-rw-r--r--base/ca/shared/conf/acl.ldif3
-rw-r--r--base/ca/shared/conf/server.xml2
-rw-r--r--base/ca/shared/webapps/ca/WEB-INF/auth.properties9
-rw-r--r--base/ca/shared/webapps/ca/WEB-INF/web.xml35
-rw-r--r--base/common/shared/conf/context.xml4
-rw-r--r--base/common/shared/conf/server.xml3
-rw-r--r--base/deploy/src/scriptlets/pkiparser.py14
-rw-r--r--base/deploy/src/scriptlets/slot_substitution.py12
-rwxr-xr-xbase/setup/pki1
-rwxr-xr-xbase/setup/pkicreate2
10 files changed, 80 insertions, 5 deletions
diff --git a/base/ca/shared/conf/acl.ldif b/base/ca/shared/conf/acl.ldif
index ceea1f27a..aec1447e5 100644
--- a/base/ca/shared/conf/acl.ldif
+++ b/base/ca/shared/conf/acl.ldif
@@ -51,3 +51,6 @@ resourceACLS: certServer.ca.connectorInfo:read,modify:allow (modify,read) group=
resourceACLS: certServer.ca.registerUser:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to register a new agent
resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators":Only Enterprise Administrators are allowed to clone the configuration.
resourceACLS: certServer.admin.ocsp:read,modify:allow (modify,read) group="Enterprise OCSP Administrators":Only Enterprise Administrators are allowed to read or update the OCSP configuration.
+resourceACLS: certServer.ca.certs:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert operations
+resourceACLS: certServer.ca.groups:execute:allow (execute) group="Administrators":Admins may execute group operations
+resourceACLS: certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations
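Review bot: Each of the three new ACLs grants a single `execute` operation for a whole REST resource, so every request routed under `/ca/rest/admin/users`, `/ca/rest/admin/groups` and `/ca/rest/agent/certs` (per the auth.properties added in this commit) is authorized by one rule; read-only and modifying requests are indistinguishable to the ACL, unlike the neighbouring entries that declare `read,modify` separately. If the REST layer is meant to distinguish them later, the operation list should be split now rather than retrofitted. The groups named here (`Administrators`, `Certificate Manager Agents`) also differ from the `Enterprise ... Administrators` groups used by the surrounding entries; a trailing remark in the description field confirming that the local groups are intended would save the next reader from guessing.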
diff --git a/base/ca/shared/conf/server.xml b/base/ca/shared/conf/server.xml
index 4056fbbb7..60317d2fa 100644
--- a/base/ca/shared/conf/server.xml
+++ b/base/ca/shared/conf/server.xml
@@ -84,7 +84,7 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
-->
[PKI_UNSECURE_PORT_SERVER_COMMENT]
- <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="8443"
+ <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="[PKI_SECURE_PORT]"
maxHttpHeaderSize="8192"
acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"
diff --git a/base/ca/shared/webapps/ca/WEB-INF/auth.properties b/base/ca/shared/webapps/ca/WEB-INF/auth.properties
new file mode 100644
index 000000000..ebb1c6c3f
--- /dev/null
+++ b/base/ca/shared/webapps/ca/WEB-INF/auth.properties
@@ -0,0 +1,9 @@
+# Restful API auth/authz mapping info
+#
+# Format:
+# <Rest API URL> = <ACL Resource ID>,<ACL resource operation>
+# ex: /ca/pki/users = certServer.ca.users,read
+
+/ca/rest/admin/users = certServer.ca.users,execute
+/ca/rest/admin/groups = certServer.ca.groups,execute
+/ca/rest/agent/certs = certServer.ca.certs,execute
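Review bot: The format example `# ex: /ca/pki/users = certServer.ca.users,read` uses a URL prefix (`/ca/pki/`) that does not match the actual mappings (`/ca/rest/...`) below it, which will mislead anyone adding entries; change it to `# ex: /ca/rest/admin/users = certServer.ca.users,read`. The header also does not say whether the URL key is matched exactly or as a prefix, nor what happens to a REST path that has no entry (presumably denied, but that cannot be confirmed from this page); a one-line statement of both would make the file self-explanatory.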
diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml
index 7ec3932c9..af474872e 100644
--- a/base/ca/shared/webapps/ca/WEB-INF/web.xml
+++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml
@@ -2382,5 +2382,40 @@
<session-config>
<session-timeout>30</session-timeout>
</session-config>
+
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Admin Services</web-resource-name>
+ <url-pattern>/rest/admin/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Agent Services</web-resource-name>
+ <url-pattern>/rest/agent/certs/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
+ <login-config>
+ <realm-name>Certificate Authority</realm-name>
+ </login-config>
+
+ <security-role>
+ <role-name>*</role-name>
+ </security-role>
+
</web-app>
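Review bot: The new `<login-config>` names a realm but declares no `<auth-method>`, so these constraints depend on an authenticator being installed elsewhere — apparently the `SSLAuthenticatorWithFallback` valve added to context.xml in this same commit; a comment above `<login-config>` stating that dependency would stop someone "fixing" it by adding BASIC or CLIENT-CERT and authenticating twice. With `<role-name>*</role-name>` the container only checks that the caller is authenticated; the actual authorization is delegated to the ACL mapping in auth.properties, and only `/rest/admin/*` and `/rest/agent/certs/*` are covered here, so as far as this hunk shows a REST path added outside those patterns is not gated unless both files are updated. A short comment next to the constraints naming that coupling would help. The enclosing `<web-app>` element begins outside the hunk.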
diff --git a/base/common/shared/conf/context.xml b/base/common/shared/conf/context.xml
index 4b00dbe3c..b28f1bd20 100644
--- a/base/common/shared/conf/context.xml
+++ b/base/common/shared/conf/context.xml
@@ -39,4 +39,8 @@
<Valve className="org.apache.catalina.valves.CometConnectionManagerValve" />
-->
+ <Valve className="com.netscape.cmscore.realm.SSLAuthenticatorWithFallback" />
+
+ <Realm className="com.netscape.cmscore.realm.PKIRealm" />
+
</Context>
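Review bot: The new `<Valve>` and `<Realm>` lines carry no comment, in a file whose other entries sit under explanatory blocks, and this file is shared by every subsystem context; add a note such as `<!-- PKIRealm authenticates REST callers; SSLAuthenticatorWithFallback tries the TLS client certificate first and falls back to the realm when none is presented -->`, where the fallback behaviour is inferred from the class name and should be confirmed against the implementation. Pairing this with the `clientAuth="want"` change elsewhere in the commit means a missing client certificate is no longer rejected at the TLS layer, so the realm becomes the only barrier on those ports — worth stating here.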
diff --git a/base/common/shared/conf/server.xml b/base/common/shared/conf/server.xml
index d3c781a6b..596b7e356 100644
--- a/base/common/shared/conf/server.xml
+++ b/base/common/shared/conf/server.xml
@@ -117,7 +117,7 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
-->
[PKI_UNSECURE_PORT_SERVER_COMMENT]
- <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="8443"
+ <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="[PKI_SECURE_PORT]"
maxHttpHeaderSize="8192"
acceptCount="100" maxThreads="150" minSpareThreads="25"
enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"
@@ -186,7 +186,6 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
ocspTimeout="10"
strictCiphers="false"
clientAuth="[PKI_AGENT_CLIENTAUTH]"
- clientauth="[PKI_AGENT_CLIENTAUTH]"
sslOptions="[TOMCAT_SSL_OPTIONS]"
ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py
index 5674cf87a..66c1e4085 100644
--- a/base/deploy/src/scriptlets/pkiparser.py
+++ b/base/deploy/src/scriptlets/pkiparser.py
@@ -400,6 +400,9 @@ def compose_pki_master_dictionary():
config.pki_master_dict['pki_source_server_xml'] =\
os.path.join(config.pki_master_dict['pki_source_shared_path'],
"server.xml")
+ config.pki_master_dict['pki_source_context_xml'] =\
+ os.path.join(config.pki_master_dict['pki_source_shared_path'],
+ "context.xml")
config.pki_master_dict['pki_source_tomcat_conf'] =\
os.path.join(config.pki_master_dict['pki_source_shared_path'],
"tomcat.conf")
@@ -984,6 +987,10 @@ def compose_pki_master_dictionary():
os.path.join(
config.pki_master_dict['pki_instance_configuration_path'],
"server.xml")
+ config.pki_master_dict['pki_target_context_xml'] =\
+ os.path.join(
+ config.pki_master_dict['pki_instance_configuration_path'],
+ "context.xml")
config.pki_master_dict['pki_target_tomcat_conf_instance_id'] =\
config.pki_master_dict['pki_root_prefix'] +\
"/etc/sysconfig/" +\
@@ -997,6 +1004,11 @@ def compose_pki_master_dictionary():
config.pki_master_dict['pki_tomcat_webapps_root_path'],
"index.jsp")
# in-place slot substitution name/value pairs
+ config.pki_master_dict['pki_target_auth_properties'] =\
+ os.path.join(
+ config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
+ "WEB-INF",
+ "auth.properties")
config.pki_master_dict['pki_target_velocity_properties'] =\
os.path.join(
config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
@@ -1131,7 +1143,7 @@ def compose_pki_master_dictionary():
['PKI_ADMIN_SECURE_PORT_SERVER_COMMENT_SLOT'] =\
""
config.pki_master_dict['PKI_AGENT_CLIENTAUTH_SLOT'] =\
- "agent"
+ "want"
config.pki_master_dict['PKI_AGENT_SECURE_PORT_SLOT'] =\
config.pki_master_dict['pki_https_port']
config.pki_master_dict['PKI_AJP_PORT_SLOT'] =\
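Review bot: Changing `PKI_AGENT_CLIENTAUTH_SLOT` from `"agent"` to `"want"` alters the TLS behaviour of the agent connector — a client certificate is requested but no longer required — and the hunk leaves no explanation of why that is now acceptable; add a comment above the assignment, e.g. `# "want": request but do not require a TLS client certificate; callers without one are authenticated by the realm/authenticator configured in context.xml`. The same value change appears in base/setup/pkicreate (the `$slot_hash{$PKI_AGENT_CLIENTAUTH_SLOT}` line), where the preceding `# Set appropriate "clientAuth" parameter` comment should be updated to say the same. `compose_pki_master_dictionary` begins outside this hunk.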
diff --git a/base/deploy/src/scriptlets/slot_substitution.py b/base/deploy/src/scriptlets/slot_substitution.py
index 3467596e8..482d1d9cb 100644
--- a/base/deploy/src/scriptlets/slot_substitution.py
+++ b/base/deploy/src/scriptlets/slot_substitution.py
@@ -54,6 +54,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_target_server_xml'],
overwrite_flag=True)
util.file.copy_with_slot_substitution(
+ master['pki_source_context_xml'],
+ master['pki_target_context_xml'],
+ overwrite_flag=True)
+ util.file.copy_with_slot_substitution(
master['pki_source_tomcat_conf'],
master['pki_target_tomcat_conf_instance_id'],
uid=0, gid=0, overwrite_flag=True)
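Review bot: The new `copy_with_slot_substitution` call for context.xml is pasted verbatim into two methods (this hunk and the one at `@@ -109,6 +115,10 @@`), as are the `apply_slot_substitution` calls for auth.properties in the hunks at `@@ -66,6 +70,8 @@` and `@@ -121,6 +131,8 @@`; each method now handles four files this way, so a small private helper or a list of (source, target) pairs iterated once would keep the two code paths from drifting. Separately, the auth.properties added in this commit contains no `[...]` slot markers of the kind used in server.xml, so `util.file.apply_slot_substitution(master['pki_target_auth_properties'])` appears to be a no-op today; if it is reserved for future slots, a one-line comment saying so would avoid the question. Both enclosing methods begin outside the hunks.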
@@ -66,6 +70,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_target_index_jsp'],
overwrite_flag=True)
util.file.apply_slot_substitution(
+ master['pki_target_auth_properties'])
+ util.file.apply_slot_substitution(
master['pki_target_velocity_properties'])
util.file.apply_slot_substitution(
master['pki_target_subsystem_web_xml'])
@@ -109,6 +115,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_target_server_xml'],
overwrite_flag=True)
util.file.copy_with_slot_substitution(
+ master['pki_source_context_xml'],
+ master['pki_target_context_xml'],
+ overwrite_flag=True)
+ util.file.copy_with_slot_substitution(
master['pki_source_tomcat_conf'],
master['pki_target_tomcat_conf_instance_id'],
uid=0, gid=0, overwrite_flag=True)
@@ -121,6 +131,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_target_index_jsp'],
overwrite_flag=True)
util.file.apply_slot_substitution(
+ master['pki_target_auth_properties'])
+ util.file.apply_slot_substitution(
master['pki_target_velocity_properties'])
util.file.apply_slot_substitution(
master['pki_target_subsystem_web_xml'])
diff --git a/base/setup/pki b/base/setup/pki
index a2d5a69d6..90c863f35 100755
--- a/base/setup/pki
+++ b/base/setup/pki
@@ -75,6 +75,7 @@ $ENV{CLASSPATH} = "/usr/share/java/${PRODUCT}/pki-certsrv.jar:"
. "/usr/share/java/${PRODUCT}/pki-cms.jar:"
. "/usr/share/java/${PRODUCT}/pki-nsutil.jar:"
. "/usr/share/java/apache-commons-cli.jar:"
+ . "/usr/share/java/apache-commons-codec.jar:"
. "/usr/share/java/apache-commons-lang.jar:"
. "/usr/share/java/apache-commons-logging.jar:"
. "/usr/share/java/commons-httpclient.jar:"
diff --git a/base/setup/pkicreate b/base/setup/pkicreate
index 6abb73755..cc4ee703f 100755
--- a/base/setup/pkicreate
+++ b/base/setup/pkicreate
@@ -2560,7 +2560,7 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so
$slot_hash{$PKI_EE_SECURE_CLIENT_AUTH_PORT_COMMENT_SERVER_SLOT} = "";
# Set appropriate "clientAuth" parameter for "Shared Ports"
- $slot_hash{$PKI_AGENT_CLIENTAUTH_SLOT} = "agent";
+ $slot_hash{$PKI_AGENT_CLIENTAUTH_SLOT} = "want";
# Comment out the "Admin/EE" Ports
$slot_hash{$PKI_OPEN_SEPARATE_PORTS_COMMENT_SERVER_SLOT} = $PKI_OPEN_COMMENT;