Provide Custom PKI JNDI Realm.

Provide a Realm that provides the following:

1. Allows SSL client certificate authentation upon protected URLs.
For now we are protecting the new DRM Rest functions.

2. Allows simple PKI ACL checking like we have in the current server.
  This is accomplished with the help of a simple file that maps URLs
  to ACL resourceIDs and operations.

3. DRMRestClient now support SSL Client authentication to test the feature.

How to test this:

Install new KRA server, after installing build pki-core rpm.
Uncomment "PKIJNDIRealm" settings in conf/server.xml
Some customization will be needed for instance specific info. See
the sample in server.xml.
Uncomment the "Security Constraint" and "login-config" settings webapps/kra/WEB-INF/web.xml

In running DRMTest.java in eclipse do the following:
   Change the arguments to support SSL Client auth such as:
      -h localhost -p 10443 -w secret -d ~/archive-test -s true -c "KRA Administrator of Instance pki-kra's SjcRedhat Domain ID"
       where the new flags are -s = true for SSL and -c = <client auth cert name>

   Export the KRA's admin/agent client auth cert from Firefox to a pk12 file.
   Import this cert into ~/archive-test by using "pk12util" utility.

Run the DRMTest.java program in eclipse and observe the results. There should be a prompt
for a client cert.

4 files changed, 154 insertions, 1 deletions

diff --git a/pki/base/kra/shared/conf/acl.ldif b/pki/base/kra/shared/conf/acl.ldif
index 4c219eaaa..38a9a088c 100644
--- a/pki/base/kra/shared/conf/acl.ldif
+++ b/pki/base/kra/shared/conf/acl.ldif
@@ -30,3 +30,13 @@ resourceACLS: certServer.kra.TokenKeyRecovery:submit:allow (submit) group="Data
 resourceACLS: certServer.kra.registerUser:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to register a new agent
 resourceACLS: certServer.kra.getTransportCert:read:allow (read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to retrieve the transport cert
 resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators":Only Enterprise Administrators are allowed to clone the configuration.
+resourceACLS: certServer.kra.pki.key.retrieve:execute:allow (execute) group="Data Recovery Manager Agents":Data Recovery Manager Agents may retrieve archived key
+resourceACLS: certServer.kra.pki.keyrequests:read:allow (read) group="Data Recovery Manager Agents":Data Recovery Manager Agents may read keyrequests data
+resourceACLS: certServer.kra.pki.keyrequest:read:allow (read) group="Data Recovery Manager Agents":Data Recovery Manager Agents may read keyrequest data
+resourceACLS: certServer.kra.pki.keyrequest.archive:execute:allow (execute) group="Data Recovery Manager Agents":Data Recovery Manager Agents may issue archival request
+resourceACLS: certServer.kra.pki.keyrequest.recover:execute:allow (execute) group="Data Recovery Manager Agents":Data Recovery Manager Agents may issue recovery request
+resourceACLS: certServer.kra.pki.keyrequest.approve:execute:allow (execute) group="Data Recovery Manager Agents":Data Recovery Manager Agents may approve security data request
+resourceACLS: certServer.kra.pki.keyrequest.reject:execute:allow (execute) group="Data Recovery Manager Agents":Data Recovery Manager Agents may reject key security data request
+resourceACLS: certServer.kra.pki.keyrequest.cancel:execute:allow (execute) group="Data Recovery Manager Agents":Data Recovery Manager Agents may cancel security data request
+resourceACLS: certServer.kra.pki.keys:read:allow (read) group="Data Recovery Manager Agents":Data Recovery Manager Agents may read security data
+resourceACLS: certServer.kra.pki.config.cert.transport:read:allow (read) group="Data Recovery Manager Agents":Data Recovery Manager Agents may read transport cert data
diff --git a/pki/base/kra/shared/conf/server.xml b/pki/base/kra/shared/conf/server.xml
index fcd849ef2..58121d448 100644
--- a/pki/base/kra/shared/conf/server.xml
+++ b/pki/base/kra/shared/conf/server.xml
@@ -229,8 +229,58 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
            resources under the key "UserDatabase".  Any edits
            that are performed against this UserDatabase are immediately
            available for use by the Realm.  -->
+
+      <!--
       <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
              resourceName="UserDatabase"/>
+      -->
+
+      <!-- Custom PKIJNDI realm
+
+          Example:
+
+          <Realm className="com.netscape.cmscore.realm.PKIJNDIRealm" : classpath to realm
+          connectionURL="ldap://localhost:389" : standard JNDI connection URL
+          userBase="ou=people,dc=localhost-pki-kra" : standard JNDI userBase property
+          userSearch="(description={0})" : Attribute to search for user of incoming client auth certificate
+                                         : Use userSearch="(UID={0})" if wanting to search isolate user based on UID
+                                         : Also set the following: certUIDLabel="UID" or whatever the field containing
+                                         : the user's UID happens to be. This will cause the incoming's cert dn to be
+                                         : be searched for <certUIDLabel>=<uid value>
+
+          certAttrName="userCertificate" : Attribute containing user's client auth certificate
+          roleBase="ou=groups,dc=localhost-pki-kra" : Standard JNDI search base for roles or groups
+          roleName="cn" : Standard attribute name containg roles or groups
+          roleSubtree="true" : Standard JNDI roleSubtree property
+          roleSearch="(uniqueMember={0})" : How to search for a user in a specific role or group
+          connectionName="cn=Directory Manager" : Connection name, needs elevated privileges
+          connectionPassword="secret123" : Password for elevated user
+          aclBase ="cn=aclResources,dc=localhost-pki-kra" : Custom base location of PKI ACL's in directory
+          aclAttrName="resourceACLS" : Name of attribute containing PKI ACL's
+       />
+
+          Uncomment and customize  below to activate Realm.
+          Also umcomment Security Constraints and login config  values
+          in WEB-INF/web.xml as well.
+      --> 
+
+      <!-- 
+      <Realm className="com.netscape.cmscore.realm.PKIJNDIRealm"
+          connectionURL="ldap://localhost:389"
+          userBase="ou=people,dc=localhost-pki-kra"
+          userSearch="(description={0})"
+          certAttrName="userCertificate"
+          roleBase="ou=groups,dc=localhost-pki-kra"
+          roleName="cn"
+          roleSubtree="true"
+          roleSearch="(uniqueMember={0})"
+          connectionName="cn=Directory Manager"
+          connectionPassword="netscape"
+          aclBase ="cn=aclResources,dc=localhost-pki-kra"
+          aclAttrName="resourceACLS"
+       />
+
+       -->
 
       <!-- Define the default virtual host
            Note: XML Schema validation will not work with Xerces 2.2.
diff --git a/pki/base/kra/shared/webapps/kra/WEB-INF/auth.properties b/pki/base/kra/shared/webapps/kra/WEB-INF/auth.properties
new file mode 100644
index 000000000..a206aa9e4
--- /dev/null
+++ b/pki/base/kra/shared/webapps/kra/WEB-INF/auth.properties
@@ -0,0 +1,16 @@
+# Restful API auth/authz mapping info
+#
+# Format:
+# <Rest API URL> = <ACL Resource ID>,<ACL resource operation>
+# ex:      /kra/pki/key/retrieve = certServer.kra.pki.key.retrieve,execute
+
+/kra/pki/key/retrieve = certServer.kra.pki.key.retrieve,execute
+/kra/pki/keyrequests = certServer.kra.pki.keyrequests,read
+/kra/pki/keyrequest = certServer.kra.pki.keyrequest,read
+/kra/pki/keyrequest/archive = certServer.kra.pki.keyrequest.archive,execute
+/kra/pki/keyrequest/recover = certServer.kra.pki.keyrequest.recover,execute
+/kra/pki/keyrequest/approve = certServer.kra.pki.keyrequest.approve,execute
+/kra/pki/keyrequest/reject = certServer.kra.pki.keyrequest.reject,execute
+/kra/pki/keyrequest/cancel = certServer.kra.pki.keyrequest.cancel,execute
+/kra/pki/keys = certServer.kra.pki.keys,read
+/kra/pki/config/cert/transport = certServer.kra.pki.config.cert.transport,read
diff --git a/pki/base/kra/shared/webapps/kra/WEB-INF/web.xml b/pki/base/kra/shared/webapps/kra/WEB-INF/web.xml
index 529aeadbc..c6e9934eb 100644
--- a/pki/base/kra/shared/webapps/kra/WEB-INF/web.xml
+++ b/pki/base/kra/shared/webapps/kra/WEB-INF/web.xml
@@ -1034,5 +1034,82 @@
    <session-config>
         <session-timeout>30</session-timeout>
    </session-config>
-</web-app>
 
+<!-- Default login configuration uses form-based authentication -->
+<!-- Security Constraint for agent access to the Security Data Rest Interface -->
+
+<!-- Uncomment to activate PKIJNDI realm as in conf/server.xml -->
+<!--
+<security-constraint>
+   <display-name>KRA Top Level Constraint</display-name>
+   <web-resource-collection>
+      <web-resource-name>KRA Protected Area</web-resource-name>
+         <url-pattern>/pki/*
+         </url-pattern>
+      </web-resource-collection>
+   <user-data-constraint>
+        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+    </user-data-constraint>
+   <auth-constraint>
+      <role-name>*</role-name>
+   </auth-constraint>
+</security-constraint>
+-->
+
+<!-- Security Constraint to deny certain http methods for key/retrieve -->
+<!-- Uncomment to activate PKIJNDI realm as in conf/server.xml -->
+<!--
+<security-constraint>
+<display-name>Key forbidden</display-name>
+<web-resource-collection>
+  <web-resource-name>Key forbidden</web-resource-name>
+      <url-pattern>/pki/key/retrieve</url-pattern>
+  <http-method>GET</http-method>
+  <http-method>PUT</http-method>
+  <http-method>DELETE</http-method>
+</web-resource-collection>
+<auth-constraint/>
+</security-constraint>
+-->
+
+<!-- Security Constraint to deny certain http methods for keyrequest/* -->
+<!-- Uncomment to activate PKIJNDI realm as in conf/server.xml -->
+
+<!--
+<security-constraint>
+<display-name>KeyRequest forbidden</display-name>
+<web-resource-collection>
+  <web-resource-name>KeyRequest forbidden</web-resource-name>
+      <url-pattern>/pki/keyrequest/archive</url-pattern>
+      <url-pattern>/pki/keyrequest/recover</url-pattern>
+      <url-pattern>/pki/keyrequest/approve/*</url-pattern>
+      <url-pattern>/pki/keyrequest/reject/*</url-pattern>
+      <url-pattern>/pki/keyrequest/cancel/*</url-pattern>
+  <http-method>GET</http-method>
+  <http-method>PUT</http-method>
+  <http-method>DELETE</http-method>
+</web-resource-collection>
+<auth-constraint/>
+</security-constraint>
+-->
+
+
+<!-- Customized SSL Client auth login config 
+      uncomment to activate PKIJNDI realm as in conf/server.xml 
+-->
+
+<!--
+
+<login-config>
+   <realm-name>PKIJNDIRealm</realm-name> 
+   <auth-method>CLIENT-CERT</auth-method>
+   <realm-name>Client Cert Protected Area</realm-name>
+</login-config>
+
+<security-role>
+   <role-name>*</role-name>
+</security-role>
+
+-->
+
+</web-app>