author | mharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2009-03-21 00:46:26 +0000 |
committer | mharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2009-03-21 00:46:26 +0000 |
commit | e4459d65fc1eb4369a50e377423e58fca27f9ec3 (patch) | |
tree | b3dc499893fce2779022a88c931aee41c789090d /pki/base/kra | |
parent | 952d12037313e4fbc4abf4614e8cf6b5d6feb55a (diff) | |
Bugzilla Bug #490489 - Configuration modifications are not replicated between
admins, agents, and end entities
Bugzilla Bug #490483 - Unable to configure CA using "Shared Ports"
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@316 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/kra')
-rw-r--r-- | pki/base/kra/shared/conf/server.xml | 141 | ||||
-rwxr-xr-x | pki/base/kra/shared/etc/init.d/httpd | 15 | ||||
-rw-r--r-- | pki/base/kra/shared/webapps/kra/WEB-INF/web.xml | 56 |
3 files changed, 106 insertions, 106 deletions
diff --git a/pki/base/kra/shared/conf/server.xml b/pki/base/kra/shared/conf/server.xml index ed0a8371f..0b44bc9ee 100644 --- a/pki/base/kra/shared/conf/server.xml +++ b/pki/base/kra/shared/conf/server.xml @@ -83,25 +83,18 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) IP address of the remote client. --> - <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 --> - - - +<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 --> +[PKI_UNSECURE_PORT_SERVER_COMMENT] +<Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" maxHttpHeaderSize="8192" + maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" redirectPort="8443" acceptCount="100" + connectionTimeout="20000" disableUploadTimeout="true"/> - <!-- Shared Ports: Unsecure Port --> - [PKI_OPEN_SHARED_PORTS_SERVER_COMMENT] - <Connector port="[PKI_UNSECURE_PORT]" maxHttpHeaderSize="8192" - maxThreads="150" minSpareThreads="25" maxSpareThreads="75" - enableLookups="false" redirectPort="8443" acceptCount="100" - connectionTimeout="20000" disableUploadTimeout="true" /> - [PKI_CLOSE_SHARED_PORTS_SERVER_COMMENT] -<!-- Port Separation: Agent Secure Port --> -<!-- OR --> -<!-- Shared Ports: Agent, EE, and Admin Secure Port --> <!-- Define a SSL HTTP/1.1 Connector on port 8443 --> +[PKI_SECURE_PORT_SERVER_COMMENT] <!-- DO NOT REMOVE - Begin define PKI secure port --> -<Connector port="[PKI_SECURE_PORT]" maxHttpHeaderSize="8192" +<Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" 
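Review bot: The `name` attribute added in front of `port` on the secure-port Connector is now parsed positionally by etc/init.d/httpd in this same commit (`cut -b18-` skips the 17-character `<Connector name="` prefix and `cut -d\" -f3` takes the second quoted value), so the `name="…" port="…"` order on that one line is load-bearing and nothing in server.xml records it. Do not reword the existing `DO NOT REMOVE` comments, since the script matches them verbatim; add a separate line such as `<!-- keep name before port on the next line: parsed by etc/init.d/httpd -->` just above the Connector. The `[PKI_*_CONNECTOR_NAME]` placeholders presumably expand to the literal names the script tests for (`Agent`/`Secure`); worth confirming against the installer. The trailing context of this hunk appears truncated in this rendering.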
@@ -117,6 +110,40 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) certdbDir="[PKI_INSTANCE_PATH]/alias"/> <!-- DO NOT REMOVE - End define PKI secure port --> +[PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_ADMIN_SECURE_PORT_SERVER_COMMENT] +<Connector name="[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_ADMIN_SECURE_PORT]" maxHttpHeaderSize="8192" + maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" disableUploadTimeout="true" + acceptCount="100" scheme="https" secure="true" + clientAuth="false" sslProtocol="SSL" + sslOptions="ssl2=true,ssl3=true,tls=true" + ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5" + ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" + tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" + SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" + passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" + passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" + certdbDir="[PKI_INSTANCE_PATH]/alias"/> 
+[PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT] + +[PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_EE_SECURE_PORT_SERVER_COMMENT] +<Connector name="[PKI_EE_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_EE_SECURE_PORT]" maxHttpHeaderSize="8192" + maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" disableUploadTimeout="true" + acceptCount="100" scheme="https" secure="true" + clientAuth="false" sslProtocol="SSL" + sslOptions="ssl2=true,ssl3=true,tls=true" + ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5" + ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" + tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" + SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" + passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" + passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" + certdbDir="[PKI_INSTANCE_PATH]/alias"/> +[PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT] + <!-- Note : To disable connection timeouts, set connectionTimeout value to 0 --> 
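Review bot: The admin and EE Connectors added here copy the full TLS block of the primary secure-port Connector verbatim, so `sslOptions="ssl2=true,ssl3=true,tls=true"` and the cipher lists (which enable `SSL3_RSA_WITH_DES_CBC_SHA` and the RC4 suites) now exist in three places that must be edited together; at minimum add `<!-- TLS settings must mirror the PKI secure port Connector above -->` before each copy, and consider whether the new listeners need SSLv2 at all. The placeholders `[PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_ADMIN_SECURE_PORT_SERVER_COMMENT]` are concatenated on one line; if the first expands to a comment opener and the second to a complete `<!-- … -->` comment, the inner `-->` would end the comment early and leave the Connector active in shared-port mode, so the expansion of these tokens should be checked. The enclosing `<Service>` starts and ends outside this hunk.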
@@ -408,88 +435,4 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) </Service> -<!-- Port Separation: Admin Secure Port --> -<!-- Port Separation: Unsecure Port --> -<!-- Port Separation: EE Secure Port --> -[PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT] - -<Service name="CatalinaAdmin"> - -<Connector port="[PKI_ADMIN_SECURE_PORT]" maxHttpHeaderSize="8192" - maxThreads="150" minSpareThreads="25" maxSpareThreads="75" - enableLookups="false" disableUploadTimeout="true" - acceptCount="100" scheme="https" secure="true" - clientAuth="false" sslProtocol="SSL" - sslOptions="ssl2=true,ssl3=true,tls=true" - ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5" - ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" - tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" - SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" - serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" - passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" - passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" - certdbDir="[PKI_INSTANCE_PATH]/alias"/> - - 
<Engine name="CatalinaAdmin" defaultHost="localhost"> - - <Realm className="org.apache.catalina.realm.UserDatabaseRealm" - resourceName="UserDatabase"/> - - <Host name="localhost" appBase="webapps.admin" - unpackWARs="true" autoDeploy="false" - xmlValidation="false" xmlNamespaceAware="false"> - - <Valve className="org.apache.catalina.valves.AccessLogValve" - directory="logs" prefix="localhost_access_log." suffix=".txt" - pattern="common" resolveHosts="false"/> - - </Host> - - </Engine> - - </Service> - - -<Service name="CatalinaEE"> - -<Connector port="[PKI_UNSECURE_PORT]" maxHttpHeaderSize="8192" - maxThreads="150" minSpareThreads="25" maxSpareThreads="75" - enableLookups="false" redirectPort="8443" acceptCount="100" - connectionTimeout="20000" disableUploadTimeout="true"/> - -<Connector port="[PKI_EE_SECURE_PORT]" maxHttpHeaderSize="8192" - maxThreads="150" minSpareThreads="25" maxSpareThreads="75" - enableLookups="false" disableUploadTimeout="true" - acceptCount="100" scheme="https" secure="true" - clientAuth="false" sslProtocol="SSL" - sslOptions="ssl2=true,ssl3=true,tls=true" - ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5" - ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" - 
tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" - SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" - serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" - passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" - passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" - certdbDir="[PKI_INSTANCE_PATH]/alias"/> - - <Engine name="CatalinaEE" defaultHost="localhost"> - - <Realm className="org.apache.catalina.realm.UserDatabaseRealm" - resourceName="UserDatabase"/> - - <Host name="localhost" appBase="webapps.ee" - unpackWARs="true" autoDeploy="false" - xmlValidation="false" xmlNamespaceAware="false"> - - - <Valve className="org.apache.catalina.valves.AccessLogValve" - directory="logs" prefix="localhost_access_log." suffix=".txt" - pattern="common" resolveHosts="false"/> - - </Host> - - </Engine> - - </Service> -[PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT] </Server> diff --git a/pki/base/kra/shared/etc/init.d/httpd b/pki/base/kra/shared/etc/init.d/httpd index 1cda47903..7fa60e661 100755 --- a/pki/base/kra/shared/etc/init.d/httpd +++ b/pki/base/kra/shared/etc/init.d/httpd @@ -296,7 +296,7 @@ get_pki_secure_port() # establish well-known strings begin_ssl_comment="<!-- DO NOT REMOVE - Begin define PKI secure port -->" end_ssl_comment="<!-- DO NOT REMOVE - End define PKI secure port -->" - connector_statement="<Connector port=\"" + connector_statement="<Connector name=\"" # initialize looping variables ssl_comment_found=0 
@@ -331,10 +331,15 @@ get_pki_secure_port()
 if [ "$head" == "$connector_statement" ] ; then
 # once the Connector statement has been found,
 tail=`echo $line | cut -b18-`
- # extract the numeric port information
- port=`echo $tail | cut -d\" -f1`
- PKI_SECURE_PORT=$port
- return 0
+ # extract the name of the connector
+ name=`echo $tail | cut -d\" -f1`
+ if [ "$name" == "Agent" ] ||
+ [ "$name" == "Secure" ] ; then
+ # extract the numeric port information
+ port=`echo $tail | cut -d\" -f3`
+ PKI_SECURE_PORT=$port
+ return 0
+ fi
 fi
 fi
 done
diff --git a/pki/base/kra/shared/webapps/kra/WEB-INF/web.xml b/pki/base/kra/shared/webapps/kra/WEB-INF/web.xml
index d19383465..109b796c4 100644
--- a/pki/base/kra/shared/webapps/kra/WEB-INF/web.xml
+++ b/pki/base/kra/shared/webapps/kra/WEB-INF/web.xml
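Review bot: The new check hardcodes the connector names `Agent` and `Secure`, while server.xml fills the names from `[PKI_SECURE_PORT_CONNECTOR_NAME]` and similar tokens, so the coupling between installer substitution and this script is invisible here; if the substituted name is anything else the loop continues and, as far as the visible lines show, PKI_SECURE_PORT is never set (the function's return path after `done` is outside the hunk). `cut -d\" -f3` additionally assumes `name` is the first attribute and `port` the second. A comment above the `if` would make both contracts explicit: `# connector names come from [PKI_*_CONNECTOR_NAME]; port must be the 2nd quoted attribute`. The first httpd hunk (`connector_statement="<Connector name=\""`) keeps `cut -b18-` correct only because `name="` and `port="` are the same length, which deserves the same note.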
@@ -3,6 +3,42 @@ PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "file:///usr/share/rhpki/setup/web-app_2_3.dtd"> <web-app> + <filter> + <filter-name>PassThroughRequestFilter</filter-name> + <filter-class>com.netscape.cms.servlet.filter.PassThroughRequestFilter</filter-class> + </filter> + + <filter> + <filter-name>AgentRequestFilter</filter-name> + <filter-class>com.netscape.cms.servlet.filter.AgentRequestFilter</filter-class> + <init-param> + <param-name>https_port</param-name> + <param-value>[PKI_AGENT_SECURE_PORT]</param-value> + </init-param> + </filter> + + <filter> + <filter-name>AdminRequestFilter</filter-name> + <filter-class>com.netscape.cms.servlet.filter.AdminRequestFilter</filter-class> + <init-param> + <param-name>https_port</param-name> + <param-value>[PKI_ADMIN_SECURE_PORT]</param-value> + </init-param> + </filter> + + <filter> + <filter-name>EERequestFilter</filter-name> + <filter-class>com.netscape.cms.servlet.filter.EERequestFilter</filter-class> + <init-param> + <param-name>http_port</param-name> + <param-value>[PKI_UNSECURE_PORT]</param-value> + </init-param> + <init-param> + <param-name>https_port</param-name> + <param-value>[PKI_EE_SECURE_PORT]</param-value> + </init-param> + </filter> + <servlet> <servlet-name>csadmin-wizard</servlet-name> <servlet-class>com.netscape.cms.servlet.wizard.WizardServlet</servlet-class> 
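Review bot: `AgentRequestFilter` is initialised with `[PKI_AGENT_SECURE_PORT]`, a token that appears nowhere in the server.xml changes of this commit (those define `[PKI_SECURE_PORT]`, `[PKI_ADMIN_SECURE_PORT]` and `[PKI_EE_SECURE_PORT]`); if the installer has no substitution for it the filter receives the literal bracketed string, so either confirm the token exists or use the one tied to the connector named Agent. `PassThroughRequestFilter` is declared but no `<filter-mapping>` for it is visible in this diff. A one-line comment on each `<filter>` naming the connector it is meant to guard, e.g. `<!-- rejects /agent requests that did not arrive on the agent HTTPS connector -->`, would make the port-separation scheme readable from web.xml alone (hedged: the filter classes are not shown here).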
@@ -812,6 +848,24 @@ <param-value> ee </param-value> </init-param> </servlet> +[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT] + <filter-mapping> + <filter-name> AgentRequestFilter </filter-name> + <url-pattern> /agent/* </url-pattern> + </filter-mapping> + + <filter-mapping> + <filter-name> AdminRequestFilter </filter-name> + <url-pattern> /admin/* </url-pattern> + <url-pattern> /auths </url-pattern> + </filter-mapping> + + <filter-mapping> + <filter-name> EERequestFilter </filter-name> + <url-pattern> /ee/* </url-pattern> + </filter-mapping> +[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT] + <servlet-mapping> <servlet-name> kraserver </servlet-name> <url-pattern> /server </url-pattern> @@ -848,12 +902,10 @@ <url-pattern> /acl </url-pattern> </servlet-mapping> -[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT] <servlet-mapping> <servlet-name> kraauths </servlet-name> <url-pattern> /auths </url-pattern> </servlet-mapping> -[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT] <servlet-mapping> <servlet-name> krajobsScheduler </servlet-name> |
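Review bot: The port-enforcement filters are mapped only to `/agent/*`, `/admin/*`, `/ee/*` and `/auths`, so every servlet mapped outside those prefixes (the surrounding context shows `/server` and `/acl`) stays reachable from any connector in either mode; if that is intended, say so in a comment, otherwise each such mapping needs a corresponding `<filter-mapping>`. Because the whole block sits between `[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT]` and `[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT]`, the filters are presumably inactive in shared-port mode; recording that with `<!-- Port Separation only: bind agent/admin/ee servlets to their own connector -->` inside the block would help the next reader. Unwrapping the `kraauths` mapping in the last hunk while adding `/auths` to AdminRequestFilter is consistent with this design.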