261,6 +261,8 @@ fi
###############################################################################
%changelog
+* Tue Feb 24 2009 Matthew Harmsen <mharmsen@redhat.com> 1.0.0-16
+- Bugzilla Bug #485859 - port separation for RA and TPS
* Mon Feb 23 2009 Matthew Harmsen <mharmsen@redhat.com> 1.0.0-15
- Bugzilla Bug #486435 - clicking on configuration URL results in error
* Sat Feb 14 2009 Matthew Harmsen <mharmsen@redhat.com> 1.0.0-14
diff --git a/pki/dogtag/setup/pki-setup.spec b/pki/dogtag/setup/pki-setup.spec
index beabb748b..f966ef310 100644
--- a/pki/dogtag/setup/pki-setup.spec
+++ b/pki/dogtag/setup/pki-setup.spec
@@ -33,7 +33,7 @@
## Package Header Definitions
%define base_name %{base_prefix}-%{base_component}
%define base_version 1.0.0
-%define base_release 11
+%define base_release 12
%define base_group System Environment/Shells
%define base_vendor Red Hat, Inc.
%define base_license GPLv2 with exceptions
@@ -217,6 +217,8 @@ rm -rf ${RPM_BUILD_ROOT}
###############################################################################
%changelog
+* Tue Feb 24 2009 Matthew Harmsen <mharmsen@redhat.com> 1.0.0-12
+- Bugzilla Bug #485859 - port separation for RA and TPS
* Wed Feb 11 2009 Matthew Harmsen <mharmsen@redhat.com> 1.0.0-11
- Bugzilla Bug #467155 - Change "renameTo" to "cp -p "
* Mon Feb 9 2009 Ade Lee <alee@redhat.com> 1.0.0-10
diff --git a/pki/dogtag/tps/pki-tps.spec b/pki/dogtag/tps/pki-tps.spec
index 65db01a9e..f16ca5b5f 100644
--- a/pki/dogtag/tps/pki-tps.spec
+++ b/pki/dogtag/tps/pki-tps.spec
@@ -34,7 +34,7 @@
## Package Header Definitions
%define base_name %{base_prefix}-%{base_component}
%define base_version 1.0.0
-%define base_release 23
+%define base_release 24
%define base_group System Environment/Daemons
%define base_vendor Red Hat, Inc.
%define base_license LGPLv2 with exceptions
@@ -308,6 +308,8 @@ fi
###############################################################################
%changelog
+* Tue Feb 24 2009 Matthew Harmsen <mharmsen@redhat.com> 1.0.0-24
+- Bugzilla Bug #485859 - port separation for RA and TPS
* Mon Feb 23 2009 Matthew Harmsen <mharmsen@redhat.com> 1.0.0-23
- Bugzilla Bug #486435 - clicking on configuration URL results in error
* Tue Feb 17 2009 Matthew Harmsen <mharmsen@redhat.com> 1.0.0-22