authorvakwetu <vakwetu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2011-08-23 18:37:28 +0000
committervakwetu <vakwetu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2011-08-23 18:37:28 +0000
commitdcbedb00e5fae3d56bf8091b54773b8f18d4d3ad (patch)
treeddaeb25344e5e2c1379cd588632a1a926de577ff /pki/base
parent216293aca940f20c72ad5a388f2926657acabe03 (diff)
Resolves #712931 - CS requires too many ports to be open in the FW
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@2160 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base')
-rw-r--r--pki/base/ca/shared/conf/CS.cfg.in2
-rw-r--r--pki/base/ca/shared/conf/proxy.conf34
-rw-r--r--pki/base/ca/shared/conf/server.xml8
-rw-r--r--pki/base/ca/shared/webapps/ca/WEB-INF/web.xml28
-rwxr-xr-xpki/base/common/src/com/netscape/cms/servlet/csadmin/ImportCAChainPanel.java14
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/filter/AdminRequestFilter.java39
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/filter/AgentRequestFilter.java36
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/filter/EEClientAuthRequestFilter.java36
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/filter/EERequestFilter.java71
-rw-r--r--pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java22
-rw-r--r--pki/base/kra/shared/conf/CS.cfg.in2
-rw-r--r--pki/base/kra/shared/conf/server.xml8
-rw-r--r--pki/base/kra/shared/webapps/kra/WEB-INF/web.xml22
-rw-r--r--pki/base/ocsp/shared/conf/CS.cfg.in2
-rw-r--r--pki/base/ocsp/shared/conf/server.xml8
-rw-r--r--pki/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml22
-rw-r--r--pki/base/selinux/src/pki.if3
-rw-r--r--pki/base/selinux/src/pki.te14
-rwxr-xr-xpki/base/setup/pkicommon.pm27
-rwxr-xr-xpki/base/setup/pkicreate113
-rw-r--r--pki/base/tks/shared/conf/CS.cfg.in2
-rw-r--r--pki/base/tks/shared/conf/server.xml8
-rw-r--r--pki/base/tks/shared/webapps/tks/WEB-INF/web.xml22
23 files changed, 463 insertions, 80 deletions
diff --git a/pki/base/ca/shared/conf/CS.cfg.in b/pki/base/ca/shared/conf/CS.cfg.in
index 289f65147..e3447bbc8 100644
--- a/pki/base/ca/shared/conf/CS.cfg.in
+++ b/pki/base/ca/shared/conf/CS.cfg.in
@@ -20,6 +20,8 @@ preop.product.name=CS
preop.product.version=@VERSION@
preop.system.name=CA
preop.system.fullname=Certificate Authority
+proxy.securePort=[PKI_PROXY_SECURE_PORT]
+proxy.unsecurePort=[PKI_PROXY_UNSECURE_PORT]
cs.state._000=##
cs.state._001=## cs.state=0 (pre-operational)
cs.state._002=## cs.state=1 (running)
diff --git a/pki/base/ca/shared/conf/proxy.conf b/pki/base/ca/shared/conf/proxy.conf
new file mode 100644
index 000000000..663ba5722
--- /dev/null
+++ b/pki/base/ca/shared/conf/proxy.conf
@@ -0,0 +1,34 @@
+ProxyRequests Off
+
+# matches for ee port
+<LocationMatch "^/ca/ee/*|^/ca/renewal|^/ca/certbasedenrollment|^/ca/ocsp|^/ca/enrollment|^/ca/profileSubmit|^/ca/cgi-bin/pkiclient.exe">
+ NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+ NSSVerifyClient none
+ ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+ ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+</LocationMatch>
+
+# matches for admin port
+<LocationMatch "^/ca/admin/*|^/ca/auths|^/ca/acl|^/ca/server|^/ca/caadmin|^/ca/caprofile|^/ca/jobsScheduler|^/ca/capublisher|^/ca/log|^/ca/ug">
+ NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+ NSSVerifyClient none
+ ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+ ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+</LocationMatch>
+
+# matches for agent port and eeca port
+<LocationMatch "^/ca/agent/*|^/ca/ca/getCertFromRequest|^/ca/ca/GetBySerial|^/ca/ca/connector|/ca/ca/displayCertFromRequest|^/ca/doRevoke|^/ca/eeca/*">
+ NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+ NSSVerifyClient require
+ ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+ ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+</LocationMatch>
+
+# static content
+<LocationMatch "^/graphics/*">
+ NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+ NSSVerifyClient none
+ ProxyPassMatch ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+ ProxyPassReverse ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/
+</LocationMatch>
+
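Review bot: The `/*` in `^/ca/ee/*`, `^/ca/admin/*`, `^/ca/agent/*`, `^/ca/eeca/*` and `^/graphics/*` is a regex quantifier (zero or more slashes), not a glob, so `^/ca/ee/*` also matches `/ca/eeca/...` and `^/ca/admin/*` matches any path that merely begins with `/ca/admin`; the eeca overlap only ends up with `NSSVerifyClient require` because the agent block comes later in the file and later LocationMatch sections take precedence. `/ca/ca/displayCertFromRequest` in the agent block is the one alternative without a `^` anchor, so it matches that substring anywhere in the path. Anchoring every alternative and terminating the prefixes, e.g. `^/ca/ee(/|$)` and `^/ca/eeca(/|$)`, makes the client-auth requirement on agent and eeca paths independent of section order, and a one-line comment saying that section order is load-bearing would help whoever edits this next.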
diff --git a/pki/base/ca/shared/conf/server.xml b/pki/base/ca/shared/conf/server.xml
index 07f4a4060..5984d4919 100644
--- a/pki/base/ca/shared/conf/server.xml
+++ b/pki/base/ca/shared/conf/server.xml
@@ -209,10 +209,10 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
clientAuth="false" sslProtocol="TLS" />
-->
- <!-- Define an AJP 1.3 Connector on port 8009 -->
-<!--
- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
--->
+ <!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] -->
+[PKI_OPEN_AJP_PORT_COMMENT]
+ <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" />
+[PKI_CLOSE_AJP_PORT_COMMENT]
<!-- An Engine represents the entry point (within Catalina) that processes
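Review bot: The new AJP Connector on `[PKI_AJP_PORT]` is declared without an `address` attribute, so Tomcat binds it on all interfaces although its only intended client is the httpd proxy, and AJP trusts the connection-level attributes the proxy forwards. When the proxy runs on the same host (proxy.conf points at `[PKI_MACHINE_NAME]`, which may or may not resolve to loopback — worth confirming), adding `address="127.0.0.1"` to the Connector line keeps the connector off the network and preserves the firewall rationale of this change. The same connector line is added in the KRA, OCSP and TKS server.xml.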
diff --git a/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml b/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml
index 43223c661..5e91977aa 100644
--- a/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml
+++ b/pki/base/ca/shared/webapps/ca/WEB-INF/web.xml
@@ -10,6 +10,12 @@
<param-name>https_port</param-name>
<param-value>[PKI_AGENT_SECURE_PORT]</param-value>
</init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
+ <init-param>
+ <param-name>proxy_port</param-name>
+ <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
+ </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
<init-param>
<param-name>active</param-name>
<param-value>true</param-value>
@@ -23,6 +29,12 @@
<param-name>https_port</param-name>
<param-value>[PKI_ADMIN_SECURE_PORT]</param-value>
</init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
+ <init-param>
+ <param-name>proxy_port</param-name>
+ <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
+ </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
<init-param>
<param-name>active</param-name>
<param-value>true</param-value>
@@ -40,6 +52,16 @@
<param-name>https_port</param-name>
<param-value>[PKI_EE_SECURE_PORT]</param-value>
</init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
+ <init-param>
+ <param-name>proxy_port</param-name>
+ <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
+ </init-param>
+ <init-param>
+ <param-name>proxy_http_port</param-name>
+ <param-value>[PKI_PROXY_UNSECURE_PORT]</param-value>
+ </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
<init-param>
<param-name>active</param-name>
<param-value>true</param-value>
@@ -53,6 +75,12 @@
<param-name>https_port</param-name>
<param-value>[PKI_EE_SECURE_CLIENT_AUTH_PORT]</param-value>
</init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
+ <init-param>
+ <param-name>proxy_port</param-name>
+ <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
+ </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
<init-param>
<param-name>active</param-name>
<param-value>true</param-value>
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/ImportCAChainPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/ImportCAChainPanel.java
index fe32ee799..8a730d519 100755
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/ImportCAChainPanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/ImportCAChainPanel.java
@@ -101,10 +101,12 @@ public class ImportCAChainPanel extends WizardPanelBase {
IConfigStore cs = CMS.getConfigStore();
try {
context.put("machineName", cs.getString("machineName"));
- context.put("https_port", CMS.getEESSLPort());
- context.put("http_port", CMS.getEENonSSLPort());
- } catch (EBaseException e) {}
-
+ context.put("https_port", cs.getString("pkicreate.ee_secure_port"));
+ context.put("http_port", cs.getString("pkicreate.unsecure_port"));
+ } catch (EBaseException e) {
+ CMS.debug("ImportCACertChain:display: Exception: " + e.toString());
+ context.put("errorString", "Error loading values for Import CA Certificate Panel");
+ }
ISubsystem ca = (ISubsystem) CMS.getSubsystem("ca");
@@ -150,8 +152,8 @@ public class ImportCAChainPanel extends WizardPanelBase {
IConfigStore cs = CMS.getConfigStore();
try {
context.put("machineName", cs.getString("machineName"));
- context.put("https_port", CMS.getEESSLPort());
- context.put("http_port", CMS.getEENonSSLPort());
+ context.put("https_port", cs.getString("pkicreate.ee_secure_port"));
+ context.put("http_port", cs.getString("pkicreate.unsecure_port"));
context.put("title", "Import CA's Certificate Chain");
context.put("panel", "admin/console/config/importcachainpanel.vm");
} catch (EBaseException e) {}
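Review bot: The second hunk keeps `} catch (EBaseException e) {}`, so a failure of the new `cs.getString("pkicreate.ee_secure_port")` / `cs.getString("pkicreate.unsecure_port")` lookups is silently swallowed here, while the identical lookups in the first hunk now log and set `errorString`. The two blocks should handle the failure the same way; at minimum the catch should log, e.g. `CMS.debug("ImportCAChainPanel: Exception: " + e.toString());`. The enclosing method continues outside the hunk.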
diff --git a/pki/base/common/src/com/netscape/cms/servlet/filter/AdminRequestFilter.java b/pki/base/common/src/com/netscape/cms/servlet/filter/AdminRequestFilter.java
index 848ffba6f..75e02a24b 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/filter/AdminRequestFilter.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/filter/AdminRequestFilter.java
@@ -26,6 +26,7 @@ public class AdminRequestFilter implements Filter
private static final String HTTPS_SCHEME = "https";
private static final String HTTPS_PORT = "https_port";
private static final String HTTPS_ROLE = "Admin";
+ private static final String PROXY_PORT = "proxy_port";
private FilterConfig config;
@@ -51,6 +52,7 @@ public class AdminRequestFilter implements Filter
String request_port = null;
String param_https_port = null;
+ String param_proxy_port = null;
String msg = null;
String param_active = null;
@@ -84,22 +86,39 @@ public class AdminRequestFilter implements Filter
return;
}
+ param_proxy_port = config.getInitParameter(PROXY_PORT);
+ boolean bad_port = false;
+
// Compare the request and param "https" ports
if( ! param_https_port.equals( request_port ) ) {
- String uri = ((HttpServletRequest) request).getRequestURI();
- msg = "Use HTTPS port '" + param_https_port
- + "' instead of '" + request_port
- + "' when performing " + HTTPS_ROLE + " tasks!";
- CMS.debug( filterName + ": " + msg );
- CMS.debug( filterName + ": uri is " + uri);
- if ((param_active != null) &&(param_active.equals("false"))) {
- CMS.debug("Filter is disabled .. continuing");
+ String uri = ((HttpServletRequest) request).getRequestURI();
+ if (param_proxy_port != null) {
+ if (!param_proxy_port.equals(request_port)) {
+ msg = "Use HTTPS port '" + param_https_port
+ + "' or proxy port '" + param_proxy_port
+ + "' instead of '" + request_port
+ + "' when performing " + HTTPS_ROLE + " tasks!";
+ bad_port = true;
+ }
} else {
- resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
- return;
+ msg = "Use HTTPS port '" + param_https_port
+ + "' instead of '" + request_port
+ + "' when performing " + HTTPS_ROLE + " tasks!";
+ bad_port = true;
+ }
+ if (bad_port) {
+ CMS.debug( filterName + ": " + msg );
+ CMS.debug( filterName + ": uri is " + uri);
+ if ((param_active != null) &&(param_active.equals("false"))) {
+ CMS.debug("Filter is disabled .. continuing");
+ } else {
+ resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
+ return;
+ }
}
}
}
+
// CMS.debug("Exiting the admin filter");
chain.doFilter( request, response );
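Review bot: The new port check builds the same error message in two branches and nests the debug/sendError tail three levels deep, and the identical block is pasted into AgentRequestFilter, EEClientAuthRequestFilter and (twice, for http and https) EERequestFilter. Computing one boolean for "request port matches the dedicated HTTPS port or the configured proxy port" and building the message once reads more clearly and gives a single place to fix. Note also that once proxy_port is set, the admin, agent and EE filters all accept the same proxy port, so the port-based role separation this filter enforces no longer distinguishes roles for proxied requests; the only separation left is what the proxy applies per path (in proxy.conf, `NSSVerifyClient require` on agent paths), which deserves a comment above the check. The enclosing doFilter starts outside the hunk.
```java
            param_proxy_port = config.getInitParameter(PROXY_PORT);

            // With a proxy in front, all roles share proxy_port; role separation is then the proxy's job.
            boolean port_ok = param_https_port.equals( request_port )
                || (param_proxy_port != null && param_proxy_port.equals( request_port ));
            if( ! port_ok ) {
                String uri = ((HttpServletRequest) request).getRequestURI();
                msg = "Use HTTPS port '" + param_https_port
                    + ((param_proxy_port != null) ? "' or proxy port '" + param_proxy_port : "")
                    + "' instead of '" + request_port
                    + "' when performing " + HTTPS_ROLE + " tasks!";
                CMS.debug( filterName + ": " + msg );
                CMS.debug( filterName + ": uri is " + uri);
                // … unchanged: param_active check, sendError / return …
            }
```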
diff --git a/pki/base/common/src/com/netscape/cms/servlet/filter/AgentRequestFilter.java b/pki/base/common/src/com/netscape/cms/servlet/filter/AgentRequestFilter.java
index e4d1bb3df..da16dc01d 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/filter/AgentRequestFilter.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/filter/AgentRequestFilter.java
@@ -26,6 +26,7 @@ public class AgentRequestFilter implements Filter
private static final String HTTPS_SCHEME = "https";
private static final String HTTPS_PORT = "https_port";
private static final String HTTPS_ROLE = "Agent";
+ private static final String PROXY_PORT = "proxy_port";
private FilterConfig config;
@@ -51,6 +52,7 @@ public class AgentRequestFilter implements Filter
String request_port = null;
String param_https_port = null;
+ String param_proxy_port = null;
String msg = null;
String param_active = null;
@@ -85,19 +87,35 @@ public class AgentRequestFilter implements Filter
return;
}
+ param_proxy_port = config.getInitParameter(PROXY_PORT);
+ boolean bad_port = false;
+
// Compare the request and param "https" ports
if( ! param_https_port.equals( request_port ) ) {
String uri = ((HttpServletRequest) request).getRequestURI();
- msg = "Use HTTPS port '" + param_https_port
- + "' instead of '" + request_port
- + "' when performing " + HTTPS_ROLE + " tasks!";
- CMS.debug( filterName + ": " + msg );
- CMS.debug( filterName + ": uri is " + uri);
- if ((param_active != null) &&(param_active.equals("false"))) {
- CMS.debug("Filter is disabled .. continuing");
+ if (param_proxy_port != null) {
+ if (!param_proxy_port.equals(request_port)) {
+ msg = "Use HTTPS port '" + param_https_port
+ + "' or proxy port '" + param_proxy_port
+ + "' instead of '" + request_port
+ + "' when performing " + HTTPS_ROLE + " tasks!";
+ bad_port = true;
+ }
} else {
- resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
- return;
+ msg = "Use HTTPS port '" + param_https_port
+ + "' instead of '" + request_port
+ + "' when performing " + HTTPS_ROLE + " tasks!";
+ bad_port = true;
+ }
+ if (bad_port) {
+ CMS.debug( filterName + ": " + msg );
+ CMS.debug( filterName + ": uri is " + uri);
+ if ((param_active != null) &&(param_active.equals("false"))) {
+ CMS.debug("Filter is disabled .. continuing");
+ } else {
+ resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
+ return;
+ }
}
}
}
diff --git a/pki/base/common/src/com/netscape/cms/servlet/filter/EEClientAuthRequestFilter.java b/pki/base/common/src/com/netscape/cms/servlet/filter/EEClientAuthRequestFilter.java
index 6ed6617bc..3c11dbd55 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/filter/EEClientAuthRequestFilter.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/filter/EEClientAuthRequestFilter.java
@@ -26,6 +26,7 @@ public class EEClientAuthRequestFilter implements Filter
private static final String HTTPS_SCHEME = "https";
private static final String HTTPS_PORT = "https_port";
private static final String HTTPS_ROLE = "EE Client Auth";
+ private static final String PROXY_PORT = "proxy_port";
private FilterConfig config;
@@ -53,6 +54,7 @@ public class EEClientAuthRequestFilter implements Filter
String param_https_port = null;
String msg = null;
String param_active = null;
+ String param_proxy_port = null;
// CMS.debug("Entering the EECA filter");
param_active = config.getInitParameter( "active");
@@ -84,19 +86,35 @@ public class EEClientAuthRequestFilter implements Filter
return;
}
+ param_proxy_port = config.getInitParameter(PROXY_PORT);
+ boolean bad_port = false;
+
// Compare the request and param "https" ports
if( ! param_https_port.equals( request_port ) ) {
String uri = ((HttpServletRequest) request).getRequestURI();
- msg = "Use HTTPS port '" + param_https_port
- + "' instead of '" + request_port
- + "' when performing " + HTTPS_ROLE + " tasks!";
- CMS.debug( filterName + ": " + msg );
- CMS.debug( filterName + ": uri is " + msg);
- if ((param_active != null) &&(param_active.equals("false"))) {
- CMS.debug("Filter is disabled .. continuing");
+ if (param_proxy_port != null) {
+ if (!param_proxy_port.equals(request_port)) {
+ msg = "Use HTTPS port '" + param_https_port
+ + "' or proxy port '" + param_proxy_port
+ + "' instead of '" + request_port
+ + "' when performing " + HTTPS_ROLE + " tasks!";
+ bad_port = true;
+ }
} else {
- resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
- return;
+ msg = "Use HTTPS port '" + param_https_port
+ + "' instead of '" + request_port
+ + "' when performing " + HTTPS_ROLE + " tasks!";
+ bad_port = true;
+ }
+ if (bad_port) {
+ CMS.debug( filterName + ": " + msg );
+ CMS.debug( filterName + ": uri is " + uri);
+ if ((param_active != null) &&(param_active.equals("false"))) {
+ CMS.debug("Filter is disabled .. continuing");
+ } else {
+ resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
+ return;
+ }
}
}
}
diff --git a/pki/base/common/src/com/netscape/cms/servlet/filter/EERequestFilter.java b/pki/base/common/src/com/netscape/cms/servlet/filter/EERequestFilter.java
index 23df05954..69634506e 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/filter/EERequestFilter.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/filter/EERequestFilter.java
@@ -29,6 +29,8 @@ public class EERequestFilter implements Filter
private static final String HTTPS_SCHEME = "https";
private static final String HTTPS_PORT = "https_port";
private static final String HTTPS_ROLE = "EE";
+ private static final String PROXY_PORT = "proxy_port";
+ private static final String PROXY_HTTP_PORT = "proxy_http_port";
private FilterConfig config;
@@ -55,6 +57,8 @@ public class EERequestFilter implements Filter
String request_port = null;
String param_http_port = null;
String param_https_port = null;
+ String param_proxy_port = null;
+ String param_proxy_http_port = null;
String msg = null;
String param_active = null;
@@ -100,6 +104,10 @@ public class EERequestFilter implements Filter
return;
}
+ param_proxy_http_port = config.getInitParameter(PROXY_HTTP_PORT);
+ param_proxy_port = config.getInitParameter(PROXY_PORT);
+ boolean bad_port = false;
+
// If the scheme is "http", compare
// the request and param "http" ports;
// otherwise, if the scheme is "https", compare
@@ -107,32 +115,61 @@ public class EERequestFilter implements Filter
if( scheme.equals( HTTP_SCHEME ) ) {
if( ! param_http_port.equals( request_port ) ) {
String uri = ((HttpServletRequest) request).getRequestURI();
- msg = "Use HTTP port '" + param_http_port
- + "' instead of '" + request_port
- + "' when performing " + HTTP_ROLE + " tasks!";
- CMS.debug( filterName + ": " + msg );
- CMS.debug( filterName + ": uri is " + uri);
- if ((param_active != null) &&(param_active.equals("false"))) {
- CMS.debug("Filter is disabled .. continuing");
+ if (param_proxy_http_port != null) {
+ if (!param_proxy_http_port.equals(request_port)) {
+ msg = "Use HTTP port '" + param_http_port
+ + "' or proxy port '" + param_proxy_http_port
+ + "' instead of '" + request_port
+ + "' when performing " + HTTP_ROLE + " tasks!";
+ bad_port = true;
+ }
} else {
- resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
- return;
+ msg = "Use HTTP port '" + param_http_port
+ + "' instead of '" + request_port
+ + "' when performing " + HTTP_ROLE + " tasks!";
+ bad_port = true;
+ }
+ if (bad_port) {
+ CMS.debug( filterName + ": " + msg );
+ CMS.debug( filterName + ": uri is " + uri);
+ if ((param_active != null) &&(param_active.equals("false"))) {
+ CMS.debug("Filter is disabled .. continuing");
+ } else {
+ resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
+ return;
+ }
}
}
} else if( scheme.equals( HTTPS_SCHEME ) ) {
if( ! param_https_port.equals( request_port ) ) {
- msg = "Use HTTPS port '" + param_https_port
- + "' instead of '" + request_port
- + "' when performing " + HTTPS_ROLE + " tasks!";
- CMS.debug( filterName + ": " + msg );
- if ((param_active != null) &&(param_active.equals("false"))) {
- CMS.debug("Filter is disabled .. continuing");
+ String uri = ((HttpServletRequest) request).getRequestURI();
+ if (param_proxy_port != null) {
+ if (!param_proxy_port.equals(request_port)) {
+ msg = "Use HTTPS port '" + param_https_port
+ + "' or proxy port '" + param_proxy_port
+ + "' instead of '" + request_port
+ + "' when performing " + HTTPS_ROLE + " tasks!";
+ bad_port = true;
+ }
} else {
- resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
- return;
+ msg = "Use HTTPS port '" + param_https_port
+ + "' instead of '" + request_port
+ + "' when performing " + HTTPS_ROLE + " tasks!";
+ bad_port = true;
+ }
+ if (bad_port) {
+ CMS.debug( filterName + ": " + msg );
+ CMS.debug( filterName + ": uri is " + uri);
+ if ((param_active != null) &&(param_active.equals("false"))) {
+ CMS.debug("Filter is disabled .. continuing");
+ } else {
+ resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
+ return;
+ }
}
}
}
+
}
// CMS.debug("Exiting the EE filter");
diff --git a/pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java b/pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java
index b9809043c..afaa5c9fc 100644
--- a/pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java
+++ b/pki/base/common/src/com/netscape/cmscore/apps/CMSEngine.java
@@ -323,6 +323,7 @@ public class CMSEngine implements ICMSEngine {
}
}
parseServerXML();
+ fixProxyPorts();
}
/**
@@ -543,6 +544,27 @@ public class CMSEngine implements ICMSEngine {
}
}
+ private void fixProxyPorts() throws EBaseException {
+ try {
+ String port = mConfig.getString("proxy.securePort", "");
+ if (!port.equals("")) {
+ info[EE_SSL][PORT] = port;
+ info[ADMIN][PORT] = port;
+ info[AGENT][PORT] = port;
+ info[EE_CLIENT_AUTH_SSL][PORT] = port;
+ }
+
+ port = mConfig.getString("proxy.unsecurePort", "");
+ if (!port.equals("")) {
+ info[EE_NON_SSL][PORT] = port;
+ }
+ } catch (EBaseException e) {
+ CMS.debug("CMSEngine: fixProxyPorts exception: " + e.toString());
+ throw e;
+ }
+ }
+
+
public IConfigStore createFileConfigStore(String path) throws EBaseException {
try {
/* if the file is not there, create one */
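Review bot: `fixProxyPorts` treats any non-empty `proxy.securePort` as a valid port, and the CS.cfg.in templates in this commit always write `proxy.securePort=[PKI_PROXY_SECURE_PORT]`; unless pkicreate substitutes an empty string when `-enable_proxy` is not given (that substitution is outside this page), the unsubstituted slot text would pass the `!port.equals("")` check and overwrite the EE, admin, agent and client-auth entries of `info[]` with a non-numeric value. Validating the value with `Integer.parseInt` and logging and skipping a malformed one before assigning it makes the behaviour explicit either way. The method also lacks a header comment; something like `/** When a proxy is configured, point every role's PORT entry in info[] at the proxy ports from proxy.securePort / proxy.unsecurePort. */` would tell readers that callers of the port getters built on `info[]` see the proxy port, not the connector port, after this runs.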
diff --git a/pki/base/kra/shared/conf/CS.cfg.in b/pki/base/kra/shared/conf/CS.cfg.in
index 9332d119e..4bf1c738e 100644
--- a/pki/base/kra/shared/conf/CS.cfg.in
+++ b/pki/base/kra/shared/conf/CS.cfg.in
@@ -19,6 +19,8 @@ preop.product.name=CS
preop.product.version=@VERSION@
preop.system.name=DRM
preop.system.fullname=Data Recovery Manager
+proxy.securePort=[PKI_PROXY_SECURE_PORT]
+proxy.unsecurePort=[PKI_PROXY_UNSECURE_PORT]
cs.state=0
cs.type=KRA
admin.interface.uri=kra/admin/console/config/wizard
diff --git a/pki/base/kra/shared/conf/server.xml b/pki/base/kra/shared/conf/server.xml
index 856c2c2a5..d7df4b13e 100644
--- a/pki/base/kra/shared/conf/server.xml
+++ b/pki/base/kra/shared/conf/server.xml
@@ -191,10 +191,10 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
clientAuth="false" sslProtocol="TLS" />
-->
- <!-- Define an AJP 1.3 Connector on port 8009 -->
-<!--
- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
--->
+ <!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] -->
+[PKI_OPEN_AJP_PORT_COMMENT]
+ <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="PKI_AJP_REDIRECT_PORT]" />
+[PKI_CLOSE_AJP_PORT_COMMENT]
<!-- An Engine represents the entry point (within Catalina) that processes
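Review bot: The `redirectPort` value on the new Connector line reads `"PKI_AJP_REDIRECT_PORT]"` — the opening `[` is missing, so pkicreate's slot substitution will not match it and the generated server.xml keeps the literal text, which is not a valid port number. The CA and OCSP variants of this line use `"[PKI_AJP_REDIRECT_PORT]"`; this one should read `<Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" />`.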
diff --git a/pki/base/kra/shared/webapps/kra/WEB-INF/web.xml b/pki/base/kra/shared/webapps/kra/WEB-INF/web.xml
index 095f74481..fdc2779b1 100644
--- a/pki/base/kra/shared/webapps/kra/WEB-INF/web.xml
+++ b/pki/base/kra/shared/webapps/kra/WEB-INF/web.xml
@@ -10,6 +10,12 @@
<param-name>https_port</param-name>
<param-value>[PKI_AGENT_SECURE_PORT]</param-value>
</init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
+ <init-param>
+ <param-name>proxy_port</param-name>
+ <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
+ </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
<init-param>
<param-name>active</param-name>
<param-value>true</param-value>
@@ -23,6 +29,12 @@
<param-name>https_port</param-name>
<param-value>[PKI_ADMIN_SECURE_PORT]</param-value>
</init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
+ <init-param>
+ <param-name>proxy_port</param-name>
+ <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
+ </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
<init-param>
<param-name>active</param-name>
<param-value>true</param-value>
@@ -40,6 +52,16 @@
<param-name>https_port</param-name>
<param-value>[PKI_EE_SECURE_PORT]</param-value>
</init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
+ <init-param>
+ <param-name>proxy_port</param-name>
+ <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
+ </init-param>
+ <init-param>
+ <param-name>proxy_http_port</param-name>
+ <param-value>[PKI_PROXY_UNSECURE_PORT]</param-value>
+ </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
<init-param>
<param-name>active</param-name>
<param-value>true</param-value>
diff --git a/pki/base/ocsp/shared/conf/CS.cfg.in b/pki/base/ocsp/shared/conf/CS.cfg.in
index 309417641..4cd234c84 100644
--- a/pki/base/ocsp/shared/conf/CS.cfg.in
+++ b/pki/base/ocsp/shared/conf/CS.cfg.in
@@ -26,6 +26,8 @@ preop.product.name=CS
preop.product.version=@VERSION@
preop.system.name=OCSP
preop.system.fullname=OCSP Responder
+proxy.securePort=[PKI_PROXY_SECURE_PORT]
+proxy.unsecurePort=[PKI_PROXY_UNSECURE_PORT]
preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module
preop.configModules.module0.commonName=NSS Internal PKCS #11 Module
preop.configModules.module0.imagePath=../img/clearpixel.gif
diff --git a/pki/base/ocsp/shared/conf/server.xml b/pki/base/ocsp/shared/conf/server.xml
index 856c2c2a5..ff33b9aa4 100644
--- a/pki/base/ocsp/shared/conf/server.xml
+++ b/pki/base/ocsp/shared/conf/server.xml
@@ -191,10 +191,10 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
clientAuth="false" sslProtocol="TLS" />
-->
- <!-- Define an AJP 1.3 Connector on port 8009 -->
-<!--
- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
--->
+ <!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] -->
+[PKI_OPEN_AJP_PORT_COMMENT]
+ <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" />
+[PKI_CLOSE_AJP_PORT_COMMENT]
<!-- An Engine represents the entry point (within Catalina) that processes
diff --git a/pki/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml b/pki/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
index ef79e3865..7ac6247e3 100644
--- a/pki/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
+++ b/pki/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
@@ -14,6 +14,12 @@
<param-name>https_port</param-name>
<param-value>[PKI_AGENT_SECURE_PORT]</param-value>
</init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
+ <init-param>
+ <param-name>proxy_port</param-name>
+ <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
+ </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
<init-param>
<param-name>active</param-name>
<param-value>true</param-value>
@@ -27,6 +33,12 @@
<param-name>https_port</param-name>
<param-value>[PKI_ADMIN_SECURE_PORT]</param-value>
</init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
+ <init-param>
+ <param-name>proxy_port</param-name>
+ <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
+ </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
<init-param>
<param-name>active</param-name>
<param-value>true</param-value>
@@ -44,6 +56,16 @@
<param-name>https_port</param-name>
<param-value>[PKI_EE_SECURE_PORT]</param-value>
</init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
+ <init-param>
+ <param-name>proxy_port</param-name>
+ <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
+ </init-param>
+ <init-param>
+ <param-name>proxy_http_port</param-name>
+ <param-value>[PKI_PROXY_UNSECURE_PORT]</param-value>
+ </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
<init-param>
<param-name>active</param-name>
<param-value>true</param-value>
diff --git a/pki/base/selinux/src/pki.if b/pki/base/selinux/src/pki.if
index 56b671d0c..cba0f91ac 100644
--- a/pki/base/selinux/src/pki.if
+++ b/pki/base/selinux/src/pki.if
@@ -22,6 +22,7 @@ template(`pki_ca_template',`
type rpm_var_lib_t;
type rpm_exec_t;
type setfiles_t;
+ type httpd_t;
')
########################################
#
@@ -192,6 +193,8 @@ template(`pki_ca_template',`
# allow writing to the kernel keyring
allow $1_t self:key { write read };
+ #reverse proxy
+ corenet_tcp_connect_dogtag_port($1_t)
')
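Review bot: The comment above `corenet_tcp_connect_dogtag_port($1_t)` says `#reverse proxy` while the matching `httpd_t` rules added in pki.te are labelled `# forward proxy`; for an httpd in front of Tomcat the correct term is reverse proxy, so the pki.te comments should be aligned with this one. `type httpd_t;` is added to the template's require block, but nothing in the visible hunks of the template uses `httpd_t` (the rule here is on `$1_t`), so either it serves a use outside the visible hunks or it is superfluous — worth confirming before shipping the policy.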
diff --git a/pki/base/selinux/src/pki.te b/pki/base/selinux/src/pki.te
index f12059fa9..2261af4b3 100644
--- a/pki/base/selinux/src/pki.te
+++ b/pki/base/selinux/src/pki.te
@@ -1,4 +1,4 @@
-policy_module(pki,1.0.24)
+policy_module(pki,1.0.25)
attribute pki_ca_config;
attribute pki_ca_executable;
@@ -22,6 +22,9 @@ pki_ca_template(pki_ca)
corenet_tcp_connect_pki_kra_port(pki_ca_t)
corenet_tcp_connect_pki_ocsp_port(pki_ca_t)
+# forward proxy
+corenet_tcp_connect_pki_ca_port(httpd_t)
+
# for crl publishing
allow pki_ca_t pki_ca_var_lib_t:lnk_file { rename create unlink };
@@ -43,6 +46,9 @@ files_type(pki_kra_tomcat_exec_t)
pki_ca_template(pki_kra)
corenet_tcp_connect_pki_ca_port(pki_kra_t)
+# forward proxy
+corenet_tcp_connect_pki_kra_port(httpd_t)
+
attribute pki_ocsp_config;
attribute pki_ocsp_executable;
attribute pki_ocsp_var_lib;
@@ -58,6 +64,9 @@ files_type(pki_ocsp_tomcat_exec_t)
pki_ca_template(pki_ocsp)
corenet_tcp_connect_pki_ca_port(pki_ocsp_t)
+# forward proxy
+corenet_tcp_connect_pki_ocsp_port(httpd_t)
+
attribute pki_ra_config;
attribute pki_ra_executable;
attribute pki_ra_var_lib;
@@ -87,6 +96,9 @@ files_type(pki_tks_tomcat_exec_t)
pki_ca_template(pki_tks)
corenet_tcp_connect_pki_ca_port(pki_tks_t)
+# forward proxy
+corenet_tcp_connect_pki_tks_port(httpd_t)
+
# needed for token enrollment, list /var/cache/tomcat5/temp
files_list_var(pki_tks_t)
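Review bot: The new `corenet_tcp_connect_pki_*_port(httpd_t)` rules are unconditional, so every install grants `httpd_t` connections to the CA, KRA, OCSP and TKS ports even when `-enable_proxy` is not used. Guarding them with a boolean via `gen_tunable`/`tunable_policy`, in the style of the existing httpd network tunables, keeps the default policy at least privilege and lets pkicreate enable it only when the proxy is configured. The `# forward proxy` comments also mislabel the setup; pki.if calls the same thing `#reverse proxy`, which is the right term for httpd proxying to Tomcat.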
diff --git a/pki/base/setup/pkicommon.pm b/pki/base/setup/pkicommon.pm
index 002e8a0a2..0d7be6080 100755
--- a/pki/base/setup/pkicommon.pm
+++ b/pki/base/setup/pkicommon.pm
@@ -1214,7 +1214,8 @@ sub AreConnectorPortsValid
{
# parse parameters
my ($secure_port, $unsecure_port, $agent_secure_port,
- $ee_secure_port, $admin_secure_port) = @_;
+ $ee_secure_port, $admin_secure_port, $proxy_secure_port,
+ $proxy_unsecure_port, $ajp_port) = @_;
if ($secure_port == -1 && $agent_secure_port == -1)
@@ -1236,18 +1237,30 @@ sub AreConnectorPortsValid
return 1;
}
- # Now make sure none of the separated ports are the same
- if (($agent_secure_port == $admin_secure_port) ||
- ($agent_secure_port == $ee_secure_port) ||
- ($ee_secure_port == $admin_secure_port))
- {
+ if (!portsUnique($agent_secure_port,$ee_secure_port, $admin_secure_port, $proxy_secure_port,
+ $proxy_unsecure_port, $ajp_port)) {
return 0;
}
return 1;
-
+
}
+#return 1 - if non-negative ports are uique
+#return 0 - otherwise (failure)
+sub portsUnique
+{
+ my @ports = sort @_;
+ my $last_port = -1;
+ for my $port (@ports) {
+ next if ($port < 0);
+ if ($port == $last_port) {
+ return 0;
+ }
+ $last_port = $port;
+ }
+ return 1;
+}
# return 1 - port is available (success)
# return 0 - port is unavailable; report an error (failure)
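Review bot: `portsUnique` sorts with a bare `sort @_`, which is a string sort; it still detects duplicates because equal values are adjacent either way, but `sort { $a <=> $b } @_` states the intent and keeps the `< 0` skip meaningful on numeric input. An `undef` argument (for example if any caller still passes the old five-argument form to `AreConnectorPortsValid`, which now unpacks eight) compares as 0 rather than being skipped by the `-1` sentinel, so two such arguments would be reported as a collision; `next unless defined $port && $port >= 0;` covers that. The comment also has a typo: `#return 1 - if non-negative ports are unique`.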
diff --git a/pki/base/setup/pkicreate b/pki/base/setup/pkicreate
index 404738de4..da6f3c478 100755
--- a/pki/base/setup/pkicreate
+++ b/pki/base/setup/pkicreate
@@ -221,6 +221,7 @@ my $tomcat6_conf_base_name = "tomcat6.conf"; # CA, KRA, OCSP, T
my $velocity_prop_base_name = "velocity.properties"; # CA, KRA, OCSP, TKS
my $web_xml_base_name = "web.xml"; # CA, KRA, OCSP, TKS
my $profile_select_base_name = "ProfileSelect.template"; # CA
+my $proxy_conf_base_name = "proxy.conf"; # CA
my $registry_template_base_name = "registry_instance"; # CA, KRA, OCSP, TKS, RA, TPS
my $pki_apache_initscript_base_name = "pki_apache_initscript"; # RA, TPS
@@ -291,6 +292,7 @@ my $PKI_RANDOM_NUMBER_SLOT = "PKI_RANDOM_NUMBER";
my $PKI_SECURE_PORT_SLOT = "PKI_SECURE_PORT";
my $PKI_EE_SECURE_PORT_SLOT = "PKI_EE_SECURE_PORT";
my $PKI_EE_SECURE_CLIENT_AUTH_PORT_SLOT = "PKI_EE_SECURE_CLIENT_AUTH_PORT";
+my $PKI_EE_SECURE_CLIENT_AUTH_PORT_UI_SLOT = "PKI_EE_SECURE_CLIENT_AUTH_PORT_UI";
my $PKI_AGENT_SECURE_PORT_SLOT = "PKI_AGENT_SECURE_PORT";
my $PKI_ADMIN_SECURE_PORT_SLOT = "PKI_ADMIN_SECURE_PORT";
my $PKI_SERVER_XML_CONF = "PKI_SERVER_XML_CONF";
@@ -322,6 +324,14 @@ my $PKI_OPEN_SEPARATE_PORTS_COMMENT_SERVER_SLOT = "PKI_OPEN_SEPARATE_PORT
my $PKI_CLOSE_SEPARATE_PORTS_COMMENT_SERVER_SLOT = "PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT";
my $PKI_OPEN_SEPARATE_PORTS_COMMENT_WEB_SLOT = "PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT";
my $PKI_CLOSE_SEPARATE_PORTS_COMMENT_WEB_SLOT = "PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT";
+my $PKI_OPEN_AJP_PORT_COMMENT_SLOT = "PKI_OPEN_AJP_PORT_COMMENT";
+my $PKI_CLOSE_AJP_PORT_COMMENT_SLOT = "PKI_CLOSE_AJP_PORT_COMMENT";
+my $PKI_OPEN_ENABLE_PROXY_COMMENT_SLOT = "PKI_OPEN_ENABLE_PROXY_COMMENT";
+my $PKI_CLOSE_ENABLE_PROXY_COMMENT_SLOT = "PKI_CLOSE_ENABLE_PROXY_COMMENT";
+my $PKI_AJP_REDIRECT_PORT_SLOT = "PKI_AJP_REDIRECT_PORT";
+my $PKI_AJP_PORT_SLOT = "PKI_AJP_PORT";
+my $PROXY_SECURE_PORT_SLOT = "PKI_PROXY_SECURE_PORT";
+my $PROXY_UNSECURE_PORT_SLOT = "PKI_PROXY_UNSECURE_PORT";
my $PKI_UNSECURE_PORT_NAME = "Unsecure";
my $PKI_AGENT_SECURE_PORT_NAME = "Agent";
my $PKI_ADMIN_SECURE_PORT_NAME = "Admin";
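Review bot: The two new slot names `$PROXY_SECURE_PORT_SLOT` and `$PROXY_UNSECURE_PORT_SLOT` drop the `PKI_` prefix that every other `*_SLOT` variable in this block carries (`$PKI_AJP_PORT_SLOT`, `$PKI_AJP_REDIRECT_PORT_SLOT` just above), although their values keep it. Renaming them `$PKI_PROXY_SECURE_PORT_SLOT` / `$PKI_PROXY_UNSECURE_PORT_SLOT` keeps the variable names searchable against the `[PKI_PROXY_SECURE_PORT]` tokens used in the templates.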
@@ -347,6 +357,11 @@ my $SELINUX_PORT_UNDEFINED = 0;
my $SELINUX_PORT_DEFINED = 1;
my $SELINUX_PORT_WRONGLY_DEFINED = 2;
+#proxy defaults
+my $PROXY_SECURE_PORT_DEFAULT = "443";
+my $PROXY_UNSECURE_PORT_DEFAULT = "80";
+my $AJP_PORT_DEFAULT = "9447";
+
##############################################################
# Local Data Structures
##############################################################
@@ -376,6 +391,10 @@ my $agent_secure_port = -1;
my $ee_secure_port = -1;
my $ee_secure_client_auth_port = -1;
my $admin_secure_port = -1;
+my $proxy_secure_port = -1;
+my $proxy_unsecure_port = -1;
+my $ajp_port = -1;
+my $enable_proxy = undef;
my $username = undef;
my $groupname = undef;
my $redirected_conf_path = undef;
@@ -526,8 +545,10 @@ my $webapps_root_subsystem_path = undef; # CA, KRA, OCSP, TKS
my $webinf_instance_path = undef; # CA, KRA, OCSP, TKS
my $webinf_lib_instance_path = undef; # CA, KRA, OCSP, TKS
my $webinf_subsystem_path = undef; # CA, KRA, OCSP, TKS
-my $profile_select_template_subsystem_file_path = undef; #CA
+my $profile_select_template_subsystem_file_path = undef; #CA
my $profile_select_template_instance_file_path = undef; #CA
+my $proxy_conf_subsystem_file_path = undef; #CA
+my $proxy_conf_instance_file_path = undef; #CA
# PKI init script variables
my $pki_registry_initscript = undef; # CA, KRA, OCSP, TKS, RA, TPS
@@ -668,6 +689,25 @@ pkicreate -pki_instance_root=<pki_instance_root> # Instance root directory
-tomcat_server_port=<tomcat_server_port> # Unique port for each
# Tomcat instance
+ #####################################################################
+ ### proxy configuration ###
+ ### if -enable_proxy is set, ajp_port, proxy_secure_port, and ###
+ ### proxy_unsecure_port are also set. ###
+ #####################################################################
+
+ [-enable_proxy] #enable proxy configuration
+ [-ajp_port=<ajp_port>] #AJP port, default 9447
+
+ [-proxy_secure_port=<proxy_secure_port>] # Proxy secure port,
+ # default 443
+
+ [-proxy_unsecure_port=<unsecure_port>] # Proxy unsecure port,
+ # default 80
+
+ #####################################################################
+ ### END proxy configuration ###
+ #####################################################################
+
[-user=<username>] # User ownership
# (must ALSO specify
# group ownership)
@@ -916,6 +956,9 @@ sub parse_arguments
my $l_ee_secure_port = -1;
my $l_ee_secure_client_auth_port = -1;
my $l_admin_secure_port = -1;
+ my $l_proxy_secure_port = -1;
+ my $l_proxy_unsecure_port = -1;
+ my $l_ajp_port = -1;
my $show_help = 0;
my $result = GetOptions("help" => \$show_help,
@@ -930,6 +973,10 @@ sub parse_arguments
"ee_secure_client_auth_port:i" => \$l_ee_secure_client_auth_port,
"admin_secure_port:i" => \$l_admin_secure_port,
"tomcat_server_port:i" => \$l_tomcat_server_port,
+ "proxy_secure_port:i" => \$l_proxy_secure_port,
+ "proxy_unsecure_port:i" => \$l_proxy_unsecure_port,
+ "ajp_port:i" => \$l_ajp_port,
+ "enable_proxy" => \$enable_proxy,
"user=s" => \$username,
"group=s" => \$groupname,
"verbose+" => \$verbose,
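Review bot: The new `"enable_proxy" => \$enable_proxy` option binds straight to the file-level variable, whereas the three new port options follow the surrounding convention of an `$l_` local that is copied to the global later in parse_arguments after validation. For consistency with the rest of the option table, declare `my $l_enable_proxy = 0;` next to the other locals, bind `"enable_proxy" => \$l_enable_proxy,` here, and assign `$enable_proxy = $l_enable_proxy;` where the proxy ports are resolved. parse_arguments begins and ends outside this hunk.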
@@ -1186,8 +1233,23 @@ sub parse_arguments
}
}
+ if ($enable_proxy) {
+
+ $proxy_secure_port = ($l_proxy_secure_port >= 0) ? $l_proxy_secure_port :
+ $PROXY_SECURE_PORT_DEFAULT;
+ emit(" proxy_secure_port $proxy_secure_port\n");
+
+ $proxy_unsecure_port = ($l_proxy_unsecure_port >= 0) ? $l_proxy_unsecure_port :
+ $PROXY_UNSECURE_PORT_DEFAULT;
+ emit(" proxy_unsecure_port $proxy_unsecure_port\n");
+
+ $ajp_port = ($l_ajp_port >= 0) ? $l_ajp_port : $AJP_PORT_DEFAULT;
+ emit(" ajp_port $ajp_port\n");
+ }
+
if (!AreConnectorPortsValid($secure_port,$unsecure_port,$agent_secure_port,
- $ee_secure_port,$ee_secure_client_auth_port, $admin_secure_port))
+ $ee_secure_port,$ee_secure_client_auth_port, $admin_secure_port,
+ $proxy_secure_port, $proxy_unsecure_port))
{
usage();
emit("Invalid port numbers submitted!\n","error");
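Review bot: `$ajp_port` is left out of the AreConnectorPortsValid call even though the two proxy ports were added to it, so an AJP port that collides with the secure, unsecure, agent, EE, admin or Tomcat server port is accepted here and later handed to add_selinux_port unchecked; the call should become `$ee_secure_port,$ee_secure_client_auth_port, $admin_secure_port,` / `$proxy_secure_port, $proxy_unsecure_port, $ajp_port))`, and AreConnectorPortsValid, which is defined outside this hunk, would need the extra parameter. A second gap is that `-proxy_secure_port`, `-proxy_unsecure_port` and `-ajp_port` are silently discarded when `-enable_proxy` is absent, because the block at the top of the hunk only reads the `$l_` locals inside `if ($enable_proxy)`; a warning such as `emit("proxy ports ignored: -enable_proxy not specified\n","warning");` in an else branch would make that visible to the operator. parse_arguments continues outside the hunk.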
@@ -1547,6 +1609,9 @@ sub initialize_subdirectory_paths
$profile_select_template_instance_file_path = $webapps_subsystem_instance_path
. "/ee/". $subsystem_type
. "/" . $profile_select_base_name;
+
+ $proxy_conf_subsystem_file_path = $conf_subsystem_path
+ . "/" . $proxy_conf_base_name;
}
## Initialize subdirectory paths (RA, TPS subsystems)
@@ -1901,6 +1966,8 @@ sub process_pki_directories
. "/" . $pfile_base_name;
$pki_cfg_instance_file_path = $conf_instance_path
. "/" . $pki_cfg_base_name;
+ $proxy_conf_instance_file_path = $conf_instance_path
+ . "/" . $proxy_conf_base_name;
$catalina_properties_instance_file_path = $conf_instance_path
. "/" . $catalina_properties_base_name;
@@ -1948,6 +2015,8 @@ sub process_pki_directories
. "/" . $pfile_base_name;
$pki_cfg_instance_file_path = $redirected_conf_path
. "/" . $pki_cfg_base_name;
+ $proxy_conf_instance_file_path = $redirected_conf_path
+ . "/" . $proxy_conf_base_name;
$catalina_properties_instance_file_path = $redirected_conf_path
. "/" . $catalina_properties_base_name;
@@ -2346,6 +2415,7 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so
$slot_hash{$PKI_AGENT_SECURE_PORT_SLOT} = $agent_secure_port;
$slot_hash{$PKI_EE_SECURE_PORT_SLOT} = $ee_secure_port;
$slot_hash{$PKI_EE_SECURE_CLIENT_AUTH_PORT_SLOT} = $ee_secure_client_auth_port;
+ $slot_hash{$PKI_EE_SECURE_CLIENT_AUTH_PORT_UI_SLOT} = $ee_secure_client_auth_port;
$slot_hash{$PKI_ADMIN_SECURE_PORT_SLOT} = $admin_secure_port;
# Comment "Port Separation" appropriately
@@ -2378,7 +2448,8 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so
$slot_hash{$PKI_SECURE_PORT_SLOT} = $secure_port;
$slot_hash{$PKI_AGENT_SECURE_PORT_SLOT} = $secure_port;
$slot_hash{$PKI_EE_SECURE_PORT_SLOT} = $secure_port;
- $slot_hash{$PKI_EE_SECURE_CLIENT_AUTH_PORT_SLOT} = $secure_port;
+ $slot_hash{$PKI_EE_SECURE_CLIENT_AUTH_PORT_SLOT} = $secure_port;
+ $slot_hash{$PKI_EE_SECURE_CLIENT_AUTH_PORT_UI_SLOT} = $secure_port;
$slot_hash{$PKI_ADMIN_SECURE_PORT_SLOT} = $secure_port;
# Comment "Shared Ports" appropriately
@@ -2398,7 +2469,31 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so
# Comment out the "Admin/Agent/EE" Filters
$slot_hash{$PKI_OPEN_SEPARATE_PORTS_COMMENT_WEB_SLOT} = $PKI_OPEN_COMMENT;
$slot_hash{$PKI_CLOSE_SEPARATE_PORTS_COMMENT_WEB_SLOT} = $PKI_CLOSE_COMMENT;
- }
+ }
+
+ if ($enable_proxy) {
+ if ($use_port_separation) {
+ $slot_hash{$PKI_AJP_REDIRECT_PORT_SLOT} = $ee_secure_port;
+ } else {
+ $slot_hash{$PKI_AJP_REDIRECT_PORT_SLOT} = $secure_port;
+ }
+ $slot_hash{$PKI_EE_SECURE_CLIENT_AUTH_PORT_UI_SLOT} = $proxy_secure_port;
+ $slot_hash{$PKI_AJP_PORT_SLOT} = $ajp_port;
+ $slot_hash{$PKI_OPEN_AJP_PORT_COMMENT_SLOT} = "";
+ $slot_hash{$PKI_CLOSE_AJP_PORT_COMMENT_SLOT} = "";
+ $slot_hash{$PKI_OPEN_ENABLE_PROXY_COMMENT_SLOT} = "";
+ $slot_hash{$PKI_CLOSE_ENABLE_PROXY_COMMENT_SLOT} = "";
+ } else {
+ $slot_hash{$PKI_OPEN_AJP_PORT_COMMENT_SLOT} = $PKI_OPEN_COMMENT;
+ $slot_hash{$PKI_CLOSE_AJP_PORT_COMMENT_SLOT} = $PKI_CLOSE_COMMENT;
+ $slot_hash{$PKI_OPEN_ENABLE_PROXY_COMMENT_SLOT} = $PKI_OPEN_COMMENT;
+ $slot_hash{$PKI_CLOSE_ENABLE_PROXY_COMMENT_SLOT} = $PKI_CLOSE_COMMENT;
+ }
+
+ $slot_hash{$PROXY_SECURE_PORT_SLOT} = ($proxy_secure_port >=0) ?
+ $proxy_secure_port : "";
+ $slot_hash{$PROXY_UNSECURE_PORT_SLOT} = ($proxy_unsecure_port>=0) ?
+ $proxy_unsecure_port : "";
$slot_hash{$PKI_WEBAPPS_NAME} = $webapps_base_subsystem_dir;
$slot_hash{$PKI_FLAVOR_SLOT} = $pki_flavor;
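Review bot: When `$enable_proxy` is false the else branch only fills the four comment slots, so `$PKI_AJP_PORT_SLOT` and `$PKI_AJP_REDIRECT_PORT_SLOT` are never assigned; if process_file_template leaves unknown slots untouched (its behavior is outside this hunk), the generated server.xml keeps the literal `[PKI_AJP_PORT]` in the connector comment and `[PKI_AJP_REDIRECT_PORT]` in the commented-out Connector element. Assigning `$slot_hash{$PKI_AJP_PORT_SLOT} = $AJP_PORT_DEFAULT;` and `$slot_hash{$PKI_AJP_REDIRECT_PORT_SLOT} = $secure_port;` in the else branch keeps the emitted file free of placeholder tokens and matches the fully-populated pattern used for the other port slots above. The enclosing template-processing sub starts and ends outside this hunk.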
@@ -2470,7 +2565,12 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so
$profile_select_template_subsystem_file_path,
$profile_select_template_instance_file_path,
\%slot_hash);
- }
+ # process proxy.conf file
+ return 0 if !process_file_template("proxy_conf",
+ $proxy_conf_subsystem_file_path,
+ $proxy_conf_instance_file_path,
+ \%slot_hash);
+ }
## Process templates (RA, TPS instances)
@@ -3073,6 +3173,9 @@ sub process_pki_selinux_setup
if ($admin_secure_port != -1) {
add_selinux_port($setype_p, $admin_secure_port, \$semanage_cmds);
}
+ if ($ajp_port != -1) {
+ add_selinux_port($setype_p, $ajp_port, \$semanage_cmds);
+ }
# now run the selinux commands in batch mode
if ($semanage_cmds ne "") {
diff --git a/pki/base/tks/shared/conf/CS.cfg.in b/pki/base/tks/shared/conf/CS.cfg.in
index 64296808a..d98a25154 100644
--- a/pki/base/tks/shared/conf/CS.cfg.in
+++ b/pki/base/tks/shared/conf/CS.cfg.in
@@ -25,6 +25,8 @@ preop.system.name=TKS
preop.product.name=CS
preop.product.version=@VERSION@
preop.system.fullname=Token Key Service
+proxy.securePort=[PKI_PROXY_SECURE_PORT]
+proxy.unsecurePort=[PKI_PROXY_UNSECURE_PORT]
tks.cert.list=sslserver,subsystem,audit_signing
tks.cert.sslserver.certusage=SSLServer
tks.cert.subsystem.certusage=SSLClient
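Review bot: With the proxy disabled, pkicreate fills `PKI_PROXY_SECURE_PORT` and `PKI_PROXY_UNSECURE_PORT` with an empty string, so every non-proxied instance ends up with `proxy.securePort=` and `proxy.unsecurePort=` as empty keys; the consumer of these keys (CMSEngine is in the diffstat but not in this chunk) must treat an empty value as "no proxy" rather than parse it as a port. A one-line comment above the two keys, `# proxy.securePort / proxy.unsecurePort are empty unless the instance was created with -enable_proxy`, would document that contract for whoever edits CS.cfg by hand; the same two lines appear in the ca, kra and ocsp CS.cfg.in files per the diffstat.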
diff --git a/pki/base/tks/shared/conf/server.xml b/pki/base/tks/shared/conf/server.xml
index 856c2c2a5..ff33b9aa4 100644
--- a/pki/base/tks/shared/conf/server.xml
+++ b/pki/base/tks/shared/conf/server.xml
@@ -191,10 +191,10 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
clientAuth="false" sslProtocol="TLS" />
-->
- <!-- Define an AJP 1.3 Connector on port 8009 -->
-<!--
- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
--->
+ <!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] -->
+[PKI_OPEN_AJP_PORT_COMMENT]
+ <Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" redirectPort="[PKI_AJP_REDIRECT_PORT]" />
+[PKI_CLOSE_AJP_PORT_COMMENT]
<!-- An Engine represents the entry point (within Catalina) that processes
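Review bot: The AJP Connector on the new side carries no `address` attribute, so Tomcat binds it on every interface; AJP has no authentication of its own and trusts the request attributes the front-end proxy forwards (remote user, SSL client-certificate details), so any host that can reach the AJP port can present itself to the webapps as the proxy, which undercuts the firewall reduction this change is for. Bind the connector to the interface the proxy connects from, e.g. `<Connector port="[PKI_AJP_PORT]" protocol="AJP/1.3" address="127.0.0.1" redirectPort="[PKI_AJP_REDIRECT_PORT]" />` (parameterized via a new slot if the proxy may run on another host), and keep `[PKI_AJP_PORT]` closed externally. The diffstat lists the same server.xml change for the ca, kra and ocsp subsystems, which presumably need the same attribute. Separately, `redirectPort` is populated by pkicreate with Tomcat's own secure port rather than the proxy's, so if a transport-guarantee constraint ever forces a redirect on this connector the client is sent to the backend port this change intends to hide; worth confirming against how the proxy forwards the SSL state.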
diff --git a/pki/base/tks/shared/webapps/tks/WEB-INF/web.xml b/pki/base/tks/shared/webapps/tks/WEB-INF/web.xml
index 693d7b9fd..34517a63d 100644
--- a/pki/base/tks/shared/webapps/tks/WEB-INF/web.xml
+++ b/pki/base/tks/shared/webapps/tks/WEB-INF/web.xml
@@ -14,6 +14,12 @@
<param-name>https_port</param-name>
<param-value>[PKI_AGENT_SECURE_PORT]</param-value>
</init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
+ <init-param>
+ <param-name>proxy_port</param-name>
+ <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
+ </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
<init-param>
<param-name>active</param-name>
<param-value>true</param-value>
@@ -27,6 +33,12 @@
<param-name>https_port</param-name>
<param-value>[PKI_ADMIN_SECURE_PORT]</param-value>
</init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
+ <init-param>
+ <param-name>proxy_port</param-name>
+ <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
+ </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
<init-param>
<param-name>active</param-name>
<param-value>true</param-value>
@@ -44,6 +56,16 @@
<param-name>https_port</param-name>
<param-value>[PKI_EE_SECURE_PORT]</param-value>
</init-param>
+[PKI_OPEN_ENABLE_PROXY_COMMENT]
+ <init-param>
+ <param-name>proxy_port</param-name>
+ <param-value>[PKI_PROXY_SECURE_PORT]</param-value>
+ </init-param>
+ <init-param>
+ <param-name>proxy_http_port</param-name>
+ <param-value>[PKI_PROXY_UNSECURE_PORT]</param-value>
+ </init-param>
+[PKI_CLOSE_ENABLE_PROXY_COMMENT]
<init-param>
<param-name>active</param-name>
<param-value>true</param-value>